Posts

In Sworn Declaration about Dragnet, NSA Changes Its Tune about Scope of “This Program”

I’ve been tracking the sudden effort on the part of NSA to minimize how much of the call data in the US it collects (under “this program,” Section 215).

That effort has, unsurprisingly, carried over to its sworn declarations in lawsuits.

Along with the response in the First Unitarian Church of Los Angeles v. NSA suit the government filed last Friday (this is the EFF-backed suit that challenges the phone dragnet on Freedom of Association as well as other grounds), NSA’s Signals Intelligence Director Theresa Shea submitted a new declaration about the scope of the program.

Ostensibly, Shea’s declaration serves to explain the “new” “changes” Obama announced last month, which the FISA Court approved on February 4. As I have noted, in one case the “change” simply formalized NSA”s existing practice and in the other it’s probably not a big change either.

In addition to her explanation of those “changes,” Shea included this language about the scope of the dragnet.

Although there has been speculation that the NSA, under this program, acquires metadata relating to all telephone calls to, from, or within the United States, that is not the case. The Government has acknowledged that the program is broad in scope and involves the collection and aggregation of a large volume of data from multiple telecommunications service providers, but as the FISC observed in a decision last year, it has never captured information on all (or virtually all) calls made and/or received in the U.S. See In re Application of the FBI for an Order Requiring the Production of Tangible Things from [Redacted], Dkt. No. BR13-109 Amended Mem. Op. at 4 n.5 (F.I.S.C. Aug. 29, 2013) (publicly released, unclassified version) (“The production of all call detail records of all persons in the States has never occurred under under this program.“) And while the Government has also acknowledged that one provider was the recipient of a now-expired April 23, 2013, Secondary Order from the FISC (Exhibit B to my earlier declaration), the identities of the carriers participating in the program (either now, or at any time in the past) otherwise remain classified. [my emphasis]

Shea appears to be presenting as partial a picture of the dragnet as she did in her prior declaration, where she used expansive language that — if you looked closely — actually referred to the entire dragnet, not just the Section 215 part of it.

Here, she’s selectively citing the declassified August 29, 2013 version of Claire Eagan’s July 19, 2013 opinion. The latter date is significant, given that the day the government submitted the application tied to that order, NSA General Counsel Raj De made it clear there were 3 providers in the program (see after 18:00 in the third video). These are understood to be AT&T, Sprint, and Verizon.

Shea selectively focuses on language that describes some limits on the dragnet. She could also note that Eagan’s opinion quoted language suggesting the dragnet (at least in 2011) collected “substantially all” of the phone records from the providers in question, but she doesn’t, perhaps because it would present problems for her “virtually all” claim.

Moreover, Shea’s reference to “production of all call detail records” appears to have a different meaning than she suggests it has when read in context. Here’s what the actual language of the opinion says.

Specifically, the government requested Orders from this Court to obtain certain business records of specified telephone service providers. Those telephone company business records consist of a very large volume of each company’s call detail records or telephony metadata, but expressly exclude the contents of any communication; the name, address, or financial information of any subscriber or customer; or any cell site location information (CSLI). Primary Ord. at 3 n.l.5

5 In the event that the government seeks the production of CSLI as part of the bulk production of call detail records in the future, the government would be required to provide notice and briefing to this Court pursuant to FISC Rule 11. The production of all call detail records of all persons in the United States has never occurred under this program. For example, the government [redacted][my emphasis]

In context, the reference discusses not just whether the records of all the calls from all US telecom providers (AT&T, Sprint, and Verizon, which participated in this program on the date Eagan wrote the opinion, but also T-Mobile and Cricket, plus VOIP providers like Microsoft, owner of Skype, which did not) are turned over, but also whether each provider that does participate (AT&T, Sprint, and Verizon) turns over all the records on each call. The passage makes clear they don’t do the latter; AT&T, Sprint, and Verizon don’t turn over financial data, name, or cell location, for example! And since we know that at the time Eagan wrote this opinion, there were just those 3 providers participating, clearly the records of providers that didn’t use the backbone of those 3 providers or, in the case of Skype, would be inaccessible, would be missed. So not all call detail records from the providers that do provide records, nor records covering all the people in the US. But still a “very large volume” from AT&T, Sprint, and Verizon, the providers that happen to be covered by the suit.

And in this declaration, instead of using the number De used last July, Shea instead refers to “multiple telecommunications service providers,” which could be 50, 4, 3, or 2, or anywhere in between. Particularly given her “either now, or at any time in the past” language, this suggests the number of providers participating may have changed since July.

Which brings me to the two other implicit caveats in her statement.

First, she suggests (ignoring the time ODNI revealed Verizon’s name a second time) that the only thing we can be sure of is that Verizon provided all its domestic data for the 3 months following April 23, 2013.

Actually, we can be fairly sure that at least until January 3, Verizon still participated. That’s because the Primary Order approved on that date still includes a paragraph that — thanks to ODNI’s earlier redaction fail — we know was written to ensure that Verizon didn’t start handing over its foreign call records along with its domestic ones.

Screen Shot 2014-02-25 at 9.33.00 AM

Though curiously, the way in which DOJ implemented the Obama-directed changes — the ones that Shea’s declaration supposedly serves to explain — involved providing substitute language affecting a huge section of the Primary Order, without providing a new Primary Order itself. So we don’t know whether ¶1(B) — what I think of as the Verizon paragraph — still exists, or even whether it still existed on February 4, when Reggie Walton approved the change.

Which is particularly interesting given that Shea’s declaration just happened to be submitted on the date, February 21, when a significant change in Verizon’s structure may have affected how NSA gets its data. (That date was set in December by a joint scheduling change.)

One way or another, Shea’s claim that the dragnet doesn’t collect all or even virtually all phone records is very time delimited, certainly allowing the possibility that the scope of the dragnet has changed since the plaintiffs filed this suit on July 16, 3 days before Eagan explicitly excluded cell location data from the dragnet collection, which is the reason NSA’s leak recipients now give for limits on the scope of the program.

The claim is also — as claims about the Section 215 always are — very program delimited. In her statement claiming limits on how much data the NSA collects, Shea makes 2 references to “this program” and quotes Eagan making a third. She’s not saying the NSA doesn’t collect all the phone data in the US (I don’t think they quite do that either, but I think they collect more US phone data than they collect under this program). She’s saying only that it doesn’t collect “virtually all” the phone data in the US “under this program.”

