Posts

NSA’s Lawyers Missed “Virtually Every Record” over 25 Reviews

As I’ve written before, the Internet dragnet did not get through the its first 90 day Primary Order before it violated the rules laid out by the FISA Court. In an effort to convince Judge Kollar-Kotelly they could conduct the dragnet according to her orders, NSA’s Office of General Counsel agreed to do spot checks of the data twice every 90-day authorization. That requirement stayed in place for the rest of the dragnet.

Which means between 2004 and 2009, OGC should have conducted over 25 spot checks of the data NSA obtained under the program.

And yet, in that entire time, OGC somehow never noticed that “virtually every record” NSA was taking in included data that it was not authorized to collect.

That’s one of the two crazy things about the Internet dragnet that this month’s document dump made clear. I explain them in this piece at The Week. The other is that, in an end-to-end report conducted from roughly March through September of 2009, NSA also didn’t find that virtually every record they had collected had broken the law.

Exhibit A is a comprehensive end-to-end report that the NSA conducted in late summer or early fall of 2009, which focused on the work the agency did in metadata collection and analysis to try and identify people emailing terrorist suspects.

The report described a number of violations that the NSA had cleaned up since the beginning of that year — including using automatic alerts that had not been authorized and giving the FBI and CIA direct access to a database of query results. It concluded the internet dragnet was in pretty good shape. “NSA has taken significant steps designed to eliminate the possibility of any future compliance issues,” the last line of the report read, “and to ensure that mechanisms are in place to detect and respond quickly if any were to occur.”

But just weeks later, the Department of Justice informed the FISA Court, which oversees the NSA program, that the NSA had been collecting impermissible categories of data — potentially including content — for all five years of the program’s existence.

[snip]

Judge John Bates, then head of FISC, emphasized that the NSA had missed the unauthorized data in its comprehensive report. He noted “the extraordinary fact that NSA’s end-to-end review overlooked unauthorized acquisitions that were documented in virtually every record of what was acquired.” Bates went on, “[I]t must be added that those responsible for conducting oversight at NSA failed to do so effectively.”

Nevertheless, Bates went on to vastly expand the program.

No wonder James Clapper’s office made those documents so hard to read. There is no way to read them and believe the NSA can be trusted to stay within the law.

How Abu Zubaydah’s Torture Put CIA and FBI in NSA’s Databases

I said yesterday that the plan, going as far back as 2002, was to let CIA and FBI tap right into NSA’s data. I base that on this explanation from Keith Alexander, which he included in his declaration accompanying the End to End Report that was submitted sometime after October 30, 2009.

By the fall of 2002, the Intelligence Community had grown increasingly concerned about the potential for further attacks on the United States. For example, during 10 to 24 September 2002, the Government raised the homeland security threat condition to “orange,” indicating a high likelihood of attack. In this context, in October 2002 the Directors of NSA, CIA, and FBI established an Inter-Agency Review Group to examine information sharing [redacted] The group’s top recommendation was that NSA create a common target knowledge database to allow joint research and information exchanges [redacted].

Of course, we now know that the threat level was high in September 2002 because the government was chasing down a bunch of false leads from Abu Zubaydah’s torture.

Abu Zubaida’s revelations triggered a series of alerts and sent hundreds of CIA and FBI investigators scurrying in pursuit of phantoms. The interrogations led directly to the arrest of Jose Padilla, the man Abu Zubaida identified as heading an effort to explode a radiological “dirty bomb” in an American city. Padilla was held in a naval brig for 3 1/2 years on the allegation but was never charged in any such plot. Every other lead ultimately dissolved into smoke and shadow, according to high-ranking former U.S. officials with access to classified reports.

“We spent millions of dollars chasing false alarms,” one former intelligence official said.

In other words, the justification for creating a database where CIA and FBI could directly access much of NSA’s data was a mirage, one created by CIA’s own torture.

All that’s separate from the question of whether CIA and FBI should have access directly to NSA’s data. Perhaps it makes us more responsive. Perhaps it perpetuates this process of chasing ghosts. That’s a debate we should have based on actual results, not the tortured false confessions of a decade past.

