Posts

Dan Coats Still Refusing to Provide the Evidence that Russia Didn’t Affect the Election

Last month, I noted a troubling exchange between Martin Heinrich, Dan Coats, and Richard Burr in the Global Threats Hearing.

Martin Heinrich then asked Coats why ODNI had not shared the report on election tampering even with the Senate Intelligence Committee.

Heinrich: Director Coats, I want to come back to you for a moment. Your office issued a statement recently announcing that you had submitted the intelligence community’s report assessing the threats to the 2018 mid-term elections to the President and to appropriate Executive Agencies. Our committee has not seen this report. And despite committee requests following the election that the ODNI brief the committee on any identified threats, it took ODNI two months to get a simple oral briefing and no written assessment has yet been provided. Can you explain to me why we haven’t been kept more fully and currently informed about those Russian activities in the 2018–

Chairman Richard Burr interrupts to say that, in fact, he and Vice Chair Mark Warner have seen the report.

Burr: Before you respond, let me just acknowledge to the members that the Vice Chairman and I have both been briefed on the report and it’s my understanding that the report at some point will be available.

Coats then gives a lame excuse about the deadlines, 45 days, then 45 days.

Coats: The process that we’re going through are two 45 day periods, one for the IC to assess whether there was anything that resulted in a change of the vote or anything with machines, uh, what the influence efforts were and so forth. So we collected all of that, and the second 45 days — which we then provided to the Chairman and Vice Chairman. And the second 45 days is with DHS looking, and DOJ, looking at whether there’s information enough there to take — to determine what kind of response they might take. We’re waiting for that final information to come in.

After Coats dodges his question about sharing the report with the Committee, Heinrich then turns to Burr to figure out when they’re going to get the information. Burr at least hints that the Executive might try to withhold this report, but it hasn’t gotten to that yet.

Heinrich: So the rest of us can look forward — so the rest of us can then look forward to reading the report?

Coats: I think we will be informing the Chairman and the Vice Chairman of that, of their decisions.

Heinrich: That’s not what I asked. Will the rest of the Committee have access to that report, Mr. Chairman?

[pause]

Heinrich: Chairman Burr?

Burr: Well, let me say to members we’re sort of in unchartered ground. But I make the same commitment I always do, that anything that the Vice Chairman and myself are exposed to, we’ll make every request to open the aperture so that all members will be able to read. I think it’s vitally important, especially on this one, we’re not to a point where we’ve been denied or we’re not to a point that negotiations need to start. So it’s my hope that, once the final 45-day window is up that is a report that will be made available, probably to members only.

Coming as it did in a hearing where it became clear that Trump’s spooks are helpless in keeping Trump from pursuing policies that damage the country, this exchange got very little attention. But it should!

DOJ missed its 45 day plus 45 day deadline of reporting whether any election tampering had had an effect. But just by one day. The day after their deadline, the Big Dick Toilet Salesman Matt Whitaker and serial liar Kirstjen Nielsen gave Trump a report claiming that any tampering had not had any impact on the election.

Although the specific conclusions within the joint report must remain classified, the Departments have concluded there is no evidence to date that any identified activities of a foreign government or foreign agent had a material impact on the integrity or security of election infrastructure or political/campaign infrastructure used in the 2018 midterm elections for the United States Congress. This finding was informed by a report prepared by the Office of the Director of National Intelligence (ODNI) pursuant to the same Executive Order and is consistent with what was indicated by the U.S. government after the 2018 elections.

While the report remains classified, its findings will help drive future efforts to protect election and political/campaign infrastructure from foreign interference.

Then, today, CyberComm boasted that they had helped deter Russia during the midterms.

Senators from both political parties on Thursday praised the military’s cyber force for helping secure last year’s midterm elections, with one suggesting it was largely due to U.S. Cyber Command that the Russians failed to affect the 2018 vote.

“Would it be fair to say that it is not a coincidence that this election went off without a hitch and the fact that you were actively involved in the protection of very important infrastructure?” Sen. Mike Rounds (R-S.D.) asked Gen. Paul Nakasone, the command’s leader, at a hearing of the Senate Armed Services Committee.