Given her previously expansive declaration (which implicitly included all the other dragnet collection methods), I take this declaration as a rather interesting indicator of the limits to the claims about limits to the dragnet.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Keith Alexander Refutes Claims NSA Doesn’t Get Cell Data

Eight days ago, the country’s four major newspapers reported a claim that the NSA collected 33% or less of US phone records (under the Section 215 program, they should have specified, but did not) because it couldn’t collect most cell phone metadata:

  • “[I]t doesn’t cover records for most cellphones,” (WSJ)
  • “[T]he agency has struggled to prepare its database to handle vast amounts of cellphone data,” (WaPo)
  • “[I]t has struggled to take in cellphone data,” (NYT)
  • “[T]he NSA is gathering toll records from most domestic land line calls, but is incapable of collecting those from most cellphone or Internet calls.” (LAT)

Since that time, I have pointed to a number of pieces of evidence that suggest these claims are only narrowly true:

  • A WSJ article from June made it clear the cell gap, such as it existed, existed primarily for Verizon and T-Mobile, but their calls were collected via other means (the WaPo and NYT both noted this in their stories without considering how WSJ’s earlier claim it was still near-comprehensive contradicted the 33% claim)
  • The NSA’s claimed Section 215 dragnet successes — Basaaly Moalin, Najibullah Zazi, Tsarnaev brothers — all involved cell users
  • Identifying Moalin via the dragnet likely would have been impossible if NSA didn’t have access to T-Mobile cell data
  • The phone dragnet orders specifically included cell phone identifiers starting in 2008
  • Also since 2008, phone dragnet orders seem to explicitly allow contact-chaining on cell identifiers, and several of the tools they use with phone dragnet data specifically pertain to cell phones

Now you don’t have to take my word for it. Here’s what Keith Alexander had to say about the claim Friday:

Responding to a question about recent reports that the NSA collects data on only 20% to 30% of calls involving U.S. numbers, Alexander acknowledged that the agency doesn’t have full coverage of those calls. He wouldn’t say what fraction of the calls NSA gets information on, but specifically denied that the agency is completely missing data on calls made with cell phones.

“That part is not true,” he said. “We don’t get it all. We don’t get 100% of the data. It’s not where we want it to be, but it has been sufficient to go after the key targets that we’re going after.” [my emphasis]

Admittedly, Alexander is not always entirely honest, so it’s possible he’s just trying to dissuade terrorists from using cellphones while the NSA isn’t tracking them. But he points to the same evidence I did — that NSA has gotten key targets who use cell phones.

There’s something else Alexander said that might better explain the slew of claims that it can’t collect cell phone data.

The NSA director, who is expected to retire within weeks, indicated that some of the gaps in coverage are due to the fact that the NSA “paused any changes to the program” during the recent controversy and discussions about restructuring the effort.

The NSA has paused changes to the program.

This echoes WaPo and WSJ reports that crises (they cited both the 2009 and current crisis) delayed some work on integrating cell data, but suggests that NSA was already making changes when the Snowden leaks started.

There is evidence the pause — or at least part of it — extends back to before the Snowden leak. As I reported last week, even though the NSA has had authority to conduct a new auto-alert on the phone dragnet since November 2012, they’ve never been able to use it because of technical reasons.

The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes.

This description actually came from DOJ, not the FISC, and I suspect the issue is rather that NSA has not solved some technical issues that would allow it to perform the auto-alert within the legal limits laid out by the FISC (we don’t know what those limits are because the Administration is withholding the Primary Order Supplement that would describe it, and redacting the description of the search itself in all subsequent orders).

That said, there are plenty of reasons to believe there are new reasons why NSA is having problems collecting cell phone data because it includes cell location, which is far different than claiming (abundant evidence to the contrary) they haven’t been collecting cell data all this time. In addition to whatever reason NSA decided to stop its cell location pilot in 2011 and the evolving understanding of how the US v. Jones decision might affect NSA’s phone dragnet program, 3 more things have happened since the beginning of the Snowden leaks:

  • On July 19, Claire Eagan specifically excluded the collection of cell site location information under the Section 215 authority
  • On September 1, NYT exposed AT&T’s Hemisphere program; not only might this give AT&T reason to stop collating such data, but if Hemisphere is the underlying source for AT&T’s Section 215 response, then it includes cell location data that is now prohibited
  • On September 2, Verizon announced plans to split from Vodaphone, which might affect how much of its data, including phone metadata, is available to NSA via GCHQ under the Tempora program; that change legally takes effect February 21

Remember, too, there’s a February 2013 FISC Section 215 opinion the Administration is also still withholding, which also might explain some of the “technical-meaning-legal” problems they’re having.

Underlying this all (and assuredly underlying the problems with collecting VOIP calls, which are far easier to understand and has been mentioned in some of this reporting, including the LAT story) is a restriction arising from using an ill-suited law like Section 215 to collect a phone dragnet: telecoms can only be obligated to turn over records they actually “already generate,” as described by NSA’s SID Director Theresa Shea.

[P]ursuant to the FISC’s orders, telecommunications service providers turn over to the NSA business records that the companies already generate and maintain for their own pre-existing business purposes (such as billing and fraud prevention).

To the extent telecoms use SS7 data, which includes cell location, to fulfill their Section 215 obligation (after all, what telecoms need billing records on a daily basis?), it probably does introduce problems.

Which, I suspect, will mean that Alexander and the rest of the dragnet defenders will recommend that a third party collate and store all this data, the worst of all solutions. They need to have a comprehensive source (like Hemisphere apparently plays for the DEA), one that will shield the government from necessarily having collected cell location data that is increasingly legally suspect to obtain. And they’ll celebrate it as a great sop to the civil libertarians, too, when in fact, they’ve probably reached the point where it is clear Section 215 can’t legally authorize what it is they want it to do.

The issue, more and more evidence suggests, is that they can’t collect the dragnet data without a law designed to construct the dragnet. Which is another way of saying the dragnet, as intended to function, is illegal.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Faulty Premise of the 30% Call Data Claims: Legal Limits on Geolocation Data

In this post, I suggested that reports (WSJ, WaPo) that NSA collects only 20 to 30% of US phone records probably don’t account for the records collected under authorities besides Section 215.

