The NYT today:
The National Security Agency has used its bulk domestic phone records program to search for operatives from the government of Iran and “associated terrorist organizations” — not just Al Qaeda and its allies — according to a document obtained by The New York Times.
The inclusion of Iran and allied terrorist groups — presumably the Shiite group Hezbollah — and the confirmation of the names of other participating companies add new details to public understanding of the once-secret program. The Bush administration created the program to try to find hidden terrorist cells on domestic soil after the attacks of Sept. 11, 2001, and government officials have justified it by using Al Qaeda as an example.
emptywheel, 15 months ago:
I want to post Dianne Feinstein’s statement about what Section 215 does because, well, it seems Iran is now a terrorist. (This is around 1:55)
The Section 215 Business Records provision was created in 2001 in the PATRIOT for tangible things: hotel records, credit card statements, etcetera. Things that are not phone or email communications. The FBI uses that authority as part of its terrorism investigations. The NSA only uses Section 215 for phone call records — not for Google searches or other things. Under Section 215, NSA collects phone records pursuant to a court record. It can only look at that data after a showing that there is a reasonable, articulable that a specific individual is involved in terrorism, actually related to al Qaeda or Iran. At that point, the database can be searched. But that search only provides metadata, of those phone numbers. Of things that are in the phone bill. That person, um [flips paper] So the vast majority of records in the database are never accessed, and are deleted after a period of five years. To look at, or use content, a court warrant must be obtained.
Is that a fair description, or can you correct it in any way?
Keith Alexander: That is correct, Senator. [underline/italics added]
Some time after this post Josh Gerstein reported on Keith Alexander confirming the Iran targeting.
The NYT today:
One document also reveals a new nugget that fills in a timeline about surveillance: a key date for a companion N.S.A. program that collected records about Americans’ emails and other Internet communications in bulk. The N.S.A. ended that program in 2011 and declassified its existence after the Snowden disclosures.
In 2009, the N.S.A. realized that there were problems with the Internet records program as well and turned it off. It then later obtained Judge Bates’s permission to turn it back on and expand it.
emptywheel in November 2013:
I’ve seen a lot of outright errors in the reporting on the John Bates opinion authorizing the government to restart the Internet metadata program released on Monday.
Bates’ opinion was likely written in July 2010.
It had to have been written after June 21, 2010 and probably dates to between June 21 and July 23, 2010, because page 92 footnote 78 cites Holder v. HLP (which was released on June 21), but uses a “WL” citation; by July 23 the “S. Ct.” citation was available. (h/t to Document Exploitation for this last observation).
So: it had to have been written between June 21, 2010 and October 3, 2011, but was almost certainly written sometime in the July 2010 timeframe.
The latter oversight is understandable, as this story — which has been cited in court filings — misread Claire Eagan’s discussions of earlier bulk opinions, which quoted several sentences of Bates’ earlier one (though it was not the among the stories that really botched the timing of the Bates opinion).
In September, the Obama administration declassified and released a lengthy opinion by Judge Claire Eagan of the surveillance court, written a month earlier and explaining why the panel had given legal blessing to the call log program. A largely overlooked passage of her ruling suggested that the court has also issued orders for at least two other types of bulk data collection.
Specifically, Judge Eagan noted that the court had previously examined the issue of what records are relevant to an investigation for the purpose of “bulk collections,” plural. There followed more than six lines that were censored in the publicly released version of her opinion.
There have been multiple pieces of evidence to confirm my earlier July 2010 deduction since.
The big news in the NYT story (though not necessarily the NYT documents, which I’ll return to) is that in 2010, Verizon Wireless also received phone dragnet orders. I’ll return to what that tells us too.
But the news that Iran was targeted under the phone dragnet was confirmed publicly — and reported here — in a prepared statement from the Senate Intelligence Chair and confirmed by the Director of National Security Agency a week after the first Snowden leak story.
A must-read Jason Leopold piece on the fight between the Senate Intelligence Committee and CIA over the torture report reveals that John Brennan apologized about hacking the SSCI website — before he unapologized .
John Brennan was about to say he was sorry.
On July 28, 2014, the CIA director wrote a letter to senators Dianne Feinstein and Saxby Chambliss — the chairwoman of the Senate Intelligence Committee (SSCI) and the panel’s ranking Republican, respectively. In it, he admitted that the CIA’s penetration of the computer network used by committee staffers reviewing the agency’s torture program — a breach for which Feinstein and Chambliss had long demanded accountability — was improper and violated agreements the Intelligence Committee had made with the CIA.
“I recently received a briefing on the [OIG’s] findings, and want to inform you that the investigation found support for your concern that CIA staff had improperly accessed the [Intelligence Committee] shared drive on the RDINet [an acronym for rendition, detention, and interrogation] when conducting a limited search for CIA privileged documents,” Brennan wrote. “In particular, the [OIG] judged that Agency officers’ access to the… shared drive was inconsistent with the common understanding reached in 2009 between the Committee and the Agency regarding access to RDINet. Consequently, I apologize for the actions of CIA officers…. I am committed to correcting the shortcomings that this report has revealed.”