Military officials have said new authorities, approved over the last year, enabled CyberCom to be more aggressive — and effective — in what they privately say was an apparent success. Nakasone, who also heads the National Security Agency, stopped short of saying it was CyberCom that made the difference, telling Rounds that safeguarding the election was the agencies’ “number-one priority.”

But ODNI is still not providing SSCI — the people who are supposed to see such evidence — proof. Heinrich wrote Dan Coats a letter, signed by every member of SSCI,

Your office issued a statement in December that you had submitted the Intelligence Committee’s report assessing threats to the 2018 elections to the president and appropriate executive agencies. This month, the acting Attorney General and the Secretary of Homeland Security announced they had submitted their joint report evaluating the impact of any foreign interference on election infrastructure for the infrastructure of political organizations during the midterm elections.

While the agencies provided brief unclassified summaries of the reports’ findings, the Select Committee on Intelligence has not been provided either report. We request that you provide to all Committee Members and cleared staff both classified reports required by EO 13848 as soon as possible. Those reports are necessary for the Committee to meet its mission and charter to conduct vigorous oversight over the intelligence and intelligence-related activities of the United States Government.

They’re clearly hiding something. The question is whether it’s that Trump didn’t try to prevent tampering, or that some of the efforts — including the known effort to hack Claire McCaskill — actually did have an effect.

45 Days Plus 45 Days: Is Trump Violating His Own Election Tampering Executive Order?

As I noted last week, along with all the issues on which Trump’s top spooks clearly disagreed with him at last week’s Worldwide Threat Assessment hearing, there was also a remarkable exchange regarding a report mandated by a Trump Executive Order on election interference last year. Effectively, it became clear that the Director of National Intelligence doesn’t want to brief the Intelligence Committee on whether Russia interfered with last year’s election.

Martin Heinrich: Director Coats, I want to come back to you for a moment. Your office issued a statement recently announcing that you had submitted the intelligence community’s report assessing the threats to the 2018 mid-term elections to the President and to appropriate Executive Agencies. Our committee has not seen this report. And despite committee requests following the election that the ODNI brief the committee on any identified threats, it took ODNI two months to get a simple oral briefing and no written assessment has yet been provided. Can you explain to me why we haven’t been kept more fully and currently informed about those Russian activities in the 2018–

Richard Burr: Before you respond, let me just acknowledge to the members that the Vice Chairman and I have both been briefed on the report and it’s my understanding that the report at some point will be available.

Dan Coats: The process that we’re going through are two 45 day periods, one for the IC to assess whether there was anything that resulted in a change of the vote or anything with machines, uh, what the influence efforts were and so forth. So we collected all of that, and the second 45 days — which we then provided to the Chairman and Vice Chairman. And the second 45 days is with DHS looking, and DOJ, looking at whether there’s information enough there to take — to determine what kind of response they might take. We’re waiting for that final information to come in.

Heinrich: So the rest of us can look forward — so the rest of us can then look forward to reading the report?

Coats: I think we will be informing the Chairman and the Vice Chairman of that, of their decisions.

Heinrich: That’s not what I asked. Will the rest of the Committee have access to that report, Mr. Chairman?

[pause]

Heinrich: Chairman Burr?

Burr: Well, let me say to members we’re sort of in unchartered ground. But I make the same commitment I always do, that anything that the Vice Chairman and myself are exposed to, we’ll make every request to open the aperture so that all members will be able to read. I think it’s vitally important, especially on this one, we’re not to a point where we’ve been denied or we’re not to a point that negotiations need to start. So it’s my hope that, once the final 45-day window is up that is a report that will be made available, probably to members only.

The reporting requirements come from this language:

Section 1. (a) Not later than 45 days after the conclusion of a United States election, the Director of National Intelligence, in consultation with the heads of any other appropriate executive departments and agencies (agencies), shall conduct an assessment of any information indicating that a foreign government, or any person acting as an agent of or on behalf of a foreign government, has acted with the intent or purpose of interfering in that election. The assessment shall identify, to the maximum extent ascertainable, the nature of any foreign interference and any methods employed to execute it, the persons involved, and the foreign government or governments that authorized, directed, sponsored, or supported it. The Director of National Intelligence shall deliver this assessment and appropriate supporting information to the President, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, and the Secretary of Homeland Security.

