Jason Leopold had an important update on the torture report that — because he’s doing rolling updates — hasn’t gotten sufficient attention.
Leopold obtained the contracting documents of the company, Centra, that drove up costs for the report by reviewing every document turned over to the Senate Intelligence Committee. But after he posted those documents, the CIA’s story about how much Centra got paid for those specific tasks changed. After 7 months of public claims that the then-unnamed contractor had gotten paid $40 million, the CIA all of a sudden changed its mind.
CIA spokesman Ryan Trapani disputed VICE News’ “interpretation” of the Centra contract.
“A significant portion of the contract cost pertained to services completely distinct from, and wholly unrelated to, the Senate Intelligence Committee review,” Trapani said, backtracking on the agency’s statement last year that the $40 million the agency spent was due entirely to “the committee’s demands of CIA in this investigation.” “In terms of the services performed in support of the committee review, CIA dedicated substantial resources to provide the committee unprecedented access to millions of pages of documents as expeditiously as possible, consistent with the security requirements for such highly classified, sensitive documents.”
That’s troubling because it runs counter to what everyone on SSCI believed, including then Chair Dianne Feinstein, who has been rebutting claims that the committee itself spent the money ever since it became public last year.
The overwhelming majority of the $40 million cost was incurred by the CIA and was caused by the CIA’s own unprecedented demands to keep documents away from the committee. Rather than provide documents for the committee to review in its own secure Senate office—as is standard practice—the CIA insisted on establishing a separate leased facility and a “stand-alone” computer network for committee use.
Which raises the question of where the claim that the entirety of that $40 million was spent on the torture report came from — which Leopold notes in an update came from this footnote in the Republican views on the report (and by association, a 2012 letter from CIA’s then number 3, Sue Bromley).
Not only was Bromley CIA’s number 3 when she wrote the letter, but in the years in question, she cycled through as Deputy Director of the Counterterrorism Center.
V. Sue Bromley, an Agency veteran of 28 years, will become our new Associate Deputy Director. Sue has served as our Chief Financial Officer since June 2009. As a former OMB director, I can attest to her exceptional skill and diligence in managing one of the most complex budgets in government.
Before that, Sue helped lead our analytic effort for two years as Deputy Director for Intelligence. She has made vital contributions to the fight against al-Qa’ida and its violent allies, both as Deputy Director of the Counterterrorism Center and as Chief of the Operations and Management Staff in the National Clandestine Service, where she helped plan, justify, and distribute a large increase in funding for counterterrorism operations after the September 11th attacks.
Now, it’s possible that the Republicans just took her letter out of context and no one on the Democratic side checked their math. There are a lot of references in the minority report (heh) that don’t make sense.
But Bromley is a money gal. She shouldn’t be making mistakes about contracts, and certainly not to the scale that appears to have happened — all in such a way as to serve the pro-torture narrative which in turn serves to protect … the counterterrorism center.
At least according to the story the CIA is currently telling, everyone on the CIA’s oversight committee grossly misunderstood a $40 million expenditure.
I’ll have a piece in Salon shortly about the two hearings on whether FBI should be able to mandate back doors (they call them front doors because that fools some Senators about the security problems with that) in software.
One thing not in there, however, has to do with a bill the Senate Intelligence Committee is considering that would require Facebook and Twitter and other social media to report terrorist content to authorities. ABC News, quoting Richard Clarke (who hasn’t had an official role in government for some years but is on ABC’s payroll) reported that the social media companies were not now reporting terrorist content.
In the middle of the SSCI hearing on this topic, Dianne Feinstein asked Jim Comey whether social media companies were reporting such content. Comey said they are (he did say they’ve gotten far better of late). Feinstein asked whether there ought to be a law anyway, to mandate behavior the companies are already doing. Comey suggested it wasn’t necessary. Feinstein said maybe they should mandate it anyway, like they do for child porn.
All of which made it clear that such a law is unnecessary, even before you get into the severe problems with the law (such as defining who is a terrorist and what counts as terrorist content).
SSCI will probably pass it anyway, because that’s how they respond to threats of late: by passing legislation that won’t address it.
Note, Feinstein also got visibly and audibly and persistently pissed at Ron Wyden for accurately describing what Deputy Attorney General Sally Yates had said she wanted in an earlier hearing: for providers to have keys that the FBI could use. Feinstein seems to believe good PR will eliminate all the technical problems with a back door plan, perhaps because then she won’t be held responsible for making us less secure as a result.
Update: The measures is here, in the Intelligence Authorization.
Update: Title changed for accuracy.
By my calculation today marks the 91st day of the life of phone dragnet order BR 15-24, making it the longest running dragnet order ever. Though the order offered no explanation, FISC judge James Boasberg approved a 95-day expiration for this order back on February 26 so the dragnet order expiration would coincide with PATRIOT Act’s sunset.
