Posts

The Government Uses the Dragnets for Detainee Proceedings

/5 Comments/in /by

In the middle of a discussion of how the NSA let FBI, CIA, and NCTC directly access the database of Internet query results in the report accompanying the Internet dragnet End-to-End report, a footnote describes searches NSA’s litigation support team conducts. (See page 12)

In addition to the above practices, NSA’s litigation support team conducts prudential searches in response to requests from Department of Justice or Department of Defense personnel in connection with criminal or detainee proceedings. The team does not perform queries of the PR/TT metadata. This practice of sharing information derived from PR/TT metadata was later specifically authorized. See Primary Order, Docket Number PR/TT [redacted] at 12-13. The Government respectfully submits that NSA’s historic practice of sharing of U.S. person identifying information in this manner before it was specifically authorized does not constitute non-compliance with the PR/TT Orders.

Keith Alexander’s declaration accompanying the E2E adds more detail. (See page 16)

The designated approving official does not make a determination to release information in response to requests by Department of Justice or Department of Defense personnel in connection with criminal or detainee proceedings. In the case of such requests, NSA’s Litigation Support Team conducts prudential, specific searches of databases that contain both previously disseminated reporting and related analyst notes. The team does not perform queries of the PR/TT metadata. NSA then provides that research to Department of Justice or Department of Defense personnel for their review in connection with criminal or detainee proceedings. This practice of sharing information derived from the PR/TT metadata is now specifically authorized. See Primary Order, Docket Number PR/TT [redacted] at 12-13.

Language approving searches of the corporate store conducted on behalf of DOJ and DOD does not appear (at least not at 12-13) in the early 2009 — probably March 2, 2009 — Internet dragnet primary order. But related language was included in the September 3, 2009 phone dragnet order (it does not appear in the July 8, 2009 phone dragnet order, so that appears to have been the first approval for it). Given the timing, the language might stem either from another notice of violation to the FISC (one the government has redacted thus far); or, it might be a response to recommendations made in the Joint IG Report on the illegal dragnet, which was released July 10, 2009, and which did discuss discovery problems.

But the language describing the Litigation Support Team searches is far less descriptive in the September 3, 2009 phone dragnet order.

Notwithstanding the above requirements, NSA may share information derived from the BR metadata, including U.S. person identifying information, with Executive Branch personnel in order to enable them to determine whether the information contains exculpatory or impeachment information or is otherwise discoverable in legal proceedings.

The E2E and Alexander’s declaration make two things more clear.

First, NSA can disseminate this information without declaring the information is related to counterterrorism (that’s the primary dissemination limitation discussed in this section), and of course, without masking US person information. That would at least permit the possibility this data gets used for non-counterterrorism purposes, but only when it should least be permitted to, for criminal prosecutions of Americans!

Remember, too, the government has explicitly said it uses the phone dragnet to identify potential informants. Having non-counterterrorism data available to coerce cooperation would make that easier.

The E2E and Alexander declaration also reveal that the Litigation Support Team conducts these searches not just for DOJ, but also for DOD on detainee matters.

That troubles me.

According to the NYT’s timeline, only 20 detainees arrived at Gitmo after these dragnets got started, and 14 of those were High Value Detainees who had been stashed elsewhere for years (as were the last batch arrived in 2004). None of the men still detained at Gitmo, at least, had been communicating with anyone outside of very closely monitored situations for years. None of the Internet dragnet data could capture them (because no historical data gets collected). And what phone data might include them — and remember, the phone dragnet was only supposed to include calls with one end in the US — would be very dated.

So what would DOD be using these dragnets for?

Perhaps the detainees in question weren’t Gitmo detainees but Bagram detainees. Plenty of them had been out communicating more recently in 2004 and 2006 and even 2009, and their conversations might have been picked up on an Internet dragnet (though I find it unlikely any were making phone calls to the US).

It’s possible the dragnet was used, in part, to track released detainees. Is dragnet contact chaining one of the things that goes into claims about “recidivist” detainees?

