Dianne Feinstein


Key Area of Dispute on Drone Numbers: Number of Strikes

Dianne Feinstein is out with a statement applauding that I Con the Record has released drone kill numbers that — she suggests — prove the spooks know something we don’t and that the number of civilian casualties hasn’t been that high.

“I want to commend the administration for taking this important step toward transparency by releasing information on the number of civilian deaths as a result of U.S. drone strikes. I believe more can be done, but this release of data is a good start.

“I’ve been calling on the administration to release drone strike data for years. Varying numbers have been tallied by outside organizations but as today’s report makes clear, the government has access to unique information to help determine the number of civilian deaths. The American people should be able to weigh the necessity of counterterrorism programs with as much information as possible.

“I do believe that great care is taken to avoid noncombatant casualties during drone strike operations. Since 2009, the Senate Intelligence Committee has devoted significant time and attention to targeted strikes by drones, with a specific focus on civilian casualties.

“While a single civilian death is one too many, I believe this program is more precise than many alternatives such as strikes with cruise missiles, where far more civilians would be at risk.”

A fair response to Feinstein, I think, is to point to this piece from the Human Rights Watch researcher who tallied their count of civilian deaths in Yemen. As she notes, counting just the cases she has investigated on the ground would say there were only 7 other civilian casualties later in Yemen and in other theaters.

The US strikes on Al-Majalah in December 2009 killed 14 fighters with Al-Qaeda in the Arabian Peninsula—but they also killed 41 Bedouin civilians, more than two-thirds of them women and children, according to a Yemeni government probe. In an investigation for Human Rights Watch, I tallied the same toll. Yet the US government has never publicly acknowledged the Al-Majalah killings. Instead, two classified diplomatic cables released by Wikileaks revealed, the Obama administration made a concerted effort to conceal its role in the attack.

The White House release on July 1 of casualty figures for airstrikes outside conventional war zones since 2009 should have shed light on how many civilians were killed in attacks such as the one in Al-Majalah. Instead, its data dump, at the start of a holiday weekend, continues President Barack Obama’s obfuscation of its lethal strike program against armed groups such as Islamic State and Al-Qaeda. Even if the government’s definition of a “combatant” were fully consistent with international law, which only applies to armed conflict situations, the release raises more questions than it answers.

[snip]

Did the US kill only 7 civilians in 466 strikes? In 2012-13, I led Human Rights Watch investigations into seven of the US counterterrorism strikes in Yemen from 2009 to 2013 that were alleged to have killed civilians. We visited strike sites when possible, examined the remnants of ordnance, and interviewed a range of witnesses, relatives, tribal leaders and Yemeni officials—corroborating our findings in ways that the DNI cannot simply dismiss. We found that at least 57 of those killed were civilians, along with possibly 14 others, 12 of them in a strike on a wedding convoy. Subtracting our numbers from the DNI’s minimum estimates leaves only seven civilian deaths in the 466 strikes that we did not investigate. That would be a remarkably low toll. But based on the obscure data the Obama administration revealed last week, we cannot know if it is accurate.

Viewed this way, it’s easy to see how ODNI’s numbers cannot add up. There must be some more basic reason their numbers are so different from every other outlet, having to do with methodology or scope. I’ve pointed to some potential explanations: CIA didn’t hand over all their numbers to ODNI, they didn’t include everything we’d include in terms of areas outside active hostilities, some strikes (and the al-Majalah one would be a likely candidate) were attributed to either the home country or some other ally (cough, KSA), even if the US conducted the strike; remember the US did a lot of “side payment” strikes in Pakistan to win the right to do our own strikes.

In other words, if “side payment” strikes — in Pakistan and Yemen (some of the latter of which may have been done for Saudi Arabia) — were the ones that killed a bunch of civilians, they might not show up in I Con the Record’s numbers.

But here’s how it would seem we could move forward: try to come to some agreement as to how many actual strikes there are.

As Micah Zenko pointed out, there is a very big discrepancy between the numbers of total strikes counted by NGOs and the government. Effectively, the Administration doesn’t count 18% of the known air strikes as their own (based off the NGO average).

It’s easy to see where a disagreement about individual casualties, and of what type, would come from, but not of airstrikes themselves. Unless airstrikes generally assumed to be US airstrikes are being counted as someone else’s.

Update: Fixed that Yemen would be the recipient of side payment strikes, not Saudi Arabia.

Some Legislative Responses to Clinton’s Email Scandal

The Republicans have reverted to their natural “Benghazi witchhunt” form in the wake of Jim Comey’s announcement Tuesday that Hillary Clinton and her aides should not be charged, with Comey scheduled to testify before the House Oversight Committee at 10 AM.

Paul Ryan wrote a letter asking James Clapper to withhold classified briefings from Hillary. And the House Intelligence Committee is even considering a bill to prevent people who have mishandled classified information from getting clearances.

In light of the FBI’s findings, a congressional staffer told The Daily Beast that the House Intelligence Committee is considering legislation that could block security clearances for people who have been found to have mishandled classified information in the past.

It’s not clear how many of Clinton’s aides still have their government security clearances, but such a measure could make it more difficult for them to be renewed, should they come back to serve in a Clinton administration.

“The idea would be to make sure that these rules apply to a very wide range of people in the executive branch,” the staffer said. (Clinton herself would not need a clearance were she to become president.)

It’s nice to see the same Republicans who didn’t make a peep when David Petraeus kept — and still has — his clearance for doing worse than Hillary has finally getting religion on security clearances.

But this circus isn’t really going to make us better governed or safer.

So here are some fixes Congress should consider:

Add some teeth to the Federal/Presidential Records Acts

As I noted on Pacifica, Hillary’s real crime was trying to retain maximal control over her records as Secretary of State — probably best understood as an understandable effort to withhold anything potentially personal combined with a disinterest in full transparency. That effort backfired spectacularly, though, because as a result all of her emails have been released.

