
Nunes Is So Dumb He Missed the Most Likely Way the Trump Campaign Might Have Been Wiretapped

Devin Nunes is so bad at his job overseeing the nation’s intelligence agencies that his memo alleging FISA abuses failed to mention the one way he might have legitimately argued that the Deep State was spying on the Trump campaign.

The memo, released Friday after a week of political drama, purports to show that the process by which the FBI applied for four individualized FISA orders targeting former Trump foreign policy advisor Carter Page, spanning from October 2016 through July 2017, failed to adequately explain to the court that the application included information obtained as part of paid opposition research. On that claim, the memo falls short of making the case. So too does Nunes’ claim that “top officials used unverified information [from the Title I warrants] to fuel a counter-intelligence investigation during an American political campaign,” since Carter Page had been gone from the Trump campaign for a month before he was targeted.

But the memo only deals with the request for traditional “probable cause” FISA orders approved by the FISA Court. The memo even says this surveillance at issue was “not under Title VII,” probably an effort to distinguish this surveillance practice, which Nunes claims is being abused, from collection under FISA’s Section 702, which is even more problematic from a privacy standpoint. Nunes wrote the bill that reauthorized Section 702 two weeks ago, a bill that included no reforms to the practice that allows the government to access the communications of Americans against whom the FBI has no evidence of wrong-doing without a warrant. That is, Nunes wants to make sure you know that only the FISA practice that actually requires probable cause is at issue in his claims of FISA abuse, not the practice that permits warrantless surveillance of Americans that he championed a few weeks ago.

The thing is, Nunes is probably wrong that the surveillance of Carter Page doesn’t involve any of the authorities he recently pushed through. That’s because, along with Section 702, Nunes’ bill extending FISA’s Title VII also reauthorized a section, 705(b), which the government uses to spy on Americans already under surveillance, like Carter Page, during the periods when they travel overseas.

Carter Page traveled to Russia and London in December 2016 and Abu Dhabi in January 2017; he told the House Intelligence Committee he met with a slew of interesting foreigners along the way. It would be malpractice for the government to halt surveillance on someone it suspected of spying for Russia when he went to Russia.

So assuming the NSA kept spying on Page when he was meeting with the Russians they suspected him of conspiring with while he was in Russia, then the government would have switched to 705(b) authority. That permits the NSA to use the different kinds of surveillance tools, more powerful tools like hacking someone’s computer or querying data collected in bulk, that it uses overseas, drawing from more kinds of collection.

The thing is, that kind of individualized overseas surveillance — far more than the domestic individual surveillance at issue in the memo — has been a problem in recent years. Indeed, in the months before the government obtained its first FISA order on Carter Page, the NSA’s Inspector General found that in the 8 years since Congress had passed 705(b), NSA had never set up a system to track surveillance conducted under it. Of particular concern, analysts were conducting surveillance under the authority outside the time frame permitted under the 705(b) order, meaning that analysts might collect data from a period before the 705(b) order, or even before the traditional FISA order underlying it, had been approved. Or, NSA might forget to turn off their hacking sensor in Page’s laptop or smart phone even after he returned to the US. By using overseas spying methods outside the time period when the person was overseas, then, NSA might have gotten what amounts to a time machine, letting the government (perhaps unknowingly) obtain stored communications from the period when Page was still working with the Trump campaign.

The discovery, in early 2016, that NSA hadn’t been following the rules for the kind of spying that would have been used with Page while he was in Russia led to a string of other discoveries, which in turn led to the termination of one kind of NSA spying, called “about” collection. But the process of fixing 705(b) and “about” collection continued well into the period when Page was under FISA surveillance, including the times when he was traveling overseas.

All that said, if the government improperly obtained information from outside the time of Carter Page’s travels overseas, Trump has only Trump to blame. That’s because, even after they did fix the problems with the program in April 2017, the Trump Administration didn’t do what the Obama Administration before it had done on numerous occasions: get rid of any data obtained improperly under such conditions. So while the underlying problems with 705(b) were never fixed under the Obama Administration (which is absolutely something that should be laid at Obama’s feet), Jeff Sessions and Dan Coats would be responsible for any lasting harm from those problems. The Trump Administration’s deviation from past practice in destroying improperly obtained data would be responsible for any harm to Trump.

Ultimately, Nunes’ failure to consider for his politicized memo the one FISA practice most likely to have affected Carter Page identifies the real source of any problems with FISA: a failure of oversight, including from people like Devin Nunes. With the Title VII reauthorization bill he authored, Nunes might have ensured some follow-up to make sure known overseas spying problems were fixed. He might have required the government to make sure it destroyed any data on the Trump campaign it collected while Page was overseas.

Instead, Nunes seems completely unaware that such problems existed.


Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Under Cover of the Nunes Memo, Russian Spooks Sneak Openly into Meetings with Trump’s Administration

On December 17, Vladimir Putin picked up the phone and called Donald Trump.

Ostensibly, the purpose of the call was to thank Trump for intelligence the US provided Russia that helped them thwart a terrorist attack. Here’s what the White House readout described.

President Vladimir V. Putin of Russia called President Donald J. Trump today to thank him for the advanced warning the United States intelligence agencies provided to Russia concerning a major terror plot in Saint Petersburg, Russia. Based on the information the United States provided, Russian authorities were able to capture the terrorists just prior to an attack that could have killed large numbers of people. No Russian lives were lost and the terrorist attackers were caught and are now incarcerated. President Trump appreciated the call and told President Putin that he and the entire United States intelligence community were pleased to have helped save so many lives. President Trump stressed the importance of intelligence cooperation to defeat terrorists wherever they may be. Both leaders agreed that this serves as an example of the positive things that can occur when our countries work together. President Putin extended his thanks and congratulations to Central Intelligence Agency (CIA) Director Mike Pompeo and the CIA. President Trump then called Director Pompeo to congratulate him, his very talented people, and the entire intelligence community on a job well done!

Putin, of course, has a history of trumping up terrorist attacks for political purposes (which is not to say he’s the only one).

In Trump’s Russia, top spooks come to you

That call that Putin initiated serves as important background to an event (or several — the details are still uncertain) that happened earlier this week, as everyone was distracted with Devin Nunes’ theatrics surrounding his memo attacking the Mueller investigation into whether Trump has engaged in a conspiracy with Russia. All three of Russia’s intelligence heads came to DC for a visit.

The visit of the sanctioned head of SVR, Sergey Naryshkin — Russia’s foreign intelligence service — was ostentatiously announced by Russia’s embassy.

SVR is the agency that tried to recruit Carter Page back in 2013, and which has also newly been given credit for the hack of the DNC in some Dutch reporting (and a recent David Sanger article). It’s clear that SVR wanted Americans to know that their sanctioned head had been through town.

As the week went on, WaPo reported that FSB’s Alexander Bortnikov and GRU’s Colonel General Igor Korobov had also been through town (GRU has previously gotten primary credit for the hack and Korobov was also sanctioned in the December 2016 response, and FSB was described as having an assisting role).

Pompeo met with Sergey Naryshkin, the head of Russia’s Foreign Intelligence Service or SVR, and Alexander Bortnikov, who runs the FSB, which is the main successor to the Soviet-era security service the KGB.

The head of Russia’s military intelligence, the GRU, also came to Washington, though it is not clear he met with Pompeo.

A senior U.S. intelligence official based in Moscow was also called back to Washington for the meeting with the CIA chief, said a person familiar with the events, who, like others, spoke on the condition of anonymity to discuss the sensitive meeting.

Treasury defies Congress on Russian sanctions

These visits have been associated with Trump’s decision not to enforce congressionally mandated sanctions, claiming that the threat of sanctions is already working even as Mike Pompeo insists that Russia remains a threat. In lieu of providing a mandated list of Russians who could be sanctioned, Treasury basically released the Forbes list of richest Russians, meaning that the sanction list includes people who’re squarely opposed to Putin. In my opinion, reporting on the Forbes list underplays the contempt of the move. Then, today, Treasury released a memo saying Russia was too systematically important to sanction.

Schumer’s questions and Pompeo’s non-answers

Indeed, Chuck Schumer emphasized sanctions in a letter he sent to Dan Coats, copied to Mike Pompeo, about the Naryshkin visit (the presence of the others was just becoming public).

As you are well aware, Mr. Naryshkin is a Specially Designated National under U.S. sanctions law, which imposes severe financial penalties and prohibits his entry into the U.S. without a waiver. Moreover, the visit of the SVR chief occurred only days before Congress was informed of the president’s decision not to implement sanctions authorized the Countering America’s Adversaries Through Sanctions Act (CAATSA), which was passed with near unanimous, bipartisan support. CAATSA was designed to impose a price on Russian President Vladimir Putin and his cronies for well-documented Russian aggression and interference in the 2016 election. However, the administration took little to no action, even as Russia continues its cyberattacks on the U.S.

Certainly, that seems a fair conclusion to draw — that by emphasizing Naryshkin’s presence, Russia was also boasting that it was immune from Congress’ attempts to sanction it.

But Mike Pompeo, who responded to Schumer, conveniently responded only to Schumer’s public comments, not the letter itself.

I am writing to you in response to your press conference Tuesday where you suggested there was something untoward in officials from Russian intelligence services meeting with their U.S. counterparts. Let me assure you there is not. [my emphasis]

This allowed Pompeo to dodge a range of Schumer’s questions addressing Russia’s attacks on the US.

What specific policy issues and topics were discussed by Mr. Naryshkin and U.S. officials?

    1. Did the U.S. officials who met with Mr. Naryshkin raise Russia’s interference in the 2016 elections?  If not, why was this not raised? If raised, what was his response?
    2. Did the U.S. officials who met with Mr. Naryshkin raise existing and congressionally-mandated U.S. sanctions against Russia discussed? If not, why was this not raised? If raised, what was his response?
    3. Did the U.S. officials who met with Mr. Naryshkin raise ongoing Russian cyber attacks on the U.S. and its allies, including reported efforts to discredit the Federal Bureau of Investigation and law enforcement investigations into Russian interference in the 2016 U.S. elections? If not, why was this not raised? If raised, what was his response?
    4. Did the U.S. officials who met with Mr. Naryshkin make clear that Putin’s interference in the 2018 and 2020 elections would be a hostile act against the United States? If not, why was this not raised? If raised, what was his response?

