The US Person Back Door Search Number DOJ Could Publish Immediately

The Senate Judiciary Committee had a first public hearing on Section 702 today, about which I’ll have several posts.

One piece of good news, however, is that both some of the witnesses (Liza Goitein and David Medine; Ken Wainstein, Matt Olsen, and Rachel Brand were the other witnesses) and some of the Senators supported more transparency, including requiring the FBI to provide a count of how many US person queries of 702-collected data it does, as well as a count of how many US persons get sucked up by Section 702 more generally.

Liza Goitein presented a very reasonable view of the efforts the privacy community is making to work with the government to come up with reasonable counts.

But no one mentioned the very easy count of US person back door searches that FBI could provide today.

As I noted when this was released, as part of last year’s 702 Certification process, Judge Thomas Hogan required FBI to report every time FBI reviews data on a US person query of 702 data that doesn’t pertain to National Security.

[Hogan] imposed a requirement that FBI “submit in writing a report concerning each instance … in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.” Such reporting, if required indefinitely, is worthwhile — and should have been required by Congress under USA Freedom Act.

But FBI can and presumably will game this information in two ways. First, FBI’s querying system can be set such that, even if someone has access to 702 data, they can run a query that will flag a hit in 702 data but won’t actually show the data underlying that positive return. This provides one way for 702-cleared people to learn that such information is in such a collection and — if they want the data without having to report it — may be able to obtain it another way. It is distinctly possible that once NSA shares EO 12333 data directly with FBI, for example, the same data will be redundantly available from that in such a way that would not need to be reported to FISC. (NSA used this arbitrage method after the 2009 problems with PATRIOT-authorized database collections.)

Plus, such reporting depends on the meaning of foreign intelligence information as defined under the Attorney General Guidelines.

FOREIGN INTELLIGENCE: information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations or foreign persons, or international terrorists.

It would be relatively easy for FBI to decide that any conversation with a foreign person constituted foreign intelligence, and in so doing count even queries on US persons to identify criminal evidence as foreign intelligence information and therefore exempt from the reporting guidance. Certainly, the kinds of queries that might lead the FBI to profile St. Paul’s Somali community could be considered a measure of Somali activities in that community. Similarly, FBI might claim the search for informants who know those in a mosque with close ties overseas could be treated as the pursuit of information on foreign activities in US mosques.

Hogan imposed a worthwhile new reporting requirement. But that’s still a very far cry from conducting a fair assessment of whether FBI’s back door searches are constitutional.

This requirement went into effect on December 4, 2015, and Hogan required updates on such reporting by January 27, 2016, so FBI is already reporting on this.

It would take minimal effort for ODNI to release how many of these notices got sent to FISC — it could do it quarterly so we didn’t learn too much from the process. Maybe there wouldn’t be any notices, though for a variety of reasons I doubt it. Maybe, as I note, the number is too fake to be useful.

But it is a number, one FBI is already required to report. So they should start reporting it.

With Upcoming David Medine Departure, Will PCLOB Slip Back into Meaninglessness?

The Chair of the Privacy and Civil Liberties Oversight Board, David Medine, has announced he will resign effective July 1 to work with a development organization “advising on data privacy and consumer protection for lower-income financial consumers.”

The move comes not long after Congress has, in several ways, affirmatively weakened or unexpectedly stopped short of expanding PCLOB’s mandate, by ensuring it could not review any covert programs, and by eliminating a PCLOB oversight role under OmniCISA.

In Medine’s statement, he promised the board would continue to work on their examination of CT activities relating to EO 12333.

I look forward to continuing to work on PCLOB’s current projects until my departure. I am pleased to know that, even after my departure, the Board Members and our dedicated staff remain committed to carrying forward the Board’s critical work, including its ongoing examination of counterterrorism activities under Executive Order 12333.

The EO 12333 approach (and the two CIA programs to examine) was formally approved July 1, a year to the day before Medine’s departure. It was initially scheduled to be done by the end of last year. But in their most recent semi-annual report (released at the end of December), PCLOB noted they were just starting on their public report.

In July, the Board voted to approve two in-depth examinations of CIA activities conducted under E.O. 12333. Board staff has subsequently attended briefings and demonstrations, as well as obtained relevant documents, related to the examinations. The Board also received a series of briefings from the NSA on its E.O. 12333 activities. Board staff held follow-up sessions with NSA personnel on the topics covered and on the agency’s E.O. 12333 implementing procedures. Just after the conclusion of the Reporting Period, the Board voted to approve one in-depth examination of an NSA activity conducted under E.O. 12333. Board staff are currently engaging with NSA staff to gather additional information and documents in support of this examination. Board staff also began work developing the Board’s public report on E.O. 12333, described above.

