Posts

putin

Seven Democrats Write Obama Asking Him to Declassify More Information on Russian Involvement in the Election

Ron Wyden, five other Democrats, and Dem caucusing Independent Angus King just wrote Obama a cryptic letter. The entire body of the letter reads:

We believe there is additional information concerning the Russian Government and the U.S. election that should be declassified and released to the public. We are conveying specifics through classified channels.

Thank you for your attention to this important matter.

Aside from the fact that this suggests (as Wyden’s cryptic letters always d0) there is something meaty that we really ought to know, I find the list of signers rather curious. In addition to Wyden, the following Senators signed the letter:

  • Jack Reed
  • Mark Warner
  • Barb Mikulski
  • Martin Heinrich
  • Angus King
  • Mazie Hirono

That is, every Democratic SSCI member except current Chair Dianne Feinstein, plus Senate Armed Services Chair Jack Reed, signed the letter. So every Democrat except DiFi and Majority Leader Harry Reid signed the letter, suggesting it is something that got briefed to the full Senate Intelligence Committee as well as the Ranking Members of SASC (the latter of which suggests NSA or CYBERCOM may be involved).

I’m as interested in the fact that DiFi and Reid didn’t sign as that the others did sign. It can’t be that Reid is retiring and DiFi is heading to SJC (it’s still unclear whether she’ll remain on SSCI or not). After all, Mikulski is retiring as well.

Plus, Harry Reid wrote a far more explicit letter last month to Jim Comey — apparently following up on a non-public letter send months earlier — alluding to direct coordination between Trump and Russia.

In my communications with you and other top officials in the national security community, it has become clear that you possess explosive information about close ties and coordination between Donald Trump, his top advisors, and the Russian government – a foreign interest openly hostile to the United States, which Trump praises at every opportunity. The public has a right to know this information. I wrote to you months ago calling for this information to be released to the public. There is no danger to American interests from releasing it. And yet, you continue to resist calls to inform the public of this critical information.

Finally, what to make of the fact that not even John McCain signed onto this letter? Reed’s inclusion makes it clear that McCain, too, must have been briefed. He has been outspoken about Trump’s moves to cozy up to Putin. If he has seen — and objects to — such coordination, why not sign onto this letter and give it the patina of bipartisanship?

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

On Responsible Sourcing for DNC Hack Stories

For some reason Lawfare thinks it is interesting that the two Democratic members of the Gang of Four — who have apparently not figured out there’s a difference between the hack (allegedly done by Russia) and the dissemination (done by Wikileaks, which has different motivations) are calling for information on the DNC hack to be released.

The recent hack into the servers of the Democratic National Committee (DNC) and the subsequent release via WikiLeaks of a cache of 20,000 internal e-mails, demonstrated yet again the vulnerability of our institutions to cyber intrusion and exploitation.  In its timing, content, and manner of release, the email dissemination was clearly intended to undermine the Democratic Party and the presidential campaign of Secretary Hillary Clinton, and disrupt the Democratic Party’s convention in Philadelphia.

[snip]

Specifically, we ask that the Administration consider declassifying and releasing, subject to redactions to protect sources and methods, any Intelligence Community assessments regarding the incident, including any that might illuminate potential Russian motivations for what would be an unprecedented interference in a U.S. Presidential race, and why President Putin could potentially feel compelled to authorize such an operation, given the high likelihood of eventual attribution.

For some equally bizarre reason, WaPo thinks Devin Nunes’ claim — in the same breath as he claims Donald Trump’s repeated calls on Russia to release Hillary’s email were sarcastic — that there is “no evidence, absolutely no evidence” that Russia hacked the DNC to influence the election is credible.

Rep. Devin Nunes (R-Calif.), the chairman of the House Intelligence Committee, told The Washington Post in an interview Wednesday that speculation about Russian attempts to sway the presidential election is unfounded.

“There is no evidence, absolutely no evidence, that the Russians are trying to influence the U.S. election,” Nunes said, repeatedly swatting away the suggestion made by some Democrats that the Russians may be using their intelligence and hacking capabilities to boost Donald Trump’s chances.

“There is evidence that the Russians are actively trying to hack into the United States — but it’s not only the Russians doing that. The Russians and the Chinese have been all over our networks for many years.”

These are two obvious (because they’re on the record) examples of partisans using their access to classified information to try to boost or refute a narrative that the Hillary Clinton campaign has explicitly adopted: focusing on the alleged Russian source of the hack rather on the content of the things the hack shows.

Kudos to Richard Burr, who is facing a surprisingly tough reelection campaign, for being the one Gang of Four member not to get involved in the partisan bullshit on this.

There are plenty of people with no known interest in either seeing a Trump or a Clinton presidency that have some measure of expertise on this issue (this is the rare moment, for example, when I’m welcoming the fact that FBI agents are sieves for inappropriate leaks). So no outlet should be posting something that obviously primarily serves the narrative one or the other candidate wants to adopt on the DNC hack without a giant sign saying “look at what partisans have been instructed to say by the campaign.” That’s all the more true for positions, like the Gang of Four, that we’d prefer to be as little politicized as possible. Please don’t encourage those people to use their positions to serve a partisan narrative, I beg of you!

For the same reason I’m peeved that Harry Reid suggested the Intelligence Community give Trump fake intelligence briefings. Haven’t we learned our lesson about politicizing intelligence?

More generally, I think journalists should be especially careful at this point to make it clear whether their anonymous sources have a partisan dog in this fight, because zero of those people should be considered to be unbiased when they make claims about the DNC hack.

A very special case of that comes in stories like this, where Neocon ideologue Eliot Cohen, identified as Bush appointee, is quoted attacking Trump for suggesting Russia should leak anymore emails.

But now Republican-aligned foreign policy experts are also weighing in along similar lines.

“It’s appalling,” Dr. Eliot A. Cohen, who was counselor of the State Department during the second term of George W. Bush’s presidency, said to me today. “Calling on a foreign government to go after your opponent in an American election?”