Instead of providing responses to questions about Russian tampering, Pompeo excused the whole meeting by pointing to counterterrorism: the same purpose, indeed the same attack, that Putin raised in his December phone call.

We periodically meet with our Russian intelligence counterparts — to keep America safe. While Russia remains an adversary, we would put American lives at greater risk if we ignored opportunities to work with the Russian services in the fight against terrorism. We are proud of that counterterror work, including CIA’s role with its Russian counterparts in the recent disruption of a terrorist plot targeting St. Petersburg, Russia — a plot that could have killed Americans.

[snip]

Security cooperation between our intelligence services has occurred under multiple administrations. I am confident that you would support CIA continuing these engagements that are aimed at protecting the American people.

The contempt on sanctions makes it clear this goes beyond counterterrorism

All this together should allay any doubt you might have that this meeting goes beyond counterterrorism, if, indeed, it even has anything to do with counterterrorism.

Just as one possible other topic, in November, WSJ reported that DOJ was working towards charging Russians involved in the hack after the new year.

The Justice Department has identified more than six members of the Russian government involved in hacking the Democratic National Committee’s computers and swiping sensitive information that became public during the 2016 presidential election, according to people familiar with the investigation.

Prosecutors and agents have assembled evidence to charge the Russian officials and could bring a case next year, these people said. Discussions about the case are in the early stages, they said.

If filed, the case would provide the clearest picture yet of the actors behind the DNC intrusion. U.S. intelligence agencies have attributed the attack to Russian intelligence services, but haven’t provided detailed information about how they concluded those services were responsible, or any details about the individuals allegedly involved.

Today, Russia issued a new warning that America is “hunting” Russians all over the world, citing (among others) hacker Roman Seleznev.

“American special services are continuing their de facto hunt for Russians all over the world,” reads the statement published on the ministry’s website on Friday. The Russian diplomats also gave several examples of such arbitrary detentions of Russian citizens that took place in Spain, Latvia, Canada and Greece.

“Sometimes these were actual abductions of our compatriots. This is what happened with Konstantin Yaroshenko, who was kidnapped in Liberia in 2010 and secretly taken to the United States in violation of Liberian and international laws. This also happened in 2014 with Roman Seleznyov, who was literally abducted in the Maldives and forcefully taken to American territory,” the statement reads.

The ministry also warned that after being handed over to the US justice system, Russian citizens often encounter extremely biased attitudes.

“Through various means, including direct threats, they attempt to coerce Russians into pleading guilty, despite the fact that the charges of them are far-fetched. Those who refuse get sentenced to extraordinarily long prison terms.”

And, as I noted earlier, Trey Gowdy — one of the few members of Congress who has seen where Mueller is going with this investigation — cited the import of the counterintelligence case against Russia in a Sunday appearance.

CHRIS WALLACE: Congressman, we’ll get to your concerns about the FBI and the Department of Justice in a moment. But — but let me begin first with this. Do you still trust, after all you’ve heard, do you still trust Special Counsel Robert Mueller to conduct a fair and unbiased investigation?

REP. TREY GOWDY, R-SC, OVERSIGHT COMMITTEE CHAIRMAN: One hundred percent, particularly if he’s given the time, the resources and the independence to do his job. Chris, he didn’t apply for the job. He’s where he is because we have an attorney general who had to recuse himself. So Mueller didn’t raise his hand and say, hey, pick me. We, as a country, asked him to do this.

And, by the way, he’s got two — there are two components to his jurisdiction. There is a criminal component. But there’s also a counterintelligence component that no one ever talks about because it’s not sexy and interesting. But he’s also going to tell us definitively what Russia tried to do in 2016. So the last time you and I were together, I told my Republican colleagues, leave him the hell alone, and that’s still my advice.

Schumer and other Democrats demanding answers about this visit might think about any ways the Russians might be working to undermine Mueller’s investigation or transparency that might come of it.

Three weeks of oversight free covert action

The timing of this visit is particularly concerning for another reason. In the three-week continuing resolution to fund the government passed on January 22, the House Appropriations Chair Rodney Frelinghuysen added language that would allow the Administration to shift money funding intelligence activities around without telling Congress. It allows funds to,

“be obligated and expended notwithstanding section 504(a)(1) of the National Security Act of 1947.”

Section 504(a)(1) is the piece of the law that requires intelligence agencies to spend money on the program the money was appropriated for. “Appropriated funds available to an intelligence agency may be obligated or expended for an intelligence or intelligence-related activity only if those funds were specifically authorized by the Congress for use for such activities; or …”

The “or” refers to the intelligence community’s obligation to inform Congress of any deviation. But without any obligation to spend funds as specifically authorized, there is no obligation to inform Congress if that’s not happening.

Since the only real way to restrain the Executive is to bar it from spending money on certain things, the change allows the Trump Administration to do things it has been specifically prohibited from doing for the three-week period of the continuing resolution.

Senators Burr and Warner tried to change the language before passage on January 22, to no avail.

This year’s Defense Authorization included a whole slew of limits on Executive Branch activity, including mandating a report if the Executive cooperates with Russia on Syria and prohibiting any military cooperation until such time as Russia leaves Ukraine. It’s possible the Trump Administration would claim those appropriations-tied requirements could be ignored during the time of the continuing resolution.

Which just happened to cover the period of the Russian visit.

Our friends are getting nervous

Meanwhile, both before and after the visit, our allies have found ways to raise concerns about sharing intelligence with the US in light of Trump’s coziness with Russia. A key subtext of the stories revealing that Netherlands’ AIVD saw Russian hackers targeting the Democrats via a hacked security camera was that Rick Ledgett’s disclosure of that operation last year had raised concerns about sharing with the US.

President elect Donald Trump categorically refuses to explicitly acknowledge the Russian interference. It would tarnish the gleam of his electoral victory. He has also frequently praised Russia, and president Putin in particular. This is one of the reasons the American intelligence services eagerly leak information: to prove that the Russians did in fact interfere with the elections. And that is why intelligence services have told American media about the amazing access of a ‘western ally’.

This has led to anger in Zoetermeer and The Hague. Some Dutchmen even feel betrayed. It’s absolutely not done to reveal the methods of a friendly intelligence service, especially if you’re benefiting from their intelligence. But no matter how vehemently the heads of the AIVD and MIVD express their displeasure, they don’t feel understood by the Americans. It’s made the AIVD and MIVD a lot more cautious when it comes to sharing intelligence. They’ve become increasingly suspicious since Trump was elected president.

Then, the author of a book on Israel’s assassinations has suggested that the intelligence Trump shared with the Russians goes beyond what got publicly reported, and goes to the heart of Israeli intelligence operations.

DAVIES: So if I understand it, you know of specific information that the U.S. shared with the Russians that has not been revealed publicly and that you are not revealing publicly?

BERGMAN: The nature of the information that President Trump revealed to Foreign Minister Lavrov is of the most secretive nature.

Finally, a piece on the Nunes memo out today suggests the British will be less likely to share intelligence with Trump’s administration after the release of the memo (though this is admittedly based on US congressional claims, not British sources).

Britain’s spy agencies risk having their intelligence methods revealed if Donald Trump releases a controversial memo about the FBI, congressional figures have warned.

The UK will be less likely to share confidential information if the secret memo about the Russian investigation is made public, according to those opposing its release.

Clearly, this meeting goes beyond counterterrorism cooperation. And given the way that both Treasury and CIA have acted contemptuously in the aftermath of the visit, Schumer and others should be far more aggressive in seeking answers about what this visit really entailed.

Update: I’ve added the section on Section 504.


Congress Should Revert to Section 702 as Passed in 2008, If That’s What the Spooks Want!

Congress is passing a continuing resolution with an extension of Section 702 today, giving Congress one month to figure out how it will reauthorize the surveillance program.

But the Intelligence Community is making one more bid to talk Congress into passing some bill today. The same Intelligence Community that has opposed bills that offer even lip service reforms — most notably the House Judiciary Committee bill — insists that anything other than a new authorization will make the country less safe.

Reauthorizing Section 702 before it expires is vital to keeping the nation safe. Let us be clear: if Congress fails to act, vital intelligence collection on international terrorists and other foreign adversaries will be lost. The country will be less secure.

And (again, from an IC that has refused to engage with the HJC bill) the IC wants its reauthorization now, without the short-term extension, because short-term extensions don’t provide certainty.

We also believe it is important that Congress reauthorize Section 702 before it expires on December 31, 2017.  Although the current Section 702 certifications do not expire until April 2018, the Intelligence Community would need to start winding down its Section 702 program well in advance of that date.  Winding down such a valuable program would force agencies to divert resources away from addressing foreign threats. Short-term extensions are not the long-term answer either, as they fail to provide certainty, and will create needless and wasteful operational complications. We urge Congress, therefore, to act quickly to reauthorize Section 702 in a manner that preserves the effectiveness of this critical national security law before it expires.

Where the release gets truly inexcusable, however, is how they flip their demand that this reauthorization codify certain dubious practices and not limit other ones. Congress is not required to make changes, the spooks say, without telling you that even the SSCI bill makes at least one reform, and most of the bills on the floor today make more serious ones. Those are the bills the IC prevented from passing.

To be clear – Congress is not required to make any changes to Section 702. The Intelligence Community conducts and uses 702 collection in a manner that protects the privacy and civil liberties of individuals.

The spooks pretend, as they have before, that the Ninth Circuit approved back door searches, which it didn’t.

Every single court that has reviewed Section 702 and queries of its data has found it to be constitutional.

They then take their emphasis on the word targeting a step further than normal to avoid telling you that their “targeted surveillance” of location-obscuring servers like Tor and VPNs actually collects on US persons, and the “oversight” of that collection allows entirely domestic communications collected via such “targeted” collection to be used in criminal cases.

The Intelligence Community’s use of Section 702, which permits targeted surveillance only of foreign persons located outside the United States, is subject to extensive oversight and incorporates substantial protections to protect the privacy and civil liberties of individuals.

Here, the spooks don’t acknowledge how much has changed between the various passages of these bills.

In short, we believe Congress got it right in 2008 when it passed Section 702 and in 2012 when Congress reauthorized it.

Consider: if the 702 on the table today were 702 as it existed in 2008, Congress would pass it gladly. That’s because no backdoor searches were permitted (though FBI was already doing them), to say nothing of the 2014 exception that permits the collection of US person location-obscured communications. And upstream “about” collection wasn’t affirmatively permitted either.