Still, every single Administration has had at least a minor email scandal going back to Poppy Bush destroying PROFS notes pertaining to Iran-Contra.

And yet none of those email scandals has ever amounted to anything, and many of them have led to the loss of records that would otherwise be subject to archiving and (for agency employees) FOIA.

So let’s add some teeth to these laws — and let’s mandate and fund more rational archiving of covered records. And while we’re at it, let’s ensure that encrypted smart phone apps, like Signal, which diplomats in the field should be using to solve some of the communication problems identified in this Clinton scandal, will actually get archived.

Fix the Espionage Act (and the Computer Fraud and Abuse Act)

Steve Vladeck makes the case for this:

Congress has only amended the Espionage Act in detail on a handful of occasions and not significantly since 1950. All the while, critics have emerged from all corners—the academy, the courts, and within the government—urging Congress to clarify the myriad questions raised by the statute’s vague and overlapping terms, or to simply scrap it and start over. As the CIA’s general counsel told Congress in 1979, the uncertainty surrounding the Espionage Act presented “the worst of both worlds”:

On the one hand the laws stand idle and are not enforced at least in part because their meaning is so obscure, and on the other hand it is likely that the very obscurity of these laws serves to deter perfectly legitimate expression and debate by persons who must be as unsure of their liabilities as I am unsure of their obligations.

In other words, the Espionage Act is at once too broad and not broad enough—and gives the government too much and too little discretion in cases in which individuals mishandle national security secrets, maliciously or otherwise.

To underscore this point, the provision that the government has used to go after those who shared classified information with individuals not entitled to receive it (including Petraeus, Drake, and Manning), codified at 18 U.S.C. § 793(d), makes it a crime if:

Whoever, lawfully having possession of, access to, control over, or being entrusted with any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, instrument, appliance, or note relating to the national defense, or information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, transmits or causes to be communicated, delivered, or transmitted … to any person not entitled to receive it, or willfully retains the same and fails to deliver it on demand to the officer or employee of the United States entitled to receive it …

This provision is stunningly broad, and it’s easy to see how, at least as a matter of statutory interpretation, it covers leaking—when government employees (“lawfully having possession” of classified information) share that information with “any person not entitled to receive it.” But note how this doesn’t easily apply to Clinton’s case, as her communications, however unsecured, were generally with staffers who were “entitled to receive” classified information.

Instead, the provision folks have pointed to in her case is the even more strangely worded § 793(f), which makes it a crime for:

Whoever, being entrusted with or having lawful possession or control of [any of the items mentioned in § 793(d)], (1) through gross negligence permits the same to be removed from its proper place of custody or delivered to anyone in violation of his trust, or to be lost, stolen, abstracted, or destroyed, or (2) having knowledge that the same has been illegally removed from its proper place of custody or delivered to anyone in violation of its trust, or lost, or stolen, abstracted, or destroyed … fails to make prompt report of such loss, theft, abstraction, or destruction to his superior officer …

Obviously, it’s easy to equate Clinton’s “extreme carelessness” with the statute’s “gross negligence.” But look closer: Did Clinton’s carelessness, however extreme, “[permit] … [classified information] to be removed from its proper place of custody or delivered to anyone in violation of [her] trust”? What does that even mean in the context of intangible information discussed over email? The short answer is nobody knows: This provision has virtually never been used at least partly because no one is really sure what it prohibits. It certainly appears to be focused on government employees who dispossess the government of classified material (like a courier who leaves a satchel full of secret documents in a public place). But how much further does it go?

There’s an easy answer here, and it’s to not use Clinton as a test case for an unprecedented prosecution pursuant to an underutilized criminal provision, even if some of us think what she did was a greater sin than the conduct of some who have been charged under the statute. The better way forward is for Congress to do something it’s refused to do for more than 60 years: carefully and comprehensively modernize the Espionage Act, and clarify exactly when it is, and is not, a crime to mishandle classified national security secrets.

Sadly, if Congress were to legislate the Espionage Act now, they might codify the attacks on whistleblowers. But they should not. They should distinguish between selling information to our adversaries and making information public. They should also make it clear that intent matters — because in the key circuit, covering the CIA, the Pentagon, and many contractors, intent hasn’t mattered since the John Kiriakou case.

Eliminate the arbitrariness of the clearance system

But part of that should also involve eliminating the arbitrary nature of the classification system.

I’ve often pointed to how, in the Jeffrey Sterling case, the only evidence he would mishandle classified information was his retention of 30-year old instructions on how to dial a rotary phone, something far less dangerous than what Hillary did.

Equally outrageous, though, is that four of the witnesses who may have testified against Sterling, probably including Bob S who was the key witness, have also mishandled classified information in the past. Those people not only didn’t get prosecuted, but they were permitted to serve as witnesses against Sterling without their own indiscretions being submitted as evidence. As far as we know, none lost their security clearance. Similarly, David Petraeus hasn’t lost his security clearance. But Ashkan Soltani was denied one and therefore can’t work at the White House countering cyberattacks.

Look, the classification system is broken, both because information is over-classified and because maintaining the boundaries between classified and unclassified is too unwieldy. That broken system is then magnified as people’s access to high-paying jobs are subjected to arbitrary review of security clearances. That’s only getting worse as the Intelligence Community ratchets up the Insider Threat program (rather than, say, technical means) to forestall another Manning or Snowden.

The IC has made some progress in recent years in shrinking the universe of people who have security clearances, and the IC is even making moves toward fixing classification. But the clearance system needs to be more transparent to those within it and more just.

Limit the President’s arbitrary authority over classification

Finally, Congress should try to put bounds to the currently arbitrary and unlimited authority Presidents claim over classified information.