So while Medine promises PCLOB will continue to work on the EO 12333 stuff, I do worry that it will stall after his departure. I’m concerned, as well, about the makeup of the board. Board member Jim Dempsey’s term officially ended on January 29, though President Obama nominated him for another term on March 17, which means he will serve out 2016 (I believe as a temporary appointment until the end of the congressional term, but am trying to confirm; Update: this stems from PCLOB’s statute, but the appointment would extend through the end of the Congressional term), and longer if and when the Senate confirms him. But Medine’s departure will leave 2 members (counting Dempsey) who have been firmly committed to conducting this review, Rachel Brand, who has been lukewarm but positive, and Elisabeth Collins Cook who was originally opposed. That is, unless Medine is replaced in timely fashion (and given that this is a multiple year appointment, Republicans would have incentive to stall to get a GOP Chair), the board may be split on its commitment to investigating these issues.

There are a few other things happening on the EO 12333 front. Most urgently, the Intelligence Community is as we speak implementing new procedures for the sharing of EO 12333 data with law enforcement agencies. PCLOB was involved in a review of those procedures, and had successfully pressed for more controls on the FBI’s back door access to 702 data (which is one reason I find the timing of Medine’s departure of particular concern). Two years after PCLOB first outed Treasury as having no EO 12333 implementing guidelines, they still have none.

That is, particularly after Congress’ successful attempts at undercutting PCLOB’s power, Medine’s departure has me seriously worried about whether the Intelligence Community is willing to undergo any scrutiny of its EO 12333 activities.

Why Is Congress Undercutting PCLOB?

As I noted last month, the Omnibus budget bill undercut the Privacy and Civil Liberties Oversight Board in two ways.

First, it affirmatively limited PCLOB’s ability to review covert actions. That effort dates to June, when Republicans responded to PCLOB Chair David Medine’s public op-ed about drone oversight by ensuring PCLOB couldn’t review the drone or any other covert program.

More immediately troublesome, last minute changes to OmniCISA eliminated a PCLOB review of the implementation of that new domestic cyber surveillance program, even though some form of that review had been included in all three bills that passed Congress. That measure may have always been planned, but given that it wasn’t in any underlying version of the bill, more likely dates to something that happened after CISA passed the Senate in October.

PCLOB just released its semi-annual report to Congress, which I wanted to consider in light of Congress’ efforts to rein in what already was a pretty tightly constrained mandate.

The report reveals several interesting details.

First, while the plan laid out in April had been to review one CIA and one NSA EO 12333 program, what happened instead is that PCLOB completed a review on two CIA EO 12333 programs, and in October turned towards one NSA EO 12333 program (the reporting period for this report extended from April 1 to September 30).

In July, the Board voted to approve two in-depth examinations of CIA activities conducted under E.O. 12333. Board staff has subsequently attended briefings and demonstrations, as well as obtained relevant documents, related to the examinations.

The Board also received a series of briefings from the NSA on its E.O. 12333 activities. Board staff held follow-up sessions with NSA personnel on the topics covered and on the agency’s E.O. 12333 implementing procedures. Just after the conclusion of the Reporting Period, the Board voted to approve one in-depth examination of an NSA activity conducted under E.O. 12333. Board staff are currently engaging with NSA staff to gather additional information and documents in support of this examination.

That’s interesting for two reasons. First, it means there are two EO 12333 programs that have a significant impact on US persons, which is pretty alarming since CIA is not supposed to focus on Americans. It also means that the PCLOB could have conducted this study on covert operations between the time Congress first moved to prohibit it and the time that bill was signed into law. There’s no evidence that’s what happened, but the status report, while noting it had been prohibited from accessing information on covert actions, didn’t seem all that concerned about it.

Section 305 is a narrow exception to the Board’s statutory right of access to information limited to a specific category of matters, covert actions.

Certainly, it seems like PCLOB got cooperation from CIA, which would have been unlikely if CIA knew it could stall any review until the Intelligence Authorization passed.

But unless PCLOB was excessively critical of CIA’s EO 12333 programs, that’s probably not why Congress eliminated its oversight role in OmniCISA.

Mind you, it’s possible it was. Around the time the CIA review should have been wrapping up, though also in response to the San Bernardino attack, PCLOB commissioner Rachel Brand (who was the lone opponent to review of EO 12333 programs in any case) wrote an op-ed suggesting public criticism and increased restrictions on intelligence agencies risked making the intelligence bureaucracy less effective (than it already is, I would add, but she didn’t).

