Posts

Amid Discussions of FISA Reform, James Boasberg Pushes for Greater Reform

It’s not entirely clear what will happen in a few weeks when several existing FISA provisions expire; there are ongoing discussions about how much to reform FISA in the wake of the Carter Page IG Report. But before anyone passes legislation, they would do well to read the order presiding FISA Judge James Boasberg issued yesterday.

On its face, Boasberg’s order is a response to DOJ’s initial response to FISC’s order to fix the process, Amicus David Kris’ response to that, and DOJ’s reply to Kris. The order ends by citing In re Sealed Case, the 2002 FISCR opinion that limited how much change the FISA Court can demand of DOJ, and “acknowledging that significant change can take time, and recognizing the limits of its authority.” By pointing to In re Sealed Case, Boasberg highlights the limits of what FISC can do without legislation from Congress — and, importantly, it highlights the limits of what FISC could do to improve the process if Bill Barr were to convince Congress that DOJ can fix any problems itself, without being forced to do so by Congress.

After invoking In Re Sealed Case, Boasberg orders reports (due March 27, May 4, May 22, June 30, and July 3) on the progress of a number of improvements. He orders that any DOJ or FBI personnel under disciplinary or criminal review relating to work on FISA applications may not participate in preparing applications for FISC, and he requires additional signoffs on applications, including Section 215 orders, which currently don’t require such affirmations.

Boasberg recognizes that DOJ, not just FBI, needs to change

Remarkably, Boasberg notes what I have — the IG Report provides evidence, its focus on FBI notwithstanding, that some of the blame for the Carter Page application belongs with DOJ, not FBI.

According to the OIG Report, the DOJ attorney responsible for preparing the Page applications was aware that Page claimed to have had some type of reporting relationship with another government agency. See OIG Rpt. at 157. The DOJ attorney did not, however, follow up to confirm the nature of that relationship after the FBI case agent declared it “outside scope.” Id. at 157, 159. The DOJ attorney also received documents that contained materially adverse information, which DOJ advises should have been included in the application. Id. at 169-170. Greater diligence by the DOJ attorney in reviewing and probing the information provided by the FBI would likely have avoided those material omissions.

As a result, Boasberg requires the DOJ attorney signing off on a FISA application to attest to the accuracy of it as well. He also suggests DOJ attorneys “participate in field-office visits to assist in the preparation of FISA applications.”

Boasberg recognizes that DOJ’s existing plan doesn’t address any root cause

Similarly, Boasberg recognizes that if the real problem with the Carter Page FISA applications involved information withheld from the application, improving the Woods procedure won’t fix the problem. In an extended section on oversight, Boasberg strongly suggested that DOJ needs to review whether information was withheld from the application.

Amicus agrees that reviews designed to elicit any pertinent facts omitted from the application, rather than merely verifying the facts that were included, would be extremely valuable, but also recognizes that such in-depth reviews would be extremely resource intensive. See Amicus Letter Br. at 12. He thus recommends that such reviews be conducted periodically at least in some cases and, echoing Samuel Johnson, advises that selection of cases for such reviews should be unpredictable because the possibility that any case might be reviewed “should help concentrate the minds of FBI personnel in all cases.” Id. In its response, the government advised that “it will expand its oversight to include additional reviews to determine whether, at the time an application is submitted to the FISC, there was additional information of which the Government was aware that should have been included and brought to the attention of the Court.” Resp. to Amicus at 13. DOJ advised, however, that given limited personnel to conduct such reviews, it is still developing a process for such reviews and a sampling methodology to select cases for review. ld. The Court sees value in more comprehensive completeness reviews, and random selection of cases to be reviewed should increase that value. As DOJ is still developing the necessary process and methodology, the Court is directing further reporting on this effort.

Amicus also encouraged the Court to require a greater number of accuracy reviews using the standard processes already in place. See Amicus Letter Br. at 12. He believes that the FBI and DOJ have the resources to ensure that auditing occurs in a reasonable percentage of cases and suggested that it might be appropriate to audit a higher percentage of certain types of cases, such as those involving U.S. persons, certain foreign-agent definitions, or sensitive investigative matters. Id. The government did not address Amicus’s recommendation that it increase the number of standard reviews.

Even though accuracy reviews are conducted after the Court has ruled on the application in question, the Court believes that they have some positive effect on future accuracy. In addition to guarding against the repetition of errors in any subsequent application for the same target, they should provide a practical refresher on the level of rigor that should be employed when preparing any FISA application. It is, however, difficult to assess to what extent accuracy reviews contribute to the process as a whole, partly because it is not clear from the information provided how many cases undergo such reviews. The Court is therefore directing further reporting on DOJ’s current practices regarding accuracy reviews, as well as on the results of such reviews.

Finally, the FBI has directed its Office of Integrity and Compliance to work with its Resource Planning Office to identify and propose audit, review, and compliance mechanisms to assess the effectiveness of the changes to the FISA process discussed above. See OIG Rpt. app. 2 at 429. Although the Court is interested in any conclusions reached by those entities, it will independently monitor the government’s progress in correcting the failures identified in the OIG Report.

Again, as I already noted, Boasberg himself found DOJ’s oversight regime inadequate in a 702 opinion written last year. He knows this is insufficient.

But as noted above, all Boasberg can do is order up reports and attestations.

At a minimum, Congress should put legal language behind the oversight he has now demanded twice.

A far better solution, however, would be to provide the oversight on FISA applications that other criminal warrant applications receive: review by defense attorneys in any cases that move to prosecution, which by itself would build in “unpredictabl[y] because the possibility that any case might be reviewed.”

James Boasberg, the presiding judge of the FISA court, issued an order in the middle of a debate about reform that points to several ways FISA should be improved, ways that the he can’t do on his own.

Congress would do well to take note.

Useful But Not Sufficient: FBI’s FISA Fix Filing

As one of her last acts as presiding FISA judge, Rosemary Collyer ordered the government to explain how it will ensure the statement of facts in future FISA applications don’t have the same kind of errors laid out in the DOJ IG Report on Carter Page.

THEREFORE, the Court ORDERS that the government shall, no later than January 10, 2020, inform the Court in a sworn written submission of what it has done, and plans to do, to ensure that the statement of facts in each FBI application accurately and completely reflects information possessed by the FBI that is material to any issue presented by the application. In the event that the FBI at the time of that submission is not yet able to perform any of the planned steps described in the submission, it shall also include (a) a proposed timetable for implementing such measures and (b) an explanation of why, in the government’s view, the information in FBI applications submitted in the interim should be regarded as reliable.

DOJ and FBI submitted their response on Friday. (This post lays out new revelations about the FISA process in it.) While I think there are useful fixes, most laid out in FBI Director Chris Wray’s response to the IG Report itself, the fixes are insufficient to fix FISA.

The filing largely focuses on the institution and evolution of the current accuracy review process. It promises to review the memorandum guiding that process (though doesn’t set a deadline for doing so), and adds some forms and training to try to ensure that FBI Agents provide DOJ all the information that the lawyers should include in an application to FISA. One of those forms — pertaining to human sources — seems important though might lead to counterintelligence problems in the future. Another, requiring agents to provide all exculpatory information, may improve the process. But fundamentally, DOJ and FBI assume that the process they currently use just needs to be improved to make sure it works the way they intend it to.

They’re probably insufficient to fix the underlying problems in the Carter Page FISA application.

The FISA Fix Filing is based on faulty assumptions

I say that, first of all, because the FISA Fix Filing adopts certain assumptions from the DOJ IG Report that may not be valid. The FISA Fix Filing assumes that:

  • FBI was responsible for all the errors on the Carter Page application
  • The right people at FBI had the information they needed
  • The Carter Page application was an aberration

The IG Report ignored where DOJ’s National Security Division contributed to errors

As I note in this post, possibly because of institutional scope (DOJ IG cannot investigate DOJ’s prosecutors), possibly because of its own confirmation bias, the IG Report held the FBI responsible for all the information that was known to investigators, but not included in the Carter Page FISA applications. Yet the report showed that at least two of the things it says should have been included in the Page applications — Page’s own denials of a tie with Paul Manafort, and Steele’s own derogatory comments about Sergei Millian — were shared with DOJ’s Office of Intelligence, which writes the applications. Indeed, Rosemary Collyer even noted the latter example in her letter. It also shows DOJ’s National Security Division had confirmed a fact — that Carter Page had no role in the platform change at the RNC — before FBI had.

Because the FISA Fix Filing assumes FBI is responsible for everything mistakenly excluded from the applications, the proposed fixes shift even more responsibility to FBI, requiring agents, with FBI lawyers, to identify the information that should be in an application. But if — as the IG Report shows — sometimes FBI provides the relevant information but it’s not included by the lawyers, then ensuring they provide all the relevant information won’t be sufficient to fix the problem.

The focus on FBI to the detriment of NSD has one other effect. NSD includes few changes to their behaviors in the FISA Fix Filing (largely limited to training and inadequate accuracy reviews). And where they do consider changes, they do not — as ordered by the court — set deadlines for themselves.