Cohen recently organized an open letter from a range of GOP national security leaders that denounced Trump in harsh terms, arguing that Trump’s “own statements” indicate that “he would use the authority of his office to act in ways that make America less safe, and which would diminish our standing in the world.” The letter said: “As committed and loyal Republicans, we are unable to support a Party ticket with Mr. Trump at its head. We commit ourselves to working energetically to prevent the election of someone so utterly unfitted to the office.”

But this latest from Trump, by pushing the envelope once again, raises the question of whether other prominent Republicans are ever going to join in.

For instance, to my knowledge, top national security advisers to George W. Bush, such as Stephen Hadley and Condoleezza Rice (who was also secretary of state), have yet to comment on anything we’ve heard thus far from Trump. Also, there could theoretically come a point where figures like former Defense Secretary Donald Rumsfeld and possibly even Dubya and George H.W. Bush feel compelled to weigh in.

Meanwhile, senior Republican elected officials who have backed Trump continue to refrain from taking on his comments forcefully or directly. Some Republicans actually defended Trump’s comments today. Paul Ryan’s spokesman issued a statement saying this: “Russia is a global menace led by a devious thug. Putin should stay out of this election.”

I feel differently about Trump’s asinine comment than I do about attribution of the attack. I’m all in favor of Hillary’s campaign attacking Trump for it, and frankly Cohen is a far more credible person to do so than Jake Sullivan and Leon Panetta, who also launched such attacks yesterday, because as far as I know Cohen has not mishandled classified information like the other two have.

But I would prefer if, rather than IDing Cohen as one of the Republicans who signed a letter opposing Trump, Greg Sargent had IDed him as someone who has also spoken affirmatively for Hillary.

On foreign policy, Hillary Clinton is far better: She believes in the old consensus and will take tough lines on China and, increasingly, Russia. She does not hesitate to make the case for human rights as a key part of our foreign policy. True, under pressure from her own left wing, she has backtracked on the Trans-Pacific Partnership, a set of trade deals that supports American interests by creating a counterbalance to China and American values by protecting workers’ rights. But she might edge back toward supporting it, once in.

Admittedly, this was at a time when Cohen and others still hoped some Mike Bloomberg like savior would offer them a third choice; that was before Bloomberg gave a very prominent speech endorsing Hillary last night.

Here’s the thing. The Neocons (led by Robert Kagan, who’s wife got named as a target of Russian aggression in the Feinstein-Schiff letter) are functioning as surrogates for Hillary just like top Democrats are. They are, just like Democrats are, now scrambling to turn their endorsements into both policy and personnel wins. Therefore we should no more trust the independence of a pro-Hillary Neocon — even if he did work for George Bush — than we would trust the many Democrats who have used their power to help Hillary win this election. Progressives should be very wary about the promises Hillary has made to get the growing number of Neocons (and people like Bloomberg) to so aggressively endorse her. Because those endorsements will come with payback, just like union or superdelegate endorsements do.

In any case, it’s hard enough to tease out attribution for two separate hacks and the subsequent publication of the hacked data by Wikileaks. Relying on obviously self-interested people as sources only further obscures the process.

Update: The Grammar Police actually nagged me to fix “whose/who’s” error in the Kagan sentence. Fun!

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Key Area of Dispute on Drone Numbers: Number of Strikes

Dianne Feinstein is out with a statement applauding that I Con the Record has released drone kill numbers that — she suggests — proves the spooks know something we don’t and that the number of civilian casualties hasn’t been that high.

“I want to commend the administration for taking this important step toward transparency by releasing information on the number of civilian deaths as a result of U.S. drone strikes. I believe more can be done, but this release of data is a good start.

“I’ve been calling on the administration to release drone strike data for years. Varying numbers have been tallied by outside organizations but as today’s report makes clear, the government has access to unique information to help determine the number of civilian deaths. The American people should be able to weigh the necessity of counterterrorism programs with as much information as possible.

“I do believe that great care is taken to avoid noncombatant casualties during drone strike operations. Since 2009, the Senate Intelligence Committee has devoted significant time and attention to targeted strikes by drones, with a specific focus on civilian casualties.

“While a single civilian death is one too many, I believe this program is more precise than many alternatives such as strikes with cruise missiles, where far more civilians would be at risk.”

A fair response to Feinstein, I think, is to point to this piece from the Human Rights Watch researcher who tallied their count of civilian deaths in Yemen. As she notes, counting just the cases she has investigated on the ground would say there were only 7 other civilian casualties later in Yemen and in other theaters.

The US strikes on Al-Majalah in December 2009 killed 14 fighters with Al-Qaeda in the Arabian Peninsula—but they also killed 41 Bedouin civilians, more than two-thirds of them women and children, according to a Yemeni government probe. In an investigation for Human Rights Watch, I tallied the same toll. Yet the US government has never publicly acknowledged the Al-Majalah killings. Instead, two classified diplomatic cables released by Wikileaks revealed, the Obama administration made a concerted effort to conceal its role in the attack.

The White House release on July 1 of casualty figures for airstrikes outside conventional war zones since 2009 should have shed light on how many civilians were killed in attacks such as the one in Al-Majalah. Instead, its data dump, at the start of a holiday weekend, continues President Barack Obama’s obfuscation of its lethal strike program against armed groups such as Islamic State and Al-Qaeda. Even if the government’s definition of a “combatant” were fully consistent with international law, which only applies to armed conflict situations, the release raises more questions than it answers.

[snip]

Did the US kill only 7 civilians in 466 strikes? In 2012-13, I led Human Rights Watch investigations into seven of the US counterterrorism strikes in Yemen from 2009 to 2013 that were alleged to have killed civilians. We visited strike sites when possible, examined the remnants of ordnance, and interviewed a range of witnesses, relatives, tribal leaders and Yemeni officials—corroborating our findings in ways that the DNI cannot simply dismiss. We found that at least 57 of those killed were civilians, along with possibly 14 others, 12 of them in a strike on a wedding convoy. Subtracting our numbers from the DNI’s minimum estimates leaves only seven civilian deaths in the 466 strikes that we did not investigate. That would be a remarkably low toll. But based on the obscure data the Obama administration revealed last week, we cannot know if it is accurate.