In response to the public outcry following the leaks, Congress enacted several provisions restricting intelligence programs. The president unilaterally imposed several more restrictions. Many of these may protect privacy. Some of them, if considered in isolation, might not seem a major imposition on intelligence gathering. But in fact none of them operate in isolation. Layering all of these restrictions on top of the myriad existing rules will at some point create an encrusted intelligence bureaucracy that is too slow, too cautious, and less effective. Some would say we have already reached that point. There is a fine line between enacting beneficial reforms and subjecting our intelligence agencies to death by a thousand cuts.

Still, that should have been separate from efforts focusing on cybersecurity.

There was, however, one thing PCLOB did this year that might more directly have led to Congress’ elimination of what would have been a legislatively mandated role in cybersecurity-related privacy: its actions under EO 13636, which is one of the EOs that set up a framework that OmniCISA partly fulfills. Under the EO, DHS and other departments working on information sharing to protect critical infrastructure were required to produce a yearly report on how such sharing affected privacy and civil liberties.

The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

As PCLOB described in its report, “toward the end of the reporting period” (that is, around September), it was involved in interagency meetings discussing privacy.

The Board’s principal work on cybersecurity has centered on its role under E.O. 13636. The Order directs DHS to consult with the Board in developing a report assessing the privacy and civil liberties implications of cybersecurity information sharing and recommending ways to mitigate threats to privacy and civil liberties. At the beginning of the Reporting Period, DHS issued its second E.O. 13636 report. In response to the report, the Board wrote a letter to DHS commending DHS and the other reporting agencies for their early engagement, standardized report format, and improved reporting. Toward the end of the Reporting Period, the Board commenced its participation in its third annual consultation with DHS and other agencies reporting under the Order regarding privacy and civil liberties policies and practices through interagency meetings.

That would have come in the wake of the problems DHS identified, in a letter to Al Franken, with the current (and now codified into law) plan for information sharing under OmniCISA.

Since that time, Congress has moved first to let other agencies veto DHS’ privacy scrubs under OmniCISA and, in final execution, provided a way to create an entire bypass of DHS in the final bill before even allowing DHS as much time as it said it needed to set up the new sharing portal.

That is, it seems that the move to take PCLOB out of cybersecurity oversight accompanied increasingly urgent moves to take DHS out of privacy protection.

All this is just tea leaf reading, of course. But it sure seems that, in addition to the effort to ensure that PCLOB didn’t look too closely at CIA’s efforts to spy on — or drone kill — Americans, Congress has also decided to thwart PCLOB and DHS’ efforts to put some limits on how much cybersecurity efforts impinge on US person privacy.

PCLOB Member Rachel Brand Asked NSA General Counsel to Help Her Dissent from PCLOB

Let me say straight out: Privacy and Civil Liberties Oversight Board member Rachel Brand is no slouch. She’s very smart and very accomplished.

All that said, I am rather intrigued by the way she consulted NSA General Counsel Raj De several times — as illustrated by these emails Jason Leopold liberated from PCLOB — as she worked on her dissent to the Democratic PCLOB members’ conclusion that the Section 215 dragnet is illegal.

On January 6, Brand emailed De. “Do you have a couple minutes to talk about a PCLOB matter today or tomorrow?” They scheduled some time to talk at midday the next day — though a request from Keith Alexander appears to have forced De to delay. Nevertheless, by 1:30 on January 7, it appears De and Brand spoke, because De forwarded two things: I Con the Record’s press release announcing the FISA Court had reauthorized the dragnet even after Judge Richard Leon ruled it unconstitutional (De makes no mention in his email, but the order had considered Leon’s ruling before reauthorizing the program), and the GPO transcript of Robert Mueller’s claim in a June 2013 House Judiciary Committee hearing that the dragnet would have prevented 9/11.

Ten days later, on January 17, Brand was emailing De again, after having seen each other that morning (that was the morning President Obama announced his own reforms to the dragnet, so it may have been in that context). She sent NSA’s General Counsel a paragraph, with one sentence highlighted, asking if it was accurate. He responded with “some suggestions for accuracy for your consideration … Feel free to give a call if you want to discuss, or would like more detail.”