(b) Within 45 days of receiving the assessment and information described in section 1(a) of this order, the Attorney General and the Secretary of Homeland Security, in consultation with the heads of any other appropriate agencies and, as appropriate, State and local officials, shall deliver to the President, the Secretary of State, the Secretary of the Treasury, and the Secretary of Defense a report evaluating, with respect to the United States election that is the subject of the assessment described in section 1(a):

(i) the extent to which any foreign interference that targeted election infrastructure materially affected the security or integrity of that infrastructure, the tabulation of votes, or the timely transmission of election results; and

(ii) if any foreign interference involved activities targeting the infrastructure of, or pertaining to, a political organization, campaign, or candidate, the extent to which such activities materially affected the security or integrity of that infrastructure, including by unauthorized access to, disclosure or threatened disclosure of, or alteration or falsification of, information or data.

The report shall identify any material issues of fact with respect to these matters that the Attorney General and the Secretary of Homeland Security are unable to evaluate or reach agreement on at the time the report is submitted. The report shall also include updates and recommendations, when appropriate, regarding remedial actions to be taken by the United States Government, other than the sanctions described in sections 2 and 3 of this order.

And if DOJ and Homeland Security do find someone tampered with the country, Trump’s own Executive Order requires harsh sanctions on the perpetrators.

Sec. 2. (a) All property and interests in property that are in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person of the following persons are blocked and may not be transferred, paid, exported, withdrawn, or otherwise dealt in: any foreign person determined by the Secretary of the Treasury, in consultation with the Secretary of State, the Attorney General, and the Secretary of Homeland Security:

(i) to have directly or indirectly engaged in, sponsored, concealed, or otherwise been complicit in foreign interference in a United States election;

(ii) to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any activity described in subsection (a)(i) of this section or any person whose property and interests in property are blocked pursuant to this order; or

(iii) to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person whose property or interests in property are blocked pursuant to this order.

The Executive Order was a transparent attempt to stave off similar language in the Intelligence Authorization last year.

Today is — by my count — the end of that second 45 day period (or 90 days total from the end of the election). So Trump’s Administration should be deciding today whether — just as one example — the Russian attempt to hack Claire McCaskill was more successful than she apparently knew and whether, according to his own Executive Order, Trump now has to impose sanctions on Russia for trying.

Last week’s report actually envisioned Russia attempting to manipulate data, which might explain the sensitivity around this report.

Russia’s social media efforts will continue to focus on aggravating social and racial tensions, undermining trust in authorities, and criticizing perceived anti-Russia politicians. Moscow may employ additional influence toolkits—such as spreading disinformation, conducting hack-and-leak operations, or manipulating data—in a more targeted fashion to influence US policy, actions, and elections.

Alternately, Trump’s Administration knows the Russians tried to help him again in the mid-term elections but doesn’t want to do what they’ve promised to do in response.

Update: Big Dick Toilet Salesman Matt Whitaker and DHS Secretary Kirstjen Nielsen say that Trump doesn’t have to sanction Russia for hacking Claire McCaskill and others last year because the report they won’t even share with the Senate Intelligence Committee says Russia’s tampering had no impact on the election.

Although the specific conclusions within the joint report must remain classified, the Departments have concluded there is no evidence to date that any identified activities of a foreign government or foreign agent had a material impact on the integrity or security of election infrastructure or political/campaign infrastructure used in the 2018 midterm elections for the United States Congress. This finding was informed by a report prepared by the Office of the Director of National Intelligence (ODNI) pursuant to the same Executive Order and is consistent with what was indicated by the U.S. government after the 2018 elections.

While the report remains classified, its findings will help drive future efforts to protect election and political/campaign infrastructure from foreign interference.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Jack Goldsmith and Susan Hennessey Run Cover for Those Giving Jeff Sessions Unreviewable Authority to Criminalize Dissent

I’m used to Susan Hennessey partnering with Ben Wittes to write apologies for NSA and FBI that ignore known facts. I’m a bit surprised that Jack Goldsmith did so in this defense of Democrats — like Adam Schiff and Nancy Pelosi and nineteen Democratic Senators — who have voted to give Jeff Sessions unreviewable authority to criminalize dissent using certain privacy tools.