But Brennan didn’t sign or send the apology letter.
Instead, four days later, he sent Feinstein and Chambliss a different letter — one without an apology or admission that the search of their computer network was improper.
Leopold includes the letter as an image in his story (and also at page 299 in the SCRIBD embed). The letter he did send appears at page 11 of the embed.
In addition to the dramatically different content, the later letter does not include — as the earlier one did — notice that carbon copies of the letter were sent to DNI James Clapper, White House Counsel Neil Eggleston, and CIA’s Inspector General David Buckley.
You can see the earlier letter (see page 298) was sent by some emoticon-wielding (presumed) Assistant who explained — at 4:32 that same day — “Sending anyway, Just in case you need it soft copy for any reason. :)”
It’s as if by that point the CIA had already decided to pursue a different option (which, if we can believe the CIA’s currently operative story to Leopold, was to apologize to Senator Feinstein in person rather than memorialize such an apology in writing).
But I wonder … given that they were going to include Eggleston on the original but saw no need to include him (and Clapper and Buckley) on the finalized letter … was the White House in the loop in the decision to unapologize?
As Leopold reminds in his story, Brennan looped Chief of Staff Denis McDonough in before the January searches of SSCI’s network, implicating (though insulated by two degrees of separation, if we believe the CIA’s story) the White House in the decision to spy on SSCI. Was the White House included in the decision on whether to apologize to Dianne Feinstein?
Dianne Feinstein just gave a long speech on the Senate floor supporting the Cyber Information Sharing Act.
She listed off a list of shocking hacks that happened in the last year or so — though made no effort (or even claim) that CISA would have prevented any of them.
She listed some of the 56 corporations and business organizations that support the bill.
Most interestingly, she boasted that yesterday she received a letter from GM supporting the bill. We should pass CISA, Feinstein suggests, because General Motors, on August 4, 2015, decided to support the bill.
I actually think that’s reason to oppose the bill.
As I have written elsewhere — most recently this column at the DailyDot — one of my concerns about the bill is the possibility that by sharing data under the immunity afforded by the bill, corporations might dodge liability where it otherwise might serve as necessary safety and security leverage.
Immunizing corporations may make it harder for the government to push companies to improve their security. As Wyden explained, while the bill would let the government use data shared to prosecute crimes, the government couldn’t use it to demand security improvements at those companies. “The bill creates what I consider to be a double standard—really a bizarre double standard in that private information that is shared about individuals can be used for a variety of non-cyber security purposes, including law enforcement action against these individuals,” Wyden said, “but information about the companies supplying that information generally may not be used to police those companies.”
Financial information-sharing laws may illustrate why Wyden is concerned. Under that model, banks and other financial institutions are obligated to report suspicious transactions to the Treasury Department, but, as in CISA, they receive in return immunity from civil suits as well as consideration in case of sanctions, for self-reporting. “Consideration,” meaning that enforcement authorities take into account a financial institution’s cooperation with the legally mandated disclosures when considering whether to sanction them for any revealed wrongdoing. Perhaps as a result, in spite of abundant evidence that banks have facilitated crimes—such as money laundering for drug cartels and terrorists—the Department of Justice has not managed to prosecute them. When asked during her confirmation hearing why she had not prosecuted HSBC for facilitating money laundering when she presided over an investigation of the company as U.S. Attorney for the Eastern District of New York, Attorney General Loretta Lynch said there was not sufficient “admissible” evidence to indict, suggesting they had information they could not use.
In the same column, I pointed out the different approach to cybersecurity — for cars at least — of the SPY Act — introduced by Ed Markey and Richard Blumenthal — which affirmatively requires certain cybersecurity and privacy protections.
Increased attention on the susceptibility of networked cars—heightened by but not actually precipitated by the report of a successful remote hack of a Jeep Cherokee—led two other senators, Ed Markey and Richard Blumenthal, to adopt a different approach. They introduced the Security and Privacy in Your Car Act, which would require privacy disclosures, adequate cybersecurity defenses, and additional reporting from companies making networked cars and also require that customers be allowed to opt out of letting the companies collect data from their cars.
The SPY Car Act adopts a radically different approach to cybersecurity than CISA in that it requires basic defenses from corporations selling networked products. Whereas CISA supersedes privacy protections for consumers like the Electronic Communications Privacy Act, the SPY Car Act would enhance privacy for those using networked cars. Additionally, while CISA gives corporations immunity so long as they share information, SPY Car emphasizes corporate liability and regulatory compliance.
I’m actually not sure how you could have both CISA and SPY Act, because the former’s immunity would undercut the regulatory limits on the latter. (And I asked both Markey and Blumenthal’s offices, but they blew off repeated requests for an answer on this point.)