But it’s a testament to two things: the way in which torture created the illusion of danger, and the degree to which torture — and threat claims based on it — have secretly served as the basis the Executive uses to demand the FISA Court permit it to extend the dragnet.

Even the current CIA Director has admitted this to be true — though without explicitly laying out the import of it. Isn’t it time we start acknowledging this — and reassessing the civil liberties damage done because of it — rather than keeping it hidden under redactions?

The Hospital Confrontation Heroes of Rule of Law Gutted Separation of Powers

Remember that cinematic story of how Jim Comey and Jack Goldsmith and Robert Mueller stood up to Bush and Cheney and forced them to shut down their illegal dragnet to defend the rule of law in 2004?

It turns out, what Comey and Goldsmith did in secret two months later was not so heroic. As I lay out over at Salon, the memo of law they used to get their illegal dragnet blessed by the FISA court argued both Judge Colleen Kollar-Kotelly and the Congress that passed the PRTT law in the first place had no choice but to cede to Executive power.

Essentially, they argued both she — an Article III judge — and Congress must have their power gutted to protect the president’s power.

[snip]

The same heroes of the hospital confrontation, lionized for the last decade for their courageous defense of the rule of law, thereby gutted the separation of powers, in secret. All to serve still more secrecy … and the power of the presidency they purportedly reined in two months earlier.

They may have won Bush — and themselves, who otherwise would have signed off on an illegal program — legal cover by doing so. But in the process they corroded the balance of powers enshrined by the Constitution, turning the FISC into a place where expansive executive branch programs get rubber-stamped in secret.

Here’s how they justified not getting Congress to write a new law to authorize the spying they themselves refused to approve.

The memo’s focus on Congress — at least what appears in unredacted form — is much more circumspect, but perhaps even more disturbing.

DOJ pointed to language showing Congress intended pen registers to apply to the Internet; they pointed to the absence of language prohibiting a pen register from being used to collect data from more than a single user, as if that’s the same as collecting from masses of people and as if that proved congressional intent to wiretap everyone.

And then they dismissed any potential constitutional conflict involved in such broad rereadings of statutes passed by Congress. “In almost all cases of potential constitutional conflict, if a statute is construed to restrict the executive, the executive has the option of seeking additional clarifying legislation from Congress,” the heroes of the hospital confrontation admitted. The White House had, in fact, consulted Majority Leader Tom DeLay about doing just that, but he warned it would be too difficult to get new legislation. So two months later, DOJ argued Congress’ prerogative as an independent branch of government would just have to give way to secrecy. “In this case, by contrast, the Government cannot pursue that route because seeking legislation would inevitably compromise the secrecy of the collection program the Government wishes to undertake.”

You remember that part of the Constitution where it says Congress passes the laws, unless the Executive Branch wants the laws to be secret, in which case they can do it?

Nope, neither do I.

Ashcroft, Comey, Goldsmith, and Baker: “All” Is the “Best” Reading of “Relevant”

Four MusketeersTowards the end of the Memorandum of Law in support of the Internet dragnet — which was signed by those guys ———-> — DOJ makes a claim that its reading of “relevant” to mean “almost all” was the best possible reading.

Here, by contrast, reading the term “relevant” to permit the collection of this critical information during wartime is a construction rooted in the text that requires no stretching of the ordinary meaning of the terms of the statute at all. In fact, for all the reasons outlined above, interpreting section 402 to authorize the collection the Government has requested in the best reading of the plain terms of the Act.

This is why you should not have secret courts.

I get making an aggressive push to authorize dragnet surveillance.

I get mining old and foreign dictionaries to come up with a definition that suits your needs.

But after you’ve made your best ditch effort to stretch the meaning of words, secretly, beyond all recognition, don’t then, secretly, pat yourself on the back pretending that wasn’t the game you just pulled.

But hey. Who’s the chump? After all, we now know that Misters Ashcroft, Comey, Goldsmith, and Baker pulled this off.