So why did WSJ, WaPo, LAT, and NYT all report on this story at once? Why, after 8 months in which the government has taken the heat for collecting all US call records, are anonymous sources suddenly selectively leaking stories claiming they don’t get (any, the stories suggest) cell data?

There’s a tall tale the stories collectively tell that probably explains it.

None of the stories really explain why NSA didn’t start collecting cell data from the start, when, after all, it got no legal review. Nor did they note that, according to this WSJ article which a few of them cited, NSA does get cell data from AT&T and Sprint. But the stories collectively provide two explanations for why — as cell phones came to dominate US telecommunications — NSA didn’t add them to their Section 215 collection (which remember, is different from not including them in their EO 12333 collection).

First, NSA was too busy responding to crises (their 2009 phone dragnet violations and the Snowden leaks) to integrate cell data.

WSJ:

The agency’s legal orders to U.S. phone companies don’t cover most cellphone records, a gap the NSA has been trying to address for years. The effort has been repeatedly slowed by other, more pressing demands, such as responding to criticisms from the U.S. court that oversees its operations, people familiar with the matter say.

WaPo:

Compounding the challenge, the agency in 2009 struggled with compliance issues, including what a surveillance court found were “daily violations of the minimization procedures set forth in [court] orders” designed to protect Americans’ call records that “could not otherwise have been legally captured in bulk.”

As a result, the NSA’s director, Gen. Keith Alexander, ordered an “end-to-end” review of the program, during which additional compliance incidents were discovered and reported to the court. The process of uncovering problems and fixing them took months, and the same people working to address the compliance problems were the ones who would have to prepare the database to handle more records.

The NSA fell behind, the former official said.

In June, the program was revealed through a leak of a court order to Verizon by former NSA contractor Edward Snowden, setting off an intense national debate over the wisdom and efficacy of bulk collection.

The same NSA personnel were also tasked to answer inquiries from congressional overseers and others about how the program and its controls worked. “At a time when you’re behind, it’s hard to catch up,” the former official said.

This claim is pretty ridiculous, given that we know (indeed, several of these reporters got selective leaks about this in October just before Keith Alexander admitted to it) NSA worked on geolocation from 2010 to 2011, which these reporters’ anonymous sources claim is the problem with cell data now. They were working on the problem, if indeed it was one.

The existence of that 2010 to 2011 pilot program also presents problems for the other explanation offered: that NSA is legally prohibited from receiving cell geolocation data.

WaPo:

Apart from the decline in land-line use, the agency has struggled to prepare its database to handle vast amounts of cellphone data, current and former officials say. For instance, cellphone records may contain geolocation data, which the NSA is not permitted to receive.

WSJ:

Moreover, the NSA has been stymied by how to remove location data—which is isn’t allowed to collect—from cellphone records collected in bulk, a U.S. official said.

[snip]

A key difficulty has been separating location data from cellphone records. NSA has an agreement with the secret Foreign Intelligence Surveillance court that it won’t collect location data from phones.

It is true that Alexander told Congress in October NSA would warn Congress and the FISC before they started collecting cell geolocation data again, but NSA still maintained it would be legal to do so.

And it is true that the intervening years since the pilot program, the Jones case presented challenges to the practice that even James Clapper admitted — back in 2012 — might force NSA to change its current practices (even while suggesting the rules were probably different for intelligence gathering as opposed to criminal investigation).

It’s also possible NSA’s delayed notice to Congress on its geolocation efforts — not even the House Judiciary Committee got notice before the Reauthorization of the PATRIOT Act in 2011 — has created problems for NSA’s collection of geolocation (and therefore, these stories claim, cell data).

Nevertheless, the record shows that DOJ and NSA believed the language of the existing Section 215 orders permitted NSA to collect cell location data at least through the end of 2011 and probably still believed it after Jones.

So that can’t be the explanation for why NSA hasn’t been collecting cell data (under Section 215, from Verizon and T-Mobile) all these years.

But the claim NSA is not permitted to collect geolocation data provides two of these stories reason to report that the purported legal prohibition on the collection of cell location has forced NSA to seek court orders for the cell data in question.

WaPo:

The government is taking steps to restore the collection — which does not include the content of conversations — closer to previous levels. The NSA is preparing to seek court orders to compel wireless companies that currently do not hand over records to the government to do so, said the current and former officials, who spoke on the condition of anonymity to discuss internal deliberations.

LAT:

The NSA aims to build the technical capacity over the next few years to collect toll records from every domestic land line and cellphone call, assuming Congress extends authority for Section 215 of the USA Patriot Act after it expires in June 2015.

Once the capacity is available, the agency would seek court orders to require telecommunications companies that do not currently deliver their records to the NSA to do so.

This is the point of these stories: to prepare us for the argument, in advance of next year’s PATRIOT Act reauthorization, that Section 215 must be expanded to include cell data these reporters claim NSA doesn’t collect (they imply, under any authority) now. NSA told these reporters a story about how meager its (Section 215-based) collection is to prepare for a debate that it needs to expand authority, not curtail it.

That said, even as obviously facetious as are the claims that NSA believed it was prohibited from collecting geolocation data even as it was doing so, there have been at least two intervening events, in addition to the Jones decision, that I suspect have changed NSA’s views on cell location data. These may explain why NSA is telling this tall tale now.

First, whereas before July 19, 2013 (indeed, for the entire period when it was testing cell location data), NSA had no guidance on whether Section 215 covered cell location, in July, in the wake of Snowden’s leaks, Claire Eagan explicitly excluded Cell Location Site Identifier information from the order (though that is not the only way to get cell location).

Furthermore, this Order does not authorize the production of cell site location information (CSLI).

That is, the Executive no longer operated at the full expanse of its authority on cell geolocation, because a court bound its authority, at least for Section 215 collection.

In addition, as of about two weeks ago and for the first time in 14 years, Verizon Wireless is no longer partially foreign owned. Verizon Wireless and Vodaphone announced plans to split up back in September and on January 28, the board approved the deal. The split will be final on February 21.

I suspect (this is speculation, but I will explain in a future post why my confidence on this point is very very high) that the reason NSA is telling this tall tale right now has nothing to do (as some of the stories suggested) with the fact that some of America’s key cell telecoms are partly foreign owned. Rather, I suspect any gap in cell data collection arises instead from the fact that the nation’s largest cell provider, Verizon, is no longer partly owned by a British company and therefore no longer subject to the collection agreements of GCHQ.