NSA did not fix “abouts” problems before the issues became public

There are numerous problems with this post. The one that irks me the most, however, is the claim that the “system itself” identified and addressed problems with “abouts” collection before they became public.

We acknowledge that the program has raised hard legal questions as well as difficult compliance issues, primarily involving “abouts” collection. But these problems were identified by the system itself, long before the issues became public, and the practices were fixed or terminated.

This claim, one I’ve corrected Hennessey for on numerous occasions on Twitter, is false, and should be retracted.

I say that with great confidence, because I wrote about the problems on August 11, 2016, well before NSA failed to disclose the full extent of the problems in an October 4, 2016 hearing, which led the worst FISC judge ever, Rosemary Collyer, to complain about NSA’s institutional “lack of candor.”

At the October 26, 2016 hearing, the Court ascribed the government’s failure to disclose those IG and OCO reviews at the October 4, 2016 hearing to an institutional “lack of candor” on NSA’s part and emphasized that “this is a very serious Fourth Amendment issue.”

As a reminder, the problem (the FISC has) with “abouts” collection is not so much that it collected entirely domestic communications — that’s the complaint of the rest of us. It’s that NSA never ever complied with John Bates’ 2011 requirement that NSA not conduct back door searches on upstream collection, because it might result in searches of those entirely domestic communications. In my August 2016 post, I noted that reviewers kept discovering that NSA continued to do back door searches on upstream data in violation of that prohibition, and kept refusing to implement technical fixes to avoid them.

I also raised concerns about the oversight of 704/705(b), which is how the NSA first realized how badly non-compliant their upstream searches were, on May 13, 2016. That’s about when NSA first reported to DOJ “in May and June 2016” that “approximately eighty-five percent of” queries using a tool the NSA employs with 704/705b queries “were not compliant with the applicable minimization procedures.”

I’ll grant that I’m remarkably attentive to documents that get declassified years after the fact. But I’m nevertheless “the public.” If I’m identifying these problems — and NSA’s refusal to make the technical fixes to avoid them — before they get fully briefed to DOJ or FISC, then it is absolutely false to claim that “the system” fixed or terminated the problem long before they became public.

Again, Lawfare should issue a retraction for that claim.

Update, January 19: On Twitter yesterday, Hennessey claimed I misread this quote, and that her proof that the system works was that the NSA had gotten away with ignoring Bates’ orders for five years, but finally shut it down before the public learned that NSA had been ignoring FISC’s orders.

This is still factually false — as I responded to her, the NSA was still identifying problems for eight months after I wrote about the problems, even assuming it had found all of them by April 2017, which was the last declassified reporting on it. But her explanation actually makes the comment downright damning for the NSA. It suggests a lawyer who was at NSA during the period it was not in compliance believes that getting away with violating the Fourth Amendment for five years, but fixing it before documents released on a three year delay (and only because of Snowden) is a sign of a law-abiding agency.

A portrait of a guy who doesn’t know key details as a rigorous overseer

The fact that I was harping on the “abouts” problems before any overseers of the program managed to fully investigate and fix them by itself disproves the claims that Hennessey and Goldsmith make in their hagiography of Adam Schiff.

He is the ranking Democrat on the House intelligence committee and one of the most knowledgeable and informed members of Congress on intelligence matters. Schiff has not hesitated to be  when he sees fit. He has watched the 702 program up close over many years in classified settings in his oversight role. He knows well its virtues and its warts. We suppose it is possible that Schiff would vote to give the president, whose integrity he so obviously worries about, vast powers to spy on Americans in an abusive way. Given everything Schiff has publicly said and done over the last year, however, a much more plausible inference is that he knows not only how valuable the 702 program is but also how law-constrained and carefully controlled and monitored it is.

Plus, I’m not sure why they think that Schiff’s attempt to fix the Section 215 phone dragnet only after Edward Snowden made it public proves that Schiff “never hesitated to be critical of intelligence community practices.” On the contrary, it proves that he did hesitate to do so before excessive programs became public.