The IG Report barely noted the import of the failure to share information in timely fashion

The IG Report deviates radically from almost twenty years of after-action reports that have consistently advocated for more sharing of national security information. It recommends that Bruce Ohr be disciplined for doing just that. Perhaps to sustain that bizarre conclusion, the IG Report focuses almost no attention on an issue that is critical to fixing the problems in the Carter Page applications: ensuring that the people submitting a FISA application have all the information available to the US government. The IG Report showed a 2 month delay before the Crossfire Hurricane team obtained the Steele reports, a month delay in getting feedback from State Department official Kathleen Kavalec, and delays in obtaining the full extent of Bruce Ohr’s knowledge on the dossier, all of which contributed to the delayed vetting of the dossier. But the IG Report doesn’t explore why this happened. And the FBI FISA Fix only addresses it by reminding agents to consult with other agencies.

In another of the 17 problems with the FISA applications, the people submitting the applications apparently did not learn that Christopher Steele had admitted meeting with Yahoo in court filings.

According to the Rule 13 Letter and FBI officials, although there had been open source reporting in May 2017 about Steele’s statements in the foreign litigation, the FBI did not obtain Steele’s court filings until the receipt of Senators Grassley and Graham’s January 2018 letter to DAG Rosenstein and FBI Director Christopher Wray with the filings enclosed. We found no evidence that the FBI made any attempts in May or June 2017 to obtain the filings to assist a determination of whether to change the FBI’s assessment concerning the September 23 news article in the final renewal application.

In other instance (as noted above), while NSD had affirmative knowledge that Carter Page had not been involved in the change to the RNC platform, FBI had a different view, yet this issue was not resolved to fully discount the claim in FISA applications. The IG Report also faults FBI managers (but never NSD ones) for not aggressively questioning subordinates to get a full sense of problems with the applications. All of these are information sharing problems, not errors of transparency. Making the case agent fill out forms about what he or she knows will have only limited effect on ensuring that those agents obtain all the information they need, because if they don’t know it, they won’t know to look for it.

With the Crossfire Hurricane investigation, that problem was exacerbated by the close hold of the investigation (most notably by running the investigation out of Main Justice) and, probably, by the urgency of investigating an ongoing attack while it’s happening, which likely led personnel to focus more on collecting information about the attack than exculpatory information.

The FISA Fix Filing includes a vaguely worded document describing technological improvements — including a workflow document that sounds like bureaucratic annoyance as described — that suggest FBI is considering moving some of this to the cloud.

Corrective Action #11 requires the identification and pursuit of short- and long-term technological improvements, in partnership with DOJ, that aid in consistency and accountability. I have already directed executives in the FBI’s Information Technology Branch leadership to work with our National Security Branch leadership and other relevant stakeholders to identify technological improvements that will advance these goals. To provide one example of a contemplated improvement, the FBI is considering the conversion of the revised FISA Request Form into a workflow document that would require completion of every question before it could be sent to OI. The FBI proposes to update the Court on its progress with respect to this Corrective Action in a filing made by March 27, 2020.

It’s still not clear this would fix the problem (it’s still not clear how Bruce Ohr would have shared the information he had in such a way that he wouldn’t now be threatened with firing for doing so, for example). And for a close hold investigation like this, such a cloud might not work. But it would be an improvement (if FBI could keep it secure, which is a big if).

The FISA Fix Filing does have suggests to improve information sharing. But because the scope of the problem, as defined in the IG Report, doesn’t account for information that simply doesn’t get to the people submitting the application, it’s not clear it will fix that problem.

No one knows whether the Page applications are an aberration or not

Finally, no one yet knows whether the Carter Page application was an aberration, and thus far, no one at DOJ has committed to finding out. DOJ IG has committed to doing an audit of the Woods Procedure process that failed in the Carter Page case (and the FISA Fix Filing committed to respond to any findings from that).

The Government further notes that the OIG is conducting an audit of FBI’s process for the verification of facts included in FISA applications that FBI submits to the Court, including an evaluation of whether the FBI is in compliance with its Woods Procedures requirements. The Department will work with the OIG to address any issues identified in this audit.

Yet everyone involved admits that the most serious problems with the Page applications consisted of information excluded from the application, not inaccurate information in it.

Many of the most serious issues identified by the OIG Report were … [when] relevant information is not contained in the accuracy sub-file and has not been conveyed to the OI attorney.

Doing an audit of the Woods Procedures, then, does not test the conclusion that Page’s applications are an aberration, and therefore does not test whether more substantive fixes are necessary.

DOJ IG has considered doing more — and PCLOB suggested last year they might get involved (though technically, their counterterrorism scope wouldn’t even permit them to look at counterintelligence cases like Page’s) — but thus far there’s no plan in this filing to figure out of this is a broader problem.

The existing oversight for FISA may be inadequate

There are several reasons to believe that the existing oversight regime for FISA may be inadequate.

As noted, the existing IG plan to audit the Woods Procedure is insufficient to identify whether the existing FISA Fix Filing is sufficient to fix the problem. Also as noted above, the jurisdiction of DOJ’s IG, because it cannot review the actions of prosecutors, might not (and in this case, pretty demonstrably did not) adequately review all parts of the process, because it could not subject NSD attorneys to the same scrutiny it did FBI.

Then there are shortcomings to NSD’s oversight regime — shortcomings that Judge James Boasberg — the new presiding FISA Judge and so the just now in charge of overseeing these fixes — already highlighted in an opinion on problems with Section 702 queries.

As the FISA Fix Filing describes, OI (the same office that the IG Report let off when it received information but did not include it in applications) does a certain number of oversight reviews each year. But they don’t do reviews in every FBI field office (to which FBI devolved the FISA application process some years ago), and they don’t do accuracy reviews at every office where they do an oversight review.

OI’s Oversight Section conducts oversight reviews at approximately 25-30 FBI field offices annually. During those reviews, OI assesses compliance with Court-approved minimization and querying procedures, as well as the Court orders. Pursuant to the 2009 Memorandum, OI also conducts accuracy reviews of a subset of cases as part of these oversight reviews to ensure compliance with the Woods Procedures and to ensure the accuracy of the facts in the applicable FISA application. 5 OI may conduct more than one accuracy review at a particular field office, depending on the number ofFISA applications submitted by the office and factors such as whether there are identified cases where errors have previously been reported or where there is potential for use of FISA information in a criminal prosecution. OI has also, as a matter of general practice,_ conducted accuracy reviews of FISA applications for which the FBI has requested affirmative use of FISA-obtained or -derived information in a proceeding against an aggrieved person. See 50U.S.C. §§ 1806(c), 1825(d).

During these reviews, OI attorneys verify that every factual statement in the categories of review described in footnote 5 is supported by a copy of the most authoritative document that exists or, in enumerated exceptions, by an appropriate alternate document. With regard specifically to human source reporting included in an application, the 2009 Memorandum requires that the accuracy sub-file include the reporting that is referenced in the application and further requires that the FBI must provide the reviewing attorney with redacted documentation from the confidential human source sub-file substantiating all factual assertions regarding the source’s reliability and background.

As Boasberg noted in his 702 opinion last year, this partial review may result in problems going unaddressed for years.

Personnel from the Office of Intelligence (OI) within the Department of Justice’s National Security Division (NSD) visit about half of the FBI’s field offices for oversight purposes in a given year. Id at 35 & n 42. Moreover OI understandably devotes more resources to offices that use FISA authorities more frequently, so those offices [redacted] are visited annually, id at 35 n. 42, which necessitates that some other offices go for periods of two years or more between oversight visits. The intervals of time between oversight visits at a given location may contribute to lengthy delays in detecting querying violations and reporting them to the FISC. See, e.g., Jan. 18, 2019, Notice [redacted] had been conducting improper queries in a training context since 2011, but the practice was not discovered until 2017).

Furthermore, OI’s review of a subset of a subset of applications targeting Americans only reviews for things included in the application, not things excluded from it.

OI’s accuracy reviews cover four areas: (1) facts establishing probable cause to believe that the target is a foreign power or an agent of a foreign power; (2) the fact and manner of FBI’s verification that the target uses or is about to use each targeted facility and that property subject to search is or is about to be owned, used, possessed by, or in transit to or from the target; (3) the basis for the asserted U.S. person status of the target(s) and the means of verification; and (4) the factual accuracy of the related criminal matters section, such as types of criminal investigative techniques used (e.g., subpoenas) and dates of pertinent actions in the criminal case.

DOJ admits that this is a problem, and considers doing a check for the kind of information excluded from Carter Page’s applications, but doesn’t commit to doing so and (again, unlike FBI) doesn’t give itself a deadline to do so.

Admittedly, these accuracy reviews do not check for the completeness of the facts included in the application. That is, if additional, relevant information is not contained in the accuracy sub-file and has not been conveyed to the OI attorney, these accuracy reviews would not uncover the problem. Many of the most serious issues identified by the OIG Report were of this nature. Accordingly, OI is considering how to expand at least a subset of its existing accuracy reviews at FBI field offices to check for the completeness of the factual information contained in the application being reviewed. NSD will provide a further update to the Court on any such expansion of the existing accuracy reviews.

Improving these oversight reviews will have a salutary effect on all FISA authorities, not just individualized orders. Since Boasberg has already identified the inadequacies of the current reviews, I would hope he’d ask for at least an improved oversight regime.

Treating alleged subpoenas like they’re not subpoenas

There’s a change promised that I’m unsure about: Chris Wray’s voluntary decision to subject Section 215 and pen register orders to heightened accuracy reviews.