Say … am I really the only NSA beat writer who is wondering why it is taking ODNI so long to declassify the January 4 FISC reauthorization for the Section 215 dragnet as compared to the previous reauthorizations since the Snowden leak?

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

NSA’s Latest Claim: It Only Gets 30% of “Substantially All” the Hay in the Haystack

SIGINT and 215In December 2007, the FBI began intercepting MOALIN’s cell phone.

FBI search warrant affidavit seeking (among other things) additional cell phones, October 29, 2010

Yesterday, Siobhan Gorman reported that NSA’s “phone-data program” collects 20% or less of the phone data in the US. She explains that the program doesn’t collect cell phone data, and so has covered a decreasing percentage of US calls over the last several years.

The National Security Agency’s phone-data program, which has been at the center of controversy over the NSA’s surveillance operations, collects information from about 20% or less of all U.S. calls—much less than previously described by lawmakers.

The program had been described as collecting records on virtually every phone call placed in the U.S., but in fact, it doesn’t cover records for most cellphones, the fastest-growing sector in telephony and an area where the agency has struggled to keep pace, according to several people familiar with the program.

Ellen Nakashima’s report places the percentage between 20 and 30%, echoing Gorman’s claim about limits on cell data.

The actual percentage of records gathered is somewhere between 20 and 30 percent and reflects Americans’ increasing turn away from the use of land lines to cellphones. Officials also have faced technical challenges in preparing the NSA database to handle large amounts of new records without taking in data such as cell tower locations that are not authorized for collection.

[snip]

The bulk collection began largely as a land-line program, focusing on carriers such as AT&T and Verizon Business Network Services. At least two large wireless companies are not covered — Verizon Wireless and T-Mobile U.S., which was first reported by the Wall Street Journal.

Industry officials have speculated that partial foreign ownership has made the NSA reluctant to issue orders to those carriers. But U.S. officials said that was not a reason.

“They’re doing business in the United States; they’re required to comply with U.S. law,” said one senior U.S. official. “A court order is a court order.”

Rather, the official said, the drop in collection stems from several factors.

Apart from the decline in land-line use, the agency has struggled to prepare its database to handle vast amounts of cellphone data, current and former officials say. For instance, cellphone records may contain geolocation data, which the NSA is not permitted to receive.

These reports offer a more credible explanation than Geoffrey Stone’s multiple claims to this effect about why the program misses data. So they may be true.

But I think they instead point to the legal range of authorities NSA uses to collect phone records, not to what records they actually have in their possession.

These reports are commenting (though without specifying, or even seeming to be aware they need to specify) on what the government claims it collects under Section 215. These reports are not commenting on what NSA collects under all authorities.

In this post I will show why I believe these reports to be credible only in a very narrow sense. In a follow-up post I will point to the legal issues that underlie the Administration’s conflicting claims about what it collects.

Read more

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

When Judge Reggie Walton Disappeared the FBI Director: The Tell that FISC Wasn’t Following the Law

SEN. MIKULSKI: General Clapper, there are 36 different legal opinions.

DIR. CLAPPER: I realize that.

SEN. MIKULSKI: Thirty-six say the program’s constitutional. Judge Leon said it’s not.

Thirty-six “legal opinions” have deemed the dragnet legal and constitutional, its defenders say defensively, over and over again.

But that’s not right — not by a long shot, as ACLU’s Brett Max Kaufman pointed out in a post yesterday. In its report, PCLOB confirmed what I first guessed 4 months ago: the FISA Court never got around to writing an opinion considering the legality or constitutionality of the dragnet until August 29, 2013.

FISC judges, on 33 occasions before then, signed off on the dragnet without bothering to give it comprehensive legal review.

Sure, after the program had been reauthorized 11 times, Reggie Walton considered the more narrow question of whether the program violates the Stored Communications Act (I suspect, but cannot yet prove, that the government presented that question because of concerns raised by DOJ IG Glenn Fine). But until Claire Eagan’s “strange” opinion in August, no judge considered in systematic fashion whether the dragnet was legal or constitutional.

And the thing is, I think FISC judge — now Presiding Judge — Reggie Walton realized around about 2009 what they had done. I think he realized the program didn’t fit the statute.

Consider a key problem with the dragnet — another one I discussed before PCLOB (though I was not the first or only one to do so). The wrong agency is using it.

Section 215 does not authorize the NSA to acquire anything at all. Instead, it permits the FBI to obtain records for use in its own investigations. If our surveillance programs are to be governed by law, this clear congressional determination about which federal agency should obtain these records must be followed.

Section 215 expressly allows only the FBI to acquire records and other tangible things that are relevant to its foreign intelligence and counterterrorism investigations. Its text makes unmistakably clear the connection between this limitation and the overall design of the statute. Applications to the FISA court must be made by the director of the FBI or a subordinate. The records sought must be relevant to an authorized FBI investigation. Records produced in response to an order are to be “made available to,” “obtained” by, and “received by” the FBI. The Attorney General is directed to adopt minimization procedures governing the FBI’s retention and dissemination of the records it obtains pursuant to an order. Before granting a Section 215 application, the FISA court must find that the application enumerates the minimization procedures that the FBI will follow in handling the records it obtains. [my emphasis, footnotes removed]

The Executive convinced the FISA Court, over and over and over, to approve collection for NSA’s use using a law authorizing collection only by FBI.

Which is why I wanted to point out something else Walton cleaned up in 2009, along with watchlists of 3,000 Americans who had not received First Amendment Review. Judge Reggie Walton disappeared the FBI Director.

>>>Poof!<<<

Gone.

