Posts

No One Benefits from a One (Wo)Man FISC Court

/2 Comments/in /by

Over at Just Security, Steve Vladeck takes issue with yet another proposal for a Drone Court.

A new chapter by Professors Amos Guiora and Jeffrey Brand–“Establishment of a Drone Court: A Necessary Restraint on Executive Power“–has been receiving a fair amount ofmedia and blog attention. The chapter differs from some prior calls for a “drone court” in seeing the Foreign Intelligence Surveillance Court (FISC) not as a model, but rather as a lesson in what not to do–a “non-starter,” in the authors’ words. Nevertheless, the chapter argues, we need a special “Operational Security Court” (OSC) comprised of already sitting Article III district and circuit judges (selected through a far different process from FISC judges) to strike the right balance between the government’s need to protect operational (and national) security and the rights of those targeted for drone operations to contest their targeting (through security cleared lawyers) ex ante.

My take on the proposal is slightly different from Vladeck’s. I take it as a proposal for a Sparkle Pony. The proper response to such a proposal is to point out all the reasons why we can’t have Sparkle Ponies. But I would end up largely where Valdeck is, looking at all the reasons FISC is failing its task, especially now that it has been blown up beyond proportion in the wake of President Bush’s illegal spy program. And Vladeck’s solution — to ensure people can sue after the fact — is a reasonable start.

That said, Vladeck asks an important question.

Finally, there’s the question of why an entire new court(the “OSC”) is needed at all. What’s wrong with giving the U.S. District Court for the District of Columbia exclusive original jurisdiction over these proceedings–as the Supreme Court has effectively provided in the secrecy-laden Guantánamo habeas cases? Even if one believes that ex ante judicial review of drone strikes is constitutionally and pragmatically feasible, why reinvent the wheel when there are perfectly good judges sitting in a perfectly good courthouse replete with experience in highly classified proceedings? 

In my insistence it’s time to get rid of FISC, I’ve been thinking the same thing: why can’t we just have all the DC District judges rule on these cases?

The biggest drawback I see in this is that it would mean the judges presiding over national security criminal cases — not even Espionage cases, which are more likely to be charged in EDVA — are not the same who preside over the National Security Court decisions. Just as an example, I think it important that a bunch of judges in Portland, OR are presiding over some of the more interesting national security cases. And for that reason I’m fascinated that Michael Mosman, who is presiding over the case of Reaz Qadir Khan, is also a FISC judge. While I don’t think Mosman brings a neutral approach to the Khan case, I do think he may be learning things about how the FISC programs work in practice.

But both sides of this debate, both the government and reformers, could point to Vladeck’s proposal as a vast improvement. That’s because it gets us out of what has become a series of one person courts.

Partly for logistical reasons (and potentially even for security reasons), rather than a court of 11 judges presiding over these expanding counterterrorism programs, we’ve actually had a series of single judges: Colleen Kollar-Kotelly, who presided over at least the Internet dragnet, some other important Pen Register rulings, and several initial Protect America Act reviews, then mostly Reggie Walton presiding over the Yahoo challenge and then the phone and Internet dragnet fixes, then John Bates presiding over the upstream fix (as well as reauthorizing and expanding the Internet dragnet). Presumably, presiding judge Thomas Hogan has assumed the role of one person court (though I suspect Rosemary Collyer, who is next in line to be presiding in any case, takes on some of this work).

And while I’d find great fault with some of Kollar-Kotelly and Bates’ rulings (and even some of Walton’s), I suspect the NatSec establishment was thrilled to see the end of  Walton on the court, because he dared to consider questions thoughtfully and occasionally impose limits on the intelligence programs.

No one benefits from having what works out to be primarily one judge review such massive programs. But that’s what we’ve effectively got now, and because it operates in secret, there’s no apparent check on really boneheaded decisions by these individual judges.

There are a lot of reasons to replace the FISC with review by normal judges, and one of them is that the current system tends to concentrate the review of massive spying programs in the hands of one or two judges alone.

DOJ Changed Its FISA Disclosure Policy on January 10, 2008

/1 Comment/in /by

While wandering through FBI’s Domestic Investigations and Operations Guide today, I realized that on January 10, 2008, DOJ changed its FISA use policy (at PDF 104) . In a memo announcing the new policy, Ken Wainstein explained that “this revised policy includes significant changes from current practice that will streamline the process for using FISA information in certain basic investigative processes, while still ensuring that important intelligence and law enforcement interests are protected.”

It then lists 4 (entirely redacted) investigative processes for which FISA information could be used.

While I’m sure this letter has been reported in the past, it has far greater significance given several newly disclosed facts.

First, just days earlier, Attorney General Michael Mukasey reversed existing policy by permitting NSA to contact chain on US person data in EO 12333-collected information. That decision would make it far easier to identify existing communications implicating Americans.

Even more importantly, this move took place just weeks before the government revamped the PRISM program, such that FBI had a much more central role in the process and obtained selected PRISM material directly. In effect, Mukasey made it easier to use FISA information just weeks before FBI started getting a lot more of it, and getting it directly.

This change adds to the already significant evidence that the FBI started back door searches on PRISM information with that change in January 2008.

It’s interesting, too, that FBI had already decided to make these changes before Colleen Kollar-Kotelly ruled the initial Protect America Act certifications met the statute on January 15, 2008. There’s growing evidence that DOJ long planned to involve FBI more centrally, but waited on her decision (and the day the PAA was originally scheduled to expire) to roll out the change formally.

One more critical detail: The letter indicated that the new policy would be tied to a new interpretation of information “derived from” FISA.