Finally, a more troubling possibility is that detainee attorneys’ contacts with possible witnesses got tracked. Is it possible, for example, that DOD tracked attorneys’ contacts with detainee family members in places like Yemen? Given allegations the government spied on detainees’ lawyers, that’s certainly plausible. Moreover, since NSA does not minimize contacts between attorneys and their client until the client has been indicted, and so few of the Gitmo detainees have been charged, it would be utterly consistent to use the dragnet to track lawyers’ efforts to defend Gitmo detainees. Have the dragnets been focused on attorneys all this time?

One thing is clear. There is not a single known case where DOJ or DOD have used the dragnets to provide exculpatory information to someone; Dzhokhar Tsarnaev was unable to obtain discovery on dragnet information even after the government bragged about using the dragnet in his case.

Nevertheless, NSA has been sharing US person information without even having to attest it is counterterrorism related, outside of all the minimization procedures the government boasts about.

Dzhokhar’s Four Phones

/4 Comments/in /by

A month ago, the government argued in Dzhokhar Tsarnaev’s case it had no discovery obligations under Section 215, which top government officials have said they used to achieve piece of mind.

Yesterday, Dzhokhar’s college buddies challenged their confession based on a claim the government didn’t have a warrant when it surrounded their apartment with 60 cops. The government’s excuse is that Tsarnaev received the bills for four AT&T phones at that address, and one of the phones had recently been used to call Russia.

Tsarnaev was receiving AT&T bills for four phones at that address. One of the phones had called Russia from near the UMass-Dartmouth campus, which led investigators to think he might be nearby – perhaps at his friends’ apartment.

“I proceeded with all haste and with blue lights flashing” to where the phones suggested Tsarnaev might be, Walker said.

Soon about 60 officers had the New Bedford home surrounded.
Tsarnaev wasn’t inside, but his two friends were, along with Kadyrbayev’s girlfriend.

What happened next could affect the outcome of the cases against Tsarnaev’s friends. Walker said the FBI had not obtained a search warrant. Agents took the two men from the apartment, handcuffed them and questioned them in unmarked cars, Walker said, before they agreed to go to the State Police barracks for further questioning.

Kadyrbayev’s attorney Robert Stahl said that amounted to “uncounseled, unwarranted seizures of these individuals.” If the FBI violated the defendants’ rights, then their statements, which prosecutors are calling “confessions,” could be excluded from their trials.

This all occurred while Dzhokhar was bleeding out in a boat in Watertown.

There are multiple ways the FBI could have gotten these phone records. They may well have a database of subscriber information for major providers, meaning they could learn which carrier he used quickly within FBI. The could have gotten the call records just with NSLs. (NSA’s phone dragnet wouldn’t be all that useful at that stage, though it might have provided interesting information on the Russia call.) The FBI might even have used Hemisphere, which provides geolocation. (Remember, though, that MA’s Supreme Court just ruled the police need a warrant for cell location.)

The defendants have already received some of Dzhokhar’s texts in discovery, so I assume there are no evidentiary problems with those.

In other words, we should assume this data came from normal FBI sources, not NSA ones. (If so, it’s another strike against the claim the NSA needs the phone dragnet for quickness, because this would have happened quickly if the FBI’s narrative is true.)

But it does raise interesting questions about dual sources for the data at hand.

Also remember, these are the same phones that the same buddies had limited discovery on texts from, because Dhokhar had destroyed the one he was using.

Dzhokhar Tsarnaev’s Search Motion: the Reddish-Brown Powder and the Pizza Papers

/9 Comments/in /by

In addition to his motion challenging his confession, Dzhokhar Tsarnaev also submitted at least one more motion to suppress on Wednesday (there’s a third motion to suppress the search of his laptop; that appears to be sealed document 284 in the docket), challenging the scope of and in one case the legality of the searches done on the Tsarnaev’s residences.

I’ll leave it to the lawyers to argue about the merits of the challenge. I’m primarily interested in what they show about the development of the investigation. They appear to show an evolution in FBI’s understanding of where and whether the explosives used in the attack were made.