The structure of all the dragnet orders released so far (save Eagan’s opinion) follow a similar general structure:

  • An (unnumbered, unlettered) preamble paragraph describing that the FBI Director made a request
  • 3-4 paragraphs measuring the request against the statute, followed by some “wherefore” language
  • A number of paragraphs describing the order, consisting of the description of the phone records required, followed by 2 minimization paragraphs, the first pertaining to FBI and,
  • The second paragraph introducing minimization procedures for NSA, followed by a larger number of lettered paragraphs describing the treatment of the records and queries (this section got quite long during the 2009 period when Walton was trying to clean up the dragnet and remains longer to this day because of the DOJ oversight Walton required)

Here’s how the first three paragraphs looked in the first order and (best as I can tell) the next 11 orders, including Walton’s first order in December 2008:

An application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (the Act), Title 50, United States Code (U.S.C.), § 1861, as amended, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, the Court finds that:

1. The Director of the FBI is authorized to make an application for an order requiring the production of any tangible thing for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the First Amendment to the Constitution of the United States. [50 U.S.C. § 1861 (c)(1)]

2. The tangible things to be produced are all call-detail records or “telephone metadata” created by [the telecoms]. Telephone metadata includes …

[snip]

3. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12,333 to protect against international terrorism, … [my emphasis]

Here’s how the next order and all (released) following orders start [save the bracketed language, which is unique to this order]:

An verified application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (FISA), as amended, 50 U.S.C. § 1861, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, [as well as the government’s filings in Docket Number BR 08-13 (the prior renewal of the above-captioned matter),] the Court finds that:

1. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12333 to protect against international terrorism, …

That is, Walton took out the paragraph — which he indicated in his opinion 3 months earlier derived from the statutory language at 50 U.S.C. § 1861 (c)(1) — pertaining to the FBI Director. The paragraph always fudged the issue anyway, as it doesn’t discuss the FBI Director’s authority to obtain this for the NSA. Nevertheless, Walton seems to have found that discussion unnecessary or unhelpful.

Walton’s March 5, 2009 order and all others since have just 3 statutory paragraphs, which basically say:

  1. The tangible things are relevant to authorized FBI investigations conducted under EO 12333 — Walton cites 50 USC 1861 (c)(1) here
  2. The tangible things could be obtained by a subpoena duces tecum (50 USC 1861 (c)(2)(D)
  3. The application includes an enumeration of minimization procedures — Walton doesn’t cite statute in this May 5, 2009 order, but later orders would cite 50 USC 1861 (c)(1) again

Here’s what 50 USC 1861 (c)(1), in its entirety, says:

(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.

And here are two key parts of subsections (a) and (b) — in addition to “relevant” language that has always been included in the dragnet orders.

(a) Application for order; conduct of investigation generally

(1) Subject to paragraph (3), the Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things

[snip]

(2) shall include—

[snip]

(B) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

FBI … FBI … FBI.

The language incorporated in 50 USC 1861 (c)(1) that has always been cited as the standard judges must follow emphasizes the FBI repeatedly (PCLOB laid out that fact at length in their analysis of the program). And even Reggie Walton once admitted that fact.

And then, following his lead, FISC stopped mentioning that in its statutory analysis altogether.

Eagan didn’t even consider that language in her “strange” opinion, not even when citing the passages (here, pertaining to minimization) of Section 215 that directly mention the FBI.

Section 215 of the USA PATRIOT Act created a statutory framework, the various parts of which are designed to ensure not only that the government has access to the information it needs for authorized investigations, but also that there are protections and prohibitions in place to safeguard U.S. person information. It requires the government to demonstrate, among other things, that there is “an investigation to obtain foreign intelligence information … to [in this case] protect against international terrorism,” 50 U.S.C. § 1861(a)(1); that investigations of U.S. persons are “not conducted solely upon the basis of activities protected by the first amendment to the Constitution,” id.; that the investigation is “conducted under guidelines approved by the Attorney General under Executive Order 12333,” id. § 1861(a)(2); that there is “a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant” to the investigation, id. § 1861(b)(2)(A);14 that there are adequate minimization procedures “applicable to the retention and dissemination” of the information requested, id. § 1861(b)(2)(B); and, that only the production of such things that could be “obtained with a subpoena duces tecum” or “any other order issued by a court of the United States directing the production of records” may be ordered, id. § 1861(c)(2)(D), see infra Part III.a. (discussing Section 2703(d) of the Stored Communications Act). If the Court determines that the government has met the requirements of Section 215, it shall enter an ex parte order compelling production.

This Court must verify that each statutory provision is satisfied before issuing the requested Orders. For example, even if the Court finds that the records requested are relevant to an investigation, it may not authorize the production if the minimization procedures are insufficient. Under Section 215, minimization procedures are “specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” Id. § 1861(g)(2)(A)

Reggie Walton disappeared the FBI Director as a statutory requirement (he retained that preamble paragraph, the nod to authorized FBI investigations, and the perfunctory paragraph on minimization of data provided from NSA to FBI) on March 5, 2009, and he has never been heard from in discussions of the FISC again.

Now I can imagine someone like Steven Bradbury making an argument that so long as the FBI Director actually signed the application, and so long as the FBI had minimization procedures for the as few as 16 tips they receive from the program in a given year, it was all good to use an FBI statute to let the NSA collect a dragnet potentially incorporating all the phone records of all Americans. I can imagine Bradbury pointing to the passive construction of that “things to be made available” language and suggest so long as there were minimization procedures about FBI receipt somewhere, the fact that the order underlying that passive voice was directed at the telecoms didn’t matter. That would be a patently dishonest argument, but not one I’d put beyond a hack like Bradbury.

The thing is, no one has made it. Not Malcolm Howard in the first order authorizing the dragnet, not DOJ in its request for that order (indeed, as PCLOB pointed out, the application relied heavily on Keith Alexander’s declaration about how the data would be used). The closest anyone has come is the white paper written last year that emphasizes the relevance to FBI investigations.

But no one I know of has affirmatively argued that it’s cool to use an FBI statute for the NSA. In the face of all the evidence that the dragnet has not helped the FBI thwart a single plot — maybe hasn’t even helped the FBI catch one Somali-American donating less than $10,000 to al-Shabaab, as they’ve been crowing for months — FBI Director Jim Comey has stated to Congress that the dragnet is useful to the FBI primarily for agility (though the record doesn’t back Comey’s claim).

Which leaves us with the only conclusion that makes sense given the Executive’s failure to prove it is useful at all: it’s not the FBI that uses it, it’s NSA. They don’t want to tell us how the NSA uses it, in part, because we’ll realize all their reassurances about protections for Americans fall flat for the millions of Americans who are 3 degrees away from a potential suspect.

But they also don’t want to admit that it’s the NSA that uses it, because then it’ll become far more clear how patently illegal this program has been from the start.