The revised policy requires that it be reviewed one year from its effective date and requires NSD to issue guidance on what constitutes information “derived from” FISA collections by March 31, 2008.

Note that that initial annual review date would mean Bush’s DOJ would conduct such a review in the last days before Obama came in.

In any case, the redacted parts of this letter are probably, arguably, unclassified and FOIAble at this point, since PCLOB has revealed that FBI uses its back door searches for assessments.

Yes, the Government Does Spy Under Grandfathered Approvals

/in /by

Charlie Savage is catching no end of shit today because he reported on a provision in the PATRIOT Act (one I just noticed Tuesday, actually, when finding the sunset language for something else) that specifies ongoing investigations may continue even after a sunset.

The law says that Section 215, along with another section of the Patriot Act, expires on “June 1, 2015, except that former provisions continue in effect with respect to any particular foreign intelligence investigation that began before June 1, 2015, or with respect to any particular offense or potential offense that began or occurred before June 1, 2015.”

Michael Davidson, who until his retirement in 2011 was the Senate Intelligence Committee’s top staff lawyer, said this meant that as long as there was an older counterterrorism investigation still open, the court could keep issuing Section 215 orders to phone companies indefinitely for that investigation.

“It was always understood that no investigation should be different the day after the sunset than it was the day before,” Mr. Davidson said, adding: “There are important reasons for Congress to legislate on what, if any, program is now warranted. But considering the actual language of the sunset provision, no one should believe the present program will disappear solely because of the sunset.”

Mr. Davidson said the widespread assumption by lawmakers and executive branch officials, as well as in news articles in The New York Times and elsewhere, that the program must lapse next summer without new legislation was incorrect.

The exception is obscure because it was recorded as a note accompanying Section 215; while still law, it does not receive its own listing in the United States Code. It was created by the original Patriot Act and was explicitly restated in a 2006 reauthorization bill, and then quietly carried forward in 2010 and in 2011.

Now, I’m happy to give Savage shit when I think he deserves it. But I’m confident those attacking him now are wrong.

Before I get into why, let me first say that to some degree it is moot. The Administration believes that, legally, it needs no Congressional authorization to carry out the phone dragnet. None. What limits its ability to engage in the phone dragnet is not the law (at least not until some courts start striking the Administration’s interpretation down). It’s the willingness of the telecoms to cooperate. Right now, the government appears to have a significant problem forcing Verizon to fully cooperate. Without Verizon, you don’t have an effective dragnet, which is significantly what USA Freedom and other “reform” efforts are about, to coerce or entice Verizon’s full cooperation without at the same time creating a legal basis to kill the entire program.

That said, not only is Davidson likely absolutely correct, but there’s precedent at the FISA Court for broadly approving grandfathering claims that make dubious sense.

As Davidson noted elsewhere in Savage’s story, the FBI has ongoing enterprise investigations that don’t lapse — and almost certainly have not lapsed since 9/11. Indeed, that’s the investigation(s) the government appears, from declassified documents, to have argued the dragnet is “relevant” to. So while some claim this perverts the definition of “particular,” that’s not the word that’s really at issue here, it’s the “relevant to” interpretation that USAF leaves intact, effectively ratifying (this time with uncontested full knowledge of Congress) the 2004 redefinition of it that everyone agrees was batshit insane. If you want to prevent this from happening, you need to affirmatively correct that FISA opinion, not to mention not ratify the definition again, which USAF would do (as would a straight reauthorization of PATRIOT next year).

And as I said, there is precedent for this kind of grandfathering at FISA, all now in the public record thanks to the declassification of the Yahoo challenge documents (and all probably known to Davidson, given that he was a lead negotiator on FISA Amendments Act which included significant discussion about sunset procedures, which they lifted from PAA.

For starters, on January 15, 2008, in an opinion approving the certifications for Protect America Act submitted in August and September 2007, Colleen Kollar-Kotelly approved the grand-fathering of the earlier 2007 large content dockets based on the government’s argument that they had generally considered the same factors they promised to follow under the PAA certifications and would subject the data obtained to the post-collection procedures in the certifications. (See page 15ff)

Effectively then, this permitted them to continue collection under the older, weaker protections, under near year-long PAA certifications.

In the weeks immediately following Kollar-Kotelly’s approval of the underlying certifications (though there’s evidence they had planned the move as far back as October, before they served Directives on Yahoo), the government significantly reorganized their FAA program, bringing FBI into a central role in the process and almost certainly setting up the back door searches that have become so controversial. They submitted new certifications on January 31, 2008, on what was supposed to be the original expiration date of the PAA. As Kollar-Kotelly described in an June 18, 2008 opinion (starting at 30), that came to her in the form of new procedures received on February 12, 2008, 4 days before the final expiration date of PAA.

On February 12, 2008, the government filed in each of the 07 Dockets additional sets of procedures used by the Federal Bureau of Investigation(FBI) when that agency acquires foreign intelligence information under PAA authorities. These procedures were adopted pursuant to amendments made by the Attorney General and the Director of National Intelligence (DNI) on January 31, 2008 to the certifications in the 07 Dockets.

Then, several weeks later — and therefore several weeks after PAA expired on February 16, 2008 — the government submitted still new procedures.

On March 3, 2008, the government submitted NSA and FBI procedures in a new matter [redacted]

[snip]

Because the FBI and NSA procedures submitted in Docket No. [redacted] are quite similar to the procedures submitted in the 07 Dockets, the Court has consolidated these matters for purposes of its review under 50 U.S.C. § 1805c.

For the reasons explained below, the Court concludes that it retains jurisdiction to review the above-described procedures under §1805c. On the merits, the Court finds that the FBI procedures submitted in each of the 07 Dockets, and the NSA and FBI procedures submitted in Docket No. [redacted] satisfy the applicable review for clear error under 50 U.S.C. § 1805c(b).