The motion describes the following searches of the two residences associated with Dzhokhar Tsarnaev:

April 15, 2013: The attack

April 19, 2013: After IDing Tamerlan via fingerprints, FBI obtained a warrant for 410 Norfolk Street in Cambridge; that search lasted from 1 AM on April 20 until 1PM on April 20; this warrant included “Property, records, or other information related to the ordering, purchasing, manufacturing, storage, and transportation of firearms;”

Overnight April 20 to 21: FBI’s High Value Interrogation Team conducts first interrogation of Tsarnaev

3AM to 9AM April 22: FBI conducts search of Tsarnaev’s UMASS dorm room based on warrant issued at midnight that day

May 5: FBI conducts a second search on 410 Norfolk apartment, based off warrant issued on May 3; this search appears based on evidence obtained from surveillance video of people — including potentially a female — purchasing pressure cookers at Macys, but also included further search for low-explosive powder residue; no residue was found

June 27: On invitation from UMASS cops, FBI observes Dzhokhar’s dorm room again; UMASS cops obtain sample of reddish-brown powder; this is the search Dzhokhar claims was illegal

July 26: FBI searches Dzhokhar’s dorm room based on warrant issued July 24, claiming to have observed reddish-brown powder on previous April 21 warranted search; this warrant includes explosives and BBs

It appears that the FBI did initial broad-brush searches on both Norfolk and the dorm room after they caught the brothers (though I am intrigued that it took FBI 2 days to get to the dorm room, which is significant given issues of who tried to tamper evidence there). Then on May 5, FBI went back Norfolk Street to try to tie the purchase of pressure cookers to the Tsarnaevs, and obtain more evidence that the pressure cooker bombs were made at the Cambridge apartment. They didn’t, apparently, find any residue to support the latter claim.

Then, it appears UMASS invited the FBI into the dorm room for one more looksie before they crated up Dzhokhar’s stuff on June 27. Presumably acting on FBI’s instructions, UMASS cops swabbed the reddish-brown powder, and presumably sent it out for testing. Again presumably, once that test came back, the FBI invented the story that they had observed the reddish-brown powder on their original search so as to legally obtain a sample of it.

At least, that’s the scenario laid out in Dzhokhar’s challenge to its collection.

The application for the second search warrant for Mr. Tsarnaev’s dorm room and for his personal property, taken from his dorm room, recites facts gleaned from the investigation of the Boston Marathon bombings, a search of Mr. Tsarnaev’s laptop computer (the subject of a separate motion to suppress), another search of material found in a backpack located in a landfill, and the observations made by FBI agents during the June 27 warrantless entry . Some of this information was available well before the June 27 entry, yet the FBI had not sought a second warrant.

It appears that the warrant was aimed in large part at seizing the “reddish-brown powder” observed on the window sill of the room. The warrant application’s claim that this was seen during the April search by agents, who inexplicably failed to seize it, strains credulity. Reports regarding the April 21 search do not mention the powder. Photographs taken of the pyrotechnic found on the window sill do not show it. And the Evidence Recovery Team casebook twice states that the room was reviewed by a chemist “for potential areas for swabbing. None were located.”

As a reminder, two of Dzhokhar’s buddies, Dias Kadyrbayev and Azamat Tazkayakov, along with an unnamed co-conspirator allegedly removed the laptop and other materials from the dorm room on April 18; it took the FBI 6 days of searching a landfill to find those things on April 25. So whatever was in them (including the computer the search of which Dzhokhar is also challenging) was not available before the April 21 search.

The FBI looksie visit on June 27 was likely nothing more than UMASS trying to give the FBI one more pass at the room before they cleared it; while they did search for clothes (which is how they were trying to tie the pressure cooker purchase in), it’s not clear they were in search of anything in particular. (Though on the subsequent search they may have been looking for DNA of still unidentified people.)

But that reddish-brown powder seems to have sparked their interest.