Better to just disappear the FBI Director and hope no one starts investigating the disappearance.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Phone Metadata Program Metadata

ODNI released a bunch of the remaining phone dragnet primary orders (and amendments) here. I will have more to say about this later. Of particular note, though, they seem to be withholding the BR 09-15 primary order, which was right in the middle of PATRIOT reauthorization, when NSA kept disseminating results in violation of Reggie Walton’s orders.

  1. Howard, Malcolm BR 06-05 (5/24/06)
  2. Howard, Malcolm BR 06-08 (8/18/06)
  3. Scullin, Frederick, BR 06-12 (11/15/06)
  4. Broomfield, Robert, BR 07-04 (2/02/07)
  5. Gorton, Nathaniel, BR 07-10 (5/03/07)
  6. Gorton, Nathaniel, BR 07-14 (7/23/07)
  7. Vinson, Roger, BR 07-16 (10/18/07)
  8. Howard, Malcolm, BR 08-01 (1/?/08)
  9. Kollar-Kotelly, Colleen, BR 08-04 (4/3/08)
  10. Zagel, James, BR 08-07 (6/26/08)
  11. Zagel, James, BR 08-08 (8/19/08) [or 9/19/08]
  12. Walton, Reggie, BR 08-13 (12/12/08)
  13. Walton, Reggie, BR 09-01 (3/5/09)
  14. Walton, Reggie, BR 09-06 (5/29/09)
  15. Walton, Reggie (?) BR 09-09 (7/8/09) [see also]
  16. Walton, Reggie, BR 09-13 (9/3/09)
  17. Walton, Reggie (?) BR 09-15 (10/30/09) [See also]
  18. Walton, Reggie (?) BR 09-19 [see also]
  19. Walton, Reggie, BR 10-10 (2/26/10)
  20. Walton, Reggie, BR 10-17 (5/14/10)
  21. Walton, Reggie, BR 10-49 (8/04/10)
  22. Walton, Reggie, BR 10-70 (10/29/10)
  23. Bates, John, BR, 11-07 (1/20/11)
  24. Feldman, Martin, BR 11-57 (4/13/11)
  25. Bates, John, BR 11-107 (6/22/11)
  26. ~9/20/11?
  27. BR-11-191 [see also]
  28. ~1/29/12?
  29. ~4/29/12?
  30. ~7/28/12?
  31. ~10/26/12?
  32. ~1/25/13?
  33. Vinson, Roger, BR 13-80, (4/25/13)
  34. Eagan, Claire, BR 13-109, (7/18/13)
  35. McLaughlin, Mary, BR 13-158 (10/11/13)
  36. 1/3/14

1/19: Updated to add the 7/9/09 order and BR 09-19.

1/20: There is one more missing primary order. In an NSA declaration dated November 12, SID Director Theresa Shea said there had been 34 approvals. As shown above, the McLaughlin order is the 33rd of identified orders.

1/26: I think I’ve corrected all the date errors I originally hate (the date stamp is not all that accurate). For the 2011-2013 dates, I’ve worked backwards of the 4/25/13 order.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Robert Litt and Mike Rogers KNOW Congress Hasn’t Ratified the Phone Dragnet

WaPo has a biting profile of Robert Litt, ODNI’s General Counsel who made one more failed attempt to rationalize James Clapper’s lies to Congress last week.

One of the most newsworthy bits is that WaPo published the name of Alfreda Frances Bikowsky, the analyst who got Khaled el-Masri kidnapped and tortured by mistake, for the first time.

A far more subtle but equally important detail comes in its description of why House Intelligence Chair Mike Rogers banned Litt from appearing before the Committee last summer.

Some lawmakers have found Litt’s manner off-putting at best. Rogers, the chairman of the House Intelligence Committee, made clear to the DNI’s office last summer that Litt was no longer welcome before his panel.

“The committee has not found Bob to be the most effective witness to explain complex legal and policy issues,” said a U.S. government official familiar with the falling-out. Rogers was also bothered that Litt faulted the committee for not doing more to share information about the surveillance programs with other members, unaware that doing so would have violated committee rules. [my emphasis]

For what it’s worth, I suspect Rogers is not worried as much about Litt’s honesty (Rogers hasn’t objected to James Clapper or Keith Alexander’s lies, for example, and has himself been a key participant in sustaining them), but rather, for his usual candor and abrasiveness, which the article also shows inspiring members of Congress to want to repeal the dragnet. Litt couches his answers in legalese, but unlike most IC witnesses, you can often parse it to discern where the outlines of truth are.

But I am acutely interested that Litt blames Rogers for not “doing more to share information about the surveillance programs with other members.”

That refers, of course, to Rogers’ failure to make the Administration’s notice on the phone dragnet available to members in 2011, before the PATRIOT Reauthorization. As a result of that, 65 Congressmen voted to reauthorize the PATRIOT Act without full notice (perhaps any formal notice) of the phone dragnet — a sufficiently large block to make the difference in the vote. In spite of that fact, the Administration and even FISA Judges have repeatedly pointed to Congress’ reauthorization of the phone dragnet to explain why it’s legal even though it so obviously exceeds the intent of the Section 215 as passed.

Apparently Litt blames Rogers for that. And doing so got him banished from the Committee.

Frankly, Litt is right in this dispute. Rogers’ excuse that committee rules prevented him from sharing the letter the Administration stated they wanted to be shared with the rest of Congress rings hollow, given that just one year earlier, Silvestre Reyes did make the previous letter available. If committee rules prevent such a thing, they are Rogers’ committee rules, and they were fairly new at the time. (Ironically, by imposing those rules, Rogers prevented members of his own party, elected with strong Tea Party backing, from learning about intelligence programs, though he may have just imposed the rules to increase the value of his own special access.)

So it is Rogers’ fault the Administration should not be able to claim Congress ratified the FISA Court’s expansive understanding of Section 215.

And Rogers and Litt’s spat about it make it clear they both know the significance of it: claims of legislative ratification fail because Congress did not, in fact, know what they were voting on, at least in 2011.

Unsurprisingly, that has not prevented the Administration from making that claim. Litt himself made a variety of it before PCLOB in November, months after he had this fight with Rogers.

[NSA General Counsel Raj] DE: So in other words, and some of this is obviously known to you all but just to make sure members of the public are aware, not only was this program approved by the Foreign Intelligence Surveillance Court every 90 days, it was twice, the particular provision was twice re-authorized by Congress with full information from the Executive Branch about the use of the provision.