In other words, if Congress could have Section 702 as it passed in 2008, it’d be a vast improvement from a privacy perspective over the program as it exists right now (and also wouldn’t include a counterproliferation certificate or approval to target cybersecurity targets).

Note, too, the spooks don’t admit that most of Congress didn’t know about backdoor and other kinds of US person searches in 2012.

All that said, even after saying that Congress had it right in 2008, the spooks return to the coded demands that Congress not do a single thing to limit the spying on Americans that has gotten added to the program since 2008.

Nevertheless, the Intelligence Community continues to be open to reasonable reforms to Section 702 to further enhance the already-substantial privacy protections contained in the law, but we simply cannot support legislation that would impede the operational efficacy of this vital authority.

There were many “reasonable reforms to … further enhance the already-substantial privacy protections contained in the law.” Those were the bills the IC refused to let pass, which is why we’re here on one of the last legislative days of the year, punting this legislation for a month.


“Circumventing” Encryption Is Different than “Weakening” or “Altering” It

I’m still catching up to the Questions for the Record that ODNI submitted to the Senate Intelligence Committee after its June hearing on 702. So I’d like to look more closely at something from the QFRs first reported by Zack Whittaker on encryption.

It has to do with a response to a Ron Wyden question about whether 702 provides authority to “circumvent or weaken” encryption.

Whittaker notes what I pointed out here — because of the way 702 works, “the court is never going to review the individual directives which is where the specific technical assistance gets laid out (unless a provider is permitted to challenge those directives).” That’s the headline point of his piece, one I agree with.

The US government does not need the approval of its secret surveillance court to ask a tech company to build an encryption backdoor.

Whittaker also notes that this language falls far short of denying (or confirming) whether it has asked for a back door. Meaning, it’s possible they asked a provider for a back door, and the provider complied without being forced to.

That said, I wanted to point out the limits to this claim from Whittaker.

In its answers, the government said it has “not to date” needed to ask the FISC to issue an order to compel a company to backdoor or weaken its encryption.

It is true that the government says it has not asked an ECSP to “alter the encryption provided by a service or product it offers.”

But that answer is non-responsive to the totality of Wyden’s question, which asks if the government ordered a provider to “circumvent or weaken” encryption. The government only addresses the latter question, whether the government has altered (presumably by weakening) encryption. It hasn’t answered, at all, whether it has ordered a provider to “circumvent” encryption.

That’s an important point regardless. These QFRs are always carefully crafted, particularly in responses to Wyden (or the few other people who actually exercise oversight).

I think it’s particularly important given something that happened with iOS in the last year: rather than just answering, yes or no, before a phone trusts a computer (meaning it will share its contents with iTunes and therefore potentially with Apple), iOS 11 now requires you to enter your password before a phone will trust a computer.

A different and more significant change is requiring the passcode to “trust” a new computer. Currently, when the police wish to search a phone, they unlock it either with the fingerprint reader, by convincing the suspect to unlock the phone (e.g. to look up a phone number), or they simply seize the phone while it is unlocked. None of these avenues directly implicate suspects’ constitutional rights. Once the unlocked phone is obtained, officials connect the device to a computer running forensics software, or even just iTunes, direct the device to “trust” the new computer when prompted, and download a backup that contains almost all of the relevant information stored on the phone. Requiring the passcode in order to sync the device with a new machine means that, even with an unlocked device, a party that wants access is now limited to searching the phone manually for visible items and can only perform that search while the phone remains unlocked.

I had already been thinking trusted backups provided a way the government could, through Apple, obtain contents from phones that would otherwise be hard to decrypt (I believe it would require altering iTunes, not the encryption itself). Such an approach would be particularly useful for NatSec investigations, where collecting contents wasn’t so much about solving an already committed crime (which is what all the iPhones the government hasn’t been able to break into were collected for), but to prevent one or otherwise collect prospective data.

I don’t even know if this is technically feasible. Nor do I know whether someone would be better sticking with iOS 10 and just rigorously refusing to trust a given computer or upgrading to iOS 11 and never entering that password.

But I do know this passage on encryption is — with respect to whether the government has ever ordered a company to circumvent encryption — a non-denial.

And I have learned that non-denials, especially in response to Wyden, generally should be closely scrutinized.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

A Dragnet of emptywheel’s Most Important Posts on Surveillance, 2007 to 2017

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten this week.

To celebrate, the emptywheel team has been sharing some of our favorite work from the last decade. This is my massive dragnet of surveillance posts.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2007

Whitehouse Reveals Smoking Gun of White House Claiming Not to Be Bound by Any Law

Just days after opening the new digs, I noticed Sheldon Whitehouse entering important details into the Senate record — notably, that John Yoo had pixie dusted EO 12333 to permit George Bush to authorize the Stellar Wind dragnet. In the ten years since, both parties worked to gradually expand spying on Americans under EO 12333, only to have Obama permit the sharing of raw EO 12333 data in its last days in office, completing the years long project of restoring Stellar Wind’s functionalities. This post, from 2016, analyzes a version of the underlying memo permitting the President to change EO 12333 without providing public notice he had done so.

2008

McConnell and Mukasey Tell Half Truths

In the wake of the Protect America Act, I started to track surveillance legislation as it was written, rather than figure out after the fact how the intelligence community snookered us. In this post, I examined the veto threats Mike McConnell and Michael Mukasey issued in response to some Russ Feingold amendments to the FISA Amendments Act and showed that the government intended to use that authority to access Americans’ communication via both what we now call back door searches and reverse targeting. “That is, one of the main purposes is to collect communications in the United States.”

9 years later, we’re still litigating this (though, since then FISC has permitted the NSA to collect entirely domestic communications under the 2014 exception).

2009

FISA + EO 12333 + [redacted] procedures = No Fourth Amendment

The Government Sez: We Don’t Have a Database of All Your Communication

After the FISCR opinion on what we now know to be the Yahoo challenge to Protect America Act first got declassified, I identified several issues that we now have much more visibility on. First, PAA permitted spying on Americans overseas under EO 12333. And it didn’t achieve particularity through the PAA, but instead through what we know to be targeting procedures, including contact chaining. Since then we’ve learned the role of SPCMA in this.

In addition, to avoid problems with back door searches, the government claimed it didn’t have a database of all our communication — a claim that, narrowly parsed might be true, but as to the intent of the question was deeply misleading. That claim is one of the reasons we’ve never had a real legal review of back door searches.

Bush’s Illegal Domestic Surveillance Program and Section 215

On PATRIOTs and JUSTICE: Feingold Aims for Justice

During the 2009 PATRIOT Act reauthorization, I continued to track what the government hated most as a way of understanding what Congress was really authorizing. I understood that Stellar Wind got replaced not just by PAA and FAA, but also by the PATRIOT authorities.

All of which is a very vague way to say we probably ought to be thinking of four programs–Bush’s illegal domestic surveillance program and the PAA/FAA program that replaced it, NSLs, Section 215 orders, and trap and trace devices–as one whole. As the authorities of one program got shut down by exposure or court rulings or internal dissent, it would migrate to another program. That might explain, for example, why Senators who opposed fishing expeditions in 2005 would come to embrace broadened use of Section 215 orders in 2009.

I guessed, for example, that the government was bulk collecting data and mining it to identify targets for surveillance.

We probably know what this is: the bulk collection and data mining of information to select targets under FISA. Feingold introduced a bajillion amendments that would have made data mining impossible, and each time Mike McConnell and Michael Mukasey would invent reasons why Feingold’s amendments would have dire consequences if they passed. And the legal information Feingold refers to is probably the way in which the Administration used EO 12333 and redacted procedures to authorize the use of data mining to select FISA targets.

Sadly, I allowed myself to get distracted by my parallel attempts to understand how the government used Section 215 to obtain TATP precursors. As more and more people confirmed that, I stopped pursuing the PATRIOT Act ties to 702 as aggressively.

2010

Throwing our PATRIOT at Assange

This may be controversial, given everything that has transpired since, but it is often forgotten what measures the US used against Wikileaks in 2010. The funding boycott is one thing (which is what led Wikileaks to embrace Bitcoin, which means it is now in great financial shape). But there’s a lot of reason to believe that the government used PATRIOT authorities to target not just Wikileaks, but its supporters and readers; this was one hint of that in real time.

2011

The March–and April or May–2004 Changes to the Illegal Wiretap Program

When the first iteration of the May 2004 Jack Goldsmith OLC memo first got released, I identified that there were multiple changes made and unpacked what some of them were. The observation that Goldsmith newly limited Stellar Wind to terrorist conversations is one another reporter would claim credit for “scooping” years later (and get the change wrong in the process). We’re now seeing the scope of targeting morph again, to include a range of domestic crimes.

Using Domestic Surveillance to Get Rapists to Spy for America

Something that is still not widely known about 702 and our other dragnets is how they are used to identify potential informants. This post, in which I note Ted Olson’s 2002 defense of using (traditional) FISA to find rapists whom FBI can then coerce to cooperate in investigations, was the beginning of my focus on the topic.

2012

FISA Amendments Act: “Targeting” and “Querying” and “Searching” Are Different Things

During the 2012 702 reauthorization fight, Ron Wyden and Mark Udall tried to stop back door searches. They didn’t succeed, but their efforts revealed that the government was conducting such searches. Even back in 2012, Dianne Feinstein was using the same strategy the NSA currently uses — repeating the word “target” over and over — to deny the impact on Americans.

Sheldon Whitehouse Confirms FISA Amendments Act Permits Unwarranted Access to US Person Content

As part of the 2012 702 reauthorization, Sheldon Whitehouse said that requiring warrants to access the US person content collected incidentally would “kill the program.” I took that as confirmation of what Wyden was saying: the government was doing what we now call back door searches.

2013

20 Questions: Mike Rogers’ Vaunted Section 215 Briefings

After the Snowden leaks started, I spent a lot of time tracking bogus claims about oversight. After having pointed out that, contrary to Administration claims, Congress did not have the opportunity to be briefed on the phone dragnet before reauthorizing the PATRIOT Act in 2011, I then noted that in one of the only briefings available to non-HPSCI House members, FBI had lied by saying there had been no abuses of 215.