I raise all this, in part, because of a recent report that the pressure cooker bombs couldn’t have been based solely on the Inspire magazine instructions (and I had heard similar things almost immediately after the bombing).

ABC News has learned that many within the FBI, law enforcement and counter-terrorism strongly disagree they could have become good enough to make the improvised explosive devices (IEDs) from online how-to’s and suspect an expert taught or instructed Tamerlan on the craft of bombmaking while he was overseas in 2012.

[snip]

But an analysis of the bombs done by FBI technicians at the Terrorist Explosive Device Analytical Center (TEDAC) in Quantico, Virginia in late April 2013 found that the bombs in Boston had a much more sophisticated design that that in [Inspire], including differences in the initiators, power source and switch/trigger, which utilized a toy car remote control. Inspire never contained instructions for that type of switch/trigger used to remotely set off the IEDs but had directions for a different type using a motorcycle remote starter.

“While the RC concept is similar, TEDAC assesses INSPIRE  would not provide an individual with the appropriate details to translate these instructions for use with RC toy car components. Such construction would likely require previous knowledge of, or additional research into, RC toy car circuitry,” a TEDAC analysis document said.

That is, the understanding they had of how and where the bombs were made — based in part on Dzhokhar’s confession — seems to have evolved after the initial searches. The FBI appears not to have found evidence backing their public claims that the bombs were made in Cambridge. And now we find something — which admittedly could just as easily be pot residue as bomb residue — that focuses on the explosives found in the dorm room.

One more detail, that I only raise because of my continued obsession with the role of Gerry’s Italian Kitchen in this attack. The suppression motion also notes that the April searches included evidence relating to pizza.

Among the items seized from the Norfolk Street apartment was a paystub for Tamerlan from a 2010 job at a pizza restaurant. Agents seized a pizza box from Mr. Tsarnaev’s dorm room.

These were from the initial April searches. But particularly the seizure of Tamerlan’s paystub suggest they were interested in his ties to pizza joints in the area.

DOJ Abused Classification to Delay Dzhokhar Tsarnaev’s Presentment

/7 Comments/in /by

As a number of outlets are reporting, Dzhokhar Tsarnaev’s lawyers have submitted a long anticipated motion to suppress the statements he made during the weekend the FBI interviewed him while he kept asking — 10 times — for a lawyer.

The motion also provides detail on something that bmaz and I found to be just as important — DOJ’s delay in presentment, basically delaying the time before he got a lawyer. It describes how the Public Defenders Office tried to inform Dzhokhar they could represent him, twice trying to give the FBI lawyers letters to do so. The FBI refused the letters each time.

More troubling still, after the Court assured the Public Defenders they would be informed and appointed as soon as Dzhokhar was charged, that didn’t happen. Instead, the court permitted DOJ to seal the complaint, thereby delaying notice to the PDs, permitting another long interrogation session.

Throughout April 20 and 21, the Federal Public Defender and other lawyers from her office contacted court officials, asking to be appointed. Court personnel informed the lawyers that they would be appointed as soon as a complaint was filed. McGinty Aff.

This turned out to be incorrect. A complaint was signed at 6:47 pm on April 21, DE 3, and filed under seal. Interrogation continued through the night and well into the morning of April 22. The government’s motion to seal, DE 1, explained that “public disclosure of these materials might jeopardize the ongoing investigation of this case.” This baffling assertion ignores the fact, well-known to anyone with access to a television, radio, newspaper, smartphone or computer, that Mr. Tsarnaev was in custody. Nothing in the application for the complaint revealed information that had not already been reported by media around the world. It thus appears that the sole reason to seal the complaint was to allow the interrogation to continue by delaying the defendant’s initial appearance before a judicial officer and the appointment of counsel.

And, as the motion notes, the FBI was well beyond asking public safety questions.

The government needs none of this testimony to convict Dzhokhar, even assuming this thing would go to trial.

Which is probably why DOJ and the Court assumed they could get away with this.