As a reminder, the Executive Branch routinely cites the Navy v. Egan precedent to claim unlimited authority over the classified system. They did so when someone (it’s still unclear whether it was Bush or Cheney) authorized Scooter Libby to leak classified information — probably including Valerie Plame’s identity — to Judy Miller. And they did so when telling Vaughn Walker he could not require the government to give al Haramain’s lawyers clearance to review the illegal wiretap log they had already seen before handing it over to the court.

And these claims affect Congress’ ability to do their job. The White House used CIA as cover to withhold a great deal of documents implicating the Bush White House in authorizing torture. Then, the White House backed CIA’s efforts to hide unclassified information, like the already-published identities of its torture-approving lawyers, with the release of the Torture Report summary. In his very last congressional speech, Carl Levin complained that he was never able to declassify a document on the Iraq War claims that Mohammed Atta met with a top Iraqi intelligence official in Prague.

This issue will resurface when Hillary, who I presume will still win this election, nominates some of the people involved in this scandal to serve in her White House. While she can nominate implicated aides — Jake Sullivan, Huma Abedin, and Cheryl Mills — for White House positions that require no confirmation (which is what Obama did with John Brennan, who was at that point still tainted by his role in torture), as soon as she names Sullivan to be National Security Advisor, as expected, Congress will complain that he should not have clearance.

She can do so — George Bush did the equivalent (remember he appointed John Poindexter, whose prosecution in relation to the Iran-Contra scandal was overturned on a technicality, to run the Total Information Awareness program).

There’s a very good question whether she should be permitted to do so. Even ignoring the question of whether Sullivan would appropriately treat classified information, it sets a horrible example for clearance holders who would lose their clearances.

But as far as things stand, she could. And that’s a problem.

To be fair, legislating on this issue is dicey, precisely because it will set off a constitutional challenge. But it should happen, if only because the Executive’s claims about Navy v. Egan go beyond what SCOTUS actually said.

Mandate and fund improved communication system

Update: After I posted, MK reminded me I meant to include this.

If Congress is serious about this, then they will mandate and fund State to fix their decades-long communications problems.

But they won’t do that. Even 4 years after the Benghazi attack they’ve done little to improve security at State facilities.

Update: One thing that came up in today’s Comey hearing is that the FBI does not routinely tape non-custodial interviews (and fudges even with custodial interviews, even though DOJ passed a policy requiring it). That’s one more thing Congress could legislate! They could pass a simple law requiring FBI to start taping interviews.

Why Doesn’t Dianne Feinstein Want to Prevent Murders Like those Robert Dear Committed?

In response to Chris Murphy’s 15 hour filibuster, Democrats will get a vote on several gun amendments to an appropriations bill, one mandating background checks for all gun purchases, another doing some kind of check to ensure the purchaser is not a known or suspected terrorist.

The latter amendment is Dianne Feinstein’s (see Greg Sargent’s piece on it here). It started as a straight check against the No Fly list (which would not have stopped Omar Mateen from obtaining a gun), but now has evolved. It now says the Attorney General,

may deny the transfer of a firearm if [she] determines, based on the totality of the circumstances, that the transferee represents a threat to public safety based on a reasonable suspicion that the transferee is engaged, or has been engaged, in conduct constituting, in preparation for, in aid of, or related to terrorism, or providing material support or resources therefor.

[snip]

The Attorney General shall establish, within the amounts appropriated, procedures to ensure that, if an individual who is, or within the previous 5 years has been, under investigation for conduct related to a Federal crime of terrorism, as defined in section 2332b(g)(5) of title 18, United States Code, attempts to purchase a firearm, the Attorney General or a designee of the Attorney General shall be promptly notified of the attempted purchase.

The way it would work is a background check would trigger a review of FBI files; if those files showed any “investigation” into terrorism, the muckety mucks would be notified, and they could discretionarily refuse to approve the gun purchase, which they would almost always do for fear of being responsible if something happened.

The purchaser could appeal through the normal appeals process (which goes first to the AG and then to a District Court), but,

such remedial procedures and judicial review shall be subject to procedures that may be developed by the Attorney General to prevent the unauthorized disclosure of information that reasonably could be expected to result in damage to national security or ongoing law enforcement operations, including but not limited to procedures for submission of information to the court ex parte as appropriate, consistent of due process.

Given that an AG recently deemed secret review of Anwar al-Awlaki’s operational activities to constitute enough due process to execute him, the amendment really should be far more specific about this (including requiring the government to use CIPA). When you give the Executive prerogative to withhold information, they tend to do so, well beyond what is adequate to due process.

But there are two other problems with this amendment, one fairly minor, one very significant.

First, minor, but embarrassing, given that Feinstein is on the Senate Judiciary Committee and Ranking Member Pat Leahy is a cosponsor. This amendment doesn’t define what “investigate” means, which is a term of art for the FBI (which ties each investigative method to the level of investigation you’re at). Given that it is intended to reach someone like Omar Mateen, it must intend to extend to “Preliminary Investigations,” which “may be opened on the basis of any ‘allegation or information’ indicative of possible criminal activity or threats to national security.” Obviously, the Mateen killing shows that someone can exhibit a whole bunch of troubling behaviors and violence yet not proceed beyond the preliminary stage (though I suspect we’ll find the FBI missed a lot of what they should have found, had they not had a preconceived notion of what terrorism looks like and an over-reliance on informants rather than traditional investigation). But in reality, a preliminary investigation is a very, very low level of evidence. Yet it would take a very brave AG to approve a gun purchase for someone who had hit a preliminary stage, because if that person were to go on to kill, she would be held responsible.