Viewed this way, it’s easy to see how ODNI’s numbers cannot add up. There must be some more basic reason their numbers are so different from every other outlet, having to do with methodology or scope. I’ve pointed to some potential explanations: CIA didn’t hand over all their numbers to ODNI, they didn’t include everything we’d include in terms of areas outside active hostilities, some strikes (and the al-Majalah one would be a likely candidate) were attributed to either the home country or some other ally (cough, KSA), even if the US conducted the strike; remember the US did a lot of “side payment” strikes in Pakistan to win the right to do our own strikes.

In other words, if “side payment” strikes — in Pakistan and Yemen (some of the latter of which may have been done for Saudi Arabia) — were the ones that killed a bunch of civilians, they might not show up in I Con the Record’s numbers.

But here’s how it would seem we could move forward: try to come to some agreement as to how many actual strikes are.

As Micah Zenko pointed out, there is a very big discrepancy between the numbers of total strikes counted by NGOs and the government. Effectively, the Administration doesn’t count 18% of the known air strikes as their own (based off the NGO average).

It’s easy to see where a disagreement about individual casualties, and of what type, would come from, but not of airstrikes themselves. Unless airstrikes generally assumed to be US airstrikes are being counted as someone else’s.

Update: Fixed that Yemen would be the recipient of side payment strikes, not Saudi Arabia.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Some Legislative Responses to Clinton’s Email Scandal

The Republicans have reverted to their natural “Benghazi witchhunt” form in the wake of Jim Comey’s announcement Tuesday that Hillary Clinton and her aides should not be charged, with Comey scheduled to testify before the House Oversight Committee at 10 AM.

Paul Ryan wrote a letter asking James Clapper to withhold classified briefings from Hillary. And the House Intelligence Committee is even considering a bill to prevent people who have mishandled classified information from getting clearances.

In light of the FBI’s findings, a congressional staffer told The Daily Beast that the House Intelligence Committee is considering legislation that could block security clearances for people who have been found to have mishandled classified information in the past.

It’s not clear how many of Clinton’s aides still have their government security clearances, but such a measure could make it more difficult for them to be renewed, should they come back to serve in a Clinton administration.

“The idea would be to make sure that these rules apply to a very wide range of people in the executive branch,” the staffer said. (Clinton herself would not need a clearance were she to become president.)

It’s nice to see the same Republicans who didn’t make a peep when David Petraeus kept — and still has — his clearance for doing worse than Hillary has finally getting religion on security clearances.

But this circus isn’t really going to make us better governed or safer.

So here are some fixes Congress should consider:

Add some teeth to the Federal/Presidential Records Acts

As I noted on Pacifica, Hillary’s real crime was trying to retain maximal control over her records as Secretary of State — probably best understood as an understandable effort to withhold anything potentially personal combined with a disinterest in full transparency. That effort backfired spectacularly, though, because as a result all of her emails have been released.

Still, every single Administration has had at least a minor email scandal going back to Poppy Bush destroying PROFS notes pertaining to Iran-Contra.

And yet none of those email scandals has ever amounted to anything, and many of them have led to the loss of records that would otherwise be subject to archiving and (for agency employees) FOIA.

So let’s add some teeth to these laws — and lets mandate and fund more rational archiving of covered records. And while we’re at it, let’s ensure that encrypted smart phone apps, like Signal, which diplomats in the field should be using to solve some of the communication problems identified in this Clinton scandal, will actually get archived.

Fix the Espionage Act (and the Computer Fraud and Abuse Act)

Steve Vladeck makes the case for this:

Congress has only amended the Espionage Act in detail on a handful of occasions and not significantly since 1950. All the while, critics have emerged from all corners—the academy, the courts, and within the government—urging Congress to clarify the myriad questions raised by the statute’s vague and overlapping terms, or to simply scrap it and start over. As the CIA’s general counsel told Congress in 1979, the uncertainty surrounding the Espionage Act presented “the worst of both worlds”:

On the one hand the laws stand idle and are not enforced at least in part because their meaning is so obscure, and on the other hand it is likely that the very obscurity of these laws serves to deter perfectly legitimate expression and debate by persons who must be as unsure of their liabilities as I am unsure of their obligations.

In other words, the Espionage Act is at once too broad and not broad enough—and gives the government too much and too little discretion in cases in which individuals mishandle national security secrets, maliciously or otherwise.

To underscore this point, the provision that the government has used to go after those who shared classified information with individuals not entitled to receive it (including Petraeus, Drake, and Manning), codified at 18 U.S.C. § 793(d), makes it a crime if:

Whoever, lawfully having possession of, access to, control over, or being entrusted with any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, instrument, appliance, or note relating to the national defense, or information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, transmits or causes to be communicated, delivered, or transmitted … to any person not entitled to receive it, or willfully retains the same and fails to deliver it on demand to the officer or employee of the United States entitled to receive it …

This provision is stunningly broad, and it’s easy to see how, at least as a matter of statutory interpretation, it covers leaking—when government employees (“lawfully having possession” of classified information) share that information with “any person not entitled to receive it.” But note how this doesn’t easily apply to Clinton’s case, as her communications, however unsecured, were generally with staffers who were“entitled to receive” classified information.