DOJ Says You Can’t Know If They’ve Used the Dragnet Against You … But FISC Says They’re Wrong

/3 Comments/in , /by

As I noted the other day in yet another post showing why investigations into intelligence failures leading up to the Boston Marathon attack must include NSA, the government outright refuses to tell Dzhokhar Tsarnaev whether it will introduce evidence obtained using Section 215 at trial.

Tsarnaev’s further request that this Court order the government to provide notice of its intent to use information regarding the “. . . collection and examination of telephone and computer records pursuant to Section 215 . . .” that he speculates was obtained pursuant to FISA should also be rejected. Section 215 of Pub. L. 107-56, conventionally known as the USA PATRIOT Act of 2001, is codified in 50 U.S.C. § 1861, and controls the acquisition of certain business records by the government for foreign intelligence and international terrorism investigations. It does not contain a provision that requires notice to a defendant of the use of information obtained pursuant to that section or derived therefrom. Nor do the notice provisions of 50 U.S.C. §§ 1806(c), 1825(d), and 1881e apply to 50 U.S.C § 1861. Therefore, even assuming for the sake of argument that the government possesses such evidence and intends to use it at trial, Tsarnaev is not entitled to receive the notice he requests.

This should concern every American whose call records are likely to be in that database, because the government can derive prosecutions — which may not even directly relate to terrorism — using the digital stop-and-frisk standard used in the dragnet, and never tell you they did so.

Note, too, Dzhokhar’s lawyers are  not just asking for phone records, but also computer records collected using Section 215, something Zoe Lofgren has made clear can be obtained under the provision.

And in the case in which Dzhokhar’s college buddies are accused of trying to hide his computer and some firecracker explosives, prosecutors profess to be unable to provide any of the text messages Dzhokhar sent after his last text to them. That stance seems to pretend they couldn’t get at least the metadata from those texts from the phone dragnet.

The government, then, claims that defendants can’t have access to data collected using Section 215. They base that claim on the absence of any language in the Section 215 statute, akin to that found in FISA content collection statutes, providing for formal notice to defendants.

But at least in the case of the phone dragnet, that stance appears to put them in violation of the dragnet minimization procedures. That’s because since at least September 3, 2009 and continuing through the last dragnet order released (note, ODNI seems to be taking their time on releasing the March 28 order),  the minimization procedures have explicitly provided a way to make the query results available for discovery. Here’s the language from 2009.

Notwithstanding the above requirements, NSA may share information derived from the BR metadata, including U.S. person identifying information, with Executive Branch personnel in order to enable them to determine whether the information contains exculpatory or impeachment information or is otherwise discoverable in legal proceedings.

The government routinely points to these very same minimization procedures to explain why it can’t provide information to Congress or other entities. But if the minimization procedures trump other statutes to justify withholding information, surely they must have the weight of law for disclosure to criminal defendants. And all that’s before you consider the Brady and Constitutional reasons that should trump the government’s interpretation as well.

Using the formulation the government always uses when making claims about the dragnet’s legality, on at least 21 occasions, FISC judges have envisioned discovery to be part of the minimization procedures with which the government must comply. At least 7 judges have premised their approval of the dragnet, in part, on the possibility exculpatory information may be shared in discovery.

Now, there is a limit to the discovery envisioned by these 21 FISA orders; this discovery language, in the most recently published order, reads:

Notwithstanding the above requirements, NSA may share results from intelligence analysis queries of the BR metadata, including U.S. person identifying information, with Executive Branch personnel (1) in order to enable them to determine whether the information contains exculpatory or impeachment information or is otherwise discoverable in legal proceedings …

That is, this discovery language only includes the “results from intelligence analysis queries.” It doesn’t permit new queries of the entire database, a point the government makes over and over. But in the case of the Marathon bombing, we know the queries have been run, because Executive Branch officials have been bragging about the queries they did after the bombing that gave them “peace of mind.”

Those query results are there, and the FISC judges explicitly envisioned the queries to be discoverable. And yet the government, in defiance of the minimization procedures they claim are sacred, refuse to comply.