John Bates’ TWO Wiretapping Warnings: Why the Government Took Its Internet Dragnet Collection Overseas

Among the many posts I wrote on released FISA orders, this is among the most important (and least widely understood). It was a first glimpse into what now clearly appears to be 7 years of FISA violation by the PRTT Internet dragnet. It explains why the government moved much of that dragnet to SPCMA collection. And it laid out how John Bates used FISA clause 1809(a)(2) to force the government to destroy improperly collected data.

Federated Queries and EO 12333 FISC Workaround

In neither NSA nor FBI do the authorities work in isolation. That means you can conduct a query on federated databases and obtain redundant results in which the same data point might be obtained via two different authorities. For example, a call between Michigan and Yemen might be collected via bulk collection off a switch in or near Yemen (or any of the switches between there and the US), as well as in upstream collection from a switch entering the US (and all that’s assuming the American is not targeted). The NSA uses such redundancy to apply the optimal authority to a data point. With metadata, for example, it trained analysts to use SPCMA rather than PATRIOT authorities because they could disseminate it more easily and for more purposes. With content, NSA appears to default to PRISM where available, probably to bury the far more creative collection under EO 12333 for the same data, and also because that data comes in structured form.

Also not widely understood: the NSA can query across metadata types, returning both Internet and phone connection in the same query (which is probably all the more important now given how mobile phones collapse the distinction between telephony and Internet).

This post described how this worked with the metadata dragnets.

The Purpose(s) of the Dragnet, Revisited

The government likes to pretend it uses its dragnet only to find terrorists. But it does far more, as this analysis of some court filings lays out.

2014

The Corporate Store: Where NSA Goes to Shop Your Content and Your Lifestyle

There’s something poorly understood about the metadata dragnets NSA conducts. The contact-chaining isn’t the point. Rather, the contact-chaining serves as a kind of nomination process that puts individuals’ selectors, indefinitely, into the “corporate store,” where your identity can start attracting other related datapoints like a magnet. The contact-chaining is just a way of identifying which people are sufficiently interesting to submit them to that constant, ongoing data collection.

SPCMA: The Other NSA Dragnet Sucking In Americans

I’ve done a lot of work on SPCMA — the authorization that, starting in 2008, permitted the NSA to contact chain on and through Americans with EO 12333 data, which was one key building block to restoring access to EO 12333 analysis on Americans that had been partly ended by the hospital confrontation, and which is where much of the metadata analysis affecting Americans has long happened. This was my first comprehensive post on it.

The August 20, 2008 Correlations Opinion

A big part of both FBI and NSA’s surveillance involves correlating identities — basically, tracking all the known identities a person uses on telephony and the Internet (and financially, though we see fewer details of that), so as to be able to pull up all activities in one profile (what Bill Binney once called “dossiers”). It turns out the FISC opinion authorizing such correlations is among the documents the government still refuses to release under FOIA. Even as I was writing the post, Snowden was explaining how it works with XKeyscore.

A Yahoo! Lesson for USA Freedom Act: Mission Creep

This is another post I refer back to constantly. It shows that, between the time Yahoo first discussed the kinds of information they’d have to hand over under PRISM in August 2007 and the time they got directives during their challenge, the kinds of information they were asked for expanded into all four of its business areas. This is concrete proof that it’s not just emails that Yahoo and other PRISM providers turn over — it’s also things like searches, location data, stored documents, photos, and cookies.

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

Confession: I have an entire chapter of the start of a book on the Yahoo challenge to PRISM. That’s because so much about it embodied the kind of dodgy practices the government has, at the most important times, used with the FISA Court. In this post, I showed that the documents that the government provided the FISCR hid the fact that the then-current versions of the documents had recently been modified. Using the active documents would have shown that Yahoo’s key argument — that the government could change the rules protecting Americans anytime, in secret — was correct.

2015

Is CISA the Upstream Cyber Certificate NSA Wanted But Didn’t Really Get?

Among the posts I wrote on CISA, I noted that because the main upstream 702 providers have a lot of federal business, they’ll “voluntarily” scan on any known cybersecurity signatures as part of protecting the federal government. Effectively, it gives the government the certificate it wanted, but without any of the FISA oversight or sharing restrictions. The government has repeatedly moved collection to new authorities when FISC proved too watchful of its practices.

The FISA Court’s Uncelebrated Good Points

Many civil libertarians are very critical of the FISC. Not me. In this post I point out that it has policed minimization procedures, conducted real First Amendment reviews, taken notice of magistrate decisions and, in some cases, adopted the highest common denominator, and limited dissemination.

How the Government Uses Location Data from Mobile Apps

Following up on a Ron Wyden breadcrumb, I figured out that the government — under both FISA and criminal law — obtains location data from mobile apps. While the government still has to adhere to the collection standard in any given jurisdiction, obtaining the data gives the government enhanced location data tied to social media, which can implicate associates of targets as well as the target himself.

The NSA (Said It) Ate Its Illegal Domestic Content Homework before Having to Turn It in to John Bates

I’m close to being able to show that even after John Bates reauthorized the Internet metadata dragnet in 2010, it remained out of compliance (meaning NSA was always violating FISA in obtaining Internet metadata from 2002 to 2011, with a brief lapse). That case was significantly bolstered when it became clear NSA hastily replaced the Internet dragnet with obtaining metadata from upstream collection after the October 2011 upstream opinion. NSA hid the evidence of problems on intake from its IG.

FBI Asks for at Least Eight Correlations with a Single NSL

As part of my ongoing effort to catalog the collection and impact of correlations, I showed that the NSL Nick Merrill started fighting in 2004 asked for eight different kinds of correlations before even asking for location data. Ultimately, it’s these correlations as much as any specific call records that the government appears to be obtaining with NSLs.

2016

What We Know about the Section 215 Phone Dragnet and Location Data

During the lead-up to the USA Freedom Debate, the government leaked stories about receiving a fraction of US phone records, reportedly because of location concerns. The leaks were ridiculously misleading, in part because they ignored that the US got redundant collection of many of exactly the same calls they were looking for from EO 12333 collection. Yet in spite of these leaks, few figured out that the need to be able to force Verizon and other cell carriers to strip location data was a far bigger reason to pass USAF than anything Snowden had done. This post laid out what was known about location data and the phone dragnet.

While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704

When Congress passed FISA Amendments Act, it made a show of providing protections to Americans overseas. One authority, Section 703, was for spying on people overseas with help of US providers, and another was for spying on Americans overseas without that help. By May 2016, I had spent some time laying out that only the second, which has less FISC oversight, was used. And I was seeing problems with its use in reporting. So I suggested maybe Congress should look into that?

It turns out that at precisely that moment, NSA was wildly scrambling to get a hold on its 704 collection, having had an IG report earlier in the year showing they couldn’t audit it, find it all, or keep it within legal boundaries. This would be the source of the delay in the 702 reauthorization in 2016, which led to the prohibition on about searches.

The Yahoo Scan: On Facilities and FISA

The discussion last year of a scan the government asked Yahoo to do of all of its users was muddled because so few people, even within the privacy community, understand how broadly the NSA has interpreted the term “selector” or “facility” that it can target for collection. The confusion remains to this day, as some in the privacy community claim HPSCI’s use of facility based language in its 702 reauthorization bill reflects new practice. This post attempts to explain what we knew about the terms in 2016 (though the various 702 reauthorization bills have offered some new clarity about the distinctions between the language the government uses).

2017

Ron Wyden’s History of Bogus Excuses for Not Counting 702 US Person Collection

Ron Wyden has been asking for a count of how many Americans get swept up under 702 for years. The IC has been inventing bogus explanations for why they can’t do that for years. This post chronicles that process and explains why the debate is so important.

The Kelihos Pen Register: Codifying an Expansive Definition of DRAS?

When DOJ used its new Rule 41 hacking warrant against the Kelihos botnet this year, most of the attention focused on that first-known usage. But I was at least as interested in the accompanying Pen Register order, which I believe may serve to codify an expansion of the dialing, routing, addressing, and signaling information the government can obtain with a PRTT. A similar codification of an expansion exists in the HJC and Lee-Leahy bills reauthorizing 702.

The Problems with Rosemary Collyer’s Shitty Upstream 702 Opinion

The title speaks for itself. I don’t even consider Rosemary Collyer’s 2017 approval of 702 certificates her worst FISA opinion ever. But it is part of the reason why I consider her the worst FISC judge.

It Is False that Downstream 702 Collection Consists Only of To and From Communications

I pointed out a number of things not raised in a panel on 702, not least that the authorization of EO 12333 sharing this year probably replaces some of the “about” collection function. Most of all, though, I reminded readers that, in spite of what often gets claimed, PRISM is far more than just communications to and from a target.

UNITEDRAKE and Hacking under FISA Orders

A document leaked by Shadow Brokers reveals a bit about how NSA uses hacking on FISA targets. Perhaps most alarmingly, the same tools that conduct such hacks can be used to impersonate a user. While that might be very useful for collection purposes, it also invites very serious abuse that might create a really nasty poisonous tree.

A Better Example of Article III FISA Oversight: Reaz Qadir Khan

In response to Glenn Gerstell’s claims that Article III courts have exercised oversight by approving FISA practices (though the reality on back door searches is not so cut and dry), I point to the case of Reaz Qadir Khan where, as Michael Mosman (who happens to serve on FISC) moved towards providing a CIPA review for surveillance techniques, Khan got a plea deal.

The NSA’s 5-Page Entirely Redacted Definition of Metadata

In 2010, John Bates redefined metadata. That five page entirely redacted definition became codified in 2011. Yet even as Congress moves to reauthorize 702, we don’t know what’s included in that definition (note: location would be included).

FISA and the Space-Time Continuum

This post talks about how NSA uses its various authorities to get around geographical and time restrictions on its spying.

The Senate Intelligence Committee 702 Bill Is a Domestic Spying Bill

This is one of the most important posts on FISA I’ve ever written. It explains how in 2014, to close an intelligence gap, the NSA got an exception to the rule it has to detask from a facility as soon as it identifies Americans using the facility. The government uses it to collect on Tor and, probably, VPN data. Because the government can keep entirely domestic communications that the DIRNSA has deemed evidence of a crime, the exception means that 702 has become a domestic spying authority for use with a broad range of crimes, not to mention anything the Attorney General deems a threat to national security.