It probably seemed wise at the time, but it definitely exacerbates the impact of Mitch McConnell’s miscalculation last week, as it means there’s is no grace period after the current order expires.
The 90-day renewals appear to arise out of both the Stellar Wind practice and the FISA Pen Register practice. Under the former, the Bush Administration reviewed the dragnet every 45 days to make sure it was still necessary and give it the appearance of oversight. (The renewal dates appear on this timeline.) When FISC approved the use of the Pen Register statute to collect the Internet dragnet, it adhered to that statute’s renewal process, which requires 90-day renewals. I assume the phone dragnet adopted the same, even though Section 215 has no renewal requirement, because the phone dragnet collected even more data than the Internet dragnet did.
So already, we’re a day longer than the spirit of the law should permit, four days before Sunday’s scheduled resolution (or lack thereof) of the current impasse.
Given Charlie Savage’s account, it appears the Administration did not — as ordered by Boasberg — brief the FISC on the impact of the 2nd Circuit decision if it would change the program. Rather, they’re just hiding out, hoping they don’t need to raise this or any other issue with regards to the dragnet with the FISC.
The Foreign Intelligence Surveillance Court had given the government a deadline of last Friday to file a new application to extend the bulk phone records program for 90 days. Given the disarray in the Senate and the looming deadline, the Justice Department did not file, the official said, speaking on condition of anonymity to discuss intelligence-related matters.
The administration is holding to its decision not to invoke the grandfather clause to keep collecting bulk phone records past next Monday, the official said. But the government has not ruled out invoking such a clause for using the business records provision — as well as the other two powers that are expiring — to gather specific records for more routine investigations.
“We will not use the grandfather clause in the Patriot Act to continue the bulk metadata collection program; it would not be tenable for us to do so,” the senior official said.
“Thus, because of the pending sunset of the current authority, we have not filed an application with the FISA court to continue collection,” the official said, referring to the Foreign Intelligence Surveillance Act court, also known as FISC.
The official added, “We will consider, in light of our national security needs and the status of our authorities, whether to make an appropriate filing with the FISC about accessing previously collected metadata.”
The administration is hoping to avoid any need to go to the court for permission to query already-acquired bulk phone data, which would raise additional legal complications.
But one plan being floated — Dianne Feinstein’s non-compromise compromise — would simply permit the FISC to extend the current order until a year after whenever her bill might be passed into law (which couldn’t be Sunday night), as if nothing had ever happened.
CONTINUED APPLICABILITY.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, the order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, may be extended by order of that court until the effective date established in subsection (a) [that is, one year after the passage of this bill]
In other words, Feinstein proposes to take a dragnet collecting the phone records of all Americans, and extend it for an entire year, when even a Pen Register targeting an individual would need to be formally renewed.
34 years ago Ronald Reagan issued the Executive Order that still governs most of our country’s intelligence activities, EO 12333.
As part of it, the EO required any agency using information concerning US persons to have a set of procedures laying out how it obtains, handles, and disseminates information (see the language of 2.3 below).
Only — as the Privacy and Civil Liberties Oversight Board started pointing out in August 2013 — some agencies have never complied. In February, PCLOB revealed the 4 agencies that are still flouting Reagan’s rules, along with what they have been using:
The Department of Homeland Security’s notoriously shoddy Office of Intelligence and Analysis: Pending issuance of final procedures, I&A is operating pursuant to Interim Intelligence Oversight Procedures, issued jointly by the Under Secretary for Intelligence and Analysis and the Associate General Counsel for Intelligence (April 3, 2008).
United States Coast Guard (USCG)- Intelligence and counterintelligence elements: Pending issuance of final procedures, operating pursuant to Commandant Instruction – COMDINST 3820.12, Coast Guard Intelligence Activities (August 28, 2003).
Department of Treasury Office of Intelligence and Analysis (OIA): Pending issuance of final procedures. While draft guidelines are being reviewed in the interagency approval process, the Office of Intelligence and Analysis conducts intelligence operations pursuant to EO 12333 and statutory responsibilities of the IC element, as advised by supporting legal counsel.
Drug Enforcement Administration, Office of National Security Intelligence (ONSI): Pending issuance of final procedures, operates pursuant to guidance of the Office of Chief Counsel, other guidance, and: Attorney General approved “Guidelines for Disclosure of Grand Jury and Electronic, Wire, and Oral Interception Information Identifying United States Persons” (September 23, 2002); Attorney General approved “Guidelines Regarding Disclosure to the Director of Central Intelligence and Homeland Security Officials of Foreign Intelligence Acquired in the Course of a Criminal Investigation” (September 23, 2002).