The Day After Government Catalogs Data NSA Collected on Tsarnaevs, DOJ Refuses to Give Dzhokhar Notice

/10 Comments/in , , /by

On Thursday, the Inspectors General of the Intelligence Community, DOJ, CIA, and DHS (but not NSA) released their report on the Marathon Bombing. While the public release was just a very condensed summary, included the redaction of both classified and “sensitive” information, and made no attempt to reconstruct data government agencies had or could have had on Dzhokhar Tsarnaev, the report did show that the NSA had data on Tamerlan Tsarnaev and that the FBI found information on his computers that NSA might have gotten via other means.

On Friday, prosecutors in the case against Dzhokhar refused to tell him what they collected under FISA.

Before I get into the government’s refusal on FISA notice — some of which has repercussions for other cases — let’s go over what electronic communications the government did have or could have had.

First, the IG Report (which did not specifically involve NSA’s IG and did not include Dzhokhar in its scope) nevertheless points to information NSA collected in 2012 that was not turned over to FBI until after the attack.

Screen Shot 2014-04-12 at 12.37.13 PM

The report also points to communications dating to January 2011, which is entirely redacted. This probably refers to communications the Russians intercepted, not the NSA (indeed, the report discusses NSA data, above, later in the same section, which indicates the earlier redaction doesn’t pertain to NSA). Though there’s no indication whether the NSA received notice of these communications, including the non-US person interlocutor located overseas involved in them, who would have been a legal NSA target.

Read more

Working Thread on the Combined Marathon IG Report

/7 Comments/in , /by

I started reading the Combined IG Report on the Marathon attack (including the DOJ, CIA, DHS, and Intelligence Community IGs, but not NSA). And the whole thing looked so bogus from the start, I figured a working thread was in order.

One thing to remember here: we’ve only got a 32-page summary that includes 5 pages of agency (but not CIA) response and a title page. We’re getting a mere fraction of the 168-page report.

To make things worse, some things are redacted that aren’t even classified, they’re just sensitive.

Redactions in this document are the result of classification and sensitivity designations we received from agencies and departments that provided information to the OIGs for this review. As to several of these classification and sensitivity designations, the OIGs disagreed with the bases asserted. We are requesting that the relevant entities reconsider those designations so that we can unredact those portions and make this information available to the public.

(PDF 2) Several things in this passage:

Law enforcement officials identified brothers Tamerlan and Dzhokhar Tsarnaev as primary suspects in the bombings. After an extensive search for the then unidentified suspects, law enforcement officials encountered Tamerlan and Dzhokhar Tsarnaev in Watertown, Massachusetts. Tamerlan Tsarnaev was shot during the encounter and was pronounced dead shortly thereafter.

First, they don’t say what law enforcement officials IDed the brothers. That sentence precedes one which claims there were “unidentified suspects,” which suggests they had suspicions before they were “IDed.” The word “encountered” is awfully suspicious, given that explanations of how the shootout in Watertown happened have been contradictory. And note they don’t say whether Tamerlan died immediately or not–again, an issue about which there’s some contention.

(PDF 2) Note they tell us Anzor’s ethnicity, but not his wife’s (who is more central to this narrative)?

(PDF 2) The report dodges legitimate questions about why the family got refugee status by referring only to “an immigration benefit.” Given reports the uncle had ties to the CIA, that benefit may be more than a simple asylum request.

(PDF 3) Note that, after having previously said the brothers were ID’ed by LE, they now specify FBI [Actually, I think that’s wrong: this is still ambiguous about who IDed them]. But the timing is crazy: it says FBI reviewed its records by April 19, but never says when they were IDed, and doesn’t say whether they were reviewed during a period of suspicion.

By April 19, 2013, after the Tsarnaev brothers were identified as suspects in the bombings, the FBI reviewed its records and determined that in early 2011 it had received lead information from the FSB about Tamerlan Tsarnaev, had conducted an assessment of him, and had closed the assessment after finding no link or “nexus” to terrorism.

(PDF 4) This seems very broad. I wonder what they’re including? Online communications?