Then, over that weekend, Brand and De exchanged the following emails:

Saturday, January 18, 12:31: Brand sends “the current draft of my separate statement” stating she wants “to be sure there is nothing factually or legally inaccurate in it;” she says it is currently 5 pages and tells De she needs to give PCLOB Chair David Medine the final by Sunday night

Saturday, January 18, 2:11: De responds, “happy to”

Sunday, January 19, 10:51: De responds, saying, “not that you need or want my validation, but for what’s [sic] it is worth it really reads quite well.” De then provides 3 “additional factual details” which “might fit in if you wanted to use them;” those bullets are redacted

Sunday, January 19, 3:47: Brand replies, stating that Beth (Elisebeth Collins Cook, the other Republican on PCLOB) “explicitly makes the first two in her separate statement” and that she’s “trying to keep this short, so have to forego making every available point”

In Advance of USA Freedom and CISA Fights, PCLOB Pretends Section 702 Doesn’t Have a Cyber Function

In a piece for Salon, I note some of the weird silences in yesterday’s PCLOB report, from things like the failure to give defendants notice (which I discussed yesterday) to the false claim that Targeting Procedures haven’t been released (they have been — by Edward Snowden). One of the most troubling silences, however, pertains to cybersecurity.

That’s especially true in one area where PCLOB inexplicably remained entirely silent. PCLOB noted in its report that, because Congress limited its mandate to counterterrorism programs, it focused primarily on those uses of Section 702. That meant a number of PCLOB’s discussions — particularly regarding “incidental collections” of Americans sucked up under Section 702 — minimized the degree to which Americans who corresponded with completely innocent foreigners could be in a government database. That said, PCLOB did admit there were other uses, and it discussed the government’s use of Section 702 to pursue weapons proliferators.

Yet PCLOB remained silent about a use of Section 702 that both Director of National Intelligence James Clapper’s office, in its very first information sheet on Section 702 released in June 2013, and multiple government witnesses at PCLOB’s own hearing on this topic in March, discussed: cybersecurity. Not only should that have been discussed because Congress is preparing to debate cybersecurity legislation that would be modeled on Section 702. But the use of Section 702 for cybersecurity presents a number of unique, and potentially more significant, privacy concerns.

And PCLOB just dodged that issue entirely, even though Section 702’s use for cybersecurity is unclassified.

In the transcript of the March PCLOB hearing on Section 702 uses, the word “cyber” shows up 12 times. Four of those references come from DOJ’s Deputy Assistant Attorney General Brad Wiegmann’s description of the kinds of foreign intelligence uses targeted under Section 702. (The other references came from Information Technology Industry Council President Dean Garfield.)

MR. WIEGMANN: You task a selector. So you’re identifying, that’s when you take that selector to the company and say this one’s been approved. You’ve concluded that it is, does belong to a non-U.S. person overseas, a terrorist, or a proliferator, or a cyber person, right, whoever it is, and then we go to the company and get the information.

[snip]

It’s aimed at only those people who are foreign intelligence targets and you have reason to believe that going up on that account that I mentioned, bad guy at Google.com is going to give you back information, information that is foreign intelligence, like on cyber threats, on terrorists, on proliferation, whatever it might be.

[snip]

So in other words, if I need to, if it’s Joe Smith and his name is necessary if I’m passing it to that foreign government and it’s key that they understand that it’s Joe Smith because that’s relevant to understanding what the threat is, or what the information is, let’s say he’s a cyber, malicious cyber hacker or whatever, and it was key to know the information, then you might pass Joe Smith’s name.

Yesterday’s report, however, doesn’t mention “cyber” a single time. Indeed, it seems to go out of its way to avoid mentioning it.

As discussed elsewhere in this Report, the Board believes that the Section 702 program significantly aids the government’s efforts to prevent terrorism, as well as to combat weapons proliferation and gather foreign intelligence for other purposes.

[snip]

The Section 702 program, for instance, is also used for surveillance aimed at countering the efforts of proliferators of weapons of mass destruction. Given that these other foreign intelligence purposes of the program are not strictly within the Board’s mandate, we have not scrutinized the effectiveness of Section 702 in contributing to those other purposes with the same rigor that we have applied in assessing the program’s contribution to counterterrorism. Nevertheless, we have come to learn how the program is used for these other purposes, including, for example, specific ways in which it has been used to combat weapons proliferation and the degree to which the program supports the government’s efforts to gather foreign intelligence for the benefit of policymakers.

Its footnote to that last section cites DOJ’s 2012 report to SSCI on the uses of Section 702 (which doesn’t mention cyber) rather than the information sheet released in June 2013, which does.

I find PCLOB’s silence about the use of Section 702 to pursue cyber targets particularly interesting for several reasons.