[snip]

MR. LITT: I just want to add one very brief comment to Raj’s in terms of the extent to which Congress was kept informed. By statute we’re required to provide copies of significant opinion and decisions of the FISC to the Intelligence and Judiciary Committees of both Houses of Congress and they got the materials relating to this program, as we were required to by law.

Now, Litt’s intejection here is particularly interesting. He doesn’t correct De. He shifts the claim somewhat, to rely on Judiciary and Intelligence Committee notice. But even there, his claim fails, given that the Administration did not provide all relevant opinions to those Committees until after the first dragnet reauthorization in 2010. Litt probably thinks that’s okay because he didn’t qualify when Congress got the materials.

But it’s still a blatant lie, according to the public record.

More significantly, the Administration repeated that lie to both the FISC and, more significantly still, the 3 Article III Judges presiding over challenges to the dragnet generally.

The Administration keeps running around, telling everyone who is obligated to listen that Congress has ratified their expansive interpretation of the phone dragnet. It’s not true. And the fact that Litt and Rogers fought — way back in the summer — over who is responsible makes it clear they know it’s not true.

But they still keep saying it.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Judge Pauley’s Deliberate Blind Spot: Systematic Section 215 Abuses

Sorry for my silence of late, particularly regarding William Pauley’s ruling finding the phone dragnet legal. The good news is my mom can now reach the light switch in her sewing room without risk of falling.

As noted, Judge Pauley ruled against the ACLU in their suit challenging the phone dragnet. A number of commentators have pointed to some bizarre errors or focus in Pauley’s ruling, including,

  • Pauley says the government could not find the “gossamer threads” of terrorist plotters leading up to 9/11. They did find them. They simply didn’t act appropriately with them.
  • He unquestioningly considers the 3 uses of Section 215 (with Zazi, Headley, and Ouazzani) proof that it is effective. He does not note that even Keith Alexander has admitted it was only critical in one case, one not even mentioned in the government’s filings in this case.
  • He ignores the role of the Executive in willingly declassifying many details this program, instead finding it dangerous to allow the ACLU to sue based on an unauthorized leak. The government has actually been very selective about what Snowden-leaked programs they’ve declassified, almost certainly to protect even more problematic programs from legal challenge.
  • He claims Congress has renewed Section 215 7 times (including 2001, it was renewed it 5 times).
  • He claims there is no doubt the Intelligence and Judiciary Committees knew about the rulings underlying the program in spite of the fact that some rulings were not provided until after Section 215 was renewed; he admits that the limits on circulation of notice in 2011 was “problematic” but asserts the Executive met its statutory requirements (he doesn’t deal with the evidence in the record that the Executive Branch lied in briefings about the conduct of the dragnet).

There are also Pauley’s claims about the amount of data included — he says the government collects all phone metadata; they say NSA collects far less data. This is a more complicated issue which I’ll return to, though maybe not until the New Year.

But I’m most interested in the evidence Pauley points to to support his claim that the FISC (and Congress) conduct adequate oversight over this program. He points to John Bates’ limits to the government’s intentional collection of US person data via upstream collection rather than Reggie Walton’s limits to Section 215 abuses.

For example, in 20011, FISC Judge Bates engaged in a protracted iterative process with the Government–over the Government’s application for reauthorization of another FISA collection program. That led to a complete review of that program’s collection and querying methods.

He then immediately turns to Claire Eagan’s opinion reiterating that the government had found and dealt with abuses of the phone dragnet program.

In other words, for some bizarre reason he introduces a series of rulings pertaining to Section 702 — and not to Section 215 — to support his argument that the government can regulate this Section 215 collection adequately.

It’s particularly bizarre given that we have far more documents showing the iterative process that took place in 2009 pertaining directly to the phone dragnet. Why even mention the Bates rulings on upstream collection when there are so many Reggie Walton ones pertaining directly to Section 215?

I suspect this is because Pauley relies so heavily on the adequacy of the minimization procedures imposed by the FISC, as when he cites Claire Eagan’s problematic opinion to claim that without adequate minimization procedures, FISC would not approve Section 215 phone dragnet orders.

Without those minimization procedures, FISC would not issue any section 215 orders for bulk telephony metadata collection.

(Note, Pauley doesn’t note that the government has not met the terms of the Section 215 itself with regards to minimization procedures, which among other things would require an analysis of the NSA using a statute written for the FBI.)

The only way Pauley can say the limits he points to in his analysis — that NSA can only analyze 3 hops deep, that FBI only gets summaries of the queries, that every query got approved for RAS — is if he ignores that for the first 3 years of the program, all of these claims were false.

He uses similar analysis to dismiss concerns about the power of metadata.

But [ACLU’s contention that the government could use metadata analysis to learn sensitive details about people] is at least three inflections from the Government’s bulk telephony metadata collection. First, without additional legal justification–subject to rigorous minimization procedures–the NSA cannot even query the telephony metadata database. Second, when it makes a query, it only learns the telephony metadata of the telephone numbers within three “hops” of the “seed.” Third, without resort to additional techniques, the Government does not know who any of the telephone numbers belong to.

These last assertions are all particularly flawed. Not only have these minimization procedures failed in the past, not only has the government been able to go four hops deep in the past (which could conceivably include all Americans in a query), not only is there abundant evidence — which I’ll lay out in a future post — that the government does know the identities of at least some of those whom it is chaining, but there are two ways the government accesses this data for which none of this is true: when “data integrity analysts” fiddle with the data to prepare it for querying, and when it is placed in the “corporate store” and analyzed further.

All the claims about minimization Pauley uses to deem this program legal have big big problems.

The NSA conducted a fraud on the FISC for 3 years (and still is, to the extent they claim the violations under the program arose from complexity rather than their insistence on adopting all the practices used under the illegal program for the FISC-authorized program). Yet Pauley points to the FISC to dismiss any Constitutional concerns with this program.

And to do that, he ignores the abundant evidence that all his claims have been — and may still be, in some cases — false.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The John Bates Internet Metadata Opinion Probably Dates to July 2010

I’ve seen a lot of outright errors in the reporting on the John Bates opinion authorizing the government to restart the Internet metadata program released on Monday.

Bates’ opinion was likely written in July 2010.