Currently, the accuracy of facts contained in applications for pen register and trap and trace surveillance pursuant to 50 U.S.C. § 1841 , et seq. , or applications for business records pursuant to 50 U.S. C. § 1861 , et seq. , must, prior to submission to the Court, be reviewed for accuracy by the case agent and must be verified as true and correct under penalty ofpeijury pursuant to 28 U.S.C. § 1746 by the Supervisory Special Agent or other designated federal official submitting the application. Historically, the Woods Procedures described herein have not been formally applied by the FBI to applications for pen register and trap and trace surveillance or business records. As discussed in the FBI Declaration, FBI will begin to formally apply accuracy procedures to such applications and proposes to update the Court on this action by March 27, 2020.

FBI has, for years, told the public these are mere grand jury subpoena equivalents, and so the privacy impact is not that great. That Wray thinks these need accuracy reviews suggests they’re more intrusive than that, in which case by all means FBI should add these reviews.

But as I suggested in this post, some of the problems with the Carter Page applications might have been avoided had the Crossfire Hurricane team obtained call records from both Page and George Papadopoulos early in the process, which would not only have confirmed Page’s accurate claim that Paul Manafort never returned his emails (undermining a key claim from the dossier), but it would have revealed Papadopoulos’ interactions with suspect Russian asset Joseph Mifsud, thereby pinpointing where the investigative focus should have been (and making it a lot harder for Papadopoulos to obstruct the investigation in the way he did). The IG Report doesn’t ask why this didn’t happen, but it seems an important question because if the FBI chose not to use ostensibly less intrusive legal process because existing Section 215 applications are not worth the trouble, then making the purportedly less-intrusive applications even more onerous will only lead to a rush to use full FISA, as appears to have happened here.

Further breaking the affiant-officer of the court relationship

One of the more insightful observations from the IG Report described how OI attorneys and FBI agents applying for FISA orders don’t work as closely as prosecutors and agents on a normal case.

NSD officials told us that the nature of FISA practice requires that OI rely on the FBI agents who are familiar with the investigation to provide accurate and complete information. Unlike federal prosecutors, OI attorneys are usually not involved in an investigation, or even aware of a case’s existence, unless and until OI receives a request to initiate a FISA application. Once OI receives a FISA request, OI attorneys generally interact with field offices remotely and do not have broad access to FBI case files or sensitive source files. NSD officials cautioned that even if OI received broader access to FBI case and source files, they still believe that the case agents and source handling agents are better positioned to identify all relevant information in the files.

The proposed FISA fixes seem to derive from this OI viewpoint, that because OI don’t work closely with agents they need to replace cooperation that is often inadequate on normal criminal investigations with a process that has even less cooperation for applications that are supposed to have a higher degree of candor.

The FISA Fix Filing seems to envision FBI lawyers picking up this slack, but especially since DOJ devolved the application process to Field Agents some years ago, it’s not clear, at all, why this would result in better lawyering.

Formalizing the role of FBI attorneys in the legal review process for FISA applications, to include identification of the point at which SES-level FBI OGC personnel will be involved, which positions may serve as the supervisory legal reviewer, and establishing the documentation required for the legal review;

[snip]

Corrective Action #7 requires the formalization of the role of FBI attorneys in the legal review process for FISA applications, to include identification of the point at which SES-level FBI OGC personnel will be involved, which positions may serve as the supervisory legal reviewer, and establishing the documentation required for the legal reviewer. Through this Corrective Action, the FBI seeks to encourage legal engagement throughout the FISA process, while still ensuring that case agents and field supervisors maintain ownership of their contributions.

As it is, the FISA process requires a more senior agent to be the affiant on an application, which in at least one of the Page applications, resulted in someone who had less knowledge of the case making the attestation under penalty of perjury.

It may be that these changes go in the opposite direction from where FISA should go, which would be closer to the criminal warrant model where a judge will have an FBI affiant who anticipates taking the stand at a trial (and therefore needs to retain his or her integrity to avoid damaging the case), and an office of the court signing off on applications (whom judges can sanction directly). That is, by introducing more layers and absolving OI from some of the direct responsibility for the process, these proposed changes may make FISA worse, not better.

Remarkably, the court might consider something far more effective.

On Friday, Boasberg appointed David Kris as amicus for this consideration. Kris literally wrote the book on all this, in addition to writing the 2001 OLC memo that eliminated the wall between the intelligence collected under FISA and the prosecutions that arise out of them. In a recent podcast, he mused that the way to fix all this may be to give defendants review of their applications, something always envisioned by Congress, but something no defendant has done. That — along with a more robust oversight process — seems like it has a better chance of changing the way the FBI and DOJ approach FISA applications than adding a bunch more checklists for the process.

The frothy right is in a lather over Kris’ appointment, which is a testament to how little these people (up to and especially Devin Nunes) understand FISA. But he has the institutional clout to be able to recommend real fixes to FISA, rather than a bunch of paperwork to try to make the Woods Procedure to work the way it’s supposed to.

DOJ could, voluntarily, provide review to more defendants. Alternately, Congress could mandate it in whatever bill reauthorizes Section 215 this year. Or Kris could suggest that’s the kind of thing that should happen.

Update: David Kris submitted his recommendations to Boasberg. Like me, he finds Wray’s plan useful but not sufficient. Like me he notes that the agents doing the investigation should be the ones signing off on affidavits (and he suggests the FISC review more applications until new procedures are in place). Kris also focuses on cultural changes that need to happen.

One thing he doesn’t do is review DOJ’s role (though he does argue that part of this stems from conflict between DOJ and FBI).

He also notes that DOJ has not imposed deadlines for itself.

In 2017, the Government Withdrew Three FISA Collection Requests Rather than Face an Amicus Review

Last year’s Section 702 Reauthorization law included a bunch of technical fix language describing how appeals of FISA Court of Review decisions should work.

In this post on that technical language, I speculated that Congress may have added the language in response to a denial of a request by the FISCR, about the only thing that would have identified the need for such language.

As one piece of evidence to support that hypothesis, I noted that one of the times the FISC consulted with an amicus (probably Amy Jeffress), it did not make the topic or the result public.

There’s one other reason to think there must have been a significant denial: The report, in the 2015 FISC report, that an amicus curiae had been appointed four times.

During the reporting period, on four occasions individuals were appointed to serve as amicus curiae under 50 U.S.C. § 1803(i). The names of the three individuals appointed to serve as amicus curiae are as follows:  Preston Burton, Kenneth T. Cuccinelli II  (with Freedom Works), and Amy Jeffress. All four appointments in 2015 were made pursuant to § 1803(i)(2)(B). Five findings were made that an amicus curiae appointment was not appropriate under 50 U.S.C. § 1803(i)(2)(A) (however, in three of those five instances, the court appointed an amicus curiae under 50 U.S.C. § 1803(i)(2)(B) in the same matter).

We know of three of those in 2015: Ken Cuccinelli serving as amicus for FreedomWorks’ challenge to the restarted dragnet in June 2015, Preston Burton serving as amicus for the determination of what to do with existing Section 215 data, and Amy Jeffress for the review of the Section 702 certifications in 2015. (We also know of the consultation with Mark Zwillinger in 2016 and Rosemary Collyer’s refusal to abide by USA Freedom Act’s intent on amici on this year’s reauthorization.) I’m not aware of another, fourth consultation that has been made public, but according to this there was one more. I say Jeffress was almost certainly the amicus used in that case because she was one of the people chosen to be a formal amicus in November 2015, meaning she would have been called on twice. If it was Jeffress, then it likely happened in the last months of the year.

I raise that background because of a detail in the FISC report released yesterday, showing its approvals for 2017. It revealed that FISC told the government on three occasions it might appoint an amicus. On all three occasions, the government withdrew the request rather than undergo a FISC review with even a limited adversary.

During the reporting period, no individual was appointed to serve as amicus curiae by the FISA courts. No findings were made in 2017, pursuant to 50 U.S.C. § 1803(i)(2)(A), that an amicus curiae appointment was not appropriate. There were three matters in which the Court advised the government that it was considering appointment of an amicus curiae to address a novel or significant question of law raised in proposed applications, but the government ultimately did not proceed with the proposed applications at issue, or modified the final applications such that they did not present a novel or significant question of law, thereby obviating a requirement for consideration as to the appropriateness of appointment of amicus. These matters are reflected in the table above as, respectively, a modification to a proposed order, an application denied in full, and an application denied in part. This is the first report including information about such occurrences. A similarly small number of such events occurred during prior reporting periods but were not discussed in the reports for those years.

In one case, the government withdrew an entire application after learning the FISC might appoint an amicus to review the proposed technique. In two others, the final order in one or another way did not include the requested practice.

These three instances are not the first time the government has withdrawn a request after learning FISC would invite adversarial review. While the court doesn’t reveal how many or in what years, it does say that a “similarly small number of such events occurred during prior reporting periods.” Given that there have been just two other reporting periods (the report for part of 2015 and the report covering all of 2016), the language seems to suggest it happened in both years.

That the government has been withdrawing requests rather than submitting them to the scrutiny of an amicus suggests several things.

First, it may be withdrawing such applications out of reluctance to share details of such techniques even with a cleared amicus, not even one of the three who served as very senior DOJ officials in the past. If that’s right, that would reflect some pretty exotic requests, because some of the available amici (most notably former Assistant Attorney General David Kris) have seen all that DOJ was approving with NatSec collection.