Instead, the provision folks have pointed to in her case is the even more strangely worded § 793(f), which makes it a crime for:

Whoever, being entrusted with or having lawful possession or control of [any of the items mentioned in § 793(d)], (1) through gross negligence permits the same to be removed from its proper place of custody or delivered to anyone in violation of his trust, or to be lost, stolen, abstracted, or destroyed, or (2) having knowledge that the same has been illegally removed from its proper place of custody or delivered to anyone in violation of its trust, or lost, or stolen, abstracted, or destroyed … fails to make prompt report of such loss, theft, abstraction, or destruction to his superior officer …

Obviously, it’s easy to equate Clinton’s “extreme carelessness” with the statute’s “gross negligence.” But look closer: Did Clinton’s carelessness, however extreme, “[permit] … [classified information] to be removed from its proper place of custody or delivered to anyone in violation of [her] trust”? What does that even mean in the context of intangible information discussed over email? The short answer is nobody knows: This provision has virtually never been used at least partly because no one is really sure what it prohibits. It certainly appears to be focused on government employees who dispossess the government of classified material (like a courier who leaves a satchel full of secret documents in a public place). But how much further does it go?

There’s an easy answer here, and it’s to not use Clinton as a test case for an unprecedented prosecution pursuant to an underutilized criminal provision, even if some of us think what she did was a greater sin than the conduct of some who have been charged under the statute. The better way forward is for Congress to do something it’s refused to do for more than 60 years: carefully and comprehensively modernize the Espionage Act, and clarify exactly when it is, and is not, a crime to mishandle classified national security secrets.

Sadly, if Congress were to legislate the Espionage Act now, they might codify the attacks on whistleblowers. But they should not. They should distinguish between selling information to our adversaries and making information public. They should also make it clear that intent matters — because in the key circuit, covering the CIA, the Pentagon, and many contractors, intent hasn’t mattered since the John Kiriakou case.

Eliminate the arbitrariness of the clearance system

But part of that should also involve eliminating the arbitrary nature of the classification system.

I’ve often pointed to how, in the Jeffrey Sterling case, the only evidence he would mishandle classified information was his retention of 30-year old instructions on how to dial a rotary phone, something far less dangerous than what Hillary did.

Equally outrageous, though, is that four of the witnesses who may have testified against Sterling, probably including Bob S who was the key witness, have also mishandled classified information in the past. Those people not only didn’t get prosecuted, but they were permitted to serve as witnesses against Sterling without their own indiscretions being submitted as evidence. As far as we know, none lost their security clearance. Similarly, David Petraeus hasn’t lost his security clearance. But Ashkan Soltani was denied one and therefore can’t work at the White House countering cyberattacks.

Look, the classification system is broken, both because information is over-classified and because maintaining the boundaries between classified and unclassified is too unwieldy. That broken system is then magnified as people’s access to high-paying jobs are subjected to arbitrary review of security clearances. That’s only getting worse as the Intelligence Community ratchets up the Insider Threat program (rather than, say, technical means) to forestall another Manning or Snowden.

The IC has made some progress in recent years in shrinking the universe of people who have security clearances, and the IC is even making moves toward fixing classification. But the clearance system needs to be more transparent to those within it and more just.

Limit the President’s arbitrary authority over classification

Finally, Congress should try to put bounds to the currently arbitrary and unlimited authority Presidents claim over classified information.

As a reminder, the Executive Branch routinely cites the Navy v. Egan precedent to claim unlimited authority over the classified system. They did so when someone (it’s still unclear whether it was Bush or Cheney) authorized Scooter Libby to leak classified information — probably including Valerie Plame’s identity — to Judy Miller. And they did so when telling Vaughn Walker could not require the government to give al Haramain’s lawyers clearance to review the illegal wiretap log they had already seen before handing it over to the court.

And these claims affect Congress’ ability to do their job. The White House used CIA as cover to withhold a great deal of documents implicating the Bush White House in authorizing torture. Then, the White House backed CIA’s efforts to hide unclassified information, like the already-published identities of its torture-approving lawyers, with the release of the Torture Report summary. In his very last congressional speech, Carl Levin complained that he was never able to declassify a document on the Iraq War claims that Mohammed Atta met with a top Iraqi intelligence official in Prague.

This issue will resurface when Hillary, who I presume will still win this election, nominates some of the people involved in this scandal to serve in her White House. While she can nominate implicated aides — Jake Sullivan, Huma Abedin, and Cheryl Mills — for White House positions that require no confirmation (which is what Obama did with John Brennan, who was at that point still tainted by his role in torture), as soon as she names Sullivan to be National Security Advisor, as expected, Congress will complain that he should not have clearance.

She can do so — George Bush did the equivalent (remember he appointed John Poindexter, whose prosecution in relation to the Iran-Contra scandal was overturned on a technicality, to run the Total Information Awareness program).

There’s a very good question whether she should be permitted to do so. Even ignoring the question of whether Sullivan would appropriately treat classified information, it sets a horrible example for clearance holders who would lose their clearances.

But as far as things stand, she could. And that’s a problem.

To be fair, legislating on this issue is dicey, precisely because it will set off a constitutional challenge. But it should happen, if only because the Executive’s claims about Navy v. Egan go beyond what SCOTUS actually said.

Mandate and fund improved communication system

Update, after I posted MK reminded me I meant to include this.

If Congress is serious about this, then they will mandate and fund State to fix their decades-long communications problems.

But they won’t do that. Even 4 years after the Benghazi attack they’ve done little to improve security at State facilities.

Update: One thing that came up in today’s Comey hearing is that the FBI does not routinely tape non-custodial interviews (and fudges even with custodial interviews, even though DOJ passed a policy requiring it). That’s one more thing Congress could legislate! They could pass a simple law requiring FBI to start taping interviews.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Why Doesn’t Dianne Feinstein Want to Prevent Murders Like those Robert Dear Committed?

In response to Chris Murphy’s 15 hour filibuster, Democrats will get a vote on several gun amendments to an appropriations bill, one mandating background checks for all gun purchases, another doing some kind of check to ensure the purchaser is not a known or suspected terrorist.