First, because cyber targets pose unique privacy threats — in part because cyberattackers are more likely to hide their location and exploit the communications of entirely innocent people, meaning Section 702’s claimed targeting limits offer no protection to Americans. Additionally, targeting (as Wiegmann describes it) a “malicious cyber hacker” goes beyond any traditional definition of foreign agent; it is telling he didn’t use a Chinese military hacker as his example instead! Indeed, while proliferation (along with foreign governments, the other presumed certification) is solidly within the FISA Amendments Act’s definition of foreign intelligence, cybersecurity is not. In its discussion of back door searches, PCLOB admits there are concerns raised by back door searches that are heightened (or perhaps more sensitive, because they involve affluent white people) outside the counterterrorism context; that’s especially true for cybersecurity targeting.

Consider, too, the likelihood that cyber collection is among the categories of “about” collection that PCLOB obliquely mentions but doesn’t describe due to classification.

Although we cannot discuss the details in an unclassified public report, the moniker “about” collection describes a number of distinct scenarios, which the government has in the past characterized as different “categories” of “about” collection. These categories are not predetermined limits that confine what the government acquires; rather, they are merely ways of describing the different forms of communications that are neither to nor from a tasked selector but nevertheless are collected because they contain the selector somewhere within them.

At the beginning of the report, PCLOB repeated the government’s claim this is primarily about emails; here in the guts of it, it obliquely references other categories of collection, without really considering whether these categories present different privacy concerns.

Remember, too, that the original, good version of USA Freedom Act remains before the Senate Judiciary Committee. That bill would disallow the use of upstream 702 for any use but counterterrorism and counterproliferation. Did PCLOB ignore this use of Section 702 just to avoid alerting Senators who haven’t been briefed on it that it exists?

Finally, I also find PCLOB’s silence about NSA’s admitted use of Section 702 to pursue cyberattackers curious given that, after Congress largely ditched ideas to involve PCLOB in various NSA oversight — such as providing it a role in the FISA Advocate position — Dianne Feinstein’s Cyber Information Sharing Act all of a sudden has found a use for PCLOB again (serving a function, I should add, that arguably replaces FISC review).

(1) BIENNIAL REPORT FROM PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD.—Not later than 1 year after the date of the enactment of this Act and not less frequently than once every 2 years thereafter, the Privacy and Civil Liberties Oversight Board shall submit to Congress and the President a report providing—

(A) an assessment of the privacy and civil liberties impact of the type of activities carried out under this Act; and

(B) an assessment of the sufficiency of the policies, procedures, and guidelines established pursuant to section 5 in addressing privacy and civil liberties concerns.

Feinstein introduced this bill on June 17, several weeks after PCLOB briefed her staffers on their report (they briefed Congressional committee aides on June 2, and the White House on June 17 — see just after 9:00).

A renewed openness to expanding PCLOB’s role may be entirely unmotivated, or it may stem from PCLOB’s chastened analysis of the legal issues surrounding Section 702.

But I do find it interesting that PCLOB uttered, literally, not one word about the topic that, if DiFi’s bill passes, would expand their mandate.

PCLOB Ignores Glaring Section 702 Non-Compliance: Notice to Defendants

I will have far more to say about PCLOB once I finish my working thread. But there’s one glaring flaw in the report’s claim that the government complies with the statute.

Based on the information that the Board has reviewed, the government’s PRISM collection complies with the structural requirements of the statute.

But here’s the report’s discussion of what happens with aggrieved persons — those prosecuted based on information derived from Section 702 collection.

Further, FISA provides special protections in connection with legal proceedings, under which an aggrieved person — a term that includes non-U.S. persons — is required to be notified prior to the disclosure or use of any Section 702–related information in any federal or state court. The aggrieved person may then move to suppress the evidence on the grounds that it was unlawfully acquired and/or was not in conformity with the authorizing Section 702 certification. Determinations regarding whether the Section 702 acquisition was lawful and authorized are made by a United States District Court, which has the authority to suppress any evidence that was unlawfully obtained or derived.

But for 5 years after the passage of the law, the government never once gave defendants notice they were aggrieved under Section 702. It lied to the Supreme Court about not having done so. And even while it has since given a limited number of defendants — like Mohamed Osman Mohamud — notice, there are others — David Headley, Najibullah Zazi and Adis Medunjanin, and Khalid Ouazzani — who are known to be aggrieved under Section 702 who have never received notice. Finally, there is the case of the Qazi brothers, which seems to be a case where the government is parallel constructing right in the face of the magistrate.

PCLOB said that the government is generally in compliance with the statute. And yet, it made no mention of known, fairly egregious violations of the statute.

That suggests the report as a whole may be flawed.

Working Thread, PCLOB Report

The pre-release PCLOB report on Section 702 is here. This will be a working thread.

PDF 16: First recommendation is to include more enunciation of foreign intel purpose. This was actually a Snowden revelation the govt pooh-poohed.