Which brings me back to GM’s decision — yesterday!!! — to support CISA.
The hackers that remotely hacked a car used a Jeep Cherokee. But analysis they did last year found the Cadillac Escalade to be the second most hackable car among those they reviewed (and I have reason to believe there are other GM products that are probably even more hackable).
So … hackers reveal they can remotely hack cars on July 21; Markey introduced his bill on the same day. And then on August 4, GM for the first time signs up for a bill that would give them immunity if they start sharing data with the government in the name of cybersecurity.
Now maybe I’m wrong in my suspicion that CISA’s immunity would provide corporations a way to limit their other liability for cybersecurity so long as they had handed over a bunch of data to the government, even if it incriminated them.
But we sure ought to answer that question before we go immunizing corporations whose negligence might leave us more open to attack.
Jason Leopold had an important update on the torture report that — because he’s doing rolling updates — hasn’t gotten sufficient attention.
Leopold obtained the contracting documents of the company, Centra, that drove up costs for the report by reviewing every document turned over to the Senate Intelligence Committee. But after he posted those documents, the CIA’s story about how much Centra got paid for those specific tasks changed. After 7 months of public claims that the then-unnamed contractor had gotten paid $40 million, the CIA all of a sudden changed its mind.
CIA spokesman Ryan Trapani disputed VICE News’ “interpretation” of the Centra contract.
“A significant portion of the contract cost pertained to services completely distinct from, and wholly unrelated to, the Senate Intelligence Committee review,” Trapani said, backtracking on the agency’s statement last year that the $40 million the agency spent was due entirely to “the committee’s demands of CIA in this investigation.” “In terms of the services performed in support of the committee review, CIA dedicated substantial resources to provide the committee unprecedented access to millions of pages of documents as expeditiously as possible, consistent with the security requirements for such highly classified, sensitive documents.”
That’s troubling because it runs counter to what everyone on SSCI believed, including then Chair Dianne Feinstein, who has been rebutting claims that the committee itself spent the money ever since it became public last year.
The overwhelming majority of the $40 million cost was incurred by the CIA and was caused by the CIA’s own unprecedented demands to keep documents away from the committee. Rather than provide documents for the committee to review in its own secure Senate office—as is standard practice—the CIA insisted on establishing a separate leased facility and a “stand-alone” computer network for committee use.
Which raises the question of where the claim that the entirety of that $40 million was spent on the torture report came from — which Leopold notes in an update came from this footnote in the Republican views on the report (and by association, a 2012 letter from CIA’s then number 3, Sue Bromley).
Not only was Bromley CIA’s number 3 when she wrote the letter, but in the years in question, she cycled through as Deputy Director of the Counterterrorism Center.
V. Sue Bromley, an Agency veteran of 28 years, will become our new Associate Deputy Director. Sue has served as our Chief Financial Officer since June 2009. As a former OMB director, I can attest to her exceptional skill and diligence in managing one of the most complex budgets in government.
Before that, Sue helped lead our analytic effort for two years as Deputy Director for Intelligence. She has made vital contributions to the fight against al-Qa’ida and its violent allies, both as Deputy Director of the Counterterrorism Center and as Chief of the Operations and Management Staff in the National Clandestine Service, where she helped plan, justify, and distribute a large increase in funding for counterterrorism operations after the September 11th attacks.
Now, it’s possible that the Republicans just took her letter out of context and no one on the Democratic side checked their math. There are a lot of references in the minority report (heh) that don’t make sense.
But Bromley is a money gal. She shouldn’t be making mistakes about contracts, and certainly not to the scale that appears to have happened — all in such a way as to serve the pro-torture narrative which in turn serves to protect … the counterterrorism center.
At least according to the story the CIA is currently telling, everyone on the CIA’s oversight committee grossly misunderstood a $40 million expenditure.
I’ll have a piece in Salon shortly about the two hearings on whether FBI should be able to mandate back doors (they call them front doors because that fools some Senators about the security problems with that) in software.
One thing not in there, however, has to do with a bill the Senate Intelligence Committee is considering that would require Facebook and Twitter and other social media to report terrorist content to authorities. ABC News, quoting Richard Clarke (who hasn’t had an official role in government for some years but is on ABC’s payroll) reported that the social media companies were not now reporting terrorist content.
In the middle of the SSCI hearing on this topic, Dianne Feinstein asked Jim Comey whether social media companies were reporting such content. Comey said they are (he did say they’ve gotten far better of late). Feinstein asked whether there ought to be a law anyway, to mandate behavior the companies are already doing. Comey suggested it wasn’t necessary. Feinstein said maybe they should mandate it anyway, like they do for child porn.
All of which made it clear that such a law is unnecessary, even before you get into the severe problems with the law (such as defining who is a terrorist and what counts as terrorist content).