Also note, though, that I don’t think Syed Rizwan Farook had been preliminarily investigated before his attack last year, though he had been shown to have communicated with someone of interest (which might trigger an assessment). So probably, someone would try to extend it to “assessment” or “lead” stages, which would be an even crazier level of evidence. By not carefully defining what “investigate” means, then, the amendment invites a slippery slope in the future to include those who communicate with people of interest (which is partly what the Terrorist Watch — not No-Fly — list consists of now).

Here’s the bigger problem. As I’ve noted repeatedly, our definition of terrorism (which is the one used in this amendment) includes a whole bunch of biases, which not only disproportionately affect Muslims, but also leave out some of our most lethal kinds of violence. For example, the law treats bombings as terrorist activities, but not mass shootings (so effectively, this law would seem to force actual terrorists into pursuing bombings, because they’d still be able to get those precursors). It is written such that animal rights activists and some environmentalists get treated as terrorists, but not most right wing hate groups. So for those reasons, the law would not reach a lot of scary people with guns who might pose as big a threat as Mateen or Farook.

Worse, the amendment reaches to material support for terrorism, which in practice (because it is almost always applied only for Muslim terrorist groups) has a significantly disproportionate effect on Muslims. In Holder v Humanitarian Law Project, SCOTUS extended material support to include speech, and Muslims have been prosecuted for translating violent videos and even RTing an ISIS tweet. Speech (and travel) related “material support” don’t even have to extend to formal terrorist organizations, meaning certain kinds of anti-American speech or Middle East travel may get you deemed a terrorist.

In other words, this amendment would deprive Muslims simply investigated (possibly even just off a hostile allegation) for possibly engaging in too much anti-American speech of guns, but would not keep guns away from anti-government or anti-choice activists advocating violence.

Consider the case of anti-choice Robert Dear, the Colorado Springs Planned Parenthood killer. After a long delay (in part because his mass killing in the name of a political cause was not treated as terrorism), we learned that Dear had previously engaged in sabotage of abortion clinics (which might be a violation of FACE but which is not treated as terrorism), and had long admired clinic killer Paul Hill and the Army of God. Not even Army of God’s ties to Eric Rudolph, the 1996 Olympics bomber, gets them treated as a terrorist group that Dear could then have been deemed materially supporting. Indeed, it was current Deputy Attorney General Sally Yates who chose not to add any terrorism enhancement to Rudolph’s prosecution. Dear is a terrorist, but because his terrorism doesn’t get treated as such, he’d still have been able to obtain guns legally under this amendment.

For a whole lot of political reasons, Muslims engaging in anti-American rants can be treated as terrorists but clinic assassins are not, and because of that, bills like this would not even keep guns out of the hands of some of the most dangerous, organizationally networked hate groups.

Now, I actually have no doubt that Feinstein would like to keep guns out of the hands of people like Robert Dear and — especially given her personal tie to Harvey Milk’s assassination — out of the hands of violent homophobes. But this amendment doesn’t do that. Rather, it predominantly targets just one group of known or suspected “terrorists.” And while the instances of Islamic extremists using guns have increased in recent years (as more men attempt ISIS-inspired killings of soft targets), they are still just a minority of the mass killings in this country.

The SSCI Contemplates Splitting CyberCommand from DIRNSA

The Intercept’s Jenna McLaughlin liberated a copy of the Senate Intelligence Committee’s Intelligence Authorization for 2017 which was passed out of committee a few weeks back. There are two really shitty things — a move to enable FBI to get Electronic Communications Transaction Records with NSLs again (which I’ll return to) and a move to further muck up attempts to close Gitmo.

But there are a remarkable number of non-stupid things in the bill.

I’m particularly interested in this language.

[Image: screenshot of the bill language, “Screen Shot 2016-06-10 at 9.01.03 AM”]

Unless I’m completely misreading it, this section would require the Director of NSA to be a separate person from the head of CyberCommand. It would require Admiral Mike Rogers’ current dual hat to be split.

Correction: DIRNSA and CyberCom would only need to be split if CyberCom gets elevated to be a full combatant command.

That’s a recommendation the President’s own Review Group made back in 2013, only to have the President pre-empt PRG’s recommendation before they could publicize it. It would also likely have some impact on NSA’s decision, earlier this year, to combine the Information Assurance Directorate — NSA’s defensive organization — in with its offensive mission.

Frankly, I think our entire cybersecurity approach deserves a more open debate. The IC has done a pretty crummy job at defending us from attacks, and it’s not clear what purpose their secrecy about that serves.

But I am intrigued that SSCI seems to think NSA should retain its defensive capability, independent of all its offensive ones.

Why Is the Government Poison-Pilling ECPA Reform?

Back in 2009, the Obama Administration had Jeff Sessions gut an effort by Dianne Feinstein to gut an effort by Patrick Leahy to gut an effort by Russ Feingold to halt the phone and Internet dragnet programs (as well as, probably, some Post Cut Through Dialed Digit collections we don’t yet know about).

See what Jeff Sesssions–I mean Barack Obama–did in complete secrecy and behind the cover of Jeff Sessions’ skirts the other night?

They absolutely gutted the minimization procedures tied to pen registers! Pen registers are almost certainly the means by which the government is conducting the data mining of American people (using the meta-data from their calls and emails to decide whether to tap them fully). And Jeff Sesssions–I mean Barack Obama–simply gutted any requirement that the government get rid of all this meta-data when they’re done with it. They gutted any prohibitions against sharing this information widely. In fact, they’ve specified that judges should only require minimization procedures in extraordinary circumstances. Otherwise, there is very little limiting what they can do with your data and mine once they’ve collected it. [no idea why I was spelling Sessions with 3 ses]

At each stage of this gutting process, Feingold’s effort to end bulk collection got watered down until, with Sessions’ amendments, the Internet dragnet was permitted to operate as it had been. Almost the very same time this happened, NSA’s General Counsel finally admitted that every single record the agency had collected under the dragnet program had violated the category restrictions set back in 2004. Probably 20 days later, Reggie Walton would shut down the dragnet until at least July 2010.