Yet no one is making any effort to put the English language back on some kind of sane footing. Nothing in any of the “reform” efforts before Congress attempts to put sanity back into the word “relevant.”

Working Thread, Internet Dragnet Dump 2: 2004 Documents

This will be a closer working thread on documents released yesterday.

X: Initial Dragnet Application (prior to July 14, 2004)

(2) From the start, the government said they wanted to disseminate the dragnet info, perhaps to tag into FBI’s investigative authorities.

(2) The footnote defining metadata hides all the stuff not associated with “standard e-mails.”

(4) The application discusses the briefing I discussed here, attended by (among others) John Brennan.

(5) The application is not submitted by a lawyer, but by Michael Hayden.

(6) The government hasn’t released a Tenet submission; back in November it hid that this submission was from him.

(16) ODNI maintains that the fictional example of metadata is classified.

(18) Originally access was restricted by making the metadata accessible only by 2 admin login accounts. That’s probably a carry-over from the compartments of the illegal program.

(20) RAS approval assigned to the same 7 authorizers that were in place for the beginning of the phone dragnet in 2006.

(21) They’re hiding at least one kind of Internet metadata.

(23) Metadata originally accessible for only 18 months. Is that what they used for the illegal dragnet?

Y. Memo of Law in Support of Original Dragnet Application, before July 14, 2004

(4) The government claims that only email metadata related to terrorism will be seen. By definition, that means anything returned in a query would be related to counterterrorism and therefore game for dissemination.

(4) This is the jist of the illegal use of PRTT for the dragnet:

Nevertheless, it involves nothing more than adapting the traditional tools of FISA to meet an unprecedented challenge and does so in a way that promotes both of the twin goals of FISA: facilitating the foreign-intelligence collection needed to protect American lives while at the same time providing judicial oversight to safeguard American freedoms.

This claim is followed by a 5-page redaction, which is mighty interesting as it would have to explain why this judicial review was so useful.

(9) Footnote 5 again makes it clear that this involves email and other online communications.

(12) This language is remarkable for a secret court document.

Collecting and archiving meta data is thus the best avenue for solving this fundamental problem: although investigators do know know exactly where the terrorists’ communications are hiding in the billions of bits of data flowing through the United States today, we do know that they are there, and if we archive the data now, we will be able to use it in a targeted way to find the terrorists tomorrow.

(20) This language is particularly important given debates about USA Freedom.

Nothing in the definitions of pen registers or trap and trace devices requires that the “instrument” or “facility” on which the device is placed carry the communications solely of a single user.

(20) This section really tries to constrain the Court.

Unlike certain other certifications made in other contexts under the statute, see, e.g., U.S.C. § 1805(a)(5), FISA does not subject the certification of relevance to any review by the Court.

Read more

James Clapper Thinks Fictitious Email Metadata Is Properly Classified

If you didn’t already need proof that the FISA Court needs to consult technical advisors before they permit the government to collect all of Americans’ metadata, consider this lesson DOJ offered as part of its initial application for the Internet dragnet (see page 16).

Fictional Metadata

 

Of course, you’re prohibited from seeing the better part of that lesson — the fictional example of metadata they offered — because James Clapper has deemed it classified.

Funny. Eric Holder recently claimed in a Congressional hearing that if something’s not true it’s not classified. I guess the fictions they tell FISC judges are another matter.

Internet Dragnet Timeline

This timeline provides known dates for the PRTT Internet dragnet, important related dates in the phone dragnet, upstream 702 collection, and SPCMA (overseas Internet dragnet). In addition, it provides links to the documents in this release; see this post for the listing of documents.

May 6, 2004: Jack Goldsmith opinion authorizes phone dragnet but not Internet dragnet.

Before July 14, 2004: Government applies for Internet dragnet. X. Application for Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes, Y. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes, Z. Declaration of General Michael V. Hayden, U.S Air Force, Director, NSA, in Support of Pen Register/Trap and Trace Application

July 14, 2004: Colleen Kollar-Kotelly approves Internet dragnet, specifies categories of metadata (Document A in 8/12 dump).