She regarded these new procedures, submitted well after the law had expired, a modification of existing certifications.

In all [redacted] of the above-captioned dockets, the DNI and the Attorney General authorized acquisitions of foreign intelligence information by making or amending certifications prior to February 16, 2009, pursuant to provisions of the PAA codified at 50 U.S.C. § 1805b.

She did this in part by relying on Reggie Walton’s interim April 25, 2008 opinion in the Yahoo case that the revisions affecting Yahoo were still kosher, without, apparently, considering the very different status of procedures changed after the law had expired.

The government even considered itself to be spying with Yahoo under a September 2007 certification (that is, the latter of at least two certifications affecting Yahoo) past the July 10, 2008 passage of FISA Amendments Act, which imposed additional protections for US persons.

These are, admittedly, a slightly different case. In two cases, they amount to retaining older, less protective laws even after their replacement gets passed by Congress. In the third, it amounts to modifying procedures under a law that has already expired but remains active because of the later expiration date of the underlying certificate.

Still, this is all stuff the FISC has already approved.

The FISC also maintains — incorrectly in my opinion, but I’m not a FISC judge so they don’t much give a damn — that the 2010 and 2011 PATRIOT reauthorizations ratified everything the court had already approved, even the dragnets not explicitly laid out in the law. This sunset language was public, and there’s nothing exotic about what they say. To argue the FISC wouldn’t consider these valid clauses grand-fathering the dragnet, you’d have to argue they don’t believe the 2010 and 2011 reauthorizations ratified even the secret things already in place. That’s highly unlikely to happen, as it would bring the validity of their 40ish reauthorizations under question, which they’re not going to do.

Again, I think it’s moot. The “reform” process before us is about getting Verizon to engage in a dragnet that is not actually authorized by the law as written. They’re not doing what the government would like them to do now, so there’s no reason to believe this grandfathered language would lead them to suddenly do so.

How to Fix the FISA Court … Or Not

/4 Comments/in , /by

The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26)

That line, from the FISCR opinion finding the Protect America Act constitutional, gets to the core problem with the FISA Court scheme. Even in 2009, when the line was first made public, it was pretty clear the government had made a false claim to the FISA Court of Review.

Now that we know that FBI had already been given authority to keep PAA-collected content in databases that they could search at what is now called the assessment stage of investigations — warrantless searches of the content of Americans against whom the FBI has no evidence of wrong-doing — the claim remains one of the signature moments where the government got approval for a program by being less than candid to the court (the government has been caught doing so in both Title III courts and at FISC, and continues to do so).

That’s also why I find Greg McNeal’s paper on Reforming the FISC, while very important, ultimately unconvincing.

McNeal’s paper is invaluable for the way he assesses the decision — in May 2006 — to authorize the collection of all phone records under Section 215. Not only does the paper largely agree with the Democratic appointees on PCLOB that the program is not authorized by the Section 215 statute, McNeal conducts his own assessment of the government’s application to use Section 215 for that purpose.

The application does not fare well.

Moreover, the government recognized that not all records would be relevant to an investigation, but justified relevance on what could best be described as usefulness or necessity to enable the government’s metadata analysis, stating:

The Application fully satisfies all requirements of title V of FISA. In particular, the Application seeks the production of tangible things “for” an international terrorism investigation. 50 U.S.C. § 1861(a)(1). In addition, the Application includes a statement of facts demonstrating that there are reasonable grounds to believe that the business records sought are “relevant” to an authorized investigation. Id.  § 1861(b)(2). Although the call detail records of the [redacted] contain large volumes of metadata, the vast majority of which will not be terrorist-related, the scope of the business records request presents no infirmity under title V. All of the business records to be collected here are relevant to FBI investigations into [redacted] because the NSA can effectively conduct metadata analysis only if it has the data in bulk.49

The government went even further, arguing that if the FISC found that the records were not relevant, that the FISC should read relevance out of the statute by tailoring its analysis in a way that would balance the government’s request to collect metadata in bulk against the degree of intrusion into privacy interests. Disregarding the fact that the balancing of these interests was likely already engaged in by Congress when writing section 215, the government wrote:

In addition, even if the metadata from non-terrorist communications were deemed not relevant, nothing in title V of FISA demands that a request for the production of “any tangible things” under that provision collect only information that is strictly relevant to the international terrorism investigation at hand. Were the Court to require some tailoring to fit the information that will actually be terrorist-related, the business records request detailed in the Application would meet any proper test for reasonable tailoring. Any tailoring standard must be informed by a balancing of the government interest at stake against the degree of intrusion into any protected privacy interests. Here, the Government’s interest is the most compelling imaginable: the defense of the Nation in wartime from attacks that may take thousands of lives. On the other side of the balance, the intrusion is minimal. As the Supreme Court has held, there is no constitutionally protected interest in metadata, such as numbers dialed on a telephone.50

Thus, what the government asked the court to disregard the judgment of the Congress as to the limitations and privacy interests at stake in the collection of business records. Specifically, the government asked the FISC to disregard Congress’s imposition of a statutory requirement that business records be relevant, and in disregarding that statutory requirement rely on the fact that there was no constitutionally protected privacy interest in business records. The government’s argument flipped the statute on its head, as the purpose of enhancing protections under section 215 was to supplement the constitutional baseline protections for privacy that were deemed inadequate by Congress.

McNeal is no hippie. That he largely agrees and goes beyond PCLOB’s conclusion that this decision was not authorized by the statute is significant.