Last year’s House Intelligence Committee version of NSA reform (the one I called RuppRoge) would have included language requiring agencies to finish these procedures — mandated 34 years ago — within 6 months. And now, over a year later, Dianne Feinstein’s latest attempt at reform echoed that language.
Which strongly suggests these agencies are still deadbeats.
As I said in February, I’m most concerned about DEA (because DEA is out of control) and, especially, Treasury (because Treasury’s intelligence activities are a black box with little court review). Treasury is making judgements that can blacklist someone financially, but it has thus far refused to institute procedures to protect Americans’ privacy while it does so.
And no one seems to be rushing to require them to do so.
2.3 Collection of Information. Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order. Those procedures shall permit collection, retention and dissemination of the following types of information:
(a) Information that is publicly available or collected with the consent of the person concerned;
(b) Information constituting foreign intelligence or counterintelligence, including such information concerning corporations or other commercial organizations. Collection within the United States of foreign intelligence not otherwise obtainable shall be undertaken by the FBI or, when significant foreign intelligence is sought, by other authorized agencies of the Intelligence Community, provided that no foreign intelligence collection by such agencies may be undertaken for the purpose of acquiring information concerning the domestic activities of United States persons;
(c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation;
(d) Information needed to protect the safety of any persons or organizations, including those who are targets, victims or hostages of international terrorist organizations;
(e) Information needed to protect foreign intelligence or counterintelligence sources or methods from unauthorized disclosure. Collection within the United States shall be undertaken by the FBI except that other agencies of the Intelligence Community may also collect such information concerning present or former employees, present or former intelligence agency contractors or their present or former employees, or applicants for any such employment or contracting;
(f) Information concerning persons who are reasonably believed to be potential sources or contacts for the purpose of determining their suitability or credibility;
(g) Information arising out of a lawful personnel, physical or communications security investigation;
(h) Information acquired by overhead reconnaissance not directed at specific United States persons;
(i) Incidentally obtained information that may indicate involvement in activities that may violate federal, state, local or foreign laws; and
(j) Information necessary for administrative purposes.
In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.
I wanted to provide some background of how we got to this week’s PATRIOT Reauthorization debate to explain what I believe the surveillance boosters are really aiming for. Rather than a response to Edward Snowden, I think it is more useful to consider “reform” as an Intelligence Community effort to recreate functionalities they had and then lost in 2009.
That history starts in 2009, when NSA was still operating under the system they had established under Stellar Wind while pretending to abide by FISC rules.
At the beginning of 2009, the NSA had probably close to full coverage of phone records in the US, and coverage on the most important Internet circuits as well. Contrary to the explicit orders of the FISC, NSA was treating all this data as EO 12333 data, not PATRIOT data.
On the Internet side, it was acquiring data that it considered Dialing, Routing, Addressing, and Signaling information but which also constituted content (and which violated the category limits Colleen Kollar-Kotelly had first imposed).
On the phone side, NSA was not only treating PATRIOT data according to NSA’s more general minimization procedures as opposed to those dictated by the FISC. But in violation of those minimization procedures, NSA was submitting phone dragnet data to all the automated procedures it submitted EO 12333 data to, which included automated searches and automatic chaining on other identifiers believed to belong to the same user (the latter of which NSA calls “correlations”). Either these procedures consisted of — or the data was also treated to — pattern analysis, chaining users on patterns rather than calls made. Of key importance, one point of having all the data in the country was to be able to run this pattern analysis. Until 2008 (and really until 2009) they were sharing the results of this data in real time.
Having both types of data allowed the NSA to chain across both telephony and Internet data (obtained under a range of authorities) in the same query, which would give them a pretty comprehensive picture of all the communications a target was engaging in, regardless of medium.
I believe this bucolic state is where the surveillance hawks want us to return to. Indeed, to a large extent that’s what Richard Burr’s bill does (with a lot of obstructive measures to make sure this process never gets exposed again).
But when DOJ disclosed the phone violations to FISC in early 2009, they shut down all those automatic processes. And Judge Reggie Walton took over 6 months before he’d even let NSA have full ability to query the data.
Then, probably in October 2009, DOJ finally confessed to FISC that every single record NSA had collected under the Internet dragnet for five years violated Kollar-Kotelly’s category rules. Walton probably shut down the dragnet on October 30, 2009, and it remained shut down until around July 2010.
At this point, not only didn’t NSA have domestic coverage that included Internet and phone, but the phone dragnet was a lot less useful than all the other phone data NSA collected because NSA couldn’t use its nifty automatic tools on it.