Second, remember that for at least one practice (the collection of location information), the government has admitted to opting to using criminal process rather than FISA where more lenient precedents exist in particular jurisdictions. That might happen, for example, if a target could be targeted in a state that didn’t require a warrant for some kinds of location data whereas FISC does.

Starting in 2017, the government would have the ability to share raw EO 12333 with the FBI, which might provide another alternative means to collect the desired data.

All of which is to say these withdrawals don’t necessarily mean the government gave up. Rather, past history has shown that the government often finds another way to get information denied by the FISC, and that may have happened with these three requests.

Finally, remember that as part of 702 reauthorization last year, Ron Wyden warned that reauthorization should include language preventing the government from demanding that companies provide technical assistance (which obviously includes, but is probably not limited to, bypassing or weakening encryption) as part of 702 directives. The threat the government might do so under 702 is particularly acute, because unlike with individual orders (which is what the withdrawn requests here are), the FISC doesn’t review the directives submitted under 702. Some of these withdrawn requests — which may number as many as nine — may reflect such onerous technical requests.

Importantly, one reason the government might withdraw such requests is to avoid any denials that would serve as FISC precedent for individualized  and 702 requests. That is, if the government believed the court might deny an individual request, it might withdraw it and preserve its ability to make the very same demand in a 702 context, where the FISC doesn’t get to review the techniques use.

Whatever the case, the government has clearly been bumping up against the limits of what it believes FISC will approve in individualized requests. But that doesn’t mean it hasn’t been surpassing those limits via one or another technical or legal means.

The Precedent for Using Presidential National Emergency Proclamations to Expand Surveillance

On September 14, 2001 — 3 days before signing an expansive Memorandum of Notification that would authorize a suite of covert operations against al Qaeda, and 4 days before signing an AUMF that would give those operations the appearance of Congressional sanction — President Bush declared a National Emergency in response to the 9/11 attack.

The following day, according to a 2002 motion to the FISC to be able to share raw FISA-derived information with CIA and NSA (this was liberated by Charlie Savage), FISC suspended its rules on sharing intelligence derived under FBI-obtained FISA warrants with criminal investigations (see page 26 of this paper for background).

On September 15, 2001, upon motion of the Government, the [FISA] Court suspended the “Court wall,” certification, and caveat requirements that previously had applied to Court-authorized electronic surveillance and physical search of [redacted] related targets, while directing that the FBI continue to apply the standard minimization procedures applicable in each case. As stated in the order resulting from that motion, the Court took this action in light of inter alia:

“the President’s September 14, 2001, declaration of a national emergency and the near war conditions that currently exist;”

“the personal meeting the Court had with the Director of the FBI on September 12, 2001, in which he assured the Court of the collection authority requested from this Court in the face of the nature and scope of the multi-faced response of the United States to the above-referenced attacks;

“the need for the Government to rapidly disseminate pertinent foreign intelligence information to appropriate authorities.”

Ten days after FISC dismantled its role in “the wall” between intelligence and criminal investigations in response to the Executive’s invocation of a National Emergency, on September 25, 2001, John Yoo finished an OLC memo considering the constitutionality of dismantling the wall by replacing “the purpose” in FISA orders with “a purpose.”

A full month later, on October 25, 2001, Congress passed the PATRIOT Act. For over 13 years, analysis of the PATRIOT Act has explained that it eliminated “the wall” between intelligence and criminal investigations by replacing language requiring foreign intelligence be “the purpose” of FISA wiretaps with language requiring only that that be “a significant purpose” of the wiretap. But the FISC suspension had already removed the biggest legal barrier to eliminating that wall.

In other words, the story we’ve been telling about “the wall” for over 13 years is partly wrong. The PATRIOT Act didn’t eliminate “the wall.” “The wall” had already been suspended, by dint of Executive Proclamation and a secret application with the FISC, over a month before the PATRIOT Act was initially introduced as a bill.

FISC suspended it, without congressional sanction, based on the President’s invocation of a National Emergency.

That’s not the only case where the Executive invoked that National Emergency in self-authorizing or getting FISC to authorize expansive new surveillance authorities (or has hidden the authorities under which it makes such claims).

Perhaps most illustratively, on May 6, 2004, Jack Goldsmith pointed to the National Emergency when he reauthorized most aspects of Stellar Wind.

On September 14, 2001. the President declared a national emergency “by reason of the terrorist attacks at the World Trade Center, New York, New York, and the Pentagon, and the continuing and immediate threat of further attacks on the United States.” Proclamation No. 7463, 66 Fed. Reg. 43, !99 (Sept. 14, 2001). The United States also launched a massive military response, both at home and abroad. In the United States, combat air patrols were immediately established over major metropolitan areas and were maintained 24 hours a day until April 2002, The United States also immediately began plans for a military response directed at al Qaeda’s base of operations in Afghanistan.

Only after invoking both the Proclamation and the immediate military response that resulted did Goldsmith note that Congress supported such a move (note, he cited Congress’ September 14 passage of the AUMF, not Bush signing it into law on September 18, thought that may be in part because Michael Hayden authorized the first expansions of surveillance September 14; also remember there are several John Yoo memos that remain hidden) and then point to an article on the friendly-fire death of Pat Tillman as proof that combat operations continued.

On September 14, 2001, both houses of Congress passed a joint resolution authorizing the President “to use all necessary and appropriate force against those nations, organizations, or persons he determines planned, authorized, committed, or aided the terrorist attacks” of September I I. Congressional Authorization § 2(a). Congress also expressly acknowledged that the attacks rendered it “necessary and appropriate” for the United States to exercise its right “to protect United States citizens both at home and abroad,” and acknowledged in particular that the “the President has authority under the Constitution to take action to deter and prevent acts of international terrorism against the United States.” id. pmbl. Acting under his constitutional authority as Commander in Chief, and with the support of Congress, the President dispatched forces to Afghanistan and, with the cooperation of the Northern Alliance, toppled the Taliban regime from power Military operations to seek out resurgent elements of the Taliban regime and al Qaeda fighters continue in Afghanistan to this day. See, e.g., Mike Wise and Josh White, Ex-NFL Player Tillman Killed in Combat, Wash. Post, Apr. 24, 2004, at AI (noting that “there are still more than 10,000 U.S. troops in the country and fighting continues against remains of the Taliban and al Qaeda”).

That is, even in an OLC memo relying on the AUMF to provide legal sanction for President Bush’s systematic flouting of FISA for 2.5 years, Goldsmith relied primarily on the National Emergency Proclamation, and only secondarily on Congress’ sanction of such invocation with the AUMF.

The White Paper released in 2006 largely regurgitating Goldsmith’s opinion for more palatable consumption mentions the AUMF first in its summary, but then repeats Goldsmith’s emphasis on the Proclamation in the background section (see pages 2 and 4).

Paragraphs that may discuss such authorizations get redacted in the 2006 application to move content collection under FISC (see page 6). The entire background section (starting at page 5) of the initial Internet dragnet application is also redacted. While we can’t be sure, given parallel claims made in the same 2004 to 2006 period, it seems likely those memoranda also repeated this formula.

Such a formula was definitely dropped. The 2006 memorandum in support of using Section 215 to create a phone dragnet included no mention of authorities. The 2007 memorandum to compel Yahoo to fulfill Protect American Act orders cites PAA, not Emergency Declarations.

But the formula was retained in all discussions of the Administration’s illegal wiretap program in secret declarations submitted in court in 2006, 2007, and 2009, being repeated again in an unclassified 2013 declaration. While these declarations likely all derive, at least in part, from Goldsmith’s memo, it’s worth noting that the government has consistently suggested it could conduct significant surveillance programs without Congressional sanction by pointing to the that National Emergency Proclamation.

This is the precedent I meant to invoke when I expressed concern about President Obama’s expansive Executive Order of the other day, declaring a National Emergency because of cybersecurity.

Ranking House Intelligence Member Adam Schiff’s comment that Obama’s EO is “a necessary part of responding to the proliferation of dangerous and economically devastating cyber attacks facing the United States,” but that it will be “coupled with cyber legislation moving forward in both houses of Congress” only adds to my alarm (particularly given Schiff’s parallel interest in giving Obama soft cover for his ISIL AUMF while having Congress still involved).  It sets up the same structure we saw with Stellar Wind, where the President declares an Emergency and only a month or so later gets sanction for and legislative authorization for actions taken in the name of that emergency.

And we know FISC has been amenable to that formula in the past.

We don’t know that the President has just rolled out a massive new surveillance program in the name of a cybersecurity Emergency (rooted in a hack of a serially negligent subsidiary of a foreign company, Sony Pictures, and a server JP Morgan Chase forgot to update).

We just know the Executive has broadly expanded surveillance, in secret, in the past and has never repudiated its authority to do so in the future based on the invocation of an Emergency (I think it likely that pre FISA Amendments Act authorization for the electronic surveillance of weapons proliferators, even including a likely proliferator certification under Protect America Act, similarly relied on Emergency Proclamations tied to all such sanctions).

I’m worried about the Cyber Intelligence Sharing Act, the Senate version of the bill that Schiff is championing. But I’m just as worried about surveillance done by the executive prior to and not bound by such laws.

Because it has happened in the past.

Update: In his October 23, 2001 OLC memo authorizing the President to suspend the Fourth Amendment (and with it the First), John Yoo said this but did not invoke the September 14, 2001 proclamation per se.