The distinction is utterly critical given something I’ve pointed out about this bill. The bill itself is an admission that the intelligence community is out of control, and that congressional overseers can’t get information they need to adequately oversee the program without demanding it in legislation. That’s because it requires the IC to provide information on two practices that Congress cannot be deemed competent to legislate on without having answers about first.

For example, the bill requires an IG Report on how FBI queries raw data.

(b) MATTERS INCLUDED.—The report under subsection (a) shall include, at a minimum, an assessment of the following:

(1) The interpretations by the Federal Bureau of Investigation and the National Security Division of the Department of Justice, respectively, relating to the querying procedures adopted under subsection (f) of section 702 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1881a(f)), as added by section 101.

[snip]

(6) The scope of access by the criminal division of the Federal Bureau of Investigation to information obtained pursuant to the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), including with respect to information acquired under subsection (a) of such section 702 based on queries conducted by the criminal division.

(7) The frequency and nature of the reviews conducted by the National Security Division of the Department of Justice and the Office of the Director of National Intelligence relating to the compliance by the Federal Bureau of Investigation with such querying procedures.

I have explained (and I know Hennessey regards this as a problem too) that since 2012, FBI has devolved its access to raw 702 data to field offices. The FBI already conducted far, far less oversight of the back door searches it conducts than NSA does. But because the DOJ/DNI 702 review teams visit only a fraction of the FBI field offices with each review, and because FBI’s querying system doesn’t collect enough information to do oversight remotely, it is possible that the offices that are least familiar with 702 requirements are — for the smaller number of 702 queries they conduct — getting the least oversight.

You can’t pass a bill that effectively blesses FBI’s use of back door searches on Americans about whom it has no evidence of any wrongdoing, while admitting you don’t know how FBI conducts those back door searches, and make any claim to conduct adequate oversight. Rather, the bill permits FBI to continue practices it has stubbornly refused to brief Congress on, rather than demanding that FBI brief Congress first, so Congress can impose any restrictions that might be necessary to adequately protect Americans.

The bill also requires a briefing within six months to explain how DOJ complies with FISA’s legally mandated notice requirements (because notice under 702 is treated as notice under 106(c), this covers 702 surveillance as well).

Not later than 180 days after the date of the enactment of this Act, the Attorney General, in consultation with the Director of National Intelligence, shall provide to the Committee on the Judiciary and the Permanent Select Committee on Intelligence of the House of Representatives and the Committee on the Judiciary and the Select Committee on Intelligence of the Senate a briefing with respect to how the Department of Justice interprets the requirements under sections 106(c), 305(d), and 405(c) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1806(c), 1825(d), and 1845(c)) to notify an aggrieved person under such sections of the use of information obtained or derived from electronic surveillance, physical search, or the use of a pen register or trap and trace device. The briefing shall focus on how the Department interprets the phrase “obtained or derived from” in such sections.

The public treatment of DOJ’s serial, obvious failures to give notice to defendants is a nifty trick. When DOJ fails to give notice, it clearly violates the law, but notice is not included in minimization procedure review, so therefore is not reviewed by the FISC. When surveillance boosters like Hennessey and Goldsmith say there have never been any willful violations of the law, they manage to ignore the notice violations that have allowed some pretty problematic practices to avoid judicial oversight only because by breaking the law DOJ ensures no court will find them to be breaking the law.

Catch 22: Heads, legal violations never get reviewed by a court; tails, surveillance boosters can claim the surveillance has a clean bill of health.

Again, this is a known, egregious problem with the implementation of 702.

But rather than do the obvious thing as part of what this post dubs “robust democratic deliberation,” which is to demand answers about how notice is (not) given and require DOJ to fix it as part of the bill, the bill instead simply requires DOJ to provide the information that Congress needs to do basic oversight six months after reauthorization, which effectively punts fixing the problem six years down the road.

How many Chinese-American scientists will be improperly prosecuted because FBI is technically inane in those 6 years, because a bunch of California legislators like Nancy Pelosi, Adam Schiff, and Dianne Feinstein chose to punt on basic oversight?

The most egregious example of this, however, involves the government’s obstinate refusal to explain how many US persons are affected by 702. This bill also did not incorporate an HJC proposal requiring a count of how many Americans got referred for criminal prosecution off of 702 collection.