“Hype:” How FBI Decided Searching 702 Content Was the Least Intrusive Means

In a response to a rare good faith defense of FBI’s back door searches, I pointed out that the FBI is obliged to consider the least intrusive means of investigation. Yet, even while it admits that accessing content like that obtained via 702 is extremely intrusive, it nevertheless uses the technique routinely at the assessment level.

Other Key Posts Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

10 Years of emptywheel: Key Non-Surveillance Posts 2016-2017

10 Years of emptywheel: Jim’s Dimestore

The Intelligence Community’s Swiss Cheese Preemptive 702 Unmasking Reports: Now with Twice the Holes!

Because a white man still liked by some members of Congress had FISA-collected conversations leaked to the press, Republicans who used to applaud surveillance started to show some more concerns about it this year. That has been making reauthorization of Section 702 unexpectedly challenging. Both the HJC and SJC bills reauthorizing the law include new reporting requirements, which include mandates to provide real numbers for how many Americans get unmasked in FISA reports. There’s no such requirement on the SSCI bill.

Instead, explicitly in response to concerns raised in SSCI’s June 7 hearing on 702 reauthorization (even though the concern was also raised earlier in HJC and SJC hearings), I Con the Record has released an ODNI report on disseminations under FISA, a report it bills as “document[ing] the rigorous and multi-layered framework that safeguards the privacy of U.S. person information in FISA disseminations.”

The report largely restates language that is available in the law or declassified targeting and minimization procedures, though there are a few tidbits worth noting. Nevertheless, the report falls far short of what the SJC and HJC bills lay out, which is a specific count and explanation of the unmasking that happens (though NSA, in carrying out a review of a month’s worth of serialized reports and examining their treatment of masking, does model what HJC and SJC would request).

The report consists of the DNI report with separate agency reports. I’ll deal with the latter first, then return to the DNI report.

NSA

The NSA report starts by narrowing the scope of the dissemination it will cover significantly in two ways.

This report examines the procedures and practices used by the National Security Agency (NSA) to protect U.S. person information when producing and disseminating serialized intelligence reports derived from signals intelligence (SIGINT) acquired pursuant to Title I and Section 702 of the Foreign Intelligence Surveillance Act of 1978, as amended (FISA). 1

1 This report is limited to an examination of the procedures and practices used to protect FISA-acquired U.S. person information disseminated in serialized intelligence reports. This report does not examine other means of dissemination. For purposes of this report, the term “dissemination” should be interpreted as a reference to serialized intelligence reporting, unless otherwise indicated.

First, it treats just Title I and Section 702. That leaves out at least two other known collection techniques of content (to say nothing of metadata) under FISA: Title III (FBI probably does almost all of this, though it might be accomplished via hacking) and Section 704/705b targeting Americans overseas (which has been a significant problem of late).

More importantly, by limiting the scope to serialized reports, NSA’s privacy officer completely ignores the two most problematic means of disseminating US person data: by collecting it off Tor and other location obscured nodes and then deeming it evidence of a crime that can be disseminated in raw form to FBI, and by handing raw data to the FBI (and, to a lesser extent, CIA and NCTC).

As the report turns to whether NSA’s procedures meet Fair Information Practice Principles, then, the exclusion of these four categories of data permits the report to make claims that would be unsustainable if those data practices were included in the scope of the report.

The principle of Data Minimization states that organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose. The steps taken from the outset of the SIGINT production process to determine what U.S. person information can and should be disseminated directly demonstrate how this principle is met, as do NSA’s procedures and documentation requirements for the proactive and post-publication release of U.S. identities in disseminated SIGINT.

The principle of Use Limitation provides that organizations should use PII solely for the purposes specified in the notice. In other words, the sharing of PII should be for a purpose compatible with the purpose for which it was collected. NSA’s SIGINT production process directly reflects this principle.

[snip]

The principle of Accountability and Auditing states that organization should be accountable for complying with these principles, providing training to all employees and contractors who use personally identifiable information, auditing the actual use of personally identifiable information to demonstrate compliance with these principles and all applicable privacy protections.

For example, the collection of US person data off a Tor node is not relevant to the specified purpose (nor are the criminal categories under which NSA will pass on data). That’s true, too, of Use Limitation: the government is collecting domestic child porn information in the name of foreign intelligence, and the government is doing back door searches of raw 702 data for any manner of purpose. Finally, we know that the government has had auditing problems, particularly with 704/705b. Is that why they didn’t include it in the review, because they knew it would fail the auditing requirement?

CIA

CIA’s report is not as problematic as NSA’s one, but it does have some interesting tidbits. For example, because it mostly disseminates US person information for what it calls tactical purposes and to a limited audience, it rarely masks US person identities.

More specifically, unlike general “strategic” information regarding broad foreign intelligence threats, CIA’s disseminations of information concerning U.S. persons were “tactical” insofar as they were very often in response to requests from another U.S. intelligence agency for counterterrorism information regarding a specific individual, or in relation to a specific national security threat actor or potential or actual victim of a national security threat.

Relatedly, because these disseminations were generally for narrow purposes and sent to a limited number of recipients, the replacement of a U.S. person identity with a generic term (e.g., “named U.S. person,” sometimes colloquially referred to as “masking”) was rare, due to the need to retain the U.S. person identity in order to understand the foreign intelligence information by this limited audience.

CIA, like NSA, has its own unique definition of “dissemination:” That which gets shared outside the agency.

Information shared outside of CIA is considered a dissemination, and is required to occur in accordance with approved authorities, policies, and procedures.

Much later, dissemination is described as retaining information outside of an access-controlled system, which suggests fairly broad access to the databases that include such information.

Prior to dissemination of any information identifying, or even concerning, a U.S. person, the minimization procedures require that CIA make a determination that the information concerning the U.S. person may be retained outside of access-controlled systems accessible only to CIA personnel with specialized FISA training to review unevaluated information.

Whereas NSA focused very little attention on its targeting process (which allows it to collect entirely domestic communications), CIA outsources much of its responsibility for limiting intake to FBI and NSA (note, unlike NSA, it includes Title III collection in its report, but also doesn’t treat 704/705b). For example, it focuses on the admittedly close FISA scrutiny FBI applications undergo for traditional FISA targeting, but then acknowledges that it can get “unevaluated” (that is, raw) information in some cases.

If requested by FBI in certain cases, unevaluated information acquired by FBI can be shared with CIA.

Likewise, the CIA notes that it can nominate targets to NSA, but falls back on NSA’s targeting process to claim this is not a bulk collection program (one of CIA’s greatest uses of this data is in metadata analysis).

CIA may nominate targets to NSA for Section 702 collection, but the ultimate decision to target a non-U.S. person reasonably believed to be located outside the United States rests with NSA.

[snip]

Section 702 is not a bulk collection program; NSA makes an individualized decision with respect to each non-U.S. person target.

Thus, the failure of the NSA report to talk about other collection methods (in CIA’s case, of incidental US person data in raw data) ports the same failure onto CIA’s report.

NCTC

NCTC’s report is perhaps the most amusing of all. It provides the history of how it was permitted to obtain raw Title I and Title III data in 2012 and 702 data in 2017 (like everyone else, it is silent on 704/705b data, though we know from this year’s 702 authorization they get that too), then says its use and dissemination of 702 data is too new to have been reviewed much.

Because NCTC just recently (in April 2017) obtained FISC authority to receive unminimized Section 702-acquired counterterrorism information, only a small number of oversight reviews have occurred. CLPT is directly involved in such reviews, including reviews of disseminations.

In other words, it is utterly silent about its dissemination of Title I and Title III data compliance. It is likewise silent on a dissemination that is probably unique to NCTC: the addition of US person names to watchlists based off raw database analysis. Disseminations of US person names in this way aren’t serialized reports, but they have a direct impact on the lives of Americans.

FBI

It’s hard to make sense of the FBI document because it lacks logical organization and includes a number of typos. More importantly, over and over it either materially misrepresents the truth (particularly in FBI’s access to entirely domestic communications collected under 702) or simply blows off requirements (most notably with its insistence that back door searches are important, without making any attempt to assess the privacy impact of them).

Bizarrely, the FBI treats just Title I and 702 in its report, even though it would be in charge of Title III collection in the US, and 705b collection would be tied to traditional FISA authorities.

Like CIA, FBI relies on NSA’s role in targeting, without admitting that NSA can collect on selectors that it knows to also be used by US persons, and can disseminate the US person data to FBI in case of a crime. Indeed, FBI specifically neglects to mention the 2014 exception whereby NSA doesn’t have to detask from a facility once it discovers US persons are using it as well as the foreign targets.

Targets under Section 702 collection who are subsequently found to be U.S. persons, or non-U.S. persons located in the U.S., must be detasked immediately

The end result is materially false, and false in a way that would involve dissemination of US person data (though not in a serialized report) from NSA to FBI.

The FBI report also pretends that a nomination would pertain primarily to an email address, rather than (for example) an IP address, in spite of later quoting from minimization procedures that reveal it is far broader than that: “electronic communication accounts/addresses/identifiers.”

After talking about its rules on dissemination, the FBI quickly turns to federated database “checks.”

Among other things, since 9/11, the FBI has dedicated considerable time, effort, and money to develop and operate a federated database environment for its agents and analysts to review information across multiple datasets to establish links between individuals and entities who may be associated with national security and/or criminal investigations. This allows FBI personnel to connect dots among various sources of information in support of the FBI’s investigations, including accessing data collected pursuant to FISA in a manner that is consistent with the statute and applicable FISA court orders. The FBI has done this by developing a carefully overseen system that enables its personnel to conduct database checks that look for meaningful connections in its data in a way that protects privacy and guards civil liberties. Maintaining the capability to conduct federated database checks is critical to the FBI’s success in achieving its mission.

But it doesn’t distinguish the legal difference between dissemination and checks. Far more importantly, it doesn’t talk about the privacy impact of these “checks,” a tacit admission that FBI doesn’t even feel the need to try to justify this from a privacy perspective.

Unlike NSA, FBI talks about the so-called prohibition on reverse targeting.

Reverse targeting is specifically prohibited under Section 702.31 “Reverse targeting” is defined as targeting a non-U.S. person who is reasonably believed to be located outside of the U.S. with the true purpose of acquiring communications of either (1) a U.S. person or (2) any individual reasonably believed to be located inside of the U.S. with whom the non-U.S. person is in contact.32

Yet we know from Ron Wyden that this prohibition actually permits FBI to nominate a foreigner even if a purpose of that targeting is to get to the Americans’ communications.