PDF 17: Recommends new limits on non-FI criminal use of FBI back door searches, and some better tracking of it (surprised that’s not stronger!). Also recommends new documentation for NSA, CIA back door queries. Must mean CIA is a problem.

PDF 17: Recommends FISC get the “rules” NSA uses. That suggests there may be some differences between what the govt does and what it tells FISC it does.

PDF 17: Recommends better assessment of filtering for upstream to leave out USP data. John Bates was skeptical there wasn’t better tech too.

PDF 18: Suggestion there are more types of upstream collection than there needs to be.

PDF 27 fn 56: Notes some room in the definition of Foreign Intelligence.

PDF 30: Note how PCLOB deals with issues of scope.

PDF 34: Note the discussion of due diligence. Due diligence problems account for about 9% of NSA violations.

PDF 34-35: This must be a response to violations reported by Risen and Lichtblau, and is probably one of the things referred to in NSA’s review of its own COINTELPRO-like problems.

In a still-classified 2009 opinion, the FISC held that the judicial review requirements regarding the targeting and minimization procedures required that the FISC be fully informed of every incident of noncompliance with those procedures. In the 2009 opinion, the court analyzed whether several errors in applying the targeting and minimization procedures that had been reported to the court undermined either the court’s statutory or constitutional analysis. (The court concluded that they did not.)

PDF 39: NSA gets all PRISM collection, and it goes from there to CIA and FBI. CIA and FBI get only PRISM data.

PDF 42: Another FISC opinion to be released.

In a still-classified September 2008 opinion, the FISC agreed with the government’s conclusion that the government’s target when it acquires an “about” communication is not the sender or recipients of the communication, regarding whom the government may know nothing, but instead the targeted user of the Section 702–tasked selector.

PDF 43: This sounds like a lot of about collection is of forwarded emails.

There are technical reasons why “about” collection is necessary to acquire even some communications that are “to” and “from” a tasked selector. In addition, some types of “about” communications actually involve Internet activity of the targeted person. The NSA cannot, however, distinguish in an automated fashion between “about” communications that involve the activity of the target from communications that, for instance, merely contain an email address in the body of an email between two non-targets.

PDF 45: I’ll have to check but some of these cites to Bates may be to still redacted sections.

[Headed to bed–will finish my read in the AM]

PDF 47: One thing PCLOB doesn’t explain is if the FBI and CIA targeting takes place at NSA or at those agencies. In the past, it had been the former.

PDF 49: 0.4% of targeting ends up getting an American.

PDF 55: NSA shares technical data for collection avoidance purposes. This sounds like the defeat list in the phone dragnet, and like that, seems tailored not just for protecting USPs generally, but sensitive communications (like those of MoCs) more specifically.

PDF 57: This was implicit in some of the docs released by Snowden, but the govt now tags Section 702 data, as they do Section 215, so as to ensure it gets the heightened treatment provided by the law.


USA Freedumb Act: The Timing

A number of people have expressed appreciation for this analysis: if you find this useful, please consider donating to support my work. 

I’m going to do a series of more finished posts on the “compromised” version of Jim Sensenbrenner’s USA Freedom Act, which I hereby dub the USA Freedumb Act (thanks to Fake John Schindler for the suggestion), because so many of the reforms have been gutted. Here’s the initially proposed bill. Here’s my working thread on USA Freedumb.

You will hear a great many respectable people making positive comments about this bill, comments they normally would not make. That’s because of the carefully crafted timing.

As you recall, Mike Rogers originally got the House Parliamentarian to rule that the bill could go through the House Intelligence Committee. And his bill, which I affectionately call “RuppRoge” after Rogers and Dutch Ruppersberger and Scooby Doo’s “Rut Roh” phrase, is genuinely shitty. Not only does it put the NSA onsite at providers and extend call records collection beyond terrorism applications, but it also extends such collection beyond call records generally. It is likely an attempt to get the US back into the Internet dragnet business. Shitty bill.

That said, in key ways RuppRoge is very similar to USA Freedumb. Both “limit” bulk collection by limiting collection to selectors (Freedumb does so across the board, including for NSLs, whereas RuppRoge does so for sensitive Business Records, call records, and Internet metadata). Both propose a similarly (IMO) flimsy FISC advocate. Both propose laughably weak FISC transparency measures. Both will include compensation and immunity for providers they don’t currently have.

Aside from three areas where RuppRoge is better — it forces agencies to update their EO 12333 proposals, doesn’t extend the PATRIOT Act, and provides a (not very useful) way to challenge certificates, all the way up to SCOTUS — and three where it is far worse — it develops more Insider Threat measures, it applies for uses beyond terrorism and beyond call records, and doesn’t include new (but now circumscribed) IG reporting — they’re not all that different. [Correction: USA Freedumb ALSO applies beyond terrorism.]