SSCI will probably pass it anyway, because that’s how they respond to threats of late: by passing legislation that won’t address it.
Note, Feinstein also got visibly and audibly and persistently pissed at Ron Wyden for accurately describing what Deputy Attorney General Sally Yates had said she wanted in an earlier hearing: for providers to have keys that the FBI could use. Feinstein seems to believe good PR will eliminate all the technical problems with a back door plan, perhaps because then she won’t be held responsible for making us less secure as a result.
Update: The measures is here, in the Intelligence Authorization.
Update: Title changed for accuracy.
By my calculation today marks the 91st day of the life of phone dragnet order BR 15-24, making it the longest running dragnet order ever. Though the order offered no explanation, FISC judge James Boasberg approved a 95-day expiration for this order back on February 26 so the dragnet order expiration would coincide with PATRIOT Act’s sunset.
It probably seemed wise at the time, but it definitely exacerbates the impact of Mitch McConnell’s miscalculation last week, as it means there’s is no grace period after the current order expires.
The 90-day renewals appear to arise out of both the Stellar Wind practice and the FISA Pen Register practice. Under the former, the Bush Administration reviewed the dragnet every 45 days to make sure it was still necessary and give it the appearance of oversight. (The renewal dates appear on this timeline.) When FISC approved the use of the Pen Register statute to collect the Internet dragnet, it adhered to that statute’s renewal process, which requires 90-day renewals. I assume the phone dragnet adopted the same, even though Section 215 has no renewal requirement, because the phone dragnet collected even more data than the Internet dragnet did.
So already, we’re a day longer than the spirit of the law should permit, four days before Sunday’s scheduled resolution (or lack thereof) of the current impasse.
Given Charlie Savage’s account, it appears the Administration did not — as ordered by Boasberg — brief the FISC on the impact of the 2nd Circuit decision if it would change the program. Rather, they’re just hiding out, hoping they don’t need to raise this or any other issue with regards to the dragnet with the FISC.
The Foreign Intelligence Surveillance Court had given the government a deadline of last Friday to file a new application to extend the bulk phone records program for 90 days. Given the disarray in the Senate and the looming deadline, the Justice Department did not file, the official said, speaking on condition of anonymity to discuss intelligence-related matters.
The administration is holding to its decision not to invoke the grandfather clause to keep collecting bulk phone records past next Monday, the official said. But the government has not ruled out invoking such a clause for using the business records provision — as well as the other two powers that are expiring — to gather specific records for more routine investigations.
“We will not use the grandfather clause in the Patriot Act to continue the bulk metadata collection program; it would not be tenable for us to do so,” the senior official said.
“Thus, because of the pending sunset of the current authority, we have not filed an application with the FISA court to continue collection,” the official said, referring to the Foreign Intelligence Surveillance Act court, also known as FISC.
The official added, “We will consider, in light of our national security needs and the status of our authorities, whether to make an appropriate filing with the FISC about accessing previously collected metadata.”
The administration is hoping to avoid any need to go to the court for permission to query already-acquired bulk phone data, which would raise additional legal complications.
But one plan being floated — Dianne Feinstein’s non-compromise compromise — would simply permit the FISC to extend the current order until a year after whenever her bill might be passed into law (which couldn’t be Sunday night), as if nothing had ever happened.
CONTINUED APPLICABILITY.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, the order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, may be extended by order of that court until the effective date established in subsection (a) [that is, one year after the passage of this bill]
In other words, Feinstein proposes to take a dragnet collecting the phone records of all Americans, and extend it for an entire year, when even a Pen Register targeting an individual would need to be formally renewed.
34 years ago Ronald Reagan issued the Executive Order that still governs most of our country’s intelligence activities, EO 12333.
As part of it, the EO required any agency using information concerning US persons to have a set of procedures laying out how it obtains, handles, and disseminates information (see the language of 2.3 below).
Only — as the Privacy and Civil Liberties Oversight Board started pointing out in August 2013 — some agencies have never complied. In February, PCLOB revealed the 4 agencies that are still flouting Reagan’s rules, along with what they have been using:
The Department of Homeland Security’s notoriously shoddy Office of Intelligence and Analysis: Pending issuance of final procedures, I&A is operating pursuant to Interim Intelligence Oversight Procedures, issued jointly by the Under Secretary for Intelligence and Analysis and the Associate General Counsel for Intelligence (April 3, 2008).
United States Coast Guard (USCG)- Intelligence and counterintelligence elements: Pending issuance of final procedures, operating pursuant to Commandant Instruction – COMDINST 3820.12, Coast Guard Intelligence Activities (August 28, 2003).
Department of Treasury Office of Intelligence and Analysis (OIA): Pending issuance of final procedures. While draft guidelines are being reviewed in the interagency approval process, the Office of Intelligence and Analysis conducts intelligence operations pursuant to EO 12333 and statutory responsibilities of the IC element, as advised by supporting legal counsel.