Letting Jeff Sessions criminalize dissent

That refusal — the refusal to even legislatively require the government to report on the impact of 702 surveillance on Americans, via incidental collection and/or criminal referral — brings us to the problem with this bill that opponents are all raising, but about which Hennessey and Goldsmith are inexcusably silent: the codification of giving Jeff Sessions unreviewable authority to determine what counts as a “criminal proceeding [that] affects, involves, or is related to the national security of the United States.”

Here’s how Hennessey and Goldsmith describe the impact of this program on Americans.

As Lawfare readers know, Section 702 authorizes the intelligence community to target the communications of non-U.S. persons located outside the United States for foreign intelligence purposes. It does not permit the intelligence community to target a U.S. person anywhere in the world. But it does permit incidental collection on U.S. persons, subject to strict rules about minimization and use.

Their silence about how the bill doesn’t deal with back door searches is problematic enough.

But they predictably, but problematically, make no mention of the way the bill codifies the use of 702 in domestic law enforcement under the Tor/VPN exception.

As I have laid out, in 2014 FISC created an exception to the rule that NSA must detask from a facility as soon as they learn that Americans are also using that facility. That exception applies to Tor and (though I understand this part even less) VPN servers — basically the kinds of privacy tools that criminals, spies, journalists, and dissidents might use to hide their online activities. NSA has to sort through what they collect on the back end, but along the way, they get to decide to keep any entirely domestic traffic they find has significant foreign intelligence purpose or is evidence of a crime, among other reasons. The bill even codifies 8 enumerated crimes under which they can keep such data. Some of those crimes — child porn and murder — make sense, but others — like transnational crime (including local drug dealers selling imported drugs) and CFAA (with its well-known propensity for abuse) pose more potential for abuse.

But it’s the unreviewable authority for Jeff Sessions bit that is the real problem.

We know, for example, that painting Black Lives Matter as a national security threat is key to the Trump-Sessions effort to criminalize race. We also know that Trump has accused his opponents of treason, all for making critical comments about Trump.

This bill gives Sessions unreviewable authority to decide that a BLM protest organized using Tor, or whistleblowing relying on it, discovered by collection done in the name of hunting Russian spies, can be referred for prosecution. The fact that the underlying data predicating any prosecution was obtained without a warrant under 702 would — in part because this bill doesn’t add teeth to FISA notice — ensure that courts would never learn the genesis of the prosecution. Even if a court somehow managed to do so, however, it could never deem the domestic surveillance unlawful because the bill gives Jeff Sessions the unreviewable authority to treat dissent as a national security threat.

This is such an obviously bad idea, and it is being supported by people who talk incessantly about the threat that Trump and Sessions present. Yet, rather than addressing the issue head on (which I doubt Hennessey could legally do in any case), they simply remain silent about what is the biggest complaint from privacy activists, that this gives a racist, vindictive Attorney General far more authority than he should have, and does so without fixing the inadequate protections for criminal defendants along the way.

I mean, I get that surveillance boosters who recognize the threat Trump and Sessions pose want to absolve themselves for giving Trump tools that can so obviously be abused.

But this attempt does so precisely by dodging the most obvious reasons for which boosters should be held to account.

Update: Changed post to note that just Trump has accused FBI Agents of treason, not Sessions, and not (yet) journalists.

Update: Here’s the roll call of the 65-34 vote passage of the bill. Democrats who voted in favor are:

  1. Carper
  2. Casey
  3. Cortez Masto
  4. Donnelly
  5. Duckworth
  6. Feinstein
  7. Hassan
  8. Heitkamp
  9. Jones
  10. Klobuchar
  11. Manchin
  12. McCaskill
  13. Nelson
  14. Peters
  15. Reed
  16. Schumer
  17. Shaheen
  18. Stabenow
  19. Warner
  20. Whitehouse

The NSL to 215 Collection: Data Flows AND URLs

Since last summer, I have been noting that the majority of Section 215 production now consists of Internet data the government used to collect using National Security Letters but — after the Internet companies successfully refused further compliance under NSLs in light of an Office of Legal Counsel ruling limiting what could be obtained under NSLs — the government started using Section 215 to obtain.