As applied to the present circumstances, the [War Powers Resolution] signifies Congress’ recognition that the President’s constitutional authority alone enables him to take military measures to combat the organizations or groups responsible for the September 11 incidents, together with any governments that may have harbored or supported them, if such actions are, in his judgment, a necessary and appropriate response to the national emergency created by those incidents.

Update: Thanks to Allen and Joanne Leon for the suspend/suspect correction.

Why Did ODNI Fight So Hard to Hide the Census Opinion?

Congratulations to EFF, which yesterday liberated another document on Section 215: a 2010 OLC opinion finding that the Department of Commerce (then counseled by Cameron Kerry who, curiously enough, hosted the Bob Litt speech the other day) did not have to turn over data to the FBI under Section 215 (which was the only one of many statutes it reviewed that OLC considered possibly binding).

After reviewing a bunch of legislative language on both Congress’ intent to provide affirmative confidentiality to census data and on its silence on census data during the PATRIOT Act reauthorization debates, Deputy Assistant Attorney Genereal Jeannie Rhee concluded,

We therefore conclude that section 215 should not be construed torepeal otherwise applicable Census Act protections for covered census information, such that they would require their disclosure by the Department of Commerce.Because no other PatriotAct provision that you have, identified, nor any such provision that we have separately reviewed, would appear to have that effect, we agree that the Patriot Act, as amended, does not alter the. confidentiality protections in sections 8, 9, and 214 of the Census Act in a manner that could require the Secretary of Commerce to disclose such information.

Many outlets are hailing this as OLC noting some limits to the otherwise unlimited demands the government thinks it can make under Section 215.

But I’m left puzzled.

Why did the Administration fight so hard to keep this secret? This suit has been going on for years, and ODNI tried to keep this secret long after reams of more interesting — and more classified — information got released on the phone dragnet and related authorities.

I can think of several possible reasons (and these are all speculative):

FISC decisions

Perhaps the government thinks this might endanger FISC’s decision that Section 215 does repeal two other privacy statutes. In 2008, Judge Reggie Walton found that Section 215 overrode the privacy protections for call data under ECPA [SCA]. And in 2010, John Bates found that it overrode the privacy protections in RFPA. Effectively, both decisions found that the government could do with Section 215 (and court review) what the FBI could otherwise do with NSLs. But of course, by doing them under Section 215, the government managed to do them in greater bulk, and probably with some exotic requests added in. At least the ECPA opinon was probably elicited by DOJ IG pointing out that the NSL rule did prevent other access to such data. In both opinions, the FISC reviewed the absence of legislative language and used it to conclude something dissimilar to what OLC concluded here: that in the absence of language, it provided permission. Does ODNI think the publication of this OLC opinion will make it easier to challenge the use of Section 215 for phone and financial records?

Update: This passage, from ACLU’s challenge to the phone dragnet, more eloquently suggests this is precisely why ODNI wanted to bury this opinion. It cites the importance of statutory construction, and then notes ties it to earlier statements on the Census Act.

On its face, Section 215 provides the government with general authority to compel the disclosure of tangible things. However, the Stored Communications Act (“SCA”) specifically addresses the circumstances in which the government can compel the disclosure of phone records in particular. The SCA provision states that a “provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service . . . to any governmental entity.” 18 U.S.C. § 2702(a)(3). While the SCA provision lists exceptions to its otherwise categorical prohibition, see id. §§ 2702(c), 2703, Section 215 is not among them. This omission is particularly notable because Congress enacted sections 2702(c) and 2703 in the same bill as Section 215.

The district court held that Section 215 constitutes an implicit exception to Section 2702 because Section 215 orders “are functionally equivalent to grand jury subpoenas.” SPA027. But well-settled rules of statutory construction require that the list of exceptions in section 2702 and 2703 be treated as exhaustive. See United States v. Smith, 499 U.S. 160, 167 (1991) (“Where Congress explicitly enumerates certain exceptions . . . additional exceptions are not to be implied, in the absence of evidence of a contrary legislative intent.” (quotation marks omitted)). Congress has enacted a comprehensive scheme to regulate the government’s collection of electronic communications and records relating to those communications. That comprehensive scheme, which addresses the precise circumstances in which the government can collect the records at issue in this case, must be given precedence over provisions that are more general. See In re Stoltz, 315 F.3d 80, 93 (2d Cir. 2002) (holding that it is a “basic principle of statutory construction that a specific statute . . . controls over a general provision” (quoting HCSC–Laundry v. United States, 450 U.S. 1, 6 (1981))); see also PCLOB Report 92–93.

Indeed, the Justice Department has itself acknowledged that it would contravene the structure of the SCA to “infer additional exceptions” to the “background rule of privacy” set out in section 2702(a). See Office of Legal Counsel, Memorandum Opinion for the General Counsel [of the] FBI: Requests for Information Under the Electronic Communications Privacy Act 3 (Nov. 5, 2008), http://1.usa.gov/1e5GbvC (concluding that the FBI could not use national security letters to compel the production of records beyond those specifically exempted from the general privacy rule). Moreover, it has acknowledged that principle with respect to Section 215 itself, concluding that the statute does not override the privacy protections of the Census Act, 13 U.S.C. §§ 8, 9, 214. Letter from Ronald Weich, Assistant Attorney General, to Hon. Nydia Velázquez, Chair, Congressional Hispanic Caucus, U.S. House of Representatives (Mar. 3, 2010), http://wapo.st/aEsETd. [my emphasis]

The Second Circuit already sounded like it wanted to boot the dragnet on statutory grounds (if they did, doing so should have the same effect for financial records as well). And the release of this opinion may well help them do that.

Presumptive Section 215 Collection

In 2010, this OLC memo reveals, DOJ’s National Security Division — then headed by David Kris — believed that the government ought to be able to use Section 215 to obtain raw census data (the rest of DOJ, curiously, did not agree). Kris lost that battle.

But data very similar to census data is readily available, from private marketing brokers. If NSD saw the need to obtain this kind of data, it’s not clear what would prevent the government from just obtaining very similar data from marketing firms. Should we assume it has done so?

Census data in racial profiling

I also wonder whether this came up in the context of ways both the NYPD (with CIA assist) and FBI have used census data to conduct their racial profiling efforts. Both have relied on published (aggregated) census data to find which neighborhoods to spy on. Was there some kind of effort to fine tune this racial profiling by using the underlying data?

NCTC’s access to internal databases

Finally, I wonder whether ODNI’s reticence about this OLC opinion pertains to its own National Counterterrorism Center guidelines  on information sharing, which permit NCTC to demand entire databases from other government agencies if it says the database includes information on terrorists (effectively making us all terrorists). Discussions about doing so started in 2011 and resulted in broad new data sharing guidelines in 2012, so that change actually took place after this opinion. Also note the opinion’s interesting timing: January 4, 2010, so probably too soon after the UndieBomb attempt on Christmas day in 2009 to be considered part of the expanded information sharing that happened after that attack, though not so long after the Nidal Hassan attack.

Whatever the timing, I’m curious how this opinion has influenced discussions about and limits to that data-sharing initiative — and how it should have influenced such data sharing?

 

The FBI PRTT Documents: The Paragraph 31 PCTDD Technique

I’ve been working my way through a series of documents in EPIC’s FOIA for FISA PRTT documentsThis is the last of a series of posts where I unpack the Internet dragnet documents. This post tracks what the reports to Congress reveal (largely about the language the government used to hide programs). And this post shows that the government probably used combined PRTT and Section 215 orders to get real-time cell location. The last chunk of documents withheld pertain to what I’ll call “the Paragraph 31” technique, after the entirely redacted paragraph in the first David Hardy declaration describing it. The technique is some application of what gets treated as Post Cut-Through Dialed Digits (PCTDD), those digits a person enters after being connected to a phone number, which might include phone tree responses, credit card information, or password information.

The PCTDD DIOG section withheld

We know Paragraph 31 pertains to PCTDD because one of the documents withheld — described as document 1 in the first Hardy declaration — is a section of the Domestic Investigations and Operations Guide that pertains to PCTDD.

The first document is comprised of pages 186-189 of the DIOG. The DIOG is a manual used by FBI Special Agents in conducting and carrying out investigations. This particular excerpt of the DIOG provides a step-by-step guide in assisting Special Agents in determining whether to utilize a specific method in collecting information such as (1) when to use the method and technique; (2) factors to consider when making this determination; (3) how to go about using the specific method and technique; and (4) the type of information that can be gleaned from it

The paragraph cites paragraph 31, so we know it’s the same method. As reflected by the Vaughn Index, the pages in question appear to be from the 2008 DIOG, not the 2011 one. The pagination of the two documents reinforces that. There’s no way to work the pagination of the 2011 DIOG to land in the PRTT section, whereas those page numbers do point to the PRTT section in the 2008 DIOG. The section in question starts at PDF 79. The key unredacted part reads,

The definition of both a pen register device and a trap and trace device provides that the information collected by these devices “shall not include the contents of any communication.” See 18 U.S.C. § 3127(3) and (4). In addition, 18 U.S.C. § 3121(c) makes explicit the requirement to “use technology reasonably available” that restricts the collection of information “so as not to include the contents of any wire or electronic communications.” “Content” includes any information concerning the substance, purport, or meaning of a communication. See 18 U.S.C. §2510(8). When the pen register definition is read in conjunction with the limitation provision, however, it suggests that although a PR/TT device may not be used for the express purpose of collecting content, the incidental collection of content may occur despite the use of “reasonably available” technology to minimize, to the extent feasible, any possible over collection while still allowing the device to collect all of the dialing and signaling information authorized.