They’re differently shitty, but both are pretty shitty.

The reason why otherwise respectable people are welcoming the shitty Freedumb bill, however, is that it gives the House Judiciary Committee — with a number of real reformers on it — first pass on this bill. It’s a jurisdictional issue. It puts the jurisdiction for surveillance bills back where it belongs, at the Judiciary Committee.

Oh, by the way, one of the more extensive (in terms of text) real changes in Freedumb is it finally includes the House Judiciary Committee, along with the House and Senate Intelligence Committees and Senate Judiciary Committee, among the committees that get certain kinds of reporting. Jurisdiction. (No, I can’t explain to you why it wasn’t included in the first place in 2008, and no, I can’t explain why that detail is not better known.) It gives everyone on HJC a tiny reason to support the bill, because they’ll finally get the reporting they should have gotten in 2008.

The House Intelligence Committee will consider RuppRoge the day after HJC considers Freedumb, Thursday. Which has elicited hasty (overly hasty, IMO) statements of support for Freedumb, as a way to head off the shitty RuppRoge.

Effectively, the National Security State has managed to put two differently shitty bills before Congress and forced reformers to choose. Freedumb is the better (as in less horrible) bill, and it might get better in Committee. But it’s not a runaway call. And the haste has prevented anyone from really figuring out what a central change to both programs means, which limits collection to selectors, which could be defined in very broad terms (and about which — you’ll have to take my word for now — the NSA has lied in public comments).

One more timing issue that I suspect explains the sudden activity surrounding “reform.” The Privacy and Civil Liberties Oversight Board is due to release a report on Section 702 in the next month or so (its comment period for the report closed on April 11). Given the comments of David Medine, James Dempsey, and Patricia Wald at hearings, I strongly suspect PCLOB will recommend reforms — at least — to back door searches, and possibly to upstream collection. Both are items which were gutted as USA Freedom became Freedumb. (In addition, two aspects that would have expanded PCLOB’s authorities — giving it a role in picking the FISC advocate and giving it subpoena power — have been removed.) So in the same way that President Obama rushed to reaffirm NSA’s unified structure, in which the Information Assurance Division and Cybercommand functions are unified with the more general NSA spying function, before his handpicked Review Group recommended they be split, this seems to be a rush to pre-empt any recommendations PCLOB makes.

Ultimately, these two shitty bills are destined to be merged in conference anyway, and reformers seem to have given up 75% of the field before we get started.

Which means just about the only “reform” we’ll get are actually tactical fixes to help the Security State deal with legal and technical issues they’ve been struggling with.

The USA Freedumb Act has become — with DiFi’s Fake FISA Fix and RuppRoge before it — the third fake reform since Edward Snowden’s leaks first got published. Wearing down the reformers seems to be working.

Does FBI EVER Age Off Its Section 702 Data?

The Privacy and Civil Liberties Oversight Board has released the transcript of the first panel from its hearing on Wednesday.

And while I was concerned by the following exchange — between Principal Deputy Assistant Attorney General Brad Wiegmann and PCLOB Chair David Medine — in real time, I find it even more troubling on second pass.

MR. MEDINE: And could you address why the minimization procedures make it a reasonable form of collection under the Fourth Amendment?

[snip]

MR. WIEGMANN: You have retention rules. I believe in some cases, for NSA for example, you have a five year retention limit on how long the information can be retained. And so these are procedures that the courts have found protect U.S. privacy and make the collection reasonable for Fourth Amendment purposes.

MR. MEDINE: And under the minimization procedures I understand that the agency, the NSA, FBI, the CIA have their own minimization procedures and they’re not the same with each other?

MR. WIEGMANN: That’s right.

MR. MEDINE: Can you address why that shouldn’t be a concern that this information is not being subjected to the same minimization standards?

MR. WIEGMANN: So each of them have their own minimization procedures based on their unique mission, and the court reviews each of those for CIA, FBI, NSA, and it’s found them all reasonable for each different agency. They’re slightly different based on the operational needs, but they’re similar.

MR. MEDINE: Would it make more sense then if the same set of minimization procedures apply across the board for this kind of information?

MR. WIEGMANN: I don’t think. Again, just to contrast, for example, FBI and NSA that are using information in different ways. The FBI has a little more latitude with respect to U.S. person information in terms of criminal activity and evidence of a crime than NSA, which doesn’t have that law enforcement mission. So I think it is important to have some differences between the agencies in terms of how they handle the information.