We know most Section 215 orders are for Internet records because someone reliable — DOJ’s Inspector General in last year’s report on National Security Letters — told us that a collection of Internet companies successfully challenged FBI’s use of NSLs to collect this stuff after DOJ published an opinion on ECPA in 2008.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

That report went on to explain that FBI considered fixing this problem by amending the definition for toll records in Section 2709, but then bagged that plan and just moved all this collection to Section 215, which takes longer.

In the absence of a legislative amendment to Section 2709, [2.5 lines redacted]. [Deputy General Counsel of FBI’s National Security Law Branch] Siegel told us that the process of generating and approving a Section 215 application is similar to the NSL process for the agents and supervisors in the field, but then the applications undergo a review process in NSLB and the Department’s National Security Division, which submits the application to the Foreign Intelligence Surveillance Court (FISA Court). According to Siegel, a request that at one time could be accomplished with an NSL in a matter of hours if necessary, now takes about 30-40 days to accomplish with a standard Section 215 application.

In addition to increasing the time it takes to obtain transactional records, Section 215 requests, unlike NSL requests, require the involvement of FBI Headquarters, NSD, and the FISA Court. Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

The government is, according to the report, going through all sorts of hoop-jumping on these records rather than working with Congress to pass ECPA reform.

Why?

The FISA Court imposed minimization procedures on this production, meaning it was fairly bulky. That led me to speculate — particularly given Claire McCaskill’s questions confirming Section 215 might be used for the purpose — that the collection obtained URL search information. More recently, particularly when the FBI claimed (which, sadly, coming from the FBI can never be assumed to be true) it used Section 215 for cyber investigations, I became convinced it involved data flow records.

Meanwhile, in January 2014, Nicholas Merrill, the first person to fight an NSL order when he received one in 2004, started fighting to overturn the gag order that had been imposed on him a decade earlier (this came at the same time as President Obama claimed he would move FBI to end its forever gags on NSLs). And while the FBI agreed to let Merrill tell the target of the NSL about it, it ordered him to keep most of what he had been ordered to turn over secret. He is currently permitted to reveal the following:

[Image: Screen Shot 2015-03-29 at 8.36.05 AM]

In other words, while FBI is okay with Merrill telling the target of a decade-old investigation he or she was targeted, he can’t tell us what — as far back as 2004 — FBI claimed was included under ECPA’s definition of electronic communication transactional records.

In December, Merrill sued to be able to tell us that. And on March 20, a redacted version of his declaration in that suit was released. While the government redacted what they had asked of him (and bizarrely, redacted language in his lawyer’s declaration that appeared unredacted in documents they included as exhibits; see this Cryptome document for the full packet), Merrill provided a pretty good sense of what might have been included in those 15 (of 16!) redacted or partly redacted orders from a decade ago. First, he described all the records he had:

Calyx Internet Access, like most ISPs, collected a wide array of information about its clients. For a given client, we may have collected their [1] name, [2] address and [3] telephone number; [4] other addresses associated with the account; [5] email addresses associated with the account; [6] IP addresses associated with the account; [7] Uniform Resource Locator (URL) addresses assigned to the account; [8] activity logs for the account; [9] logs tracking visitors to the client’s website; [10] the content of a client’s electronic communications; [11] data files residing on Calyx’s server; [12] the client’s customer list; [13] the client’s bank account and [14] credit card numbers; [15] records relating to merchandise bought and sold; and the [16] date the account was opened or closed. [numbers 1 through 16 added]

Of those 16 items, the only one that should have been impossible to include among the 16 requests the FBI made in its NSL demand on Merrill 11 years ago is the actual content of the client’s communication, item 10 (though see my caveat below, explaining that they may well have demanded that too).

In addition to describing the kinds of things he had — which therefore might be among the 16 things FBI demanded of him — Merrill described the kinds of things ISPs might have that the FBI might want. He includes URL searches and IP-based identifiers.

Electronic communication service providers can maintain records of the IP addresses assigned to particular individuals and of the electronic communications involving that IP address. These records can identify, among other things, the identity of an otherwise anonymous individual communicating on the Internet, the identities of individuals in communication with one another, and the web sites (or other Internet content) that an individual has accessed.