But as I said, I disagree with his remedy — and also with his assessment of the single source of this dysfunction.

McNeal’s remedy is laudable. He suggests all FISC decisions should be presumptively declassified and any significant FISC decision should get automatic appellate review, done by FISCR. That’s not dissimilar to a measure in Pat Leahy’s USA Freedom Act, which I’ve written about here. With my cautions about that scheme noted, I think McNeal’s remedy may have value.

The reason it won’t be enough stems from two things.

First, the government has proven it cannot be trusted with ex parte proceedings in the FISC. That may seem harsh, but the Yahoo challenge — which is the most complete view we’ve ever had of how the court works, even with a weak adversary — really damns the government’s conduct. In addition to the seemingly false claim to FISCR about whether the government held databases of incidentally collected data, over the course of the Yahoo challenge, the government,

  • Entirely restructured the program — bringing the FBI into a central role of the process — without telling Reggie Walton about these major changes to the program the challenge he was presiding over evaluated; this would be the first of 4 known times in Walton’s 7-year tenure where he had to deal with the government withholding materially significant information from the court
  • Provided outdated versions of documents, effectively hiding metadata that would have shown EO 12333, which was a key issue being litigated, was more fluid than presented to the court
  •  Apparently did not notice either FISC or FISCR about an OLC opinion — language from which was declassified right in the middle of the challenge — authorizing the President to pixie dust EO 12333 at any time without noting that publicly
  • Apparently did not provide the underlying documents explaining another significant change they made during the course of the challenge, which would have revealed how easily Americans could be reverse targeted under a program prohibiting it; these procedures were critical to FISCR’s conclusion the program was legal

In short, the materials withheld or misrepresented over the course of the Yahoo challenge may have made the difference in FISCR’s judgment that the program was legal (even ignoring all the things withheld from Yahoo, especially regarding the revised role of FBI in the process). (Note, in his paper, McNeal rightly argues Congress and the public could have had a clear idea of what Section 702 does; I’d limit that by noting that almost no one besides me imagined they were doing back door searches before that was revealed by the Snowden leaks).

One problem with McNeal’s suggestion, then, is that the government simply can’t be trusted to engage in ex parte proceedings before the FISC or FISCR. Every major program we’ve seen authorized by the court has featured significant misrepresentations about what the program really entailed. Every one! Until we eliminate that problem, the value of these courts will be limited.

But then there is the other problem, my own assessment of the source of the problem with FISC. McNeal thinks it is that Congress wants to pawn its authority off onto the FISC.

The underlying disease is that Congress wants things to operate the way that they do; Congress wants the FISC and has incentives to maintain the status quo.

Why does Congress want the FISC? Because it allows them to push accountability off to someone else. If members ofCongress are responsible for conducting oversight of secretoperations, their reputations are on the line if the operations gotoo far toward violating civil liberties, or not far enoughtoward protecting national security. However, with the FISC conducting operations, Congress has the ability to dodge accountability by claiming they have empowered a court to conduct oversight.

I don’t, in general, disagree with this sentiment in the least. The last thing Congress wants to do is make a decision that might later be tied to an intelligence failure, a terrorist attack, a botched operation. Heck, I’d add that the last thing most members of Congress serving on the Intelligence Committees would want to do is piss off the contractors whose donations provide one of the perks of the seat.

But the dysfunction of the FISC stems, in significant part, from something else.

In his paper on the phone dragnet (which partly incorporates the Internet dragnet), David Kris suggests the original decision to bring the dragnets under the FISC (in the paper he was limited by DOJ review about what he could say of the Internet dragnet, so it is not entirely clear whether he means the Colleen Kollar-Kotelly opinion that paved the way for the flawed Malcolm Howard one McNeal critiques, or the Howard one) was erroneous. Read more

Protect America Act Was Designed to Collect on Americans, But DOJ Hid that from the FISC

/7 Comments/in , /by

The government released a document in the Yahoo dump that makes it clear it intended to reverse target Americans under Protect America Act (and by extension, FISA Amendments Act). That’s the Department of Defense Supplemental Procedures Governing Communications Metadata Analysis.

The document — as released earlier this month and (far more importantly) as submitted belatedly to the FISC in March 2008 — is fairly nondescript. It describes what DOD can do once it has collected metadata (irrespective of where it gets it) and how it defines metadata. It also clarifies that, “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communcations, nor to they qualify as ‘us[ing] a selection term’.”

The procedures do not once mention US persons.

There are two things that should have raised suspicions at FISC about this document. First, DOJ did not submit the procedures to FISC in a February 20, 2008 collection of documents they submitted after being ordered to by Judge Walton after he caught them hiding other materials; they did not submit them until March 14, 2008.

The signature lines should have raised even bigger suspicions.

Gates Mukasey

First, there’s the delay between the two dates. Robert Gates, signing as Secretary of Defense, signed the document on October 17, 2007. That’s after at least one of the PAA Certifications underlying the Directives submitted to Yahoo (the government is hiding the date of the second Certification for what I suspect are very interesting reasons), but 6 days after Judge Colleen Kollar-Kotelly submitted questions as part of her assessment of whether the Certifications were adequate. Michael Mukasey, signing as Attorney General, didn’t sign the procedures until January 3, 2008, two weeks before Kollar-Kotelly issued her ruling on the certifications, but long after it started trying to force Yahoo to comply and even after the government submitted its first ex parte submission to Walton. That was also just weeks before the government redid the Certifications (newly involving FBI in the process) underlying PAA on January 29. I’ll come back to the dates, but the important issue is they didn’t even finalize these procedures until they were deep into two legal reviews of PAA and in the process of re-doing their Certifications.