FBI talks about its new Title I minimization procedures, without mentioning that requirements on access controls and auditing arose in response to violations of such things.

The SMPs require, for example, FISA-acquired information to be kept under appropriately secure conditions that limit access to only those people who require access to perform their official duties or assist in a lawful and authorized governmental function.37 The SMP also impose an auditing requirement for the FBI to “maintain accurate records of all persons who have accessed FISA-acquired information in electronic and data storage systems and audit its access records regularly to ensure that FISA-acquired information is only accessed by authorized individuals.”38

And nowhere does FBI talk about the dissemination of US person data to ad hoc databases.

Remarkably, unlike NSA, FBI didn’t actually appear to review its dissemination practices (at least there’s no described methodology as such). Instead, it reviews its dissemination policy.

The instant privacy review found that the FBI’s SMP and Section 702 MP, which are subject to judicial review, protect the privacy rights of U.S. persons by limiting the acquisition, retention, and dissemination of their non-publicly available information without their consent. In addition, both sets of minimization procedures require that FISA-acquired information only be used for lawful purposes.42

Then it engages in a cursory, few-line review of whether it complies with FIPP. Whereas NSA assessed compliance with “Transparency, Use Limitation, Data Minimization, Security, Quality and Integrity, Accountability, and Auditing” (but found Purpose specification not considered directly relevant), FBI at first assessed only Purpose specification. After noting that such a privacy review is not required in any case because FBI’s systems have been deemed a national security system, it then asserts that “DOJ and FBI conducted a review for internal purposes to ensure that all relevant privacy issues are addressed. These reviews ensure that U.S. person information is protected from potential misuse and/or improper dissemination.”

Later, it uses the affirmative permission to share data with other state and local law enforcement and foreign countries as a privacy limit, finding that it fulfills data minimization and transparency (and purpose, again).

Like the SMP for Title I of FISA, the Section 702 MP permits the FBI to disseminate Section 702-acquired U.S. person information that reasonably appears to be foreign intelligence information or is necessary to understand foreign intelligence information or assess its importance to federal, state, local, and tribal officials and agencies with responsibilities relating to national security that require access to intelligence information.50 The FBI is also permitted to disseminate U.S. person information that reasonably appears to be evidence of a crime to law enforcement authorities.51 In addition, the Section 702 MP provides guidelines that must be met before dissemination of U.S. person information to foreign governments is allowed.52 The dissemination of Section 702 information to a foreign government requires legal review by the NSCLB attorney assigned to the case.53 In light of the above judicially-reviewed minimization procedures for the dissemination of FISA acquired information, the FBI’s current implementation satisfies the data minimization and transparency FIPPs.

With respect to dissemination, FBI focuses on finished intelligence reports, not investigative files, where most data (including data affecting Mike Flynn) would be broadly accessed. Then, far later, it says this review found no violations, “in finished intelligence.”

Finally, the instant review found no indication of noncompliance with the required authorities governing dissemination of U.S. person information in finished intelligence.

At this point, the report appears to be a flashing siren of all the things it either clearly didn’t investigate or wouldn’t describe. Which worries me.

It then turns FBI’s failures to give notice that data derives from FISA into a privacy benefit, rather than a violation of the laws mandating disclosure.

While the redaction of U.S. person information may commonly be referred to as “masking,” the FBI does not generally use that term.

In addition, disseminations or disclosures of FISA-acquired information must be accompanied by a caveat. All caveats must contain, at a minimum, a warning that the information may not be used in a legal proceeding without the advanced authorization of the FBI or Attorney General.48 This helps ensure the information is properly protected.

And in the four paragraphs FBI dedicates to public transparency, it not only doesn’t admit that it has been exempted from most reporting on 702 use, but it doesn’t once mention mandated notice to defendants, which it has only complied with around 8 times.

There are many ways FBI could have handled this report to avoid making it look like a guilty omission that, while its finished intelligence reports aren’t a big US person data dissemination problem, virtually every other way it touches 702 data is. But it didn’t try any of those. Instead, it just engaged in omission after omission.

DNI

My unease over the giant holes in the FBI report carries over to one detail in the DNI report. It’s only there that the government admits something that Semiannual 702 reports have admitted since FBI dispersed targeting to field offices. While the 702 reviews review pretty much everything NSA does and many things CIA does, the reviews don’t review all FBI disseminations, and they only include in their sample disseminations affirmatively identified as US person information.

As it pertains to reviewing dissemination of Section 702 information, ODNI and DOJ’s National Security Division (NSD) review many of the agencies’ disseminations as part of the oversight reviews to assess compliance with each agency’s respective minimization procedures and with statutory requirements.25 NSD and ODNI examine the disseminations to assess whether any information contained therein that appears to be of or concerning U.S. persons meets the applicable dissemination standard found in the agency’s minimization procedures; whether other aspects of the dissemination requirements (to include limitations on the dissemination of attorney-client communications and the requirement of a FISA warning statement as required by 50 U.S.C. § 1806(b)) have been met; and whether the information disseminated is indicative of reverse targeting of U.S. persons or persons located in the United States.

25 For example, as it pertains to NSA, NSD currently reviews all of the serialized reports (with ODNI reviewing a sample) that NSA has disseminated and identified as containing Section 702-acquired U.S. person information. For CIA and NCTC, NSD currently reviews all dissemination (with ODNI reviewing a sample) of information acquired under Section 702 that the agency identified as potentially containing U.S. person information. For FBI, both NSD and ODNI currently review a sample of disseminations of information acquired under Section 702 that FBI identifies as potentially containing U.S. person information.

This is one of a number of reasons why FBI only identified one criminal 702 query last year — only after that one query was selected as part of the review, and only after some haranguing, was it identified as an entirely criminal query.

The DNI report makes one more incorrect claim — that all incidents of non-compliance have been remediated.

Disseminating FISA information in a manner that violates the minimization procedures would, therefore, be a violation of the statute, as would use or disclosure of the information for unlawful purposes. As noted above, identified incidents of non-compliance with the minimization procedures, to include improper disseminations, are reported to the FISC and to the congressional intelligence committees and those incidents are remediated.

That was true before this year, I guess. But Rosemary Collyer, in a deviation from past practice of requiring the government to destroy data collected without authorization, did not require NSA to destroy the poison fruit of unauthorized 704b and other back door queries (though perhaps DNI believes their claim is true given the way everyone has avoided talking about the more troubled collection techniques).

The DNI report ends with a boast about what it calls “transparency.”

These reviews also illustrate the importance of transparency. Historically, many of the documents establishing this framework were classified and not available to the public. In recent years, much progress has been made in releasing information from these documents, and providing context and explanations to make them more readily understandable. We trust that these reviews are a further step in enhancing public understanding of these key authorities. It is important to continue with transparency efforts like these on issues of public concern, such as the protection of U.S. person information in FISA disseminations.

It is true that these reports rely on a great deal of declassified information. But that does not amount to “transparency,” unless you’re defining that to mean something that hides the truth with a bunch of off-topic mumbo jumbo.

This report appears to be an attempt to stave off real reporting requirements for unmasked information — an attempt to placate the Republicans who are rightly troubled that the contents of FISA intercepts in which Mike Flynn was incidentally collected.

But no person concerned about the impact on US persons of FISA should find these reports reassuring. On the contrary, the way in which, agency after agency, the most important questions were dodged should raise real alarms, particularly with respect to FBI.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Ned Price Rebuts HPSCI’s Ignorance on Unmasking with His Own Stupid Obfuscation

Former Obama NSC staffer Ned Price has a piece on Section 702 at Lawfare that embodies the stupidity surrounding the Section 702 reauthorization debate. He apparently doesn’t realize it, but his post effectively argues, “the people in Congress who oversee FISA have no clue how it works but reauthorize it forever anyway.”

Price’s post features all the typical things that Section 702 boosterism does: the false pretense that the value of Section 702 means it must be passed without even the most obvious reforms, such as ensuring FISC uses an amicus during the annual recertification so they know more than Rosemary Collyer did in this year’s go-around.

Administration officials privately concede that, in light of this conflation, Section 702 stands little chance for a clean reauthorization later this year.

[snip]

White House officials have vocally supported the clean reauthorization of Section 702 authorities.

Nor does Price admit that when he says “clean reauthorization” what he really means is “dramatic change to the norm, because it’d be permanent reauthorization.”

Further, like most 702 booster pieces, Price dismisses the real complaints of those of us who’ve raised concerns about 702, without even responding to them.

To be sure, several lawmakers from both parties have long voiced opposition to Section 702 over sincerely held, if misguided, concerns about privacy and civil liberties.

Instead of doing that, Price hauls out the old canard that this is not about “surveillance” of Americans.

All the while, law enforcement and intelligence officials—including former FBI director James Comey, Director of National Intelligence Dan Coats, and National Security Agency Director Mike Rogers—reminded lawmakers in hearing after hearing this year that the tool is not intended for surveillance of U.S. citizens,

In one of those hearings where, Price claims, these men offered reassurances about the surveillance of Americans, Coats lied about whether 702 will collect entirely domestic communications, after having just signed a certificate saying it could. And Rogers was less than forthcoming about NSA’s repeated and consistent failures to inform FISC of compliance problems in timely fashion. As I said after the key one, “given the dodgy testimony of the two men running that dragnet, Americans should have more worries than ever before.”

Worse, Price is engaged in the same old fiction: in spite of the fact that witnesses and members of Congress have made it clear for years that a key purpose of 702 is to learn what Americans are saying to 702 targets, he wields that word “target” as if it doesn’t affect Americans. It does. It permits the warrantless access to Americans’ communications, and is queried routinely by the FBI even before they open investigations on someone. If you won’t honestly deal with that, you’re unwilling to defend the program as it exists.

But all that’s just the typical 702 boosterism, which serves as backdrop for Price’s central project: to explain how Devin Nunes’ panic about unmasking this year threatens 702 reauthorization.

Within the pantheon of Trump administration scandals, the manufactured uproar over “unmasking” came and went quicker than most. It was last spring that White House officials, working in tandem with House intelligence committee Chairman Devin Nunes, laundered intelligence information in an effort to train Americans’ sights on a practice that is routine—if highly regulated—within our national security establishment.