Before October 12, 2004: the government provides notice it exceeded scope included in first order, in follow-up declarations attributes overcollection to poor management (response probably includes Paul Wolfowitz, Michael Hayden, and Joel Brenner)

Around October 12, 2004: Government reapplies without some collection, promises monthly spot checks.

April 27, 2005: In briefing leading up to PATRIOT reauthorization, Alberto Gonzales makes no mention of PRTT Internet dragnet.

November 17, 2007: Executive begins (internal) approval process for contact chaining on already-collected data which will become SPCMA.

Read more

USA Freedumber Reverses John Bates’ Attempts at Oversight

I’ve written about this here and here, but I’m going to make one more effort at explaining why I believe HR 3361 (AKA USA Freedumber Act) will undo the paltry efforts John Bates made to rein in the NSA.

My argument is that with section 202 of HR 3361, the government is creating something new — Attorney General created “privacy procedures” — that serve to dramatically alter the concept of minimization procedures and in doing so undermining the authority of the FISA Court to limit illegal activities.

The government and NSA’s boosters have long argued that minimization procedures — limits on the collection, retention, and dissemination of US person data — play an affirmative role in protecting US person privacy even while the government “collects it all.” Significantly, they point the the FISA Court’s role in reviewing minimization procedures as a key part of oversight of these massive dragnets.

But they’ve always played a funny game with minimization procedures on the legally most problematic part of their dragnet, the Internet dragnet. And a last minute change to HR 3361 seems to codify that funny game.

Unlike the FISA authorization for content in motion, stored communication, and business record collection, the Pen Register/Trap and Trace provision (50 USC 1842) they used to collect Internet metadata collection includes no provision for minimization procedures. The original USA Freedom Act and the compromise bill added minimization procedures and gave FISC judges the authority to review compliance with them. But at the last minute, the intelligence community replaced that provision with “Privacy Procedures” over which only the Attorney General has sole authority.

SEC. 202. PRIVACY PROCEDURES.

(a) IN GENERAL.—Section 402 (50 U.S.C. 1842) is amended by adding at the end the following new sub-section:

‘(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include protections for the collection, retention, and use of information concerning United States persons.

Given the history of the PR/TT program, I believe this may (and may be designed to) permit the ongoing acquisition of illegal content.

DOJ argues FISC may only rubber stamp

Before we look at the history of minimization procedures under the FISC-authorized Internet dragnet, understand that even as the government asked the FISC to rubber stamp one of the only parts of the illegal wiretapping program DOJ saw fit to shut down, it also argued that FISC’s authority to do was very limited.

In Colleen Kollar-Kotelly’s July 2004 opinion, she made clear the government believed she could only review the presence of language in the application, not whether it complied with the law, including the “relevance” provision.

In the Government’s view, the Court’s exclusive function regarding this certification would be to verify that it contains the words required by § 1842(c)(2); the basis for a properly worded certification would be of no judicial concern. See Memorandum of Law and Fact at 28-34.

The Court has reviewed the Government’s arguments and authorities and does not find them persuasive.19

19 For example, the Government cites legislative history that “Congress intended to ‘authorize[] FISA judges to issue a pen register or trap and trace upon a certification that the information sought is relevant to'” an FBI investigation. Memorandum of Law and Fact at 30 (quoting S. Rep. No. 105-185, at 27 (1998). However, authorizing the Court to issue an order when a certification is made, and requiring it to do so without resolving doubts about the correctness of the certification are quite different. (26-27)

Six years later, the government was still arguing the FISC could only serve as a rubber stamp. John Bates’ 2010 opinion again had to deal with such a claim.

The Government again argues that the Court should conduct no substantive review of the certification of relevance. See Memorandum of Law at 29. This opinion follows Judge Kollar-Kotelly’s [redacted] Opinion in assuming, without conclusively deciding, that substantive review is warranted. (73 fn 58)

The government’s review that the FISC is no more than a rubber stamp is particularly interesting given the discussion over minimization procedures.

The government invites rubber stamp judges to modify minimization procedures 

Even in spite of DOJ’s view that the FISC should be no more than a rubber stamp on PRTT applications, they nevertheless invited the judges to review and modify minimization procedures submitted in light of the extent of the collection being approved.