Drug Enforcement Administration, Office of National Security Intelligence (ONSI): Pending issuance of final procedures, operates pursuant to guidance of the Office of Chief Counsel, other guidance, and: Attorney General approved “Guidelines for Disclosure of Grand Jury and Electronic, Wire, and Oral Interception Information Identifying United States Persons” (September 23, 2002); Attorney General approved “Guidelines Regarding Disclosure to the Director of Central Intelligence and Homeland Security Officials of Foreign Intelligence Acquired in the Course of a Criminal Investigation” (September 23, 2002).
Last year’s House Intelligence Committee version of NSA reform (the one I called RuppRoge) would have included language requiring agencies to finish these procedures — mandated 34 years ago — within 6 months. And now, over a year later, Dianne Feinstein’s latest attempt at reform echoed that language.
Which strongly suggests these agencies are still deadbeats.
As I said in February, I’m most concerned about DEA (because DEA is out of control) and, especially, Treasury (because Treasury’s intelligence activities are a black box with little court review). Treasury is making judgements that can blacklist someone financially, but it has thus far refused to institute procedures to protect Americans’ privacy while it does so.
And no one seems to be rushing to require them to do so.
2.3 Collection of Information. Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order. Those procedures shall permit collection, retention and dissemination of the following types of information:
(a) Information that is publicly available or collected with the consent of the person concerned;
(b) Information constituting foreign intelligence or counterintelligence, including such information concerning corporations or other commercial organizations. Collection within the United States of foreign intelligence not otherwise obtainable shall be undertaken by the FBI or, when significant foreign intelligence is sought, by other authorized agencies of the Intelligence Community, provided that no foreign intelligence collection by such agencies may be undertaken for the purpose of acquiring information concerning the domestic activities of United States persons;
(c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation;
(d) Information needed to protect the safety of any persons or organizations, including those who are targets, victims or hostages of international terrorist organizations;
(e) Information needed to protect foreign intelligence or counterintelligence sources or methods from unauthorized disclosure. Collection within the United States shall be undertaken by the FBI except that other agencies of the Intelligence Community may also collect such information concerning present or former employees, present or former intelligence agency contractors or their present or former employees, or applicants for any such employment or contracting;
(f) Information concerning persons who are reasonably believed to be potential sources or contacts for the purpose of determining their suitability or credibility;
(g) Information arising out of a lawful personnel, physical or communications security investigation;
(h) Information acquired by overhead reconnaissance not directed at specific United States persons;
(i) Incidentally obtained information that may indicate involvement in activities that may violate federal, state, local or foreign laws; and
(j) Information necessary for administrative purposes.
In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.
I wanted to provide some background of how we got to this week’s PATRIOT Reauthorization debate to explain what I believe the surveillance boosters are really aiming for. Rather than a response to Edward Snowden, I think it is more useful to consider “reform” as an Intelligence Community effort to recreate functionalities they had and then lost in 2009.
That history starts in 2009, when NSA was still operating under the system they had established under Stellar Wind while pretending to abide by FISC rules.
At the beginning of 2009, the NSA had probably close to full coverage of phone records in the US, and coverage on the most important Internet circuits as well. Contrary to the explicit orders of the FISC, NSA was treating all this data as EO 12333 data, not PATRIOT data.
On the Internet side, it was acquiring data that it considered Dialing, Routing, Addressing, and Signaling information but which also constituted content (and which violated the category limits Colleen Kollar-Kotelly had first imposed).
On the phone side, NSA was not only treating PATRIOT data according to NSA’s more general minimization procedures as opposed to those dictated by the FISC. But in violation of those minimization procedures, NSA was submitting phone dragnet data to all the automated procedures it submitted EO 12333 data to, which included automated searches and automatic chaining on other identifiers believed to belong to the same user (the latter of which NSA calls “correlations”). Either these procedures consisted of — or the data was also treated to — pattern analysis, chaining users on patterns rather than calls made. Of key importance, one point of having all the data in the country was to be able to run this pattern analysis. Until 2008 (and really until 2009) they were sharing the results of this data in real time.
Having both types of data allowed the NSA to chain across both telephony and Internet data (obtained under a range of authorities) in the same query, which would give them a pretty comprehensive picture of all the communications a target was engaging in, regardless of medium.
I believe this bucolic state is where the surveillance hawks want us to return to. Indeed, to a large extent that’s what Richard Burr’s bill does (with a lot of obstructive measures to make sure this process never gets exposed again).
But when DOJ disclosed the phone violations to FISC in early 2009, they shut down all those automatic processes. And Judge Reggie Walton took over 6 months before he’d even let NSA have full ability to query the data.
Then, probably in October 2009, DOJ finally confessed to FISC that every single record NSA had collected under the Internet dragnet for five years violated Kollar-Kotelly’s category rules. Walton probably shut down the dragnet on October 30, 2009, and it remained shut down until around July 2010.