But before that happened, the Administration made what appears to be — now knowing all that we know now — an effort to legalize the illegal Internet dragnet that had replaced the prior illegal Internet dragnet.

I think that past history provides an instructive lens with which to review what may happen to ECPA reform on Thursday. A version of the bill, which would require the government to obtain a warrant for any data held on the cloud, passed the House unanimously. But several amendments have been added to the bill in the Senate Judiciary Committee that I think are designed to serve as poison pills to kill the bill.

The first is language that would let the FBI resume obtaining Electronic Communication Transaction Records with just a National Security Letter (similar language got added to the Intelligence Authorization; I’ll return to this issue, which I think has been curiously reported).

The second is language that would provide a vast emergency exception to the new warrant requirement, as described by Jennifer Daskal in this post.

[T]here has been relatively little attention to an equally, if not more, troubling emergency authorization provision being offered by Sen. Jeff Sessions. (An excellent post by Al Gidari and op-ed by a retired DC homicide detective are two examples to the contrary.)

The amendment would allow the government to bypass the warrant requirement in times of claimed emergency. Specifically, it would mandate that providers turn over sought-after data in response to a claimed emergency from federal, state, or local law enforcement officials. Under current law, companies are permitted, but not required, to comply with such emergency — and warrantless — requests for data.

There are two huge problems with this proposal. First, it appears to be responding to a problem that doesn’t exist. Companies already have discretion to make emergency disclosures to governmental officials, and proponents of the legislation have failed to identify a single instance in which providers failed to disclose sought-after information in response to an actual, life-threatening emergency. To the contrary, the data suggest that providers do in fact regularly cooperate in response to emergency requests. (See the discussion here.)

Second, and of particular concern, the emergency disclosure mandate operates with no judicial backstop. None. Whatsoever. This is in direct contrast with the provisions in both the Wiretap Act and Foreign Intelligence Surveillance Act (FISA) that require companies to comply with emergency disclosure orders, but then also require subsequent post-hoc review by a court. Under the Wiretap Act, an emergency order has to be followed up with an application for a court authorization within 48 hours (see 18 U.S.C. § 2518(7)). And under FISA, an emergency order has to be followed with an application to the court within 7 days (see 50 U.S.C. § 1805(5)). If the order isn’t filed or the court application denied, the collection has to cease.

The proposed Sessions amendment, by contrast, allows the government to claim emergency and compel production of emails, without any back-end review.

Albert Gidari notes that providers are already getting a ton of emergency requests, and a good number of them turn out to be unfounded.

For the last 15 years, providers have routinely assisted law enforcement in emergency cases by voluntarily disclosing stored content and transactional information as permitted by section 2702 (b)(8) and (c)(4) of Title 18. Providers recently began including data about emergency disclosures in their transparency reports and the data is illuminating. For example, for the period January to June 2015, Google reports that it received 236 requests affecting 351 user accounts and that it produced data in 69% of the cases. For July to December 2015, Microsoft reports that it received 146 requests affecting 226 users and that it produced content in 8% of the cases, transactional information in 54% of the cases and that it rejected about 20% of the requests. For the same period, Facebook reports that it received 855 requests affecting 1223 users and that it produced some data in response in 74% of the cases. Traditional residential and wireless phone companies receive orders of magnitude more emergency requests. AT&T, for example, reports receiving 56,359 requests affecting 62,829 users. Verizon reports getting approximately 50,000 requests from law enforcement each year.

[snip]

Remember, in an emergency, there is no court oversight or legal process in advance of the disclosure. For over 15 years, Congress correctly has relied on providers to make a good faith determination that there is an emergency that requires disclosure before legal process can be obtained. Providers have procedures and trained personnel to winnow out the non-emergency cases and to deal with some law enforcement agencies for whom the term “emergency” is an elastic concept and its definition expansive.

Part of the problem, and the temptation, is that there is no nunc pro tunc court order or oversight for emergency requests or disclosures. Law enforcement does not have to show a court after the fact that the disclosure was warranted at the time; indeed, no one may ever know about the request or disclosure at all if it doesn’t result in a criminal proceeding where the evidence is introduced at trial. In wiretaps and pen register emergencies, the law requires providers to cut off continued disclosure if law enforcement hasn’t applied for an order within 48 hours.  But if disclosure were mandatory for stored content, all of a user’s content would be out the door and no court would ever be the wiser. At least today, under the voluntary disclosure rules, providers stand in the way of excessive or non-emergency disclosures.

[snip]

A very common experience among providers when the factual basis of an emergency request is questioned is that the requesting agency simply withdraws the request, never to be heard from again. This suggests that to some, emergency requests are viewed as shortcuts or pretexts for expediting an investigation. In other cases when questioned, agents withdraw the emergency request and return with proper legal process in hand shortly thereafter, which suggests it was no emergency at all but rather an inconvenience to procure process. In still other cases, some agents refuse to reveal the circumstances giving rise to the putative emergency. This is why some providers require written certification of an emergency and a short statement of the facts so as to create a record of events — putting it in writing goes a long way to ensuring an emergency exists that requires disclosure. But when all is in place, providers respond promptly, often within an hour because most have a professional, well-trained team available 7×24.

In other words, what seems to happen now is that law enforcement uses emergency requests to go on fishing expeditions, some of which are thwarted by provider gatekeeping. Jeff Sessions — the guy who 7 years ago helped the Obama Administration preserve the dragnets — now wants to make it so these fishing expeditions will have no oversight at all, a move that would make ECPA reform meaningless.