Electronic communication service providers can also monitor and store information regarding web transactions by their users. These transaction logs can be very detailed, including the name of every web page accessed, information about the page’s content, the names of accounts accessed, and sometimes username and password combinations. This monitoring can occur by routing all of a user’s traffic through a proxy server or by using a network monitoring system.

[snip]

Web servers also often maintain logs of every request that they receive and every web page that is served. This could include a complete list of all web pages seen by an individual, all search terms, names of email accounts, passwords, purchases made, names of other individuals with whom the user has communicated, and so on.

And he described flow data — the kinds of things FBI might use in a hacking investigation.

Electronic communication service providers can also record internet “NetFlow” data. This data consists of a set of packets that travel between two points. Routers can be set to automatically record a list of all the NetFlows that they see, or all the NetFlows to or from a specific IP address. This NetFlow data can essentially provide a complete history of each electronic communications service used by a particular Internet user.

In short, Merrill is strongly hinting that he was asked for both URL information and NetFlow information. Merrill is hinting that the FBI was using NSLs to obtain detailed descriptions of all of the Internet activities for targets of NSLs.

Merrill also suggests that email subject lines — now considered content — might be demanded. That’s interesting because he got served his NSL before the hospital confrontation in 2004, and the government (specifically Michael Hayden) has claimed that subject lines were metadata, not content. So he may be indicating that back in 2004, the FBI was treating subject lines as an electronic communication transactional record (and given that FBI did not withdraw the substance of his NSL until 2006, perhaps continued to do so).

So back in 2004, at least, the FBI was making vast demands for records of all of a target’s Internet activity.

There’s good reason to believe that this is precisely the kind of production (at least some) Internet companies successfully moved to Section 215 orders in 2009. That’s true, in part, because in the NSL IG Report describing all the crazy requests FBI had been making under ECPA, the most substantive ongoing crazy requests appeared to be connected to AT&T production. Seven types of records from a provider that is almost certainly AT&T were redacted in that IG Report. So while it’s likely the FISC now reviews and minimizes that same kind of request to ISPs as part of Section 215 orders, it probably doesn’t do so for requests to telecoms.

That said, all that might change if the Cybersecurity Information Sharing Act passes. That bill would pre-empt existing laws, including ECPA, for sharing of cybersecurity, leak, or IP theft investigations (and can be used to investigate a broad array of serious crimes). So CISA would provide the legal cover for ISPs to share such information, at least for any ISPs who would “voluntarily” share such data. For that reason, we should look much more closely at the terms of that “voluntary” production.

That’s the subject of another post, however.

For now, take Merrill’s declaration as pretty strong confirmation that the FBI at least was obtaining both URL search information and data flow information using nothing more than an NSL. Its desire to get such expansive data again is likely at least as pressing an issue behind current surveillance legislation debates as its desire to continue a dragnet of all our phone records.

 

Claire McCaskill: Why Aren’t We Calling Sandy Hook Terror?

Janet Napolitano is testifying before the Senate Homeland Security Committee, purportedly on the budget. Not surprisingly, she’s getting a ton of questions about the Boston Marathon attack and immigration.

But in a smart series of questions that will undoubtedly be controversial, Claire McCaskill challenged Napolitano to explain why we so quickly called Boston a terrorist attack, but wouldn’t call Sandy Hook a terrorist attack. Noting that we still don’t know the motive behind either attack, McCaskill asked (these are my immediate transcriptions),

Other than weapon, is there any difference between Sandy Hook and Boston?

[snip]

We are so quick to call Boston terror, why aren’t we calling man w/high capacity magazine a terrorist?

[snip]

As I look at it w/eyes of prosecutor, I find it troubling that one is treated to cause so much more fear than other.

[snip]

It’s possible both had same motive, just one chose military weapon, the other chose homemade explosive.

It’s a provocative, but necessary question. The crime of terrorism relies on having a political motive. In both these attacks, we don’t know motive. But two days after Boston, we’re treating it as terrorism, while the attack that killed 20 children in their school still isn’t called such.

My inclination would be to call neither terrorism. McCaskill is right that the term just serves to generate fear.

But I’m glad she asked the question.