Moreover, Mukasey dawdled two months before he signed them; he started at AG on November 9, 2007.

Then there’s the fact that the title for his signature line was clearly altered, after the fact.

Someone else was supposed to sign these procedures. (Peter Keisler was Acting Attorney General before Mukasey was confirmed, including on October 17, when Gates signed these procedures.) These procedures were supposed to be approved back in October 2007 (still two months after the first PAA Certifications) but they weren’t, for some reason.

The backup to those procedures — which Edward Snowden leaked in full — may explain the delay.

Those procedures were changed in 2008 to reverse earlier decisions prohibiting contact chaining on US person metadata. 

NSA had tried to get DOJ to approve that change in 2006. But James Baker (who was one of the people who almost quit over the hospital confrontation in 2004 and who is now FBI General Counsel) refused to let them.

After Baker (and Alberto Gonzales) departed DOJ, and after Congress passed the Protect America Act, the spooks tried again. On November 20, 2007, Ken Wainstein and Steven Bradbury tried to get the Acting Deputy Attorney General Craig Morford (not Mukasey, who was already AG!) to approve the procedures. The entire point of the change, Wainstein’s memo makes clear, was to permit the contact chaining of US persons.

The Supplemental Procedures, attached at Tab A, would clarify that the National Security Agency (NSA) may analyze communications metadata associated with United States persons and persons believed to be in the United States.

What the government did, after passage of the PAA, was make it permissible for NSA to figure out whom Americans were emailing.

And this metadata was — we now know — central to FISCR’s understanding of the program (though perhaps not FISC’s; in an interview today I asked Reggie Walton about this document and he simply didn’t remember it).

The new declassification of the FISCR opinion makes clear, the linking procedures (that is, contact chaining) NSA did were central to FISCR’s finding that Protect America Act, as implemented in directives to Yahoo, had sufficient particularity to be reasonable.

The linking procedures — procedures that show that the [redacted] designated for surveillance are linked to persons reasonably believed to be overseas and otherwise appropriate targets — involve the application of “foreign intelligence factors” These factors are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. As attested by affidavits  of the Director of the National Security Agency (NSA), the government identifies [redacted] surveillance for national security purposes on information indicating that, for instance, [big redaction] Although the FAA itself does not mandate a showing of particularity, see 50 U.S.C. § 1805(b). This pre-surveillance procedure strikes us as analogous to and in conformity with the particularly showing contemplated by Sealed Case.

In fact, these procedures were submitted to FISC and FISCR precisely to support their discussion of particularity! We know they were using these precise procedures with PAA because they were submitted to FISC and FISCR in defense of a claim that they weren’t targeting US persons.

Except, by all appearances, the government neglected to tell FISC and FISCR that the entire reason these procedures were changed, subsequent to the passage of the PAA, was so NSA could go identify the communications involving Americans.

And this program, and the legal authorization for it? It’s all built into the FISA Amendments Act.

Hiding Yahoos: ORCON and the FISC Special Advocate

/1 Comment/in /by

Some weeks ago, I noted the language in James Clapper’s letter purportedly “supporting” Patrick Leahy’s USA Freedom Act making it clear he intended to retain the information asymmetry that currently exists in the FISA Court — specifically, ex parte communication with the court.

We note that, consistent with the President’s request, the bill estsablishes a process for the appointment of an amicus curiae to assist the FISA Court and FISA Court of Review in matters that present a novel or significant interpretation of the law. We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

The Yahoo documents released a few weeks back illustrate how this might work in practice.

We’ve known since January 2009 that Yahoo (which we then only knew was an Internet company) didn’t receive the materials — perhaps most importantly, the minimization procedures — it needed to adequately challenge the program.

The cover sheet to the ex parte appendix provided to the FISCR illustrates the range of things withheld from Yahoo’s attorney, Marc Zwillinger, who apparently had a Top Secret clearance. In addition to the minimization procedures for NSA and FBI, the government withheld the “linking” procedures used to identify targets (the titles of these documents are redacted in the released version, but this post explains why at least some must pertain to these procedures; note, I think the government also withheld these from Judge Reggie Walton at the FISC level!), and a January 15, 2008 Colleen Kollar-Kotelly FISC opinion assessing the adequacy of the original certifications.

Comparing two versions of Walton’s April 25, 2008 opinions — a version redacted for Yahoo’s use in 2008, and the version redacted for public release now — provides context on the key issues obscured or suppressed entirely from Yahoo’s view. (Note two things about these redactions: first, with the exception of language on the information the government demanded from Yahoo, we’re receiving more information than Yahoo’s cleared attorney received when he was fighting this case. And the older document actually includes two sets of redactions: the more faded redactions used for Yahoo, and a more opaque set done for this release, the latter of which hide details about the Directives given to Yahoo.)

Effectively, the government hid what they changed when they rewrote Certifications underlying their demands to Yahoo just 2 weeks before the law expired. A significant part of those changes involves getting FBI involved in the process (I increasingly suspect those January 29, 2008 Certifications are when the government first obtained official permission for FBI back door searches).

Notice of the new Certificates was given to Yahoo on February 16, 2008, the day PAA expired, and signed by then Solicitor General Paul Clement, though signed as Acting Attorney General (see page 81). One day earlier, Judge Walton had given the government an ex parte order requiring them to address whether the ex parte materials they had submitted to him in December “constitutes the complete and up-to-date set of certifications … applicable to the directives that are at issue in this proceeding.” Walton also required the government to provide notice to Yahoo they were going to submit a new classified appendix.

Apparently, Walton had gotten wind of the fact — but had not been told formally — that the government had submitted entirely new Certifications affecting their treatment of the data they would obtain from Yahoo. So he ordered them to update the record so his review actually considered the surveillance as it would be implemented.