In addition to this statutory obligation, DOJ has issued a directive in [redacted half line in 2011 DIOG] to all DOJ agencies requiring that no affirmative investigative use may be made of PCTDD incidentally collected that constitutes content, except in cases of emergency–to prevent an immediate danger of death, serious physical injury, or harm to the national security.

The criminal context of FBI’s PCTDD FISA usage

As with the “hybrid” use of PRTT and toll record orders, the concern about PCTDD may have had some tie to criminal proceedings.

On May 24, 2002, Deputy Attorney General Larry Thompson issued a directive on “avoiding collection and investigative use of content in the operation of Pen Registers.” It explicitly said that FISA was “outside the scope of this Memorandum.”

In 2006 and 2007, the government applied for Pen Registers in EDNY, including PCTDD. The magistrate judge denied the request for PCTDD as content, which led to a process of reconsideration and further briefing, including amicus briefs from EFF and Federal Defenders of NY. [Update: I’ve been reliably informed that Kollar-Kotelly’s request was a response to a MJ Stephen Smith ruling issued in Texas in July 2006.]

During this period, on August 7, 2006, Colleen Kollar-Kotelly ordered briefing in docket PRTT 06-102 on how FBI was fulfilling its obligation, apparently under the 2002 DOJ directive FBI maintained did not apply to FISA, not to affirmatively use PCTDD for any investigative purpose.  PDF 39-40

Judge Kotelly has ordered the FBI to submit a report no later than September 25 (2006). This report must contain:

(1) an explanation of how the FBI is implementing its obligation to make no affirmative investigative use, through pen register authorization, of post-cut-through digits that do not constitute call dialing, routing, addressing or signaling information, except in a rare case in order to prevent an immediate danger of death, serious physical injury or harm to the National Security, addressing in particular: a) whether post-cut-through digits obtained via FISA pen register surveillance are uploaded into TA, Proton, IDW, EDMS, TED, or any other FBI system; and b) if so what procedures are in place to ensure that no affirmative investigative use is made of postcut-through digits that do not constitute call dialing, routing, addressing or signaling information, including whether such procedures mandate that this information be deleted from the relevant system.

(2) an explanation of what procedures are in place to ensure that the Court is notified, as required pursuant to the Courts Order in the above captioned matter, whenever the government decides to make affirmative investigative use of post-cut-through digits that do not constitute call dialing, routing, addressing or signaling information in order to prevent an immediate danger of death, serious physical injury, or harm to the national security.

At the time, at least some of FBI’s lawyers believed that for FISA Pen Registers, FBI retained all the PCTDD. PDF 38

When DSC 3000 is used for a FISA collection, doesn’t the DCS 3000 pass all to the [redacted](DSC 5000) including the PCTDD–in other words for FISAs the DCS3000 does NOT use the default of not recoding [sic] the PCTTD???? [sic]

This report — dated September 25, 2006 — appears to be the report Kollar-Kotelly requested. It implores her not to follow [redacted], which appears to is a reference the EDNY court Texas decision.

That report is followed by this one — which was submitted on November 1, 2006 — which appears to propose new procedures to convince her to permit the FBI to continue to collect and retain PCTDD.

In other words, during the early part of the period when the FBI was bumping up against a criminal standard prohibiting the retention of PCTDD under protection of minimization procedures, Judge Kollar-Kotelly required FBI to prove its existing (and new) minimization procedures to ensure they were strong enough to comport with the law.

The original PCTDD question was still burbling away in EDNY, however, and in November 2008 Judge Nicholas Garaufis mooted the question of PCTDD based on the government’s representation that it would delete the information when it received it.

On June 11, 2008, the Government applied to Judge Orenstein for authorization to install and use a pen register and trap and trace device on two wireless telephones (the “SUBJECT WIRELESS TELEPHONES”). (Gov. Br. at 5.) The Government requested, inter alia, an Order authorizing the recording of post-cut-through dialed digits (“PCTDD”) via pen register. PCTDD are digits dialed from a telephone after a call is connected or “cut through.” In the Matter of Applications, 515 F.Supp.2d 325515F.Supp.2d325, 328 (E.D.N.Y.2007) *204 (“Azrack Opinion”). Because PCTDD sometimes transmit information such as bank account numbers and Social Security numbers which constitutes “contents of communications,” and because the Pen Register Statute defines a pen register as “a device or process which records or decodes dialing … or signaling information… provided, however, that such information shall not include the contents of any communication,” 18 U.S.C. § 3127(3) (emphasis added), Judge Orenstein denied the Government’s request for authorization to record PCTDD. The Government subsequently appealed Judge Orenstein’s denial of its request to this court, asking this court to authorize it to record PCTDD.

On September 23, 2008, in response to the court’s request for clarification of the specifics of its request for pen register data, the Government informed the court that the law enforcement agency involved in the investigation of the SUBJECT WIRELESS TELEPHONES will configure its computers so as to immediately delete all PCTDD received from the provider. (Government’s September 23, 2008 letter to the court.) Therefore, as the pen registers sought by the Government in this application will not “record” or “decode” content within the meaning of the Pen Register Statute, the legal question presented by the Government in its appeal is moot.[3] As the Government is entitled to the information it now seeks, the court directs the Magistrate Judge to issue, if still necessary, an order authorizing the installation of the pen registers on the SUBJECT WIRELESS TELEPHONES that is consistent with the representations in the Government’s letter of September 23, 2008.

Note that Garaufis also embraced the hybrid theory other judges had started rejecting in 2005, which I believe lies behind the BRPR orders.

Behind the scenes, there appear to have been changes to the way the government dealt with PCTDD information under FISA collection. This August 17, 2009 Memo of Law appears to revisit the issue (perhaps in light of the final ruling in EDNY in 2008 and/or as part of the PRTT review of that year). It argues over some of the same Pat Leahy language as the other documents do. It appears to refer to the November 2006 document. It discusses the May 24, 2002 over-collection directive as applying only to the criminal context.

But it also describes some changes implemented in July and December 2008 (it’s possible there are references to revisions to the DIOG in this section).

That’s one reason why several changes between the 2008 and 2011 DIOG are of interest. In addition to the redacted passage on DOJ’s 2002 directive (above) probably affirmatively asserting now that the directive does not apply to FISA, there are two other changes in the Pen Register that are unclassified between the two DIOGs. First, the 2011 one reflects a 2010 change in FISC procedure (see Procedure 15 and Section 18 .6.9.5.1.4), no longer permitting (or requiring) the sequestration of over-collected information at FISC. In addition, the 2011 DIOG appears to show an extra use of PCTDD collection (showing 7 total across subsections A and B, as compared to 6).

What becomes clear reviewing the public records (these reports say this explicitly) is that the 2002 DOJ directive against retaining PCTDD applies to the criminal context, not the FISA context. When judges started challenging FBI’s authority to retain PCTDD that might include content under criminal authorities, FBI fought for and won the authority to continue to treat PCTDD using minimization procedures, not deletion. And even the standard for retention of PCTDD that counts as content permits the affirmative investigative use of incidentally collected PCTDD that constitutes content in cases of “harm to the national security.”

Whateverthefuck that is.

Which is, I guess, how FBI still has 7 uses of PCTDD, including one new one since 2008.

The details on the withheld documents

Which brings us to the remaining documents on Paragraph 31 the FBI is withholding. In addition to the DIOG and a Westlaw print out (which I would guess is the opinion in the criminal case), there are 4 memoranda and one report described in the first Hardy Declaration, as well as a PRBR motion to retain data that I wouldn’t be surprised if FBI used to request the authority to retain, under FISA authority, the materials it said it wouldn’t obtain in the EDNY case (in any case, it requested approval to retain some data collected under a hybrid PRBR order). One of the documents in that bunch includes both electronic surveillance (the collection of content) and the use of a pen register (ostensibly non-content).  The second Hardy declaration includes 9 FISC orders pertaining to the method, along with a District Court order pertaining to it (which might be that 2008 opinion).

Significantly, 4 of those orders are Primary Orders, suggesting multiple Secondary Orders to providers of some sort, and a program of some bulk. And those documents are only the ones that got shared with Congress, so only the ones that reflected some significant decision.

The declarations don’t tell us much about how they’re using this PCTDD information. Here are the most informative passages (some of which show up in both).

The ability to conduct electronic surveillance through the installation and use of pen registers and trap and trace devices has proven to be an indispensable investigative tool and continues to serve as a building block in many of the FBI’s counterterrorism and counterintelligence investigations. The specific type of electronic surveillance has resulted in numerous benefits by providing the FBI valuable substantive information in connection with national security investigations. The information gathered has either confirmed prior investigative information or has contributed to the development of additional investigative information, and has been invaluable in providing investigative leads.

[snip]

[T]he release of such information would reveal actual intelligence activities and methods used by the FBI against specific targets who are the subject of foreign counterintelligence investigations or operations; identify a target of a foreign counterintelligence investigation; or disclose the intelligence gathering capabilities of the activities or methods directed at specific targets.