We know that NSA convinced John Bates to not only turn the Internet dragnet back on around July 2010 (though it took a while before they actually turned it on), but to expand collection to some or all circuits in the US. He permitted that by interpreting anything that might be Dialing, Routing, Addressing, and Signaling (DRAS) to be metadata, regardless of whether it also was content, and by pointing back to the phone dragnet to justify the extension of the Internet dragnet. Bates’ fix was short-lived, however, because by 2011, NSA shut down that dragnet. I wildarseguess that may partly because DOJ knew it was still collecting content, and when Bates told NSA if it knew it was collecting content with upstream collection, it would be illegal (NSA destroyed the Internet dragnet data at the same time it decided to start destroying its illegal upstream data). I also think there may have been a problem with Bates’ redefinition of DRAS, because Richard Burr explicitly adopted Bates’ definition in his bill, which would have given Bates’ 2010 opinion congressional sanction. As far as we know, NSA has been coping without the domestic Internet dragnet by collecting on US person Internet data overseas, as well as off PRISM targets.
Remember, any residual problems the Internet dragnet had may have affected NSA’s ability to collect any IP-based calls or at least messaging.
Meanwhile, NSA was trying to replace the automated functions it had up until 2009, and on November 8, 2012, the NSA finally authorized a way to do that. But over the next year plus, NSA never managed to turn it on.
Meanwhile, the phone dragnet was collecting less and less of the data out there. My current theory is that the gap arose because of two things involving Verizon. First, in 2009, part or all of Verizon dropped its contract with the FBI to provide enhanced call records first set up in 2002. This meant it no longer had all its data collected in a way that was useful to FBI that it could use to provide CDRs (though Verizon had already changed the way it complied with phone records in 2007, which had, by itself, created some technical issues). In addition, I suspect that as Verizon moved to 4G technology it didn’t keep the same kind of records for 4G calls that transited its backbone (which is where the records come from, not from customer bills). The problems with the Internet dragnet may have exacerbated this (and in any case, the phone dragnet orders only ask for telephony metadata, not IP metadata).
Once you lose cell calls transiting Verizon’s backbone, you’ve got a big hole in the system.
At the same time, more and more people (and, disproportionately, terrorist targets) were relying more and more on IP-based communications — Skype, especially, but also texting and other VOIP calls. And while AT&T gets some of what crosses its backbone (and had and still has a contract for that enhanced call record service with the FBI, which means it will be accessible), a lot of that would not be available as telephony. Again, any limits on Internet collection may also impact IP based calls and messaging.
Which brings you to where the dragnets were in 2013, when Edward Snowden alerted us to their presence. The domestic PATRIOT-authorized Internet dragnet had been shut down (and with it, potentially, Internet-based calls and messaging). The phone dragnet still operated, but there were significant gaps in what the telecoms would or could turn over (though I suspect NSA still has full coverage of data that transits AT&T’s backbone). And that data couldn’t be subjected to all the nifty kinds of analysis NSA liked to subject call data to. Plus, complying with the FISC-imposed minimization procedures meant NSA could only share query results in limited situations and even then with some bureaucratic limits. Finally, it could only be used for counterterrorism programs, and such data analysis had become a critical part of all of NSA’s analysis, even including US collection.
And this is where I suspect all those stories about NSA already considering, in 2009 and in 2013, shutting down the dragnet. As both Ken Dilanian stories on this make clear, DOJ believed they could not achieve the same search results without a new law passed by Congress. Bob Litt has said the same publicly. Which makes it clear these are not plain old phone records.
So while Edward Snowden was a huge pain in the ass for the IC, he also provided the impetus to make a decision on the phone dragnet. Obama made a big show of listening to his Presidential Review Group and PCLOB, both of which said to get rid of it (the latter of which said it was not authorized by Section 215). But — as I noted at the time — moving to providers would fix some of their problems.
In their ideal world, here’s what we know the IC would like:
And the IC wants this while retaining Section 215’s use of bulky collections that can be cross-referenced with other data, especially the other Internet collection it conducts using Section 215, which makes up a majority of Section 215 orders.
Those 5 categories are how I’ve been analyzing the various solutions (which is one of about 10 reasons I’m so certain that Mitch McConnell would never want straight reauthorization, because there’s nothing that straight reauthorization would have ratified that would have fixed the existing problems with the dragnet), while keeping in mind that as currently constructed, the Internet 215 collection is far more important to the IC than the phone dragnet.
USA F-ReDux, as currently incarnated, would vastly expand data sharing, because data would come in through FBI (as PRISM data does) and FBI metadata rules are very permissive. And it would give collection on telephony and IP-based calls (probably not from all entities, but probably from Apple, Google, and Microsoft). It would not permit use for all intelligence purposes. And it is unclear how many of NSA’s analytical tools they’d be able to use (I believe they’d have access to the “correlations” function directly, because providers would have access internally to customers’ other accounts, but with the House report, other kinds of analysis should be prohibited, though who knows what AT&T and Microsoft would do with immunity). The House report clearly envisions federated queries, but they would be awkward to integrate with the outsourced collection.