The effort to lard up ECPA reform with things that make surveillance worse (not to mention the government’s disinterest in reforming ECPA since 2007, when it first started identifying language it wanted to reform) has my spidey sense tingling. The FBI has claimed, repeatedly, in sworn testimony, that since the 2010 Warshak decision in the Sixth Circuit, it has adopted that ruling everywhere (meaning that it has obtained a warrant for stored email). If that’s true, it should have no objection to ECPA reform. And yet … it does.

I’m guessing these emergency requests are why. I suspect, too, that there are some providers that we haven’t even thought of that are even more permissive when turning over “emergency” content than the telecoms.

CIA Achieves a Whole New Scale of Torture Evidence Destruction

I once made a list of all the evidence of torture the CIA or others in the Executive Branch destroyed.

I thought it time to start cataloging them, to keep them all straight.

  • Before May 2003: 15 of 92 torture tapes erased or damaged
  • Early 2003: Dunlavey’s paper trail “lost”
  • Before August 2004: John Yoo and Patrick Philbin’s torture memo emails deleted
  • June 2005: most copies of Philip Zelikow’s dissent to the May 2005 CAT memo destroyed
  • November 8-9, 2005: 92 torture tapes destroyed
  • July 2007 (probably): 10 documents from OLC SCIF disappear
  • December 19, 2007: Fire breaks out in Cheney’s office

(I put in the Cheney fire because it happened right after DOJ started investigating the torture tape destruction.)

Since that time, there have been at least two more:

  • CIA stealing back copies of cables implicating the President from SSCI servers
  • Someone modifying one of the black sites at which the 9/11 defendants were tortured, with Gitmo approval

But apparently, last summer, CIA’s Inspector General destroyed something else: both his disk-based and server-based copies of the Torture Report.

But last August, a chagrined Christopher R. Sharpley, the CIA’s acting inspector general, alerted the Senate intelligence panel that his office’s copy of the report had vanished. According to sources familiar with Sharpley’s account, he explained it this way: When it received its disk, the inspector general’s office uploaded the contents onto its internal classified computer system and destroyed the disk in what Sharpley described as “the normal course of business.” Meanwhile someone in the IG office interpreted the Justice Department’s instructions not to open the file to mean it should be deleted from the server — so that both the original and the copy were gone.

At some point, it is not clear when, after being informed by CIA general counsel Caroline Krass that the Justice Department wanted all copies of the document preserved, officials in the inspector general’s office undertook a search to find its copy of the report. They discovered, “S***, we don’t have one,” said one of the sources briefed on Sharpley’s account.

Sharpley was apologetic about the destruction and promised to ask CIA director Brennan for another copy. But as of last week, he seems not to have received it; after Yahoo News began asking about the matter, he called intelligence committee staffers to ask if he could get a new copy from them.

Sharpley also told Senate committee aides he had reported the destruction of the disk to the CIA’s general counsel’s office, and Krass passed that information along to the Justice Department. But there is no record in court filings that department lawyers ever informed the judge overseeing the case that the inspector general’s office had destroyed its copy of the report.

Two key parts of this story: Sharpley appears to have no idea who decided to nuke the report off the IG server. Hmmmm.

And DOJ has been suppressing this detail in filings in the FOIAs for the Torture Report itself (which may be what led Dianne Feinstein to make an issue of it last week).

Click through if you want a really depressing list of all the ways Richard Burr is trying to disappear the report.

I guess I shouldn’t be surprised that the entire report got disappeared. But destroying the whole thing is rather impressive.

Update: Katherine Hawkins reminds me of another one: the hood Manadel al-Jamadi wore when he suffocated to death while being tortured disappeared under circumstances the CIA IG considered non-credible.

Richard Burr’s Encryption (AKA Cuckoo) Bill, Working Thread

A version of Richard Burr and Dianne Feinstein’s ill-considered encryption bill has been released here. They’re calling it the “Compliance with Court Orders Act of 2016,” but I think I’ll refer to it as the Cuckoo bill. This will be a working thread.

(2) Note the bill starts by suggesting economic prosperity relies on breaking encryption. There are many reasons that’s not true, most obviously that it will put US products at a disadvantage in other countries.

(2) Note this only applies to “providers of communications services and products (including software).” Does it apply to financial companies? Because they’re encrypting data between themselves that should be accessible to law enforcement. Does it apply to car companies? IoT companies?

(2) Note they mention “judicial order” and “court order” here. It’s clear (and becomes clearer later) that this includes orders that aren’t warrants, so FISA orders. Which suggests they’re having a problem with encryption under FISA too.

(3) The Cuckoo Bill builds in compensation. That’s one way companies could fight this: to make sure it would take a lot to render data intelligible.

(4) I suspect this license language would expand to do scary things with other “licensing” products.

(4) Note that they’ve expanded the definition of metadata to include “switching, processing, and transmitting” data. I bet that has already been done in secret somewhere.

(5) The language on destination and switching suggests they’re trying to include location data in metadata.

(6) Note the “order or warrant” language.

(6) The covered entity might include banks and cars, though not obviously so.

(8) An odd use of “original form” in decrypted definition.

(9) Wow, they even want to require entities to have to provide decrypted data in motion.

On the Coming Showdown over Promiscuous Sharing of EO 12333 Data

A number of outlets are reporting that Ted Lieu and Blake Farenthold have written a letter to NSA Director Mike Rogers urging him not to implement the new data sharing effort reported by Charlie Savage back in February. While I’m happy they wrote the letter, they use a dubious strategy in it: they suggest their authority to intervene comes from Congress having “granted” NSA authority to conduct warrantless collection of data.

Congress granted the NSA extraordinary authority to conduct warrantless collection of communications and other data.[2]

[2] See Foreign Intelligence Surveillance Act and the Patriot Act.

As an initial matter, they’ve sent this letter to a guy who’s not in the chain of approval for the change. Defense Secretary Ash Carter and Attorney General Loretta Lynch will have to sign off on the procedures developed by Director of National Intelligence James Clapper; they might consult with Rogers (if he isn’t the one driving the change), but he’s out of the loop in terms of implementing the decision.