The latter amendment is Dianne Feinstein’s (see Greg Sargent’s piece on it here). It started as a straight check against the No Fly list (which would not have stopped Omar Mateen from obtaining a gun), but now has evolved. It now says the Attorney General,

may deny the transfer of a firearm if [she] determines, based on the totality of the circumstances, that the transferee represents a threat to public safety based on a reasonable suspicion that the transferee is engaged, or has been engaged, in conduct constituting, in preparation for, in aid of, or related to terrorism, or providing material support or resources therefor.

[snip]

The Attorney General shall establish, within the amounts appropriated, procedures to ensure that, if an individual who is, or within the previous 5 years has been, under investigation for conduct related to a Federal crime of terrorism, as defined in section 2332b(g)(5) of title 18, United States Code, attempts to purchase a firearm, the Attorney General or a designee of the Attorney General shall be promptly notified of the attempted purchase.

The way it would work is a background check would trigger a review of FBI files; if those files showed any “investigation” into terrorism, the muckety mucks would be notified, and they could discretionarily refuse to approve the gun purchase, which they would almost always do for fear of being responsible if something happened.

The purchaser could appeal through the normal appeals process (which goes first to the AG and then to a District Court), but,

such remedial procedures and judicial review shall be subject to procedures that may be developed by the Attorney General to prevent the unauthorized disclosure of information that reasonably could be expected to result in damage to national security or ongoing law enforcement operations, including but not limited to procedures for submission of information to the court ex parte as appropriate, consistent of due process.

Given that an AG recently deemed secret review of Anwar al-Awlaki’s operational activities to constitute enough due process to execute him, the amendment really should be far more specific about this (including requiring the government to use CIPA). When you give the Executive prerogative to withhold information, they tend to do so, well beyond what is adequate to due process.

But there are two other problems with this amendment, one fairly minor, one very significant.

First, minor, but embarrassing, given that Feinstein is on the Senate Judiciary Committee and Ranking Member Pat Leahy is a cosponsor. This amendment doesn’t define what “investigate” means, which is a term of art for the FBI (which triggers each investigative method to which level of investigation you’re at). Given that it is intended to reach someone like Omar Mateen, it must intend to extend to “Preliminary Investigations,” which “may be opened on the basis of any ‘allegation or information’ indicative of possible criminal activity or threats to national security.” Obviously, the Mateen killing shows that someone can exhibit a whole bunch of troubling behaviors and violence yet not proceed beyond the preliminary stage (though I suspect we’ll find the FBI missed a lot of what they should have found, had they not had a preconceived notion of what terrorism looks like and an over-reliance on informants rather than traditional investigation). But in reality, a preliminary investigation is a very very low level of evidence. Yet it would take a very brave AG to approve a gun purchase for someone who had hit a preliminary stage, because if that person were to go onto kill, she would be held responsible.

Also note, though, that I don’t think Syed Rizwan Farook had been preliminarily investigated before his attack last year, though he had been shown to have communicated with someone of interest (which might trigger an assessment). So probably, someone would try to extend it to “assessment” or “lead” stages, which would be an even crazier level of evidence. By not carefully defining what “investigate” means, then, the amendment invites a slippery slope in the future to include those who communicate with people of interest (which is partly what the Terrorist Watch — not No-Fly — list consists of now).

Here’s the bigger problem. As I’ve noted repeatedly, our definition of terrorism (which is the one used in this amendment) includes a whole bunch of biases, which not only disproportionately affect Muslims, but also leave out some of our most lethal kinds of violence. For example, the law treats bombings as terrorist activities, but not mass shootings (so effectively, this law would seem to force actual terrorists into pursuing bombings, because they’d still be able to get those precursors). It is written such that animal rights activists and some environmentalists get treated as terrorists, but not most right wing hate groups. So for those reasons, the law would not reach a lot of scary people with guns who might pose as big a threat as Mateen or Farook.

Worse, the amendment reaches to material support for terrorism, which in practice (because it is almost always applied only for Muslim terrorist groups) has a significantly disproportionate affect on Muslims. In Holder v Humanitarian Law Project, SCOTUS extended material support to include speech, and Muslims have been prosecuted for translating violent videos and even RTing an ISIS tweet. Speech (and travel) related “material support” don’t even have to extend to formal terrorist organizations, meaning certain kinds of anti-American speech or Middle East travel may get you deemed a terrorist.

In other words, this amendment would deprive Muslims simply investigated (possibly even just off a hostile allegation) for possibly engaging in too much anti-American speech of guns, but would not keep guns away from anti-government or anti-choice activists advocating violence.

Consider the case of anti-choice Robert Dear, the Colorado Springs Planned Parenthood killer. After a long delay (in part because his mass killing in the name of a political cause was not treated as terrorism), we learned that Dear had previously engaged in sabotage of abortion clinics (which might be a violation of FACE but which is not treated as terrorism), and had long admired clinic killer Paul Hill and the Army of God. Not even Army of God’s ties to Eric Rudolph, the 1996 Olympics bomber, gets them treated as a terrorist group that Dear could then have been deemed materially supporting. Indeed, it was current Deputy Attorney General Sally Yates who chose not to add any terrorism enhancement to Rudolph’s prosecution. Dear is a terrorist, but because his terrorism doesn’t get treated as such, he’d still have been able to obtain guns legally under this amendment.

For a whole lot of political reasons, Muslims engaging in anti-American rants can be treated as terrorists but clinic assassins are not, and because of that, bills like this would not even keep guns out of the hands of some of the most dangerous, organizationally networked hate groups.

Now, I actually have no doubt that Feinstein would like to keep guns out of the hands of people like Robert Dear and — especially given her personal tie to Harvey Milk’s assassination — out of the hands of violent homophobes. But this amendment doesn’t do that. Rather, it predominantly targets just one group of known or suspected “terrorists.” And while the instances of Islamic extremists using guns have increased in recent years (as more men attempt ISIS-inspired killings of soft targets), they are still just a minority of the mass killings in this country.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The SSCI Contemplates Splitting CyberCommand from DIRNSA

The Intercept’s Jenna McLaughlin liberated a copy of the Senate Intelligence Committee’s Intelligence Authorization for 2017 which was passed out of committee a few weeks back. There are two really shitty things — a move to enable FBI to get Electronic Communications Transaction Records with NSLs again (which I’ll return to) and a move to further muck up attempts to close Gitmo.