Burr’s bill, on the other hand, would expand provider based querying to all intelligence uses. But even before querying might — maybe — probably wouldn’t — move to providers in 2 years, Burr’s bill would have immediately permitted NSA to obtain all the things they’d need to return to the 2009 bucolic era where US collected data had the same treatment as EO 12333 collected data. And Burr’s bill would probably permit federated queries with all other NSA data. This is why, I think, he adopted EO 12333 minimization procedures, which are far more restrictive than what will happen when data comes in via FBI, because since it will continue to come in in bulk, it needs to have an NSA minimization procedure. Burr’s bill would also sneak the Section 215 Internet collection back into NSL production, making that data more promiscuously available as well.
In other words, this is why so many hawks in the House are happy to have USA F-ReDux: because it is vastly better than the status quo. But it’s also why so many hawks in the Senate are unsatisfied with it: because it doesn’t let the IC do the other things — some of the analytical work and easy federated queries — that they’d like, across all intelligence functions. (Ironically, that means even while they’re squawking about ISIS, the capabilities they’d really like under Burr’s bill involve entirely other kinds of targets.)
A lot of the debate about a phone dragnet fix has focused on other aspects of the bill — on transparency and reporting and so on. And while I think those things do matter (the IC clearly wants to minimize those extras, and had gutted many of them even in last year’s bill), what really matters are those 5 functionalities.
Dianne Feinstein is the latest member of Congress to offer a non-compromise compromise to replace the compromise USA F-ReDux, this time with a bill that would:
This will be a working thread.
Update: Just to clarify, I believe Feinstein’s bill is almost certainly supposed to be the “face-saving” version of USA F-ReDux referred to in this article.
Feinstein accomplishes this:
Some leaders of the House Intelligence Committee, along with supporters in the Senate, hope they can assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in.
In Section 108, with the certification process.
Feinstein adds an odd data mandate — not listed in this story but a key complaint from Mitch and others — in Section 101 (page 4).
And Feinstein responds to this request,
Republicans have also expressed a desire to protect the phone companies against harassment from privacy activists over their participation in a new surveillance program.
By adopting the Section 215 dedicated Espionage Act at Section 501.
(3) DiFi’s bill explicitly permits the government to get call detail records in the old way.
(4) DiFi’s bill tweaks USA F-ReDux’s call chaining language for use with “individuals” who are not agents of foreign powers engaged in international terrorism. Those would be US persons.
(5) The data mandate is really fascinating. It only requires a company to retain data after getting a request but is vague about how much data must be retained (which is likely “all”).
(3) may include a request for an order that requires each recipient of the order under this section to retain the call detail records for up to 24 months from the date the call detail record was initially generated—
(A) if the request includes a certification made by the Director of the Federal Bureau of Investigation that the Government has reason to believe that the recipient of the order being applied for is not retaining call detail records for a period of up to 24 months and that the absence of call detail records for that period of time is resulting in, or is reasonably likely toresult in, the loss of foreign intelligence information relevant to an authorized investigation; and
(B) if the order provides that call detailrecords retained solely for purposes of complying with an order under this section may only be produced pursuant to an order under this section.
It’s an odd construct (though it does try to keep the records out of the hands of divorce lawyers, which I guess is good). Obviously, the government will have the records they actually ask for at any given time. So what it suggests is this will be a mandate on some or entire universe of the providers existing records so they can do pattern analysis.
(7) The scheme for call detail records is the same as in USA F-ReDux, but absent the HJC report language saying it can’t involve analysis I assume it does.
(12) DiFi retains the minimization procedures from USA F-ReDux.
(14) The bill adds immunity for records retention.
(17) The “limitation” language is different, and adds “indiscriminate.” Again, this still uses the IC definition of bulk, though, which is meaningless, even modified by “indiscriminate.” SST is the same, including the narrower limit for CDR function.
(19) DiFi eliminates IG reports, I guess because they show how sloppily these things are run and how generally useless they are.
(19) Here’s how DiFi deals w/Burr’s transition canard.
IN GENERAL.—The amendments made by sections 101 through 107 shall take effect on the date that is 180 days after the date of the enactment of this Act unless the President certifies to the appropriate committees of Congress that the transition from the existing procedures for the productionof business records under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.), as in effect prior to the effective date for the amendments made by section 101 through 107,to the new procedures, as amended by sections 101through 107, is not sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.
(2) EXTENSION FOR CERTIFICATION.—If the President makes a certification described in paragraph (1), the amendment made by sections 101 through 107 shall take effect on the date, that may be up to 1 year after the date of the enactment of this Act, that the President determines that the transition referred to in such paragraph is sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.