At this point, not only didn’t NSA have domestic coverage that included Internet and phone, but the phone dragnet was a lot less useful than all the other phone data NSA collected because NSA couldn’t use its nifty automatic tools on it.
We know that NSA convinced John Bates to not only turn the Internet dragnet back on around July 2010 (though it took a while before they actually turned it on), but to expand collection to some or all circuits in the US. He permitted that by interpreting anything that might be Dialing, Routing, Addressing, and Signaling (DRAS) to be metadata, regardless of whether it also was content, and by pointing back to the phone dragnet to justify the extension of the Internet dragnet. Bates’ fix was short-lived, however, because by 2011, NSA shut down that dragnet. I wildarseguess that may partly because DOJ knew it was still collecting content, and when Bates told NSA if it knew it was collecting content with upstream collection, it would be illegal (NSA destroyed the Internet dragnet data at the same time it decided to start destroying its illegal upstream data). I also think there may have been a problem with Bates’ redefinition of DRAS, because Richard Burr explicitly adopted Bates’ definition in his bill, which would have given Bates’ 2010 opinion congressional sanction. As far as we know, NSA has been coping without the domestic Internet dragnet by collecting on US person Internet data overseas, as well as off PRISM targets.
Remember, any residual problems the Internet dragnet had may have affected NSA’s ability to collect any IP-based calls or at least messaging.
Meanwhile, NSA was trying to replace the automated functions it had up until 2009, and on November 8, 2012, the NSA finally authorized a way to do that. But over the next year plus, NSA never managed to turn it on.
Meanwhile, the phone dragnet was collecting less and less of the data out there. My current theory is that the gap arose because of two things involving Verizon. First, in 2009, part or all of Verizon dropped its contract with the FBI to provide enhanced call records first set up in 2002. This meant it no longer had all its data collected in a way that was useful to FBI that it could use to provide CDRs (though Verizon had already changed the way it complied with phone records in 2007, which had, by itself, created some technical issues). In addition, I suspect that as Verizon moved to 4G technology it didn’t keep the same kind of records for 4G calls that transited its backbone (which is where the records come from, not from customer bills). The problems with the Internet dragnet may have exacerbated this (and in any case, the phone dragnet orders only ask for telephony metadata, not IP metadata).
Once you lose cell calls transiting Verizon’s backbone, you’ve got a big hole in the system.
At the same time, more and more people (and, disproportionately, terrorist targets) were relying more and more on IP-based communications — Skype, especially, but also texting and other VOIP calls. And while AT&T gets some of what crosses its backbone (and had and still has a contract for that enhanced call record service with the FBI, which means it will be accessible), a lot of that would not be available as telephony. Again, any limits on Internet collection may also impact IP based calls and messaging.
Which brings you to where the dragnets were in 2013, when Edward Snowden alerted us to their presence. The domestic PATRIOT-authorized Internet dragnet had been shut down (and with it, potentially, Internet-based calls and messaging). The phone dragnet still operated, but there were significant gaps in what the telecoms would or could turn over (though I suspect NSA still has full coverage of data that transits AT&T’s backbone). And that data couldn’t be subjected to all the nifty kinds of analysis NSA liked to subject call data to. Plus, complying with the FISC-imposed minimization procedures meant NSA could only share query results in limited situations and even then with some bureaucratic limits. Finally, it could only be used for counterterrorism programs, and such data analysis had become a critical part of all of NSA’s analysis, even including US collection.
And this is where I suspect all those stories about NSA already considering, in 2009 and in 2013, shutting down the dragnet. As both Ken Dilanian stories on this make clear, DOJ believed they could not achieve the same search results without a new law passed by Congress. Bob Litt has said the same publicly. Which makes it clear these are not plain old phone records.
So while Edward Snowden was a huge pain in the ass for the IC, he also provided the impetus to make a decision on the phone dragnet. Obama made a big show of listening to his Presidential Review Group and PCLOB, both of which said to get rid of it (the latter of which said it was not authorized by Section 215). But — as I noted at the time — moving to providers would fix some of their problems.
In their ideal world, here’s what we know the IC would like:
And the IC wants this while retaining Section 215’s use of bulky collections that can be cross-referenced with other data, especially the other Internet collection it conducts using Section 215, which makes up a majority of Section 215 orders.
Those 5 categories are how I’ve been analyzing the various solutions (which is one of about 10 reasons I’m so certain that Mitch McConnell would never want straight reauthorization, because there’s nothing that straight reauthorization would have ratified that would have fixed the existing problems with the dragnet), while keeping in mind that as currently constructed, the Internet 215 collection is far more important to the IC than the phone dragnet.