The effort blew up in their faces. The House Ethics Committee opened an investigation into Nunes, who partially recused himself from the Russia investigation. The White House staffer who oversaw the secret political operation has since been fired. Even prominent Republicans, including Richard Burr, the chairman of the Senate intelligence committee, have publicly distanced themselves from the affair.

Price is right that Nunes’ stunt was a manufactured scandal. That’s something I’ve been saying for months.

But along the way he engages in the same kind of stupidity as the hacks he criticizes. First, he suggests that unmasking is an entirely separate issue from 702.

Nevertheless, administration allies on Capitol Hill have repeatedly obscured those facts, publicly conflating Section 702 authorities with unmasking and leaking,

While I’ve long pointed out that back door searches Price ignores are the more common way Americans would have their communications exposed by 702 surveillance, it is nevertheless the case that Americans whose names appear in reports based off 702 are usually eventually unmasked.

ICTR provided better information on unmasked US person identities this year than last, revealing how many USP identities got released.

As I said last year, ICTR is not doing itself any favors by revealing what a tiny fraction of all 702 reports the 3,914 — it must be truly minuscule.

All that said, if you do get reported in one of those rare 702 reports that includes a USP identity, chances are very good you’ll be unmasked. In 30% of the reports with USP identities, last year, at least one USP identity was released in original form unmasked (as might happen, for example, if Carter Page or Mike Flynn’s identity was crucial to understanding the report). Of the remainder, though, 65% had at least one more US person identity unmasked. I believe that means that only roughly 26% of the names originally masked remained masked in the reports.

You actually cannot separate 702 from questions about how Americans’ communications get accessed without a warrant via the authority, and contrary to what Price suggests, unmasking is one of those ways (albeit the less troubling and less common).

More importantly, Price ignores what the unmasking scandal proves. He cites both Trey Gowdy and Tom Rooney (whom he calls Tim) raising concerns about 702 because of the treatment of Title I intercepts targeting Sergey Kislyak. He specifically describes Gowdy’s comments as being “impermeable to fact.”

The political narrative, however, has thus far proven impermeable to fact. Rep. Trey Gowdy, a proponent of Section 702, last month summarized the zeitgeist of his caucus, telling Bloomberg: “A lot of my colleagues right now are very skeptical of reauthorizing this because of how little we know about unmasking.”

But what Price doesn’t tell you is that both Gowdy and Rooney (and Mike Lee, whose citation I think Price uses disingenuously) are the key overseers in Congress of FISA. As I noted in March when Gowdy and Rooney first started pursuing this hoax, these comments prove that the people purportedly closely overseeing NSA and FISA have no fucking clue how FISA works.

I mean, these two men who ostensibly provide oversight of FISA clearly didn’t understand what the biggest risk to privacy is — back door searches of US person content — which at the FBI doesn’t even require any evidence of wrong-doing. That is the biggest impediment to reauthorizing FISA.

And testimony about the intricacies of unmasking a US person identity — particularly when a discussion of traditional FISA serves as stand-in for Section 702 — does nothing more than expose that the men who supposedly oversee FISA closely have no fucking clue — and I mean really, not a single fucking clue — how it works. Devin Nunes, too, has already expressed confusion on how access to incidentally collected US person content works.

Does anyone in the House Intelligence Committee understand how FISA works? Bueller?

So it’s not just that Price misrepresents the risk to Americans (more often brown people, not top White House officials) from 702, or that he pretends unmasking is completely separate from 702, but he actually proves that the people overseeing the authority don’t understand it.

And based on that argument, Price says we should reauthorize the authority forever.


The Domestic Communications NSA Won’t Reveal Are Almost Certainly Obscured Location Communications

The other day, I laid out the continuing fight between Director of National Intelligence Dan Coats and Senator Ron Wyden over the former’s unwillingness to explain why he can’t answer the question, “Can the government use FISA Act Section 702 to collect communications it knows are entirely domestic?” in unclassified form. As I noted, Coats is parsing the difference between “intentionally acquir[ing] any communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States,” which Section 702 prohibits, and “collect[ing] communications [the government] knows are entirely domestic,” which this exchange and Wyden’s long history of calling out such things clearly indicates the government does.

As I noted, the earlier iteration of this debate took place in early June. Since then, we’ve gotten two sets of documents that all but prove that the entirely domestic communication the NSA refuses to tell us about involves communications that obscure their location, probably via Tor or VPNs.

Most Entirely Domestic Communications Collected Via Upstream Surveillance in 2011 Obscured Their Location

The first set of documents are those on the 2011 discussion about upstream collection liberated just recently by Charlie Savage. They show that in the September 7, 2011 hearing, John Bates told the government that he believed the collection of discrete communications the government had not examined in their sampling might also contain “about” communications that were entirely domestic. (PDF 113)

We also have this other category, in your random sampling, again, that is 9/10ths of the random sampling that was set aside as being discrete communications — 45,000 out of the 50,000 — as to which our questioning has indicated we have a concern that some of the about communications may actually have wholly domestic communications.

And I don’t think that you’ve really assessed that, either theoretically or by any actual examination of those particular transactions or communications. And I’m not indicating to you what I expect you to do, but I do have this concern that there are a fair number of wholly domestic communications in that category, and there’s nothing–you really haven’t had an opportunity to address that, but there’s nothing that has been said to date that would dissuade me from that conclusion. So I’m looking there for some convincing, if you will, assessment of why there are not wholly domestic communications with that body which is 9/10s of the random sample.

In a filing submitted two days later, the government tried to explain away the possibility this would include (many) domestic communications. (The discussion responding to this question starts at PDF 120.) First, the NSA used technical means to determine that 41,272 of the 45,359 communications in the sample were not entirely domestic. That left 4,087 communications, which the NSA was able to analyze in just 48 hours. Of those, the NSA found just 25 that were not to or from a tasked selector (meaning they were “abouts” or correlated identities, described as “potentially alternate accounts/addresses/identifiers for current NSA targets” in footnote 7, which may be the first public confirmation that NSA collects on correlated identifiers). NSA then did the same kind of analysis on those communications that it does as part of its pre-tasking determination that a target is located outside the US. This focused entirely on location data.

Notably, none of the reviewed transactions featured an account/address/identifier that resolved to the United States. Further, each of the 25 communications contained location information for at least one account/address/identifier such that NSA’s analysts were able assess [sic] that at least one communicant for each of these 25 communications was located outside of the United States. (PDF 121)

Note that the government here (finally) drops the charade that these are simply emails, discussing three kinds of collection: accounts (which could be both email and messenger accounts), addresses (which having excluded accounts would significantly include IP addresses), and identifiers. And they say that having identified an overseas location for the communication, NSA treats it as an overseas communication.

The next paragraph is even more remarkable. Rather than doing more analysis on just those 25 communications, it effectively argues that because latency is bad, it’s safe to assume that any service that is available entirely within the US will be delivered to an American entirely within the US, and so those 25 communications must not be American.

Given the United States’ status as the “world’s premier electronic communications hub,” and further based on NSA’s knowledge of Internet routing patterns, the Government has already asserted that “the vast majority of communications between persons located in the United States are not routed through servers outside the United States.” See the Government’s June 1, 2011 Submission at 11. As a practical matter, it is a common business practice for Internet and web service providers alike to attempt to deliver their customers the best user experience possible by reducing latency and increasing capacity. Latency is determined in part by the geographical distance between the user and the server, thus, providers frequently host their services on servers close to their users, and users are frequently directed to the servers closest to them. While such practices are not absolute in any respect and are wholly contingent on potentially dynamic practices of particular service providers and users,9 if all parties to a communication are located in the United States and the required services are available in the United States, in most instances those communications will be routed by service providers through infrastructure wholly within the United States.

Amid a bunch of redactions (including footnote 9, which is around 16 lines long and entirely redacted), the government then claims that its IP filters would ensure that it wouldn’t pick up any of the entirely domestic exceptions to what I’ll call its “avoidance of latency” assumption and so these 25 communications are no biggie, from a Fourth Amendment perspective.

Of course, the entirety of this unredacted discussion presumes that all consumers will be working with providers whose goal is to avoid latency. None of the unredacted discussion admits that some consumers choose to accept some latency in order to obscure their location by routing it through one (VPN) or multiple (Tor) servers distant from their location, including servers located overseas.

For what it’s worth, I think the estimate Bates did on his own to come up with a number of these SCTs was high, in 2011. He guessed there would be 46,000 entirely domestic communications collected each year; by my admittedly rusty math, it appears it would be closer to 12,000 (25 / 50,000 comms in the sample = .05% of the total; .05% of the 11,925,000 upstream transactions in that 6 month period = 5,962, times 2 = roughly 12,000 a year). Still, it was a bigger part of the entirely domestic upstream collection than those collected as MCTs, and all those entirely domestic communications have been improperly back door searched in the interim.

Collyer claims to have ended “about” collection but admits upstream will still collect entirely domestic communications

Now, if that analysis done in 2011 were applicable to today’s collection, there shouldn’t be a way for the NSA to collect entirely domestic communications today. That’s because all of those 25 potentially domestic comms were described as “about” collection. Rosemary Collyer has, according to her IMO apparently imperfect understanding of upstream collection, shut down “about” collection. So that should have eliminated the possibility for entirely domestic collection via upstream, right?

Nope.

As she admits in her opinion, it will still be possible for the NSA to “acquire an MCT” (that is, bundled collection) “that contains a domestic communication.”

So there must be something that has changed since 2011 that would lead NSA to collect entirely domestic communications even if that communication didn’t include an “about” selector.

In 2014 Collyer enforced a practice that would expose Americans to 702 collection

Which brings me back to the practice approved in 2014 in which, according to providers newly targeted under the practice, “the communications of U.S. person will be collected as part of such surveillance.”

As I laid out in this post, in 2014 Thomas Hogan approved a change in the targeting procedures. Previously, all users of a targeted facility had to be foreign for it to qualify as a foreign target. But for some “limited” exception, Hogan for the first time permitted the NSA to collect on a facility even if Americans used that facility as well, along with the foreign targets.

The first revision to the NSA Targeting Procedures concerns who will be regarded as a “target” of acquisition or a “user” of a tasked facility for purposes of those procedures. As a general rule, and without exception under the NSA targeting procedures now in effect, any user of a tasked facility is regarded as a person targeted for acquisition. This approach has sometimes resulted in NSA’s becoming obligated to detask a selector when it learns that [redacted]

The relevant revision would permit continued acquisition for such a facility.