But there are a remarkable number of non-stupid things in the bill.

I’m particularly interested in this language.

Screen Shot 2016-06-10 at 9.01.03 AM

Unless I’m completely misreading it, this section would require the Director of NSA to be a separate person from the head of CyberCommand. It would require Admiral Mike Rogers’ current dual hat to be split.

Correction: DIRNSA and CyberCom would only need to be split if CyberCom gets elevated to be a full combatant command.

That’s a recommendation the President’s own Review Group made back in 2013, only to have the President pre-empt PRG’s recommendation before they could publicize it. It would also likely have some impact on NSA’s decision, earlier this year, to combine the Information Assurance Directorate — NSA’s defensive organization — in with its offensive mission.

Frankly, I think our entire cybersecurity approach deserves a more open debate. The IC has done a pretty crummy job at defending us from attacks, and it’s not clear what purpose their secrecy about that serves.

But I am intrigued that SSCI seems to think NSA should retain its defensive capability, independent of all its offensive ones.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Why Is the Government Poison-Pilling ECPA Reform?

Back in 2009, the Obama Administration had Jeff Sessions gut an effort by Dianne Feinstein to gut an effort by Patrick Leahy to gut an effort by Russ Feingold to halt the phone and Internet dragnet programs (as well as, probably, some Post Cut Through Dialed Digit collections we don’t yet know about).

See what Jeff Sesssions–I mean Barack Obama–did in complete secrecy and behind the cover of Jeff Sessions’ skirts the other night?

They absolutely gutted the minimization procedures tied to pen registers! Pen registers are almost certainly the means by which the government is conducting the data mining of American people (using the meta-data from their calls and emails to decide whether to tap them fully). And Jeff Sesssions–I mean Barack Obama–simply gutted any requirement that the government get rid of all this meta-data when they’re done with it. They gutted any prohibitions against sharing this information widely. In fact, they’ve specified that judges should only require minimization procedures in extraordinary circumstances. Otherwise, there is very little limiting what they can do with your data and mine once they’ve collected it. [no idea why I was spelling Sessions with 3 ses]

At each stage of this gutting process, Feingold’s effort to end bulk collection got watered down until, with Sessons’ amendments, the Internet dragnet was permitted to operate as it had been. Almost the very same time this happened, NSA’s General Counsel finally admitted that every single record the agency had collected under the dragnet program had violated the category restrictions set back in 2004. Probably 20 days later, Reggie Walton would shut down the dragnet until at least July 2010.

But before that happened, the Administration made what appears to be — now knowing all that we know now — an effort to legalize the illegal Internet dragnet that had replaced the prior illegal Internet dragnet.

I think that past history provides an instructive lens with which to review what may happen to ECPA reform on Thursday. A version of the bill, which would require the government to obtain a warrant for any data held on the cloud, passed the House unanimously. But several amendments have been added to the bill in the Senate Judiciary Committee that I think are designed to serve as poison pills to kill the bill.

The first is language that would let the FBI resume obtaining Electronic Communication Transaction Records with just a National Security Letter (similar language got added to the Intelligence Authorization; I’ll return to this issue, which I think has been curiously reported).

The second is language that would provide a vast emergency exception to the new warrant requirement, as described by Jennifer Daskal in this post.

[T]here has been relatively little attention to an equally, if not more, troubling emergency authorization provision being offered by Sen. Jeff Sessions. (An excellent post by Al Gidari and op-ed by a retired DC homicide detective are two examples to the contrary.)

The amendment would allow the government to bypass the warrant requirement in times of claimed emergency. Specifically, it would mandate that providers turn over sought-after data in response to a claimed emergency from federal, state, or local law enforcement officials. Under current law, companies are permitted, but not required, to comply with such emergency — and warrantless — requests for data.

There are two huge problems with this proposal. First, it appears to be responding to a problem that doesn’t exist. Companies already have discretion to make emergency disclosures to governmental officials, and proponents of the legislation have failed to identify a single instance in which providers failed to disclose sought-after information in response to an actual, life-threatening emergency. To the contrary, the data suggest that providers do in fact regularly cooperate in response to emergency requests. (See the discussion here.)

Second, and of particular concern, the emergency disclosure mandate operates with no judicial backstop. None. Whatsoever. This is in direct contrast with the provisions in both the Wiretap Act and Foreign Intelligence Surveillance Act (FISA) that require companies to comply with emergency disclosure orders, but then also require subsequent post-hoc review by a court. Under the Wiretap Act, an emergency order has to be followed up with an application for a court authorization within 48 hours (see 18 U.S.C. § 2518(7)). And under FISA, an emergency order has to be followed with an application to the court within 7 days (see 50 U.S.C. § 1805(5)). If the order isn’t filed or the court application denied, the collection has to cease.

The proposed Sessions amendment, by contrast, allows the government to claim emergency and compel production of emails, without any back-end review.

Albert Gidari notes that providers are already getting a ton of emergency requests, and a good number of them turn out to be unfounded.

For the last 15 years, providers have routinely assisted law enforcement in emergency cases by voluntarily disclosing stored content and transactional information as permitted by section 2702 (b)(8) and (c)(4) of Title 18. Providers recently began including data about emergency disclosures in their transparency reports and the data is illuminating. For example, for the period January to June 2015, Google reports that it received 236 requests affecting 351 user accounts and that it produced data in 69% of the cases. For July to December 2015, Microsoft reports that it received 146 requests affecting 226 users and that it produced content in 8% of the cases, transactional information in 54% of the cases and that it rejected about 20% of the requests. For the same period, Facebook reports that it received 855 requests affecting 1223 users and that it produced some data in response in 74% of the cases. Traditional residential and wireless phone companies receive orders of magnitude more emergency requests. AT&T, for example, reports receiving 56,359 requests affecting 62,829 users. Verizon reports getting approximately 50,000 requests from law enforcement each year.