Furthermore, the Congressionally granted authority to conduct warrantless surveillance under FISA has nothing to do with the authority under which NSA collects this data, EO 12333. In his story, Savage makes clear that the change relies on the [what he called “little-noticed,” which is how he often describes stuff reported here years earlier] changes Bush implemented in the wake of passage of FISA Amendments Act. As I noted in 2014,

Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.

The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,

In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.

In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.

Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.

In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.

What Bush did just as he finished moving most of Stellar Wind over to FISA authorities, was to make it permissible to share EO 12333 data with other intelligence agencies under the same kind of DNI/AG/DOD approval process already in place for surveillance. They’ve already been using this change (though as I note, in some ways the new version of EO 12333 made FAA sharing even more permissive than EO 12333 sharing). And Savage’s article describes that they’ve intended to roll out this further expansion since Obama’s first term.

Obama administration has been quietly developing a framework for how to carry it out since taking office in 2009.

[snip]

Intelligence officials began working in 2009 on how the technical system and rules would work, Mr. Litt said, eventually consulting the Defense and Justice Departments. This month, the administration briefed the Privacy and Civil Liberties Oversight Board, an independent five-member watchdog panel, seeking input. Before they go into effect, they must be approved by James R. Clapper, the intelligence director; Loretta E. Lynch, the attorney general; and Ashton B. Carter, the defense secretary.

“We would like it to be completed sooner rather than later,” Mr. Litt said. “Our expectation is months rather than weeks or years.”

All of which is to say that if Lieu and Farenthold want to stop this, they’re going to have to buckle down and prepare for a fight over separation of powers, because Congress has had limited success (the most notable successes being imposition of FAA 703-705 and Section 309 of last year’s intelligence authorization) in imposing limits on EO 12333 collection. Indeed, Section 309 is the weak protection Dianne Feinstein and Mark Udall were able to get for activities they thought should be covered under FAA.

Two more points. First, I suspect such expanded sharing is already going on between NSA and DEA. I’ve heard RUMINT that DEA has actually been getting far more data since shutting down their own dragnets in 2013. The sharing of “international” narcotics trade data has been baked into EO 12333 from the very start. So it would be unsurprising to have DEA replicate its dragnet using SPCMA. There’s no sign, yet, that DEA has been included under FAA certifications (and there’s not, as far as we know, an FAA narcotics certificate). But EO 12333 sharing with DEA would be easier to implement on the sly than FAA sharing. And once you’ve shared with DEA, you might as well share with everyone else.

Finally, this imminent change is why I was so insistent that SPCMA should have been in the Brennan Center’s report on privacy implications of EO 12333 collection. What the government was doing, explicitly, in 2007 when they rolled that out was making the US person participants in internationally collected data visible. We’ve seen inklings of how NSA coaches analysts to target foreigners to get at that US person content. The implications of basing targeting off of SPCMA enabled analysis under PRISM (which we know they do because DOJ turned over the SPCMA document, but not the backup, to FISC during the Yahoo challenge), currently, are that US person data can get selected because US persons are involved and then handed over to FBI with no limits on its access. Doing so under EO 12333 will only expand the amount of data available — and because of the structure of the Internet, a great deal of it is available.

Probably, the best way to combat this change is to vastly expand the language of FAA 703-705 to cover US person data collected incidentally overseas during next year’s FAA reauthorization. But it will take language like that, because simply pointing to FISA will not change the Executive’s ability to change EO 12333 — even secretly! — at will.

As Recently as 2012, FBI Didn’t Think Your Phone Number Was Your Identity

Last week, Charlie Savage liberated additional disclosures on three IG reports he liberated last year: the 2007 NSL report, the 2009 Stellar Wind report, and a 2012 DOJ IG Section 702 report. With the NSL report, DOJ disclosed numbers that I believe were otherwise public or intuitable. With the Stellar Wind report, DOJ disclosed additional information on how the Department was dodging its obligation to notify defendants of the surveillance behind their cases; I hope to return to this issue.

By far the most important new disclosure, however, pertains to the FBI’s reporting on reports on US persons identified under Section 702 (see pages 17-18, highlighted by Savage here). Introducing the Executive Summary description of whether FBI was fulfilling reporting requirements, the report explained that the IG had adopted a fairly strict understanding of what constituted a US person dissemination.

Although the key passage is redacted (and the report body on this topic is almost entirely redacted), it’s clear that the IG considered a report that identified a US person via something other than his or her name, without sharing the content of communications, to constitute a report “with respect to” 702 acquisitions.

The FBI had been arguing about these definitions internally  and with DOJ’s IG since at least 2006, when it failed to comply with the legally mandated requirement for new minimization procedures to go with Section 215.  One way to understand an early version of the debate is whether, by retaining call records that don’t include a name but do include phone numbers that clearly belong to a specific person, the FBI was retaining US person identifying information. For obvious reasons — because if their minimization procedures treated a phone number as US person identifying information, then it would mean it couldn’t retain 5 years of phone records — FBI didn’t want to treat a person’s unique identifiers as person identifying information. The minimization procedures adopted in 2013 must mirror this problem given that FBI and NSA kept those records for another two years.

It appears the IG found the FBI’s reporting lacking in several ways: the FBI did not include Section 702-related reports that identify a US person if that person (which I assume to mean that person’s identity) was identified via other means, and the IG argued FBI should also count reports if the US person information in them was publicly available. In addition, the IG considered a metadata reference to also constitute a US person reference.

This suggests the FBI was, until 2012, at least, not including the sharing of an email or even a report that identified the person tied to an email if it found that email, but not that person’s identity, via Section 702 in its reports to Congress. Imagine, for example, if FBI didn’t consider my emptywheel  email personally identifying of me, emptywheel, until such time as it publicly tied that email address to me. It would be bullshit, but we know that seems to be the kind of game FBI was and probably still is playing.