I’ve listed most of the differences between the two memoranda below. While much of it pertains to prior classified decisions and the operation of FISC generally, the biggest sections redacted from Yahoo but released in part to us now describe the new certifications, including FBI’s new role in the process.  Of particular concern, the government withheld Walton’s comment admonishing the government for changing the certifications, “without appropriately informing the Court or supplementing the record in this matter until ordered to do so” (page 4), though footnote 4 and page 35 make it clear that Walton revealed some details of the government’s belated disclosures in a February 29 order for more briefing.

More troubling still, they hid Walton’s still significantly-redacted assessment that the changes in the Certifications would not change the nature of the government’s demand from Yahoo (page 38).

Neither type of amendment altered the nature of the assistance to be rendered by Yahoo,40

40 Yahoo has submitted a sworn statement that, prior to serving the directives on Yahoo, representatives of the government “indicated that, at the outset, it only would expect…

I wrote about these changing requests here. And while on paper the changing requests couldn’t have been a result of the changed Certification — Yahoo’s Manager of Legal Compliance described them in a January 23 submission, and the new Certifications were issued the following week — I find the timing, and the government’s failure to notice Walton on them, suspect enough that it’s the kind of thing that should have been briefed. Plus, as I’ll show in a follow-up post, I’m fairly certain the government hid  from both FISC and FISCR the degree to which this was about targeting Americans.

Once Walton learned that the government’s requests to Yahoo had changed between the date of Kollar-Kotelly’s initial approval and the expiration of the law, it seems it should have merited more direct briefing, but that would have required admitting that the changes put domestic law enforcement in the center of the program, which presents (or should present) significantly different Fourth Amendment concerns, notably increasing the importance of prior interpretations of the “significant purpose” language instituted under the PATRIOT Act.

In other words, not only did the ex parte nature of this proceeding hide the details Yahoo would have needed to make a robust Fourth Amendment argument, as well as evidence that the government was not being entirely forthcoming to FISC (which would have bolstered Yahoo’s separation of powers claim), it also hid what may be specifically pertinent details behind the government’s last minute changed certifications.

In theory, this shouldn’t happen with the USA Freedom Advocate, because the bill specifically requires the Advocate have access to certifications necessary for her to complete her duties.

(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—

[snip]

(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;

By comparison, the government was challenging Yahoo’s legal standing to take this challenge in the first place.

But I find the apparent basis for withholding information from Yahoo to be relevant. This memorandum, at least, was originally classified Top Secret/ORCON (Originator Controlled); the redacted memorandum given to Yahoo was classified Secret. That means that the changes arose, at least in part, from the ability of the originator (which may be DOJ’s National Security Division, given that Mark Bradley conducted the declassification review) to determine who gets the document. As I noted, there are two bases in USAF that would permit the government to withhold information, classification and privilege. Withholding information under an ORCON claim likely stems from both (though I am checking this).

So while the government should not be able to treat the advocate the same way they treated Yahoo (which, after all, FISC treated as a Congressionally sanctioned challenger to the orders, just as it would the advocate), they seem to have the prerogative to. (Update: I should add that Walton permitted the government to do all the ex parte briefing here under FISA’s ex parte briefing language; given that USAF doesn’t change that for any of the authorities in question, we should assume this precedent will apply to the advocate.)

To be clear, the USAF advocate is not one of the things that I believe sets back a slow reform process (as, for example, I believe the “transparency” provisions and some weakened minimization procedures do). I think it most likely that the advocate will evolve the way PCLOB has, which was first authorized in 2004, thwarted by Executive obstruction (on precisely these kinds of issues), reauthorized as a more effective body in 2007, then slow-walked again — partly by President Obama, though partly by Congress — for another 6 years. That is, if the advocate is at least as self-respecting as Lanny Davis (!), she will quit if the Executive ignores the intent of Congress that she have access to the materials she needs to do her job, exposing the inefficacy of the existing system. All that, of course, assumes she will cop onto what has been withheld. Clearly, Yahoo got a sense of it during this process, though FISC and FISCR seem to have realized only some of the other stuff withheld from them.

That is, judging by the PCLOB example, if all goes well and if USAF were to pass this year, we might have a fully functional advocate by 2023!

The Yahoo materials released show that the government withheld pertinent information from Yahoo, FISC, and FISCR until forced to provide it, and they never provided any of them with all the information they should have.

That it retains the ability to do so under USAF doesn’t bode well for the advocate. But that’s really just a subset to a larger issue that, even when authorized by Congress to provide oversight of this executive spying, the government has consistently, for years, been less than fully cooperative with FISC’s authority to do so.

As I’ve said, the surest way to reform surveillance is to eliminate the FISA Court.

Read more

Hospital Hero Jack Goldsmith, the Destroyer of the Internet Dragnet, Authorized the Internet Dragnet

/22 Comments/in , /by

As I noted earlier, I think the re-release of Jack Goldsmith’s May 6, 2004 OLC memo authorizing Stellar Wind is meant to warn Congress that the Executive does not believe it needs any Congressional authorization to spy on every American — just in time for the USA Freedom Act debate in the Senate. This is exactly parallel to similar provocations during the Protect America Act debate. In the past, such provocations led Congress to capitulate to Executive branch demands to tailor the program to their wishes.

That earlier post, however, implied that this warning pertains primarily to the phone dragnet.

It doesn’t. The warning also applies to the Internet dragnet (and I suspect that stories about the heroic hospital heroes shutting down the Internet dragnet have been dramatically overblown).