[snip]

Remember, in an emergency, there is no court oversight or legal process in advance of the disclosure. For over 15 years, Congress correctly has relied on providers to make a good faith determination that there is an emergency that requires disclosure before legal process can be obtained. Providers have procedures and trained personnel to winnow out the non-emergency cases and to deal with some law enforcement agencies for whom the term “emergency” is an elastic concept and its definition expansive.

Part of the problem, and the temptation, is that there is no nunc pro tunc court order or oversight for emergency requests or disclosures. Law enforcement does not have to show a court after the fact that the disclosure was warranted at the time; indeed, no one may ever know about the request or disclosure at all if it doesn’t result in a criminal proceeding where the evidence is introduced at trial. In wiretaps and pen register emergencies, the law requires providers to cut off continued disclosure if law enforcement hasn’t applied for an order within 48 hours.  But if disclosure were mandatory for stored content, all of a user’s content would be out the door and no court would ever be the wiser. At least today, under the voluntary disclosure rules, providers stand in the way of excessive or non-emergency disclosures.

[snip]

A very common experience among providers when the factual basis of an emergency request is questioned is that the requesting agency simply withdraws the request, never to be heard from again. This suggests that to some, emergency requests are viewed as shortcuts or pretexts for expediting an investigation. In other cases when questioned, agents withdraw the emergency request and return with proper legal process in hand shortly thereafter, which suggests it was no emergency at all but rather an inconvenience to procure process. In still other cases, some agents refuse to reveal the circumstances giving rise to the putative emergency. This is why some providers require written certification of an emergency and a short statement of the facts so as to create a record of events — putting it in writing goes a long way to ensuring an emergency exists that requires disclosure. But when all is in place, providers respond promptly, often within an hour because most have a professional, well-trained team available 7×24.

In other words, what seems to happen now, is law enforcement use emergency requests to go on fishing expeditions, some of which are thwarted by provider gatekeeping. Jeff Sessions — the guy who 7 years ago helped the Obama Administration preserve the dragnets — now wants to make it so these fishing expeditions will have no oversight at all, a move that would make ECPA reform meaningless.

The effort to lard up ECPA reform with things that make surveillance worse (not to mention the government’s disinterest in reforming ECPA since 2007, when it first started identifying language it wanted to reform) has my spidey sense tingling. The FBI has claimed, repeatedly, in sworn testimony, that since the 2010 Warshak decision in the Sixth Circuit, it has adopted that ruling everywhere (meaning that it has obtained a warrant for stored email). If that’s true, it should have no objection to ECPA reform. And yet … it does.

I’m guessing these emergency requests are why. I suspect, too, that there are some providers that we haven’t even thought of that are even more permissive when turning over “emergency” content than the telecoms.

 

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

CIA Achieves a Whole New Scale of Torture Evidence Destruction

I once made a list of all the evidence of torture the CIA or others in the Executive Branch destroyed.

I thought it time to start cataloging them, to keep them all straight.

  • Before May 2003: 15 of 92 torture tapes erased or damaged
  • Early 2003: Dunlavey’s paper trail “lost”
  • Before August 2004: John Yoo and Patrick Philbin’s torture memo emails deleted
  • June 2005: most copies of Philip Zelikow’s dissent to the May 2005 CAT memo destroyed
  • November 8-9, 2005: 92 torture tapes destroyed
  • July 2007 (probably): 10 documents from OLC SCIF disappear
  • December 19, 2007: Fire breaks out in Cheney’s office

(I put in the Cheney fire because it happened right after DOJ started investigating the torture tape destruction.)

Since that time, there have been at least two more:

  • CIA stealing back copies of cables implicating the President from SSCI servers
  • Someone modifying one of the black sites at which the 9/11 defendants were tortured, with Gitmo approval

But apparently, last summer, CIA’s Inspector General destroyed something else: both his disk-based and server based copies of the Torture Report.

But last August, a chagrined Christopher R. Sharpley, the CIA’s acting inspector general, alerted the Senate intelligence panel that his office’s copy of the report had vanished. According to sources familiar with Sharpley’s account, he explained it this way: When it received its disk, the inspector general’s office uploaded the contents onto its internal classified computer system and destroyed the disk in what Sharpley described as “the normal course of business.” Meanwhile someone in the IG office interpreted the Justice Department’s instructions not to open the file to mean it should be deleted from the server — so that both the original and the copy were gone.

At some point, it is not clear when, after being informed by CIA general counsel Caroline Krass that the Justice Department wanted all copies of the document preserved, officials in the inspector general’s office undertook a search to find its copy of the report. They discovered, “S***, we don’t have one,” said one of the sources briefed on Sharpley’s account.

Sharpley was apologetic about the destruction and promised to ask CIA director Brennan for another copy. But as of last week, he seems not to have received it; after Yahoo News began asking about the matter, he called intelligence committee staffers to ask if he could get a new copy from them.

Sharpley also told Senate committee aides he had reported the destruction of the disk to the CIA’s general counsel’s office, and Krass passed that information along to the Justice Department. But there is no record in court filings that department lawyers ever informed the judge overseeing the case that the inspector general’s office had destroyed its copy of the report.

Two key parts of this story: Sharpley appears to have no idea who decided to nuke the report off the IG server. Hmmmm.

And DOJ has been suppressing this detail in filings in the FOIAs for the Torture Report itself (which may be what led Dianne Feinstein to make an issue of it last week).

Click through if you want a really depressing list of all the ways Richard Burr is trying to disappear the report.

I guess I shouldn’t be surprised that the entire report got disappeared. But destroying the whole thing is rather impressive.