USA F-ReDux, as currently incarnated, would vastly expand data sharing, because data would come in through FBI (as PRISM data does) and FBI metadata rules are very permissive. And it would give collection on telephony and IP-based calls (probably not from all entities, but probably from Apple, Google, and Microsoft). It would not permit use for all intelligence purposes. And it is unclear how many of NSA’s analytical tools they’d be able to use (I believe they’d have access to the “correlations” function directly, because providers would have access internally to customers’ other accounts, but with the House report, other kinds of analysis should be prohibited, though who knows what AT&T and Microsoft would do with immunity). The House report clearly envisions federated queries, but they would be awkward to integrate with the outsourced collection.
Burr’s bill, on the other hand, would expand provider based querying to all intelligence uses. But even before querying might — maybe — probably wouldn’t — move to providers in 2 years, Burr’s bill would have immediately permitted NSA to obtain all the things they’d need to return to the 2009 bucolic era where US collected data had the same treatment as EO 12333 collected data. And Burr’s bill would probably permit federated queries with all other NSA data. This is why, I think, he adopted EO 12333 minimization procedures, which are far more restrictive than what will happen when data comes in via FBI, because since it will continue to come in in bulk, it needs to have an NSA minimization procedure. Burr’s bill would also sneak the Section 215 Internet collection back into NSL production, making that data more promiscuously available as well.
In other words, this is why so many hawks in the House are happy to have USA F-ReDux: because it is vastly better than the status quo. But it’s also why so many hawks in the Senate are unsatisfied with it: because it doesn’t let the IC do the other things — some of the analytical work and easy federated queries — that they’d like, across all intelligence functions. (Ironically, that means even while they’re squawking about ISIS, the capabilities they’d really like under Burr’s bill involve entirely other kinds of targets.)
A lot of the debate about a phone dragnet fix has focused on other aspects of the bill — on transparency and reporting and so on. And while I think those things do matter (the IC clearly wants to minimize those extras, and had gutted many of them even in last year’s bill), what really matters are those 5 functionalities.
Dianne Feinstein is the latest member of Congress to offer a non-compromise compromise to replace the compromise USA F-ReDux, this time with a bill that would:
This will be a working thread.
Update: Just to clarify, I believe Feinstein’s bill is almost certainly supposed to be the “face-saving” version of USA F-ReDux referred to in this article.
Feinstein accomplishes this:
Some leaders of the House Intelligence Committee, along with supporters in the Senate, hope they can assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in.
In Section 108, with the certification process.
Feinstein adds an odd data mandate — not listed in this story but a key complaint from Mitch and others — in Section 101 (page 4).
And Feinstein responds to this request,
Republicans have also expressed a desire to protect the phone companies against harassment from privacy activists over their participation in a new surveillance program.
By adopting the Section 215 dedicated Espionage Act at Section 501.
(3) DiFi’s bill explicitly permits the government to get call detail records in the old way.
(4) DiFi’s bill tweaks USA F-ReDux’s call chaining language for use with “individuals” who are not agents of foreign powers engaged in international terrorism. Those would be US persons.
(5) The data mandate is really fascinating. It only requires a company to retain data after getting a request but is vague about how much data must be retained (which is likely “all”).
(3) may include a request for an order that requires each recipient of the order under this section to retain the call detail records for up to 24 months from the date the call detail record was initially generated—
(A) if the request includes a certification made by the Director of the Federal Bureau of Investigation that the Government has reason to believe that the recipient of the order being applied for is not retaining call detail records for a period of up to 24 months and that the absence of call detail records for that period of time is resulting in, or is reasonably likely toresult in, the loss of foreign intelligence information relevant to an authorized investigation; and
(B) if the order provides that call detailrecords retained solely for purposes of complying with an order under this section may only be produced pursuant to an order under this section.
It’s an odd construct (though it does try to keep the records out of the hands of divorce lawyers, which I guess is good). Obviously, the government will have the records they actually ask for at any given time. So what it suggests is this will be a mandate on some or entire universe of the providers existing records so they can do pattern analysis.
(7) The scheme for call detail records is the same as in USA F-ReDux, but absent the HJC report language saying it can’t involve analysis I assume it does.
(12) DiFi retains the minimization procedures from USA F-ReDux.
(14) The bill adds immunity for records retention.
(17) The “limitation” language is different, and adds “indiscriminate.” Again, this still uses the IC definition of bulk, though, which is meaningless, even modified by “indiscriminate.” SST is the same, including the narrower limit for CDR function.
(19) DiFi eliminates IG reports, I guess because they show how sloppily these things are run and how generally useless they are.
(19) Here’s how DiFi deals w/Burr’s transition canard.
IN GENERAL.—The amendments made by sections 101 through 107 shall take effect on the date that is 180 days after the date of the enactment of this Act unless the President certifies to the appropriate committees of Congress that the transition from the existing procedures for the productionof business records under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.), as in effect prior to the effective date for the amendments made by section 101 through 107,to the new procedures, as amended by sections 101through 107, is not sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.