[snip]

The information protected under this [7(E)] exemption contain details about sensitive law enforcement techniques used by the FBI in gathering valuable intelligence information in current and prospective criminal, counterintelligence, and national security investigations.

What I find most interesting about these declarations, however, is the near total (maybe even total) silence about terrorism. These are used for “national security” and “counterintelligence” investigations, but nothing explicitly described as a counterterrorism investigation.

While I can see some especially useful applications of PCTDD information in the CI context — imagine how valuable it would be to know the voicemail passwords of Chinese targets, for example — I also wonder whether the FBI is using this stuff primarily for cyber targets. Whatever it is, the government has apparently argued for and maintained the authority to retain PCTDD data in the FISA context, with the ability to use actual content in the event of possible harm to national security.

The Foreign Metadata Problem

In this post, I argued that a likely explanation for the NSA’s limits on collecting domestic cell phone data stem from a decision Verizon made in 2009 to stop participating in an FBI call records program. I’m not sure if I’m right about the cause (I know I’m not right about the timing), but I based part of my argument on how the FISA Court resolved a problem with telecoms turning over foreign data in 2009. And that resolution definitely indicates there’s something different about the way Verizon produces dragnet data from how AT&T does (Sprint is probably a third case, but not as important for these purposes).

Let me be clear: Verizon was not the only telecom to have the problem. It affected at least one other telecom; I believe it may have affected all of them. But the FISC resolved it differently with Verizon, which I believe shows that Verizon complies with the Section 215 orders in different fashion than AT&T and Sprint.

The problem was first identified when, in May 2009, Verizon informed the NSA it had been including foreign-to-foreign records in the data it provided to the NSA. Here’s how David Kris explained it in his report accompanying the phone dragnet end to end report.

NSA advised that for the first time, in May 2009, [redacted–Verizon] stated it produced foreign-to-foreign record pursuant to the Orders. [redacted–Verizon] stopped its production of this set of foreign-to-foreign records on May 29, 2009, after service of the Secondary Order in BR 09-06, which carves out foreign-to-foreign records from the description of records to be produced. (19)

In an accompanying declaration Keith Alexander provided more detail.

In May 2009, during a discussion between NSA and [redacted–Verizon] regarding the production of metadata, a [redacted–Verizon] representative stated that [redacted] produced the records [redacted] pursuant to the BR FISA Orders. This was the first indication that NSA had ever received from [redacted–Verizon] of its contrary understanding. At the May 28, 2009, hearing in docket number BR 09-06, the government informed the Court of [redacted redacted]. To address the issue, based on the government’s proposal, the Court issued a Secondary Order to [redacted] in docket number BR 09-06 that expressly excluded foreign-to-foreign call detail records from the scope of records to be produced. On May 29, 2009, upon service of the Secondary Order in docket number  BR 09-06, [redacted–Verizon] ceased providing foreign-to-foreign records [redacted]. (42/PDF67)

Almost every dragnet order since that May 29, 2009 one has broken its production order out into two subparagraphs to reflect this change.

Screen Shot 2014-11-09 at 11.28.29 AM

We can be virtually certain that Verizon is this provider, because the Verizon secondary order leaked by Edward Snowden includes the language excluding foreign-to-foreign data. That long redaction likely hides Verizon’s full name under this program, “Verizon Business Network Services, Inc. on behalf of MCI Communication Services Inc., d/b/a Verizon Business Services (individually and collectively “Verizon”), which is the name initially used in the secondary order.

Additionally, ODNI originally released the January 20, 2011 primary order with the paragraph that clarifies this with Verizon’s name unredacted. The paragraph remains in the dragnet orders, even after Verizon and Vodaphone split earlier this year (though if the split affected this issue, they may have hidden the fact by retaining the paragraph, given that they’re now anticipating declassification of the orders).

Less than a month after this incident, on June 25, the NSA finished its End-to-End report, which reported just the Verizon issue. Sometime between then and July 9, the FISC appears to have realized one of the other providers had a similar problem. The July 9, 2009 dragnet order, in the only exception I know to the two-part production order, looked like this:

Screen shot 2014-11-09 at 2.07.33 PM

The production order is to plural custodians of records, meaning at least two providers must be named. But it applies the Verizon rules to all of the named providers.

The order also requires an explanation for inclusion of the foreign-to-foreign records (see the bullet at 16-17). It is redacted in the released order but the DOJ submission (see page 6) shows that Judge Walton ordered,

a full explanation of the extent to which NSA has acquired call detail records of foreign-to-foreign communications from [redacted–too long to just be Verizon] pursuant to orders of the FISC, and whether the NSA’s storage, handling, and dissemination of information in those records, or derived therefrom, complied with the Court’s orders;

The September 3, 2009 order reverts to the two-paragraph structure. But it also orders retroactive production from one of the providers (AT&T or Sprint, probably the latter based on redaction length) named in the first paragraph (I first wrote about this here).

In addition, the Custodian of Records of [redacted] shall produce to NSA upon service of the appropriate Secondary Order an electronic copy of the same tangible things created by [redacted] for the period from 5:11 p.m. on July 9, 2009 to the date of this Order, to the extent those records still exist.

And adds a requirement that NSA report on any significant changes in reapplications, including on any changes to how the government obtains the data from carriers.

Any application to renew or reinstate the authority granted herein shall include a report describing: (1) the queries made since the end of the reporting period of the last report filed with the Court; (ii) the manner in which NSA applied the procedures set forth in paragraph (3)C above; and (iii) any proposed changes in the way in which the call detail records would be received from the carriers and any significant changes to the systems NSA uses to receive, store, process, and disseminate BR metadata. [my emphasis]

The DOJ report provides further evidence that at least one other provider provided foreign-to-foreign records. When Kris introduces this problem (see page 18), he references a three part discussion in Alexander’s declaration.

Screen shot 2014-11-09 at 3.52.19 PM

You can see the heading for the third provider on page 46/PDF 71 of the Alexander declaration.

So the report appears to have commented on all three providers. The problem clearly affected two of them.

But FISC only retains the clarification for Verizon.

As I said, I appear to be wrong about the timing of this. I had suggested it was tied to Verizon deciding not to reup its contract under the FBI phone program in 2009. That almost certainly had to have happened (as Charlie Savage noted to me via Twitter, the Exigent Letter IG Report was focused on AT&T, MCI, and Verizon, and one of the latter two, which means basically one part of Verizon, backed out).

But the End-to-End Report makes it clear Verizon first started turning over this data in January 2007.

This foreign-to-foreign metadata started coming into NSA in January 2007. (15)

There was not even a dragnet order signed in January 2007, so it can’t be tied primarily to the phone dragnet. It also preceded the end of the on-site phone provider program (which ended in December 2007) and even the release of the first NSL IG Report in March 2007, which led the providers to get squirrelly (see page 191 for these dates).

The details regarding the potential problems with Verizon’s provision of foreign-to-foreign records suggests this may have something to do with upstream production (Verizon had been providing upstream records to the NSA for years, but it only came under the oversight of the FISC in January 2007).

Furthermore, because the records are records of foreign-to-foreign communications, almost all of them do not concern the communications of U.S. persons. To the extent any of the records concern the communications of U.S. persons, such communications would be afforded the same protections as any other U.S. person communication [redacted] authorities. Id. at 43. (19)

[snip]

almost all of them concern the communications of non-U.S. persons located outside the United States. If NSA were to find that any of the records concerned U.S. persons, their dissemination would be governed by the terms of USSID 18 which are the procedures established pursuant to EO 12333, as amended. (68)

The discussion of records that might “concern the communications” sounds like an “about” search (though I’m not sure of what).

All that said, AT&T should have had the same upstream “about” obligations starting in January 2007 that Verizon did. I suspect (based on my guess that Sprint is the production that got shut down) the order in the July 9, 2009 order is the only instruction they ever got to stop providing foreign-to-foreign records. Yet FISC felt the need — still feels the need — to keep that explicit order to Verizon in every single primary order.

Mind you, all this shows that Verizon was able to shut down the foreign production immediately, on the same day. So it’s clear they can shut down certain kinds of production.

All this seems to suggest that — in addition to at least some part of Verizon withdrawing from the FBI’s records program, and to Verizon not retaining records for the same length of time AT&T does — Verizon also produces phone dragnet data differently than AT&T does.

Awlaki Really Seems to Have Been Drone-Killed Exclusively on Presidential Authority

Jason Leopold liberated another White Paper — this one dated May 25, 2011 —  on drone killing.

Man. It’s just like they kept throwing legal arguments against the wall in hopes that one saying “You can kill Americans with no due process” would stick. And since this one is not signed, we may never know what lawyer gets rewarded with a lifetime judicial sinecure!

I’ll have a lot more to say on the logistics of all this in a later post.

But I want to comment briefly on a point that Kevin Jon Heller made in his post on the memo (remember, Heller’s the guy who forced David Barron to write more than 7 pages to authorize killing Awlaki by raising a statute Barron hadn’t considered).

Heller still sees absolutely no justification for CIA being granted public authority to kill Americans in this White Paper.

Like the earlier memorandum, the White Paper is largely devoted to establishing that the public-authority justification applies to the foreign-murder statute and that members of the US military would be entitled to the justification. (Two conclusions I agree with.) It then simply says this (pp. 14-15):

Given the assessment that an analogous operation carried out pursuant to the AUMF would fall within the scope of the public-authority justification, there is no reason to reach a different conclusion for a CIA operation.