As a result, the scope of this review included not only information that was in the possession of the U.S. government prior to the bombings, but also information that existed during that time and that the federal government reasonably could have been expected to have known before the bombings.

(PDF 4) This passage and footnote are huge dodges, making the entire report meaningless.

We carefully tailored our requests for information and interviews to focus on information available before the bombings and, where appropriate, coordinated with the U.S. Attorney’s Office conducting the prosecution of alleged bomber Dzhokhar Tsarnaev.1

1 The initial lead information from the FSB in March 2011 focused on Tamerlan Tsarnaev, and to a lesser extent his mother Zubeidat Tsarnaeva. Accordingly, the FBI and other agencies did not investigate Dzhokhar Tsarnaev’s possible nexus to terrorism before the bombings, and the OIGs did not review what if any investigative steps could have been taken with respect to Dzhokhar Tsarnaev.

I’ll come back to this. But the indictment lists a number of things that the FBI, in their stings, have found and used to identify easy marks. They did not do so here, with Dzhokhar. Which raises real questions about why they chose not to pursue him when they’ve pursued so many other young men like Dzhokhar?

(PDF 4) Here’s who was included in this review:

We also requested other federal agencies to identify relevant information they may have had prior to the bombings. These agencies included the Department of Defense (including the National Security Agency (NSA)), Department of State, Department of the Treasury, Department of Energy, and the Drug Enforcement Administration.

There has been little discussion of DEA’s likely awareness of the brothers, but it is likely, given that they were dealing drugs with potential ties to organized crime. And NSA, but I harp on that too much. I’m curious what role DOE might have.

(PDF 4) Again, they specify they’re only looking at pre-attack data. Which dodges what they could have collected but didn’t.

Additionally, each OIG conducted or directed its component agencies to conduct database searches to identify relevant pre-bombing information.

(PDF 4-5) As with HHSC’s report, the FBI stalled here.

As described in more detail in the classified report, the DOJ OIG’s access to certain information was significantly delayed at the outset of the review by disagreements with FBI officials over whether certain requests fell outside the scope of the review or could cause harm to the criminal investigation. Only after many months of discussions were these issues resolved, and time that otherwise could have been devoted to completing this review was instead spent on resolving these matters.

(PDF 5) The 12333 passage makes it clear NSA had a big role here. But, again, its IG did not conduct an investigation.

(PDF 6-7) The CIA section is very thin. I assume some stuff is missing.

(PDF 8) Note the importance of NSA’s sharing with FBI here?

Of particular relevance to this review are the relationships between the FBI, CIA, and DHS, as well as the relationship between the FBI and the NSA, and the NCTC’s relationships throughout the Intelligence Community.

(PDF 8) This makes clear that the transcription and birthdate errors were in both FSB warnings; it’s just that CIA didn’t fix the second one.

Importantly, the memorandum included two incorrect dates of birth (October 21, 1987 or 1988) for Tamerlan Tsarnaev, and the English translation used by the FBI transliterated their last names as Tsarnayev and Tsarnayeva, respectively.

(PDF 10) This passage seems to admit that FBI could have, but did not, search FISA related databases. It also suggests there was a “certain telephone database,” which might include the Hemisphere database, which performs the same function as the NSA claims (falsely) the phone dragnet does. Note, too, that they’ve only checked for the Tsarnaevs in FBI databases. I’ll come back to these databases in a later post.

Additionally, the DOJ OIG determined that the CT Agent did not use every relevant search term known or available at the time to query the FBI systems, including certain telephone databases and databases that include information collected under authority of the Foreign Intelligence Surveillance Act (FISA). However, searches of FBI databases conducted at the direction of the DOJ OIG during this review produced little information beyond that identified by the CT Agent during the assessment, with the exception of additional travel-related data for Zubeidat Tsarnaeva.

(PDF 11) Note that the second FBI letter to FSB, dated October 7, 2011, postdated the FSB notice to CIA. But it also comes at a time when Boston area law enforcement were conducting an investigation into the murder of Tamerlan’s best friend. The Waltham murders are not mentioned at all in the unclassified report.