(3) LIMITATION ON TRANSITION PERIOD.—If the President makes a certification under paragraph(1) and does not determine an effective date under paragraph (2), the amendments made by sections 101 through 107 shall take effect on the date that is 1 year after the date of the enactment of this Act.
(b) NO EFFECT ON PRIOR AUTHORITY.—Nothing in this Act, or any amendment made by this Act, shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as in effect on May 31, 2015, during the period ending on such effective date.
(c) TRANSITION.—(1) ORDERS IN EFFECT ON MA
Y 31, 2015.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, any order issued or made under title V of the Foreign Intelligence Surveillance Act of 1978 and in effect on May 31, 2015, shall continue in effect until the date of the expiration of such order.
(2) CONTINUED APPLICABILITY.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, the order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, may be extended by order of that court until the effective date established in subsection (a).
(3) USE OF INFORMATION.—
(A) IN GENERAL.—Information acquired from the call detail records pursuant to an order issued under section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) prior to the effective date in subsection (a) may continue to be used after the effective date of this Act, subject to the limitation in subparagraph (B).
(B) DESTRUCTION OF INFORMATION.—
Any record produced under any order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26 2015, in Docket No. BR 15–24 , or any predecessor order for such an order shall be destroyed no later than 5 years after the date such record was initially collected. Until that time, such a record may be used in accordance with the purpose prescribed and the procedures established in such order.
(23) DiFi’s bill takes out this language, which was in USA F-ReDux, in the PRTT section, but it does retain privacy procedures.
(C) For purposes of subparagraph (A), the term ‘address’ means a physical address or electronic address, such as an electronic mail address or temporarily assigned network address (including an Internet protocol address).
(24) Difi includes bulk controls on NSLs, but not the gag fix.
(26) The 215 reporting takes out the reporting on bulk collection to Congress that was in USA F-ReDux. Sharing of this is extended to everyone in Congress whom the HPSCI chair likes.
(33) DiFi gets rid of two-track reporting on all non-215 and consolidates it. The reporting is somewhat different (for example, Congress will no longer know when something has been used in a trial). DiFi pretends to extend this reporting to everyone in Congress, but since it’s subject to Congressional rules that will only happen in the senate.
(40) DiFi does include significant matter of law reporting to the appropriate committees (which exists).
(45) DiFi continues Burr’s Espionage Act.
(47) The amicus curiae is the John Bates Richard Burr version, which I think might be counterproductive.
(55) DiFi requires agencies that have not established minimization procedures required under the original EO 12333. See this post for more background.
As I noted here, given the content of the radical bill Richard Burr introduced on Friday, it appears likely that his claim Section 215 sIpported an IP dragnet was no misstatement, as he claimed when I called him on it. But that — and the misstatements Mitch McConnell made on Friday about the bill — are not the only lies the authoritarians have been telling.
Just after USA F-ReDux failed in the Senate Friday night and Barbara Boxer tried to call it back up for a vote, Mitch McConnell falsely claimed that Dianne Feinstein was involved in Burr’s radical bill. Senator Feinstein actually had to interrupt and point out that not only doesn’t she think Burr’s bill is the way to go, but that pushing for it might put all the expiring provisions at risk. (h/t Steven Aftergood for pulling Congressional Research Service records)
McCONNELL. Mr. President, the Senate has demonstrated that the House-passed bill lacks the support of 60 Senators. I would urge a “yes” vote on the 2-month extension. Senator Burr, the chairman of the Intelligence Committee, and Senator Feinstein, the ranking member, as we all know, have been working on a proposal that they think would improve the version that the Senate has not accepted that the House sent over. It would allow the committee to work on this bill, refine it, and bring it before us for consideration. So the 2-month extension, it strikes me, would be in the best interest of getting an outcome that is acceptable to both the Senate and the House and hopefully the President.
Mrs. FEINSTEIN. Mr. President, if I may a point of personal privilege. Mr. President, I would like to correct the majority leader, regretfully. I did not support the Burr bill. I do not believe that is the way to go. I have taken a good look at this. For those who want reform and want to prevent the government from holding the data, the FREEDOM Act is the only way to do it. The House has passed it. The President wants it. All of the intelligence personnel have agreed to it, and I think not to pass that bill is really to throw the whole program–that whole section 215 as well as the whole business records, the “lone wolf,” the roving wiretaps–into serious legal jeopardy.
That is, of course, precisely what has happened. In his bid to ram through Burr’s expanded dragnet, Mitch has now made it increasingly likely that all the expiring provisions will lapse on June 1.