It appears that Hogan agreed it would be adequate to weed out American communications after collection in post-task analysis.

Some months after this change, some providers got some directives (apparently spanning all three known certificates), and challenged them, though of course Collyer didn’t permit them to read the Hogan opinion approving the change.

Here’s some of what Collyer’s opinion enforcing the directives revealed about the practice.

Collyer’s opinion includes more of the provider’s arguments than the Reply did. It describes the Directives as involving “surveillance conducted on the servers of a U.S.-based provider” in which “the communications of U.S. person will be collected as part of such surveillance.” (29) It says [in Collyer’s words] that the provider “believes that the government will unreasonably intrude on the privacy interests of United States persons and persons in the United States [redacted] because the government will regularly acquire, store, and use their private communications and related information without a foreign intelligence or law enforcement justification.” (32-3) It notes that the provider argued there would be “a heightened risk of error” in tasking its customers. (12) The provider argued something about the targeting and minimization procedures “render[ed] the directives invalid as applied to its service.” (16) The provider also raised concerns that because the NSA “minimization procedures [] do not require the government to immediately delete such information[, they] do not adequately protect United States person.” (26)

[snip]

Collyer, too, says a few interesting things about the proposed surveillance. For example, she refers to a selector as an “electronic communications account” as distinct from an email — a rare public admission from the FISC that 702 targets things beyond just emails. And she treats these Directives as an “expansion of 702 acquisitions” to some new provider or technology.

Now, there’s no reason to believe this provider was involved in upstream collection. Clearly, they’re being asked to provide data from their own servers, not from the telecom backbone (in fact, I wonder whether this new practice is why NSA has renamed “PRISM” “downstream” collection).

But we know two things. First: the discrete domestic communications that got sucked up in upstream collection in 2011 appear to have obscured their location. And, there is now a means of collecting bundles of communications via upstream collection (assuming Collyer’s use of MCT here is correct, which it might not be) such that even communications involving no “about” collection would be swept up.

Again, the evidence is still circumstantial, but there is increasing evidence that in 2014 the NSA got approval to collect on servers that obscure location, and that that is the remaining kind of collection (which might exist under both upstream and downstream collection) that will knowingly be swept up under Section 702. That’s the collection, it seems likely, that Coats doesn’t want to admit.

The problems with permitting collection on location-obscured Americans

If I’m right about this, then there are three really big problems with this practice.

First, in 2011, location-obscuring servers would not themselves be targeted. Communications using such servers would only be collected (if the NSA’s response to Bates is to be believed) if they included an “about” selector.

But it appears there is now some collection that specifically targets those location-obscuring servers, and knowingly collects US person communications along with whatever else the government is after. If that’s right, then it will affect far more than just 12,000 people a year.

That’s especially true given that a lot more people are using location-obscuring servers now than on October 3, 2011, when Bates issued his opinion. Tor usage in the US has gone from around 150,000 mean users a day to around 430,000 users.

And that’s just Tor. While fewer VPN users will consistently use overseas servers, sometimes it will happen for efficacy reasons and sometimes it will happen to access content that is unavailable in the US (like decent Olympics coverage).

In neither of Collyer’s opinions did she ask for the kind of numerical counts of people affected that Bates asked for in 2011. If 430,000 Americans a day are being exposed to this collection under the 2014 change, it represents a far bigger problem than the one Bates called a Fourth Amendment violation in 2011.

Finally, and perhaps most importantly, Collyer newly permitted back door searches on upstream collection, even though she knew that (for some reason) it would still collect US person communications. So not only could the NSA collect and hold location obscured US person communications, but those communications might be accessed (if they’re not encrypted) via back door searches that (with Attorney General approval) don’t require a FISA order (though Americans back door searched by NSA are often covered by FISA orders).

In other words, if I’m right about this, the NSA can use 702 to collect on Americans. And the NSA will be permitted to keep what they find (on a communication by communication basis) if they fall under four exceptions to the destruction requirement.

The government is, once again, fighting Congressional efforts to provide a count of how many Americans are getting sucked up in 702 (even though the documents liberated by Savage reveal that such a count wouldn’t take as long as the government keeps claiming). If any of this speculation is correct, it would explain the reluctance. Because once the NSA admits how much US person data it is collecting, it becomes illegal under John Bates’ 2010 PRTT order.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Coats v. Wyden, the Orwellian Reclassification Edition

Back on June 7, Ron Wyden asked a question similar to the one he asked James Clapper in 2013: “Can the government use FISA 702 to collect communications it knows are entirely domestic?” As Clapper did 4 years before, Coats denied that it could. “Not to my knowledge. It would be against the law.”

The claim was particularly problematic, given that less than two months earlier, Coats had signed a Section 702 certificate that admitted that the NSA would acquire entirely domestic communications via upstream collection.

When I asked ODNI about Coats’ comment, they responded by citing FISA.

Section 702(b)(4) plainly states we “may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States.” The DNI interpreted Senator Wyden’s question to ask about this provision and answered accordingly.

On June 15, Wyden — as he had in 2013 — insisted that Coats answer the question he asked, not the one that made for easy public assurances.

That was not my question. Please provide a public response to my question, as asked at the June 7, 2017 hearing.

After Wyden asked a few more times — again, as happened in 2013 — Coats provided a classified response on July 24. On September 1, however, Coats wrote Wyden stating that,

After consulting with the relevant intelligence agencies, I concluded that releasing the information you are asking to be made public would cause serious damage to national security. To that end, I provided you a comprehensive classified response to your question on July 24.

[snip]

While I recognize your goal of an unclassified response, given the need to include classified information to fully address your question, the classified response provided on July 24 stands as our response on this matter.

Wyden is … unsatisfied … with this response.

It is hard to view Director Coats’ behavior as anything other than an effort to keep Americans in the dark about government surveillance. I asked him a simple, yes-or-no question: Can the government use FISA Act Section 702 to collect communications it knows are entirely domestic?

What happened was almost Orwellian. I asked a question in an open hearing. No one objected to the question at the time. Director Coats answered the question. His answer was not classified. Then, after the fact, his press office told reporters, in effect, Director Coats was answering a different question.

I have asked Director Coats repeatedly to answer the question I actually asked. But now he claims answering the question would be classified, and do serious damage to national security.

The refusal of the DNI to answer this simple yes-no question should set off alarms. How can Congress reauthorize this surveillance when the administration is playing games with basic questions about this program?

This is on top of the administration’s recent refusal even to estimate how many Americans’ communications are swept up under this program.

The Trump administration appears to have calculated that hiding from Americans basic information relevant to their privacy is the easiest way to renew this expansive surveillance authority. The executive branch is rejecting a fundamental principle of oversight by refusing to answer a direct question, and saying that Americans don’t deserve to know when and how the government watches them.

Significantly, in the midst of this back-and-forth about targeting, Wyden and Coats were engaged in a parallel back-and-forth about counting how many US persons are impacted by Section 702. In a letter sent to Coats on August 3, Wyden suggested that it might be easier for NSA to count how many people located in the US are affected by Section 702.

First, whatever challenges there may be arriving at an estimate of U.S. persons whose communications have been collected under Section 702, those challenges may not apply equally to persons located in the United States. I believe that the impact of Section 702 on persons inside the United States would constitute a “relevant metric,” and that your conclusion that an estimate can and should be revisited on that basis.

So effectively, Coats is willing to say publicly that the NSA can’t knowingly target entirely domestic communications, but it does knowingly collect entirely domestic communications. But he’s unwilling to explain how or why it continues to do so in the wake of ending “about” collection.

And in the middle of Coats’ non-admission, Wyden challenged him to come up with a count of how many people in America are affected by Section 702, which would presumably include those incidentally collected because they communicated with a target, but also these entirely domestic communications that Coats admits exist but won’t explain.

I’ll try to explain in a follow-up what I think this is about.


Former Senators Sessions and Coats Likely Just Set Off a Conflict with Congress

I’ll have more to say about Jeff Sessions’ new witch hunt on leaks later. But for now I want to look at what former Assistant Director Ron Hosko had to say to Daily Beast.

Ron Hosko, former deputy director of the FBI, said these changes could result in prosecution of members of Congress and Hill staffers. In the past, he said the FBI identified members of Congress who leaked classified information, who the Justice Department then declined to prosecute. Agents were often frustrated by this, Hosko added. Given the attorney general’s announcement, he said, members of Congress and Hill staffers may be more likely to face prosecution.

As I was listening to the press presentation (I won’t call it a conference because Sessions and Coats ran away without answering questions), I couldn’t help but think what a shitshow these two former Senators were likely setting off.

That’s because the universe of potential leakers is fraught for DOJ especially.

There are the various White House leakers (not including the President, who will escape notice even though he is one of the most prolific and dangerous leakers). Prosecuting them will be difficult politically in this contentious Administration.

There are the IC leakers. While some will likely be charged, a good many will be — like David Petraeus — too dangerous to aggressively prosecute, because they know where the truly interesting secrets are.

Most of all, though, there are the current and former members of Congress and their staffers, who have clearly been a central source of leaks embarrassing the White House.

Hosko is right that FBI has bumped up against limits in prosecuting Congress before. In the Jeffrey Sterling case, for example, SSCI staff director Bill Duhnke was FBI’s first and primary suspect (and a far more likely source for James Risen’s 2003 story than Sterling, not least because the final form of that story included a seeming reference to Iraq that Sterling wouldn’t have known). But SSCI refused to cooperate with the FBI investigation for years, and Duhnke reportedly never did. Duhnke remains in the Senate, working as the Rules Staff Director.

There’s nothing the Sessions hearing today included that would change the circumstances of Congress’ non-participation in the prosecution of Duhnke going forward (except perhaps the threat to jail journalists, but that’s still not likely to be enough to get past Congressional Speech and Debate privilege).

Moreover, if the FBI pushes too hard, Congress will just legislate itself — and reporters — protections (as Congress has been threatening to do for some time).

Given the Fourth Circuit precedents tied to the Sterling case, I think it will be easier for FBI to go after low level IC staffers. But I’m fairly confident if it gets close to Congress there will be a significant backlash that will make former Senators Sessions and Coats regret they didn’t account for their former colleagues’ equities before rolling out a witch hunt.