We know it had to have been written before October 3, 2011, because Bates’ opinion of that date cites this one (page 17 footnote 15). It was almost certainly written before May 2, 2011, because that’s when the government “clarified” its upstream production included US person content, which was likely a response to this opinion.

According to Claire Eagan, it was written in 2010; this quotation from Eagan’s opinion cites page 73 of this opinion (though she leaves out one word — “analytic” — from this quotation).

As this Court noted in 2010, the “finding of relevance most crucially depended on the conclusion that bulk collection is necessary for NSA to employ [analytic] tools that are likely to generate useful investigative leads to help identify and track terrorist operatives.”

It had to have been written after June 21, 2010 and probably dates to between June 21 and July 23, 2010, because page 92 footnote 78 cites Holder v. HLP (which was released on June 21), but uses a “WL” citation; by July 23 the “S. Ct.” citation was available. (h/t to Document Exploitation for this last observation).

So: it had to have been written between June 21, 2010 and October 3, 2011, but was almost certainly written sometime in the July 2010 timeframe.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Colleen Kollar-Kotelly Ate the Serpent’s Fruit of Judicial “Oversight” in Lieu of Law

Sometime next week, I will have a post on what known documents the government chose not to release in yesterday’s dump — a significant chunk, for example, almost certainly show how the dragnet programs are tied inextricably to the content programs.

But for now, we’re getting increased clarity on the phone and Internet dragnet program.

One thing that seems clear is that there is no opinion authorizing the phone dragnet, as I suggested two months ago.

What passes as the government’s application for the phone dragnet — it is described as “Production to Congress of a May 23, 2006 Government Memorandum of Law,” but for a number of reasons, I have my doubts we’ve gotten even precisely that, which I’ll lay out at a future time — is dated May 23, 2006, the day before Malcom Howard approved the application. That doesn’t leave time for Howard to have written a fulsome opinion on the practice (and indeed, the timing makes me wonder whether this was approved because of urgent legal deadlines facing the telecoms). [Update: And when John Bates cites the “precedent” in his June-July 2010 opinion (75) he doesn’t cite an opinion.]

And the application makes it clear it relies on Kollar-Kotelly’s opinion as its legal justification. The first instance of doing so, tellingly, makes it clear FISC approval is designed primarily to give legal sanction for the program, not to assess whether the program actually is legal.

The Application is completely consistent with this Court’s ground breaking and innovative decision [redacted] in [redacted]. In that case, the Court authorized the installation and use of pen registers and trap and trace devices to collect bulk e-mail metadata [redacted]. The Court found that all of “the information likely to be obtained” from such collection is “relevant to an ongoing investigation to protect against international terrorism.” 50 U.S.C. § 1842(c)(2); [redacted] 25-54. The Court explained that “the bulk collection of meta data–i.e., the collection of both a huge volume and high percentage of unrelated communications–is necessary to identify the much smaller number of [redacted] communications.” Id. at 49. Moreover, as was the case in [redacted], this Application promotes both the twin goals of FISA: facilitating the foreign-intelligence collection needed to protect American lives while at the same time providing judicial oversight to safeguard American freedoms.

Let’s pause and reflect on this point for a moment.

We can now say with some certainty that a great many dragnet applications stem from the Kollar-Kotelly opinion. That’s because we have almost certainly identified the two opinions named in Claire Eagan’s opinion from earlier this year.

This Court has previously examined the issue of relevance for bulk collections. See [6 lines redacted]

While those involved different collections from the one at issue here, the relevance standard was similar. See 50 U.S.C. § 1842(c)(2) (“[R]elevant to an ongoing investigation to protect against international terrorism …. “). In both cases, there were facts demonstrating that information concerning known and unknown affiliates of international terrorist organizations was contained within the non-content metadata the government sought to obtain. As this Court noted in 2010, the “finding of relevance most crucially depended on the conclusion that bulk collection is necessary for NSA to employ tools that are likely to generate useful investigative leads to help identify and track terrorist operatives.”

An earlier reference in Eagan quotes the Kollar-Kotelly opinion directly (and the page number lines up), and while I have not found the citation from this passage in the Bates opinion also released yesterday yet (I think it may appear in the redactions on page 76), that opinion discusses relevance at length and was clearly written between 2009 and 2011. [Update: the quote appears to be a rough transcription of Bates’ cherry picked quote from Kollar-Kotelly that appears on page 9. Update 2: The quote comes from page 73, which is Bates’ own transcription of his citation of K-K, but Eagan missed the word “analytic” before tools.]

[Update] Another thing suggests the Bates opinion dates to 2010. The language in the December 2009 notice to Congress suggests ongoing problems, and includes the Internet metadata problems, whereas the February 2011 notice includes far more redacted discussion (yet still treats an active Internet metadata program.

In addition, we know from the geolocation materials that the government didn’t get an opinion dedicated to that application before they started.

DOJ advised in February 2010 that obtaining the data for the described testing purposes was permissible based upon the current language of the Court’s BR FISA order requiring the production of’ all ca11 detail records.’ It is our understanding that DOJ also orally advised the FISC, via its staff, that we had obtained a limited set of test data sampling of cellular mobility data (cell site location information) pursuant to the Court-authorized program and that we were exploring the possibility of acquiring such mobility data under the BR FISA program in the near future based upon the authority currently granted by the Court.

There are 2004, 2006, 2008, 2010, and 2013 opinions that relate to Section 215 (and, I suspect, other activities as well; updated with typo fixed). But at the very least, Kollar-Kotelly’s opinion authorized gathering substantially all the phone and (by 2010) Internet metadata in the country, as well as (starting in 2010) some subset of geolocation data).

Kollar-Kotelly, then, is the primary analysis the government has always relied on to construct maps charting the relationships of every American.

Which is why I find it so troubling that the application here is unashamed that the point of the opinion is not to assess the legality of a practice, but instead to “provid[e] judicial oversight to safeguard American freedoms.” (Side note: these opinions argue these practices are “necessary” to protect American lives, but the phone dragnet has never once done so, as far as we know, and the government has since purportedly canceled the Internet dragnet program because it was unnecessary, though that is almost certainly a lie.)

Guaranteeing the government doesn’t violate the Constitution was supposed to safeguard American freedoms. But with the Kollar-Kotelly opinion and all that follows from it, impotent oversight has came to substitute for defending the Constitution.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.