Update: Katherine Hawkins reminds of of another one: the hood Manadel al-Jamadi wore when he suffocated to death while being tortured disappeared under circumstances the CIA IG considered non-credible.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Richard Burr’s Encryption (AKA Cuckoo) Bill, Working Thread

A version of Richard Burr and Dianne Feinstein’s ill-considered encryption bill has been released here. They’re calling it the “Compliance with Court Orders Act of 2016,” but I think I’ll refer to it as the Cuckoo bill. This will be a working thread.

(2) Note the bill starts by suggesting economic prosperity relies on breaking encryption. There are many reasons that’s not true, most obviously that it will put US products at a disadvantage in other countries.

(2) Note this only applies to “providers of communications services and products (including software).” Does it apply to financial companies? Because they’re encrypting data between themselves that should be accessible to law enforcement. Does it apply to car companies? IoT companies?

(2) Note they mention “judicial order” and “court order” here. It’s clear (and becomes clearer later) that this includes orders that aren’t warrants, so FISA orders. Which suggests they’re having a problem with encryption under FISA too.

(3) The Cuckoo Bill builds in compensation. That’s one way companies could fight this: to make sure it would take a lot to render data intelligible.

(4) I suspect this license language would expand to do scary things with other “licensing” products.

(4) Note that they’ve expanded the definition of metadata to include “switching, processing, and transmitting” data. I bet that has already been done in secret somewhere.

(5) The language on destination and switching suggests they’re trying to include location data in metadata.

(6) Note the “order or warrant” language.

(6) The covered entity might include banks and cars, though not obviously so.

(8) An odd use of “original form” in decrypted definition.

(9) Wow, they even want to require entities to have to provide decrypted data in motion.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

On the Coming Showdown over Promiscuous Sharing of EO 12333 Data

A number of outlets are reporting that Ted Lieu and Blake Farenthold have written a letter to NSA Director Mike Rogers urging him not to implement the new data sharing effort reported by Charlie Savage back in February. While I’m happy they wrote the letter, they use a dubious strategy in it: they suggest their authority to intervene comes from Congress having “granted” NSA authority to conduct warrantless collection of data.

Congress granted the NSA extraordinary authority to conduct warrantless collection of communications and other data.2

2 See Foreign Intelligence Surveillance Act and the Patriot Act.

As an initial matter, they’ve sent this letter to a guy who’s not in the chain of approval for the change. Defense Secretary Ash Carter and Attorney General Loretta Lynch will have to sign off on the procedures developed by Director of National Intelligence James Clapper; they might consult with Rogers (if he isn’t the one driving the change), but he’s out of the loop in terms of implementing the decision.

Furthermore, the Congressionally granted authority to conduct warrantless surveillance under FISA has nothing to do with the authority under which NSA collects this data, EO 12333. In his story, Savage makes clear that the change relies on the [what he called “little-noticed,” which is how he often describes stuff reported here years earlier] changes Bush implemented in the wake of passage of FISA Amendments Act. As I noted in 2014,

Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.

The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,

In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.

In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.

Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.

In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.

What Bush did just as he finished moving most of Stellar Wind over to FISA authorities, was to make it permissible to share EO 12333 data with other intelligence agencies under the same kind of DNI/AG/DOD approval process already in place for surveillance. They’ve already been using this change (though as I note, in some ways the new version of EO 12333 made FAA sharing even more permissive than EO 12333 sharing). And Savage’s article describes that they’ve intended to roll out this further expansion since Obama’s first term.

Obama administration has been quietly developing a framework for how to carry it out since taking office in 2009.

[snip]

Intelligence officials began working in 2009 on how the technical system and rules would work, Mr. Litt said, eventually consulting the Defense and Justice Departments. This month, the administration briefed the Privacy and Civil Liberties Oversight Board, an independent five-member watchdog panel, seeking input. Before they go into effect, they must be approved by James R. Clapper, the intelligence director; Loretta E. Lynch, the attorney general; and Ashton B. Carter, the defense secretary.

“We would like it to be completed sooner rather than later,” Mr. Litt said. “Our expectation is months rather than weeks or years.”

All of which is to say that if Lieu and Farenthold want to stop this, they’re going to have to buckle down and prepare for a fight over separation of powers, because Congress has had limited success (the most notable successes being imposition of FAA 703-705 and Section 309 of last year’s intelligence authorization) in imposing limits on EO 12333 collection. Indeed, Section 309 is the weak protection Dianne Feinstein and Mark Udall were able to get for activities they thought should be covered under FAA.

Two more points. First, I suspect such expanded sharing is already going on between NSA and DEA. I’ve heard RUMINT that DEA has actually been getting far more data since shutting down their own dragnets in 2013. The sharing of “international” narcotics trade data has been baked into EO 12333 from the very start. So it would be unsurprising to have DEA replicate its dragnet using SPCMA. There’s no sign, yet, that DEA has been included under FAA certifications (and there’s not, as far as we know, an FAA narcotics certificate). But EO 12333 sharing with DEA would be easier to implement on the sly than FAA sharing. And once you’ve shared with DEA, you might as well share with everyone else.

Finally, this imminent change is why I was so insistent that SPCMA should have been in the Brennan Center’s report on privacy implications of EO 12333 collection. What the government was doing, explicitly, in 2007 when they rolled that out was making the US person participants in internationally collected data visible. We’ve seen inklings of how NSA coaches analysts to target foreigners to get at that US person content. The implications of basing targeting off of SPCMA enabled analysis under PRISM (which we know they do because DOJ turned over the SPCMA document, but not the backup, to FISC during the Yahoo challenge), currently, are that US person data can get selected because US persons are involved and then handed over to FBI with no limits on its access. Doing so under EO 12333 will only expand the amount of data available — and because of the structure of the Internet, a great deal of it is available.

Probably, the best way to combat this change is to vastly expand the language of FAA 703-705 to over US person data collected incidentally overseas during next year’s FAA reauthorization. But it will take language like that, because simply pointing to FISA will not change the Executive’s ability to change EO 12333 — even secretly! — at will.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.