We know what the NSA minimization procedures look like. Not only do they permit the dissemination and use of US person data in more than the examples described by Wiegmann, they’re frightfully permissive on other points (such as the retention of data for technical database purposes, or the limits on Attorney-Client privilege). Moreover, they permit the retention of data because of a threat to property, a clear expansion on the legal requirements.

But from Wiegmann’s description, it sounds like FBI’s minimization procedures (which are used as a basis for National Counterterrorism Center’s minimization procedures) are worse. Worse because they permit FBI even more leeway to use FISA authorized data in criminal investigations.

And worse because it’s not clear whether there are even any retention time limits. Indeed, if you watch the clip above, it might be more accurate to punctuate that data retention sentence this way:

You have retention rules, I believe, in some cases. For NSA, for example, you have a five year retention limit.

In any case, the comment seems to suggest that in other cases — like, perhaps, the FBI and derivatively NCTC — you don’t have temporal limits. That would be consistent with FBI’s retention of many kinds of investigative data forever. But it would mean a great deal of data involving innocent Americans collected without a warrant remains in the FBI’s hands forever.

And all that’s before you consider that FBI has always, since the passage of FISA Amendments Act (or at least the first certifications later that year), been permitted to conduct backdoor searches on incidentally collected data. So they may not only be keeping this data forever, but performing warrantless back door searches on it.

PCLOB Chair David Medine on the 30% Claims

As Ken Dilanian pointed out in his story on the claim that NSA only collects 30% of phone records, in his testimony before the House Judiciary Committee, David Medine suggested “virtually all telephone records of every American” are collected — and he suggests these records are collected under Section 215.

Yet his references are more ambiguous than that. He admits that only some telecoms receive Section 215 orders.

The FISC order authorizes the NSA to collect nearly all call detail records generated by certain telephone companies in the United States, and specifies detailed rules for the use and retention of these records.

But then he makes 3 further references to some form of comprehensive collection.

And while eliminating a U.S. nexus to foreign plots can help the intelligence community focus its limited investigatory resources in time-sensitive situations by channeling efforts where they are needed most, our report questions whether the American public should accept the government’s routine collection of all of its telephone records because it helps in cases where there is no threat to the United States.

[snip]

Moreover, when the government collects all of a person’s telephone records, storing them for five years in a government database that is subject to high-speed digital searching and analysis, the privacy implications go far beyond what can be revealed by the metadata of a single telephone call.

[snip]

But while those rules offer many valuable safeguards designed to curb the intrusiveness of the program, in the Board’s view they cannot fully ameliorate the implications for privacy, speech, and association that follow from the government’s ongoing collection of virtually all telephone records of every American. [my emphasis]

With that in mind, I wanted to consider Medine’s answer to Richard Blumenthal’s questions about the 30% claims.

He starts by suggesting that if the claim were true it would not change PCLOB’s analysis.

Blumenthal: Would the apparent revelation that perhaps only a proportion of this telephone data was collected change in any way the conclusions of your report?

Medine: I don’t think we can address in public session the pros and cons of that conclusion but we’d be happy to meet with the committee in private session. But even if the reports are true it still means that hundreds of millions of telephone records are being collected and so, at least it’s my view, that it would not change the recommendations of the board.

The implication from this passage is that PCLOB did not know the collection was partial when they made their recommendations.

Medine’s dodges are more interesting in response to Blumenthal’s suggestion that the Government has made false representations to Courts about obtaining all records (though note my comments on the ambiguity of that language here).

Blumenthal: Would it undercut the accuracy of the representations made by the United States Government to the Courts to justify this program?

Medine: Again, I don’t want to comment on that because some of this matter still remains classified and I think there’s more to be said on that but I don’t think it can be said in public session.

It seems that Medine suggests the Government’s claims are more complex than they might appear (though I may be reading into his answer my observation that the claims actually are ambiguous about how the government obtains its complete haystack).

Finally, Medine dodges again wholesale.

Blumenthal: Well, let me put it differently, wouldn’t you agree with me that the United States government has misled the Courts, whether purposefully or inadvertently in justifying this program on the basis that all telephone records are collected?

Medine: Again, I’m not prepared to confirm any of the reports that have been made and so I don’t want to draw any conclusions about representations that were made in court proceedings.

This answer may support the 30% claims more than earlier ones: it suggests Medine might be able to confirm such a claim.

Nevertheless, if the government has misrepresented the program, then so has Medine.

The one explanation that would address all this ambiguity, of course, is if the few providers that do receive orders provide the call records their backbones treat, not just the call records their own customers generate.