On May 7, the very same day the Second Circuit ruled that Congress has to say specifically what a surveillance bill means for the bill to mean that thing, Richard Burr engaged in a staged colloquy on the Senate floor where he claimed that the Section 215 bulk collection program collects IP addresses. After Andrew Blake alerted me to that and I wrote it up, Burr stuffed the claim into the memory hole and claimed, dubiously, to have made a misstatement in a planned colloquy.
Then, after Mitch McConnell created a crisis by missing the first Section 215 reauthorization deadlines, Burr submitted a bill that would immediately permit the bulk collection of IP addresses, plus a whole lot more, falsely telling reporters this was a “compromise” bill that would ensure a smooth transition between the current (phone) dragnet and its replacement system.
Which strongly suggests Burr’s initial “misstatement” was simply an attempt to create a legislative record approving a vast expansion of the current dragnet that, when he got caught, led Burr to submit a bill that actually would implement that in fact.
This has convinced me we’re going to need to watch these authoritarians like hawks, to prevent them from creating the appearance of authorizing vast surveillance systems without general knowledge that’s what’s happening.
So I reviewed the speech Mitch made on Friday (this appears after 4:30 to 15:00; unlike Burr’s speech, the congressional record does reflect what Mitch actually said; h/t Steve Aftergood for Congressional Record transcript). And amid misleading claims about what the “compromise” bill Burr was working on, Mitch suggested something remarkable: among the data he’s demanding be retained are documents, not just call data.
I’ve placed the key part of Mitch’s comments below the rule, with my interspersed comments. As I show, one thing Mitch does is accuse providers of an unwillingness to provide data when in fact what he means is far more extensive cooperation. But I’m particularly interested in what he says about data retention:
The problem, of course, is that the providers have made it abundantly clear that they will not commit to retaining the data for any period of time as contemplated by the House-passed bill unless they are legally required to do so. There is no such requirement in the bill. For example, one provider said the following: “[We are] not prepared to commit to voluntarily retain documents for any particular period of time pursuant to the proposed USA FREEDOM Act if not otherwise required by law.”
Now, one credulous journalist told me the other day that telecoms were refusing to speak to the Administration at all, which he presumably parroted from sources like Mitch. That’s funny, because not only did the telecom key to making the program work — Verizon — provide testimony to Congress (which is worth reviewing, because Verizon Associate General Counsel — and former FBI lawyer — Michael Woods pointed to precisely what the dragnet would encompass under Burr’s bill, including VOIP, peer-to-peer, and IP collection), but Senator Feinstein has repeatedly made clear the telecoms have agreed with the President to keep data for two years.
Furthermore, McConnell’s quotation of this line from a (surely highly classified letter) cannot be relied on. Verizon at first refused to retain data before it made its data handshake with the President. So when did this provider send this letter, and does their stance remain the same? Mitch doesn’t say, and given how many other misleading comments he made in his speech, it’s unwise to trust him on this point.
Most curiously, though, look at what they’re refusing to keep. Not phone data! But documents.
Both USA F-ReDux and Burr’s bill only protect messaging contents, not other kinds of content (and Burr’s excludes anything that might be Dialing, Routing Addressing and Signaling data from his definition of content, which is the definition John Bates adopted in 2010 to be able to permit NSA to resume collecting Internet metadata in bulk). Both include remote computing services (cloud services) among the providers envisioned to be included not just under the bill, but under the “Call Detail Record” provision.
Perhaps there’s some other connotation for this use of the word “documents.” Remember, I think the major target of data retention mandates is Apple, because Jim Comey wants iMessage data that would only be available from their cloud.
But documents? What the hell kind of “Call Detail Records” is Mitch planning on here?
One more thing is remarkable about this. Mitch is suggesting it will take longer for providers to comply with this system than it took them to comply with Protect America Act. Yahoo, for example, challenged its orders and immediately refused to comply on November 8, 2007. Yet, even in spite of challenging that order and appealing, Yahoo started complying with it on May 5, 2008, that same 180-time frame envisioned here. And virtually all of the major providers already have some kind of compliance mechanism in place, either through PRISM (Apple, Google, and Microsoft) or upstream 702 compliance (AT&T and Verizon).
Sometime after 2 today, the House will pass USA F-ReDux by a large margin. Last night the Rules Committee rejected all amendments, including two (a version of the Massie-Lofgren amendment prohibiting back doors and a Kevin Yoder amendment that would improved ECPA protections) that have majority support in the House.
After the bill passes the House today it will go to the Senate where Mitch McConnell will have his way with it.
What happens in the Senate is anyone’s guess.