Read more

January 8, 2010: A Remarkably Busy Day in Telecom Law

I Con the Record has just released a bunch of new documents, showing how (according to Ellen Nakashima) Sprint challenged a dragnet order, and in response got to see the FISA Court opinions authorizing the program. (Well, not really the telecom opinion; rather they mostly authorize the PRTT program.)

The official story goes like this:

In early 2009, Sprint received an order saying that all customer call records had to be turned over to the government, current and former officials said. Over the summer and fall, the company’s executives met several times with Justice Department officials to understand how Section 215, which compelled companies to turn over records relevant to investigations, could be used to mandate the transfer of all call records.

Dissatisfied with their answers, Sussmann, the Sprint attorney, wrote a detailed petition to challenge the order. In late 2009, shortly before the petition was to be filed, Robert S. Litt, the top intelligence official for the U.S. intelligence community, pressed officials to provide the legal rationale to the company, according to a former administration official.

Intelligence officials then furnished several court rulings, in particular, a 2004 opinion written by Colleen Kollar-Kotelly, then chief judge of the surveillance court, according to the documents released Wednesday. While the opinion related to the collection of e-mail addressing information, the legal rationale was identical.

But there are a few more details I find exceedingly interesting.

First, here’s what the government declassified in response to Sprint’s challenge:

  • Colleen Kollar-Kotelly’s July 24 [14], 2004 opinion (the government is only now admitting the date)
  • Response to Orders for Additional Briefing (it’s unclear whether this is PRTT or phone dragnet, but given the order, I’m guessing PRTT)
  • Opinion (again, it’s unclear whether this is PRTT or phone dragnet)
  • The original application for the dragnet, including all exhibits, and the original dragnet order (note, we’ve not seen all the exhibits)
  • The application, including all exhibits, the Primary Order, and Reggie Walton’s supplemental order finding the phone dragnet did not violate ECPA

That is, not only the opinions authorizing the “relevant to” bullshit used to justify the program, but also the opinion stating that the dragnet did not violate ECPA.

And here’s the other thing I find so interesting. The motion to unseal the records is dated January 7, 2010. The motion for more time, the order granting it, and the order approving the unsealing of the records were all dated January 8, 2010.

January 8, 2010, January 8, 2010, January 8, 2010.

On January 8, 2010, DOJ’s OLC issued an order finding that ECPA permitted telecoms to hand over toll records to the government voluntarily for certain kinds of investigations. OLC wrote that opinion because DOJ Inspector General Glenn Fine had been investigating National Security Letters (and, oh by the way, Section 215) for years, and found big problems, at least, with the paperwork FBI handed 3 telecoms who were living onsite at FBI. We found out about the order almost immediately, when Fine issued his report later that month.

I’ve long suspected that Reggie Walton only considered the ECPA question both because of Fine’s ongoing NSL investigation but, probably, also because of whatever conclusions Fine drew in his examination of the illegal wiretap program (I suspect FISC only considered financial records for the same reason, Fine’s 215 investigation in 2010) and potentially his ongoing investigations of Section 215.

And now we know that just as Fine was raising real questions about the legality of the incestuous record-sharing the government and the telecoms had been engaged in for years (one that’s about to start again with the new “reformed” dragnet), Sprint not only demanded the underlying records authorizing the dragnet, but even the supplemental opinion finding the dragnet didn’t violate ECPA.

Here’s what I wrote 4 years ago about that OLC opinion.