(2) EXTENSION FOR CERTIFICATION.—If the President makes a certification described in paragraph (1), the amendment made by sections 101 through 107 shall take effect on the date, that may be up to 1 year after the date of the enactment of this Act, that the President determines that the transition referred to in such paragraph is sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.
(3) LIMITATION ON TRANSITION PERIOD.—If the President makes a certification under paragraph(1) and does not determine an effective date under paragraph (2), the amendments made by sections 101 through 107 shall take effect on the date that is 1 year after the date of the enactment of this Act.
(b) NO EFFECT ON PRIOR AUTHORITY.—Nothing in this Act, or any amendment made by this Act, shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as in effect on May 31, 2015, during the period ending on such effective date.
(c) TRANSITION.—(1) ORDERS IN EFFECT ON MA
Y 31, 2015.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, any order issued or made under title V of the Foreign Intelligence Surveillance Act of 1978 and in effect on May 31, 2015, shall continue in effect until the date of the expiration of such order.
(2) CONTINUED APPLICABILITY.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, the order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, may be extended by order of that court until the effective date established in subsection (a).
(3) USE OF INFORMATION.—
(A) IN GENERAL.—Information acquired from the call detail records pursuant to an order issued under section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) prior to the effective date in subsection (a) may continue to be used after the effective date of this Act, subject to the limitation in subparagraph (B).
(B) DESTRUCTION OF INFORMATION.—
Any record produced under any order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26 2015, in Docket No. BR 15–24 , or any predecessor order for such an order shall be destroyed no later than 5 years after the date such record was initially collected. Until that time, such a record may be used in accordance with the purpose prescribed and the procedures established in such order.
(23) DiFi’s bill takes out this language, which was in USA F-ReDux, in the PRTT section, but it does retain privacy procedures.
(C) For purposes of subparagraph (A), the term ‘address’ means a physical address or electronic address, such as an electronic mail address or temporarily assigned network address (including an Internet protocol address).
(24) Difi includes bulk controls on NSLs, but not the gag fix.
(26) The 215 reporting takes out the reporting on bulk collection to Congress that was in USA F-ReDux. Sharing of this is extended to everyone in Congress whom the HPSCI chair likes.
(33) DiFi gets rid of two-track reporting on all non-215 and consolidates it. The reporting is somewhat different (for example, Congress will no longer know when something has been used in a trial). DiFi pretends to extend this reporting to everyone in Congress, but since it’s subject to Congressional rules that will only happen in the senate.
(40) DiFi does include significant matter of law reporting to the appropriate committees (which exists).
(45) DiFi continues Burr’s Espionage Act.
(47) The amicus curiae is the John Bates Richard Burr version, which I think might be counterproductive.
(55) DiFi requires agencies that have not established minimization procedures required under the original EO 12333. See this post for more background.
As I noted here, given the content of the radical bill Richard Burr introduced on Friday, it appears likely that his claim Section 215 sIpported an IP dragnet was no misstatement, as he claimed when I called him on it. But that — and the misstatements Mitch McConnell made on Friday about the bill — are not the only lies the authoritarians have been telling.
Just after USA F-ReDux failed in the Senate Friday night and Barbara Boxer tried to call it back up for a vote, Mitch McConnell falsely claimed that Dianne Feinstein was involved in Burr’s radical bill. Senator Feinstein actually had to interrupt and point out that not only doesn’t she think Burr’s bill is the way to go, but that pushing for it might put all the expiring provisions at risk. (h/t Steven Aftergood for pulling Congressional Research Service records)
McCONNELL. Mr. President, the Senate has demonstrated that the House-passed bill lacks the support of 60 Senators. I would urge a “yes” vote on the 2-month extension. Senator Burr, the chairman of the Intelligence Committee, and Senator Feinstein, the ranking member, as we all know, have been working on a proposal that they think would improve the version that the Senate has not accepted that the House sent over. It would allow the committee to work on this bill, refine it, and bring it before us for consideration. So the 2-month extension, it strikes me, would be in the best interest of getting an outcome that is acceptable to both the Senate and the House and hopefully the President.
Mrs. FEINSTEIN. Mr. President, if I may a point of personal privilege. Mr. President, I would like to correct the majority leader, regretfully. I did not support the Burr bill. I do not believe that is the way to go. I have taken a good look at this. For those who want reform and want to prevent the government from holding the data, the FREEDOM Act is the only way to do it. The House has passed it. The President wants it. All of the intelligence personnel have agreed to it, and I think not to pass that bill is really to throw the whole program–that whole section 215 as well as the whole business records, the “lone wolf,” the roving wiretaps–into serious legal jeopardy.
That is, of course, precisely what has happened. In his bid to ram through Burr’s expanded dragnet, Mitch has now made it increasingly likely that all the expiring provisions will lapse on June 1.