One reason no one knows what Mitch has planned is because most people haven’t figured out what Mitch really wants. I think there are 3 possibilities:
I think — though am not certain — that it’s the first bullet, though Burr’s so-called misstatement the other day makes me wonder. If so Mitch’s procedural move is likely to consist of starting with his straight reauthorization but permitting amendments, Patrick Leahy introducing USA F-ReDux as an amendment, Ron Wyden and Rand Paul unsuccessfully pushing some amendments to improve the bill, and Richard Burr adding tweaks to USA F-ReDux that will make it worse. After that, it’s not clear how the House will respond.
Which brings me to what I think Burr would want to add.
As I’ve said before, I think hawks in the Senate would like to have data mandates, rather than the data handshake that Dianne Feinstein keeps talking about. While last year bill supporters — including corporate backers — suggested that would kill the bill, I wonder whether everyone has grown inured to the idea of data retention, given that they’ve been silent about the data handshake since November.
I also suspect the IC would like to extend the CDR authority to non-terrorism functions, even including drug targets (because they probably were already using it as such).
The Senate may try to tweak the Specific Selection Term language to broaden it, but it’s already very very permissive.
I’m also wondering if the Senate will introduce language undermining the limiting language HJC put in its report.
Those are the predictable additions Burr might want. There are surely a slew more (and there will be very little time to review it to figure out the intent behind what they add).
The two big questions there are 1) are any of those things significant enough to get the House to kill it if and when it gets the bill back and 2) will the House get that chance at all?
As I noted last November, in her defense of USA Freedom Act last year, Dianne Feinstein suggested the telecoms (principally, Verizon) had agreed to retain their data for longer than their business purposes required without any mandate — what I dubbed the “data handshake.”
On Tuesday, Nov. 18, Feinstein explained how she had resolved the problem presented by telecoms like Verizon that don’t hold these records as long as the NSA currently does. She and Chambliss had written the country’s four biggest telecom companies a letter — she didn’t say when — asking whether the companies would retain phone records longer than they currently do. Two said yes; two said no. “Since that time, the situation has changed,” Feinstein said. “Not in writing, but by personal testament from two of the companies that they will hold the data for at least two years for business reasons.” President Barack Obama even vouched for the telecom companies’ willingness to hold the data. “The fact is that the telecoms have agreed to hold the data. The president himself has assured me of this,” Feinstein said.
Taken in context, Feinstein’s comments reveal how proponents of the USA Freedom Act solved the intelligence community’s problem with the reform bill — that the period of time that records would be held would shrink dramatically. Rather than a legal mandate requiring that telecoms hold onto the data — which some members of the Senate Intelligence Committee demanded in June — the reform bill would use a “data handshake.”
The terms of the data handshake are the most interesting part. This promise is not in writing. According to Feinstein, it is a “personal testament.” (And of course it wasn’t in the bill, where privacy advocates might have objected to it.) The telecom companies could say they were retaining the data for business purposes, though, until now, they’ve had no business purpose to keep the records.
While some, like Bob Litt, have suggested one challenge for having telecoms retain phone records concerned whether telecoms would retain enough of their call records to do pattern analysis, the issue of data retention has largely been unspoken in this round of debate over USA F-ReDux.
But Dianne Feinstein just raised it again this morning on Meet the Press, again endorsing a “data handshake” behind USA F-ReDux and seemingly referring to the assurances the President got from telecoms they would keep the data.
Senator, while I have you, the Patriot Act, obviously the big, bulk data collection was struck down, in Court. Not quite saying it was unconstitutional, basically saying that the law doesn’t cover what the administration has said it covers, which is this idea of bulk data collection. And says, “If Congress wants to be able to do this, then they need to explicitly pass a law that forces telephone companies to do this or not.” Where are you on this? Are you willing to pass a specific law that allows for bulk data collection, whether held by the phone companies or the government?
SENATOR DIANNE FEINSTEIN:
I think here’s the thing. The president, the House and a number of members of the Senate believe that we need to change that program. And the way to change it is simply to go to the FISA Court for a query, permission to go to a telecom and get that data. The question is whether the telecoms will hold the data. And the answer to that question is somewhat mixed. I know the president believes that the telecoms will hold the data. I think we should try that.
An act of Congress could force them to do that, correct?
SENATOR DIANNE FEINSTEIN:
An act of Congress could force them to do that.
And can that pass this Congress?
SENATOR DIANNE FEINSTEIN:
Well, that’s the problem. The House does not have it in their bill. Senator Leahy does not have that in his bill.
If I had to bet on the most likely outcome for the USA F-ReDux bill, it would be USA F-ReDux, with some more shit added in because USA F-ReDux boosters are reluctant to talk about how much more it gives the Intelligence Community than what they have now, and with data retention mandates. As I have said, I think that’s one of the ultimate purposes of Mitch McConnell’s PATRIOT gambit.
One thing is clear, however, which is that Intelligence insiders like Feinstein are talking about data mandates among themselves, even if they’re not discussing them publicly.