I’m particularly interested in this because of a speech Dianne Feinstein made in December 2012 — presumably after FBI had made whatever response they might make to this IG report — that named a number of people as if they had been IDed using Section 702. But when several of them demanded notice of Section 702 surveillance, none of them got it, and Feinstein and the Senate’s lawyer insisted they could not make anything of her insinuation that Section 702 had discovered them.

In other words, the two standards at issue here — the minimization procedures standard and the notice one — may be implicated in DOJ’s opaque notice guidelines. We don’t know whether it is or not, of course, but if it is, it would suggest that DOJ is limiting 702 notices based on what kinds of identifiers 702 produces.

1/13: Tweaked this post for clarity. In addition, note these letters from the Brennan Center which relate to this issue.

James Clapper’s Twisted Definition of an Insider Threat

Back when I reviewed the goodies the House Intelligence Committee had given James Clapper in this year’s Intelligence Authorization, I noted the bill eliminated this report on potential conflicts in outside employment (see clause u).

The Director of National Intelligence shall annually submit to the congressional intelligence committees a report describing all outside employment for officers and employees of elements of the intelligence community that was authorized by the head of an element of the intelligence community during the preceding calendar year.

That change — which will make it harder for people to track the kinds of conflicts of interest a number of top NSA officials recently got caught with — survived in the Omnibus into which the Intelligence Authorization got integrated. Which probably means we’ll be seeing more spooks getting paid by contractors on the side.

Yesterday, WaPo described a reporting requirement that had been in the Senate Intelligence Authorization, but got watered down in the Omnibus: a report on promotions revealing whether those being promoted were “unfit or unqualified.”

Under a provision drafted by the Senate Intelligence Committee this year, intelligence agencies would have been required to regularly provide names of those being promoted to top positions and disclose any “significant and credible information to suggest that the individual is unfit or unqualified.”

As WaPo explained, the measure was an effort by Dianne Feinstein to prevent the kinds of things reported in the SSCI Torture Report, where people with a history of abuse were put in charge of interrogation programs, or the example of Alfreda Bikowsky (whom WaPo describes but doesn’t name), whose series of failures qualified her for increasingly senior positions at CIA. WaPo makes clear this kind of failing upwards continues at CIA.

More recently, a top CIA manager who had been removed from his job for abusive treatment of subordinates was reinstated this year as deputy chief for counterintelligence at the Counterterrorism Center.

In short, the measure was meant to ensure that CIA (and other agencies) weren’t led by a bunch of abusive incompetents. But James Clapper couldn’t allow that apparently, because abusive incompetents would apparently decline promotion if they would be revealed to oversight committees as abusive incompetents.

U.S. officials offered multiple explanations for Clapper’s objections. Several said that his main concern was the bureaucratic workload that would be generated by legislation requiring so much detail about potentially hundreds of senior employees across the U.S. intelligence community.

But others said that U.S. spy chiefs chafed at the idea of subjecting their top officials to such congressional scrutiny and went so far as to warn that candidates for certain jobs would probably withdraw.

Lawmakers were told that “some intelligence personnel would be reluctant to seek promotions out of concern that information about them would be presented to the Hill,” said a U.S. official involved in the discussions.

So he balked and Congress watered down the requirement. Here’s what remains of the measure:

(a) DIRECTIVE REQUIRED.—The Director of National Intelligence shall issue a directive containing a written policy for the timely notification to the congressional intelligence committees of the identities of individuals occupying senior level positions within the intelligence community.

The fine print on the requirement probably provides ways for Clapper to squish out of it in many cases by invoking covert status (which, in turn, likely means CIA will expand its current practice of pretending top managers are covert to protect them from scrutiny) or otherwise claiming senior people are not sufficiently senior to require notice.

So rather than preventing the CIA and other agencies from promoting abusive incompetents, the measure will likely lead to them being hidden further behind CIA’s secrecy.

Which is interesting, especially given another Intel Authorization measure that survived in the Omnibus, that I earlier described as an effort to make sure spooks and those in sensitive positions aren’t joining EFF or similar organizations.

The committee description of this section explains it will require DNI to do more checks on spooks (actually spooks and “sensitive” positions, which isn’t full clearance).

Section 306 directs the Director of National Intelligence (DNI) to develop and implement a plan for eliminating the backlog of overdue periodic investigations, and further requires the DNI to direct each agency to implement a program to provide enhanced security review to individuals determined eligible for access to classified information or eligible to hold a sensitive position.

These enhanced personnel security programs will integrate information relevant and appropriate for determining an individual’s suitability for access to classified information; be conducted at least 2 times every 5 years; and commence not later than 5 years after the date of enactment of the Fiscal Year 2016 Intelligence Authorization Act, or the elimination of the backlog of overdue periodic investigations, whichever occurs first.

Among the things ODNI will use to investigate its spooks are social media, commercial data sources, and credit reports. Among the things it is supposed to track is “change in ideology.” I’m guessing they’ll do special checks for EFF stickers and hoodies, which Snowden is known to have worn without much notice from NSA.

Remember, one complaint Clapper had about the gutted requirement he identify the abusive incompetents being promoted at intelligence agencies is the added bureaucracy of tracking just those being promoted in management ranks. But he apparently had no problem with a requirement that ODNI track the social media of everyone at all agencies to make sure they’re going to keep secrets and don’t harbor any “ideology” changes like support for the Bill of Rights.

That is, Clapper’s perfectly willing to expand his bureaucracy to look for leakers, but not to weed out the dangerously incompetent people ordering potential leakers around.

Apparently, to James Clapper, people who might leak about those unfit for management are more dangerous insider threats than having entire centers run by people unfit for management.