One of the very few things — aside from the name STELLAR WIND, over and over, as well as references to content collection that could have been released after President Bush admitted to that part of the program in 2005, and the title Secretary of Defense — that has been newly revealed is this bit of the Table of Contents (here’s the previous release for comparison).

Screen Shot 2014-09-06 at 1.05.11 PM

 

It shows that the memo discusses content, discusses telephony metadata, discusses something else, then concludes that content and metadata are both kosher under the Fourth Amendment. That already makes it clear that part IV is about metadata. The last sentence of the first full paragraph on page 19 does, too. Page 7 makes it clear that Fourth Amendment analysis applies to “both telephony and e-mail.” Much later in the memo, it becomes clear this section — pages 96 to 100 — deals with Internet metadata.

In fact, the only substantive newly unredacted parts of the memo appear on 101 (PDF 69) and then from 106 to 108.

All of this new information makes it clear that Goldsmith asserted that Smith v. Maryland applied for metadata — and applied to both phone and Internet metadata. Remarkably, in that analysis, the government keeps at least one paragraph addressing phone metadata hidden, but reveals the analysis at 106-7 (PDF 74-75) that applies to Internet. (Goldsmith’s claim that Internet users can get providers to turn off spam, at the bottom of 107, is particularly nice.)

In perhaps the most interesting newly released passage (out of the roughly 5 pages that got newly released!), Goldsmith absolves himself of examining what procedures the government was using in its “metadata” collection.

As for meta data collection, as explained below, we conclude that under the Supreme Court’s decision in Smith v. Maryland, 442 U.S. 735 (1979), the interception of the routing information for both telephone calls and e-mails does not implicate any Fourth Amendment interests.85

85 Although this memorandum evaluates the STELLAR WIND program under the Fourth Amendment, we do not here analyze the specific procedures followed by the NSA in implementing the program.  (101/PDF 69)

I find this utterly damning, given that we know that, for the following 5 years, the government would lie to FISC about whether their “metadata” contained content. Even the OLC opinion built in the Executive’s ability to collect content in the guise of metadata!

In any case, what is clear — again, just in time to impact the debate over USA Freedom, for which prospective call record collection might or might not be limited to telephone content — is that rather than legally shutting down the Internet dragnet in 2004, Jack Goldsmith authorized it.

And that authorization remains in place, telling the Executive it can collect Internet (and phone) “metadata” whether or not FISC or Congress rubberstamps it doing so. Not only that, but telling the Executive this analysis holds regardless of how inadequate their procedures are in implementing this program to ensure that no content gets swept up in the guise of metadata (which of course is precisely what occurred).

So the Administration, in releasing this “newly unredacted” memo did one thing. Tell Congress it will continue to collect phone and Internet “metadata” on its own terms, regardless of what Congress does.

Only one thing could alter this analysis of course: if the Courts decide that Smith v. Maryland doesn’t actually permit the government to collect all metadata, plus some content-as-metadata, in the country, if they say the Executive can’t actually collect “everything there is to know about everybody and have it all in one big government cloud,” as 2nd Circuit Judge Gerard Lynch described the implications of what we now know to be Goldsmith’s logic on Tuesday. But the courts are going to stop analyzing this question as soon as Congress passes USA Freedom Act. Moreover, the last check on the program — the unwillingness of providers to break the law — will be removed by the broad immunity provision included in the bill.

Not only didn’t Jack Goldsmith heroically legally shut down the Internet dragnet in 2004 (clearly President Bush did make several modifications; we just still don’t know what those are). But he provided a tool that is likely proving remarkably valuable as the Executive gets Congress and privacy NGOs to finish signing off on their broad authority.

The hospital heroes may have temporarily halted the conduct of the Internet dragnet — even while telling Colleen Kollar-Kotelly she had to rubber stamp ignoring the letter of the law because Congress couldn’t know about the dragnet — but they didn’t shut it down. Here it is, legally still operating, just in time to use as a cudgel with Congress.

Update: One other thing other reporting on this is missing — and not for the first time — is that whatever change they made to the Internet dragnet, it was by no means the only change after the hospital confrontation. They also took Iraqi targeting out (in some way). And there was a later April 2 modification that appears to have nothing to do with NSA at all (I have my theories about this, but they’re still theories). So it is too simple to say the hospital confrontation was exclusively about the Internet dragnet — the public record already makes clear that’s not the case.

NSA’s Lawyers Missed “Virtually Every Record” over 25 Reviews

/5 Comments/in /by

As I’ve written before, the Internet dragnet did not get through the its first 90 day Primary Order before it violated the rules laid out by the FISA Court. In an effort to convince Judge Kollar-Kotelly they could conduct the dragnet according to her orders, NSA’s Office of General Counsel agreed to do spot checks of the data twice every 90-day authorization. That requirement stayed in place for the rest of the dragnet.

Which means between 2004 and 2009, OGC should have conducted over 25 spot checks of the data NSA obtained under the program.

And yet, in that entire time, OGC somehow never noticed that “virtually every record” NSA was taking in included data that it was not authorized to collect.

That’s one of the two crazy things about the Internet dragnet that this month’s document dump made clear. I explain them in this piece at The Week. The other is that, in an end-to-end report conducted from roughly March through September of 2009, NSA also didn’t find that virtually every record they had collected had broken the law.

Exhibit A is a comprehensive end-to-end report that the NSA conducted in late summer or early fall of 2009, which focused on the work the agency did in metadata collection and analysis to try and identify people emailing terrorist suspects.

The report described a number of violations that the NSA had cleaned up since the beginning of that year — including using automatic alerts that had not been authorized and giving the FBI and CIA direct access to a database of query results. It concluded the internet dragnet was in pretty good shape. “NSA has taken significant steps designed to eliminate the possibility of any future compliance issues,” the last line of the report read, “and to ensure that mechanisms are in place to detect and respond quickly if any were to occur.”