That’s it. That’s the sum total of the unredacted argument. But there is a reason to reach a different conclusion “for a CIA operation” — as pointed out above, the AUMF does not apply to the CIA. Which means that the source of the public-authority justification must lie elsewhere.

Now let me be clear: I am not saying the CIA cannot be entitled to the public-authority justification. I am simply pointing out that the AUMF does not provide the CIA with the necessary authority. Perhaps there is another source, such as Title 50 of the US Code, as my co-blogger Deb Pearlsteinhas suggested. Indeed, the redaction on page 16 of the new White Paper may well refer to that other source of authority, given that five or six lines of redacted text follow this statement:

Thus, just as Congress would not have intended section 1119 to bar a military attack on the sort of individual described above, neither would it have intended the provision to prohibit an attack on the same target, in the same authorized conflict and in similar compliance with the laws of war, carried out by the CIA in accord with _____.

I don’t understand why the OLC would need to redact a reference to Title 50 (or to some other source of authority). The legal source of the CIA’s authorization to kill Americans overseas — if one exists — hardly seems like a state secret. Until the government reveals that source, however, we remain entitled to conclude that the CIA drone-strike that killed Anwar al-Awlaki violated 18 USC 1119.

I don’t think those redacted lines he points to are a reference directly to statute.

I think it’s a reference to the September 17, 2001 Gloves Come Off Memorandum of Notification which we know authorized killing high value al Qaeda figures with drones.

After all, that’s precisely where Stephen Preston — then CIA’s General Counsel before he moved onto bigger and better General Counseling at DOD — said he’d look to for the authority for CIA to carry out certain operations (and when he gave this speech, it was regarded to be part of the set of drone killing speeches Obama’s top officials gave in 2012, and he discusses assassination, which several of the drone authorizations also do, specifically).

Authority to Act under U.S. Law.

First, we would confirm that the contemplated activity is authorized by the President in the exercise of his powers under Article II of the U.S. Constitution, for example, the President’s responsibility as Chief Executive and Commander-in-Chief to protect the country from an imminent threat of violent attack. This would not be just a one-time check for legal authority at the outset. Our hypothetical program would be engineered so as to ensure that, through careful review and senior-level decision-making, each individual action is linked to the imminent threat justification.

A specific congressional authorization might also provide an independent basis for the use of force under U.S. law.

In addition, we would make sure that the contemplated activity is authorized by the President in accordance with the covert action procedures of the National Security Act of 1947, such that Congress is properly notified by means of a Presidential Finding.

Preston would look to a Finding, and we know there was (still is, as far as we know!) a Finding authorizing precisely the thing the government claimed to have done, kill a top al Qaeda figure.

Remember, too, David Kris — who left DOJ not long before this White Paper explicitly authorizing CIA’s execution of the execution got written — issued this warning about the real secrets behind the National Security Act’s language prohibiting CIA from violating US statute.

For example, the covert action statute could be interpreted and applied in ways that may be extraordinarily important, but about which very, very few Members of Congress, let alone the American People, ever learn. The statute defines covert action to exclude “traditional” military and law-enforcement activities, provides that a covert action finding “may not authorize any action that would violate the Constitution or any statute of the United States,” and specifically warns that “No covert action may be conducted which is intended to influence United States political processes, public opinion, policies, or media.” Without making any comment, express or implied, on any actual or hypothetical covert action, or even acknowledging that any covert action of any kind has ever actually taken place, it is quite obvious that each of those elements of the statute could raise enormously difficult and complex interpretive questions, some of which might affect many Americans. Yet it might be impossible, in many cases, to explain those interpretations without revealing the most sensitive classified information. [60; footnotes removed]

In killing Awlaki, CIA was acting in both a law enforcement (that’s where the Fourth Amendment argument derives from) and Traditional Military capacity (which is how these endless justifications apply the public authority to CIA, by claiming CIA officers are just like soldiers). Kris tells us the statute says CIA can’t, but that the NSA “could be interpreted and applied in ways [that] very few Members of Congress, let alone the American People, ever learn.”

It has to have in this case, because CIA acted as both law enforcement and military in violating a slew of statutes to carry out the drone killing of an American citizen as part of a covert op. Kris is basically saying that part of the NSA doesn’t mean what it says. That it means something far more horrible.

Which means he’s also saying — as was Preston — that the drone killing of Anwar al-Awlaki was done on Article II authority.

It is, admittedly, a guess. But I believe that behind that redaction, the White Paper makes it clear this killing was done on Presidential authorization.

Working Thread, Internet Dragnet 5: The Audacious 2010 Reapplication

At some point (perhaps at the end of 2009, but sometime before this application), the government tried to reapply, but withdrew their application. The three letters below were sent in response to that. But they were submitted with the reapplication.

See also Working Thread 1Working Thread 2Working Thread 3, Working Thread 4, and Internet Dragnet Timeline. No one else is doing this tedious work; if you find it useful, please support it.

U. First Letter in Response to FISC Questions Concerning NSA bulk Metadata Collection Using Pen Register/Trap and Trace Devices,

(15/27) In addition to tagging data itself, the source now gets noted in reports.

(16/27) NSA wanted all analysts to be able to query.

(16/27) COntrary to what redaction seemed to indicate elsewhere, only contact chaining will be permitted.

(17/27) This implies that even technical access creates a record, though not about what they access, just when and who did it.

(17/27) NSA asked for the same RAS timelines as in BRFISA — I think this ends up keeping RAS longer than an initial PRTT order.

(18/27) “Virtually every PR/TT record contains some metadata that was authorized for collection, and some metadata that was not authorized for collection … virtually every PR/TT record contains some data that was not authorized by prior orders and some that was not.”

(21/27) No additional training for internal sharing of emails.

(21/27) Proof they argue everything that comes out of a query is relevant to terrorism:

Results of queries of PR/TT-sourced metadata are inherently germane to the analysis of counterterrorism-related foreign intelligence targets. This is because of NSA’s adherence to the RAS standard as a standard prerequisite for querying PR/TT metadata.

(22/27) Note “relevance” creep used to justify sharing everywhere. I really suspect this was built to authorize the SPCMA dragnet as well.

(23/27) Curious language about the 2nd stage marking: I think it’s meant to suggest that there will be no additional protection once it circulates within the NSA.

(24/27) NSA has claimed they changed to the 5 year age-off in December 2009. Given the question about it I wonder if that’s when these letters were sent?

(24/27) Their logic for switching to USSID-18:

these procedures form the very backbone for virtually all of NSA’s dissemination practices. For this reason, NSA believes a weekly dissemination report is no longer necessary.

(24-5/27) The explanation for getting rid of compliance meetings is not really compelling. Also note that they don’t mention ODNI’s involvement here.

(25/27) “effective compliance and oversight are not performed simply through meetings or spot checks.”

(27/27) “See the attached word and pdf documents provided by OIG on an intended audit of PR/TT prior to the last Order expiring as an example.” Guess this means the audit documents are from that shutdown period.

V. Second Letter in Response to FISC Questions concerning NSA bulk Metadata Collection Using Pen Register/Trap and Trace Devices,

W. Third Letter in Response to FISC Questions Concerning NSA Bulk Metadata Collection Using Pen Register/Trap and Trace Devices.

(2) DNI adopted new serial numbers for reports, so as to be able to recall requests.

(3) THey’re tracking the query reports to see if they can withdraw everything.

(3) THis is another of the places they make it clear they can disseminate law enforcement information without the USSID requirements.

(4) It appears the initial application was longer than the July 2010, given the reference to pages 78-79.

Q: Government’s Application for Use of Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes. (around July 2010)

There are some very interesting comparisons with the early 2009 application, document AA.

(1)  Holder applied directly this time rather than a designee (Holder may not have been confirmed yet for the early 2009 one).

(2) The redacted definition of foreign power in AA was longer.

(3) “collect” w/footnote 3 was redacted in AA.

(3) Takes out reference to “email” metadata.

(3) FN 4 both focuses on “Internet communication” rather than “email [redacted]” as AA did, but it also scopes out content in a nifty way.

Read more

Working Thread, Internet Dragnet 4: Later 2009 Documents

The early focus on the dragnet violations was on the phone dragnet. At the end of March, however, DOJ started preparing to look more closely at the PRTT program in late April 2009, which may be why some of the following violations got disclosed to Reggie Walton in conjunction with a May reauthorization application. The CIA, FBI, and NCTC access to the PRTT seems to have been a bigger issue than the BR  FISA data.

All that said, when the NSA completed its End-to-End report sometime in fall 2009, they didn’t report all that much beyond the violations noted in May (though they did note the NSA did not shut down some automatic process when it said it did), mostly by claiming they didn’t realize the original dragnet order meant what it said (in spite of the violation in the first dragnet order).

It was only after that that they noticed FISC NSA had been collecting content from the start of the program (see document O). Once they admitted that, NSA decided not to reapply for a Primary Order, and Reggie Walton issued a supplemental order (document E) ordering them not to collect any more, but also not to access the data they did have. Only after that did DOJ submit the End-to-End report, accompanied by DOJ and Keith Alexander reports that admitted the content violation.

See also Working Thread 1, Working Thread 2, Working Thread 3, and Internet Dragnet Timeline. No one else is doing this tedious work; if you find it useful, please support it.

Read more