  • As I will explain at length later, this OLC opinion may not relate exclusively to the use of exigent letters, not least because Inspector General Glenn Fine appears worried the FBI will use it prospectively, not just to retroactively rationalize abuses from the past.
  • Fine appears to disagree whether the FBI has represented what it was doing with exigent letters honestly in its request for an opinion to the OLC. This is at least the second time they have done so, Fine alleges, in their attempts to justify these practices. In this case, the dispute may pertain to whose phone records they were, what was included among them, and whether they pertained to an ongoing investigation.
  • My guess is that the OLC opinion addresses whether section 2701 of the Stored Communications Act allows electronic communication providers to voluntarily provide data to someone above and beyond the narrow statutory permission to do so in 2702 and 2709 of the Act.
  • Whatever the loophole FBI is exploiting, it appears to be a use that would have no protections for First Amendment activity, no requirement that the data relate to open investigations, and no minimization or reporting requirements. That is, through its acquisition of this OLC opinion, the FBI appears to have opened up a giant, completely unlimited loophole to access phone data that it could use prospectively (though the FBI claims it doesn’t intend to). Much of Fine’s language here is an attempt to close this loophole.

In January, EFF lost its bid to obtain that memo in the DC Circuit.

Now, what are the chances that Sprint also didn’t get a looksee at the OLC memo authorizing not just what the FISC had approved, but also the violative Section 215 collection that had been in place until early 2009?

What are the chances that that OLC opinion, dated January 8, 2010 and pertaining to ECPA, is unrelated to the decision to declassify the FISC opinion assessing whether the phone dragnet violated ECPA?

The Torture Apologists Raise Brennan’s Torture-Derived Scary Memos

Some time in mid-2004, 8 high ranking National Security officials gave then presiding FISA Court Judge Colleen Kollar-Kotelly a briefing. Their goal was to convince her the then halted and now-discontinued Internet dragnet program was so important, and the terrorist threat against the US so great, she should write a shoddy legal opinion authorizing NSA to restart the program under the authority of the FISA Pen Register statute.

As part of the briefing, they replicated a process they had used for Bush’s illegal wiretap program: to have CIA’s analytical people write what they called a “scary memo” explaining why al Qaeda was so dangerous we had to continue that dragnet.

After the terrorism analysts completed their portion of the memoranda, the DCI Chief of Staff added a paragraph at the end of the memoranda stating that the individuals and organizations involved in global terrorism (and discussed in the memoranda) possessed the capability and intention to’ undertake further terrorist attacks within the United States. The DCI Chief of Staff recalled that the paragraph was provided to him initially by a senior White House official. The paragraph included the DCI’s recommendation to the President that he authorize the NSA to conduct surveillance activities under the PSP. CIA Office of General Counsel (OGC) attorneys reviewed the draft threat assessment memoranda to determine whether they contained sufficient threat information and a compelling case for reauthorization of the PSP. [my emphasis]

As head of the Terrorist Threat Integration Center (and later as head of the nascent National Counterterrorism Center), John Brennan oversaw that “scary memo.”

Last year, John Brennan admitted that he used information derived from the torture program (he calls it the detention and interrogation  program) for those “scary memos.”

Burr: I’m still not clear on whether you think the information from CIA interrogations saved lives.  Have you ever made a representation to a court, including the FISA court, about the type and importance of information learned from detainees including detainees in the CIA detention and interrogation program?

Brennan: Ahm, first of all, in the first part of your question, as to you’re not sure whether I believe that there has been information … I don’t know myself.

Burr: I said I wasn’t clear whether I understood, whether whether I was clear.

Brennan: And I’m not clear at this time either because I read a report that calls into question a lot of the information that I was provided earlier on, my impressions. Um. There, when I was in the government as the head of the national counterterrorism center I know that I had signed out a number of um affirmations related to the uh continuation of certain programs uh based on the analysis and intelligence that was available to analysts. I don’t know exactly what it was at the time, but we can take a look at that.

Burr: But the committee can assume that you had faith if you made that claim to a court or including the FISA court, you had faith in the documents in the information that was supplied to you to make that declaration.

Brennan: Absolutely. At the time if I had made any such affirmation, i would have had faith that the information I was provided was an accurate representation. [my emphasis]

We can imagine the kind of things Brennan might have used in his “scary memos” and that briefing to Kollar-Kotelly, on which the entire FISC-authorized dragnet .

Hassan Ghul — whom CIA tortured even after he provided critical information about Osama bin Laden’s courier — was already in custody, and given uncertainty about when his torture started, may have provided such information.

Read more