But just weeks later, the Department of Justice informed the FISA Court, which oversees the NSA program, that the NSA had been collecting impermissible categories of data — potentially including content — for all five years of the program’s existence.

[snip]

Judge John Bates, then head of FISC, emphasized that the NSA had missed the unauthorized data in its comprehensive report. He noted “the extraordinary fact that NSA’s end-to-end review overlooked unauthorized acquisitions that were documented in virtually every record of what was acquired.” Bates went on, “[I]t must be added that those responsible for conducting oversight at NSA failed to do so effectively.”

Nevertheless, Bates went on to vastly expand the program.

No wonder James Clapper’s office made those documents so hard to read. There is no way to read them and believe the NSA can be trusted to stay within the law.

How Abu Zubaydah’s Torture Put CIA and FBI in NSA’s Databases

/3 Comments/in , /by

I said yesterday that the plan, going as far back as 2002, was to let CIA and FBI tap right into NSA’s data. I base that on this explanation from Keith Alexander, which he included in his declaration accompanying the End to End Report that was submitted sometime after October 30, 2009.

By the fall of 2002, the Intelligence Community had grown increasingly concerned about the potential for further attacks on the United States. For example, during 10 to 24 September 2002, the Government raised the homeland security threat condition to “orange,” indicating a high likelihood of attack. In this context, in October 2002 the Directors of NSA, CIA, and FBI established an Inter-Agency Review Group to examine information sharing [redacted] The group’s top recommendation was that NSA create a common target knowledge database to allow joint research and information exchanges [redacted].

Of course, we now know that the threat level was high in September 2002 because the government was chasing down a bunch of false leads from Abu Zubaydah’s torture.

Abu Zubaida’s revelations triggered a series of alerts and sent hundreds of CIA and FBI investigators scurrying in pursuit of phantoms. The interrogations led directly to the arrest of Jose Padilla, the man Abu Zubaida identified as heading an effort to explode a radiological “dirty bomb” in an American city. Padilla was held in a naval brig for 3 1/2 years on the allegation but was never charged in any such plot. Every other lead ultimately dissolved into smoke and shadow, according to high-ranking former U.S. officials with access to classified reports.

“We spent millions of dollars chasing false alarms,” one former intelligence official said.

In other words, the justification for creating a database where CIA and FBI could directly access much of NSA’s data was a mirage, one created by CIA’s own torture.

All that’s separate from the question of whether CIA and FBI should have access directly to NSA’s data. Perhaps it makes us more responsive. Perhaps it perpetuates this process of chasing ghosts. That’s a debate we should have based on actual results, not the tortured false confessions of a decade past.

But it’s a testament to two things: the way in which torture created the illusion of danger, and the degree to which torture — and threat claims based on it — have secretly served as the basis the Executive uses to demand the FISA Court permit it to extend the dragnet.

Even the current CIA Director has admitted this to be true — though without explicitly laying out the import of it. Isn’t it time we start acknowledging this — and reassessing the civil liberties damage done because of it — rather than keeping it hidden under redactions?

The Hospital Confrontation Heroes of Rule of Law Gutted Separation of Powers

/8 Comments/in , /by

Remember that cinematic story of how Jim Comey and Jack Goldsmith and Robert Mueller stood up to Bush and Cheney and forced them to shut down their illegal dragnet to defend the rule of law in 2004?

It turns out, what Comey and Goldsmith did in secret two months later was not so heroic. As I lay out over at Salon, the memo of law they used to get their illegal dragnet blessed by the FISA court argued both Judge Colleen Kollar-Kotelly and the Congress that passed the PRTT law in the first place had no choice but to cede to Executive power.

Essentially, they argued both she — an Article III judge — and Congress must have their power gutted to protect the president’s power.

[snip]

The same heroes of the hospital confrontation, lionized for the last decade for their courageous defense of the rule of law, thereby gutted the separation of powers, in secret. All to serve still more secrecy … and the power of the presidency they purportedly reined in two months earlier.

They may have won Bush — and themselves, who otherwise would have signed off on an illegal program — legal cover by doing so. But in the process they corroded the balance of powers enshrined by the Constitution, turning the FISC into a place where expansive executive branch programs get rubber-stamped in secret.

Here’s how they justified not getting Congress to write a new law to authorize the spying they themselves refused to approve.

The memo’s focus on Congress — at least what appears in unredacted form — is much more circumspect, but perhaps even more disturbing.

DOJ pointed to language showing Congress intended pen registers to apply to the Internet; they pointed to the absence of language prohibiting a pen register from being used to collect data from more than a single user, as if that’s the same as collecting from masses of people and as if that proved congressional intent to wiretap everyone.

And then they dismissed any potential constitutional conflict involved in such broad rereadings of statutes passed by Congress. “In almost all cases of potential constitutional conflict, if a statute is construed to restrict the executive, the executive has the option of seeking additional clarifying legislation from Congress,” the heroes of the hospital confrontation admitted. The White House had, in fact, consulted Majority Leader Tom DeLay about doing just that, but he warned it would be too difficult to get new legislation. So two months later, DOJ argued Congress’ prerogative as an independent branch of government would just have to give way to secrecy. “In this case, by contrast, the Government cannot pursue that route because seeking legislation would inevitably compromise the secrecy of the collection program the Government wishes to undertake.”

You remember that part of the Constitution where it says Congress passes the laws, unless the Executive Branch wants the laws to be secret, in which case they can do it?

Nope, neither do I.