(PDF 12) The IG Report does not tell us the date in September when FSB provided notice to CIA. Given that Tamerlan may have just been or was about to be involved in a grisly murder, I find that omission very notable.

(PDF 12) Note you can be watchlisted without derogatory information. This seems to be because of the exception mentioned in FN 10. But fat lot of good it did in this case. Per the footnote, that exception subsequently got disqualified, though I bet it has been qualified again.

(PDF 12) The IG Report doesn’t even acknowledge there was some other kind of difference between the first and the later watchlist entries as indicated on pp 33-4 of the HHSAC Committee report, which suggests that discussion may be redacted entirely.

(PDF 16) Note that, as happens with all Legal Permanent Residents, Tamerlan was photographed (and fingerprinted) during immigration. I’m surprised there isn’t more discussion of this (though it may be classified). But one big point of this relatively new border protocol is to have recent pictures on hand in case, say, you need to do facial recognition on pictures from a terrorist attack. Were they used?

(PDF 19) Note the big redaction describing intercepted communications. This may simply describe what the Russians had collected, which led to their tip. But I do wonder whether NSA collected its own version, not least because details of the Russian intercept has been widely reported.

(PDF 20) Note that the discussion of Tamerlan’s (remember, Dzhokhar is not included here) computer materials is described solely in terms of what FBI could do. That’s different from what both DHS does (they track public online speech) and NSA. It’s unclear whether they could have found some of this using methods available to them, but the report’s silence on that point is notable.

The FBI’s analysis was based in part on other government agency information showing that Tsarnaev created a YouTube account on August 17, 2012, and began posting the first of several jihadi-themed videos in approximately October 2012. The FBI’s analysis was based in part on open source research and analysis conducted by other U.S. government agencies shortly after the bombings showing that Tsarnaev’s YouTube account was created with the profile name “Tamerlan Tsarnaev.”

[snip]

The DOJ OIG concluded that because another government agency was able to locate Tsarnaev’s YouTube account through open source research shortly after the bombings, the FBI likely would have been able to locate this information through open source research between February 12 and April 15, 2013. The DOJ OIG could not determine whether open source queries prior to that date would have revealed Tsarnaev to be the individual who posted this material.

The passage goes on to report the 7 copies of Inspire on one of the computers used by Tamerlan (again, there’s no mention of Dzhokhar here).

Something they’re not saying, but we know to be true.  Had they picked up Inspire either through a 702 upstream search or XKeyscore, they would have had identifiers that could have pegged Tsarnaev’s identity and tied it to all his other identities, regardless of the fact Tamerlan used an alias until February 2013.

And note the big redaction: NSA had information that dated to 2012, which may well have been the intercepts with Plotnikov.

Finally, note that FBI never turned over most of the information about Tamerlan’s Google accounts. The excuse (as noted above) was the ongoing investigation. But I wonder whether that’s ongoing investigation into the Waltham murder or the Marathon attack.

(PDF 25) Note the discussion of enhancement in the 2nd-to-last bullet. I believe this suggests that transliteration questions are only addressed with this enhancement.

(PDF 25) Note that they at least used to delete US person travel info after 6 months unless it represents terrorism information. This would arise from NCTC’s minimization procedures.

(PDF 32) As noted above, we don’t get John Brennan’s response to this, though he presumably sent one. I suspect that means there are classified recommendations for the Agency and that his response reflects that. While it’s not clear what the foreign target would be in this context (perhaps an investigation of the person to whom Zubeidat was speaking about Tamerlan wanting to join jihad?) but there seems to have been some.

DOJ Doesn’t Want You to Know about Any Inspire-related FISA Surveillance Programs

/10 Comments/in /by

I have written repeatedly about the case of Adel Daoud (see these two posts). The FBI caught him in a sting in 2012 where they had him perform bombing a night club. He was 18 at the time he caught.

While the government immediately informed Daoud they would use evidence derived from FISA against him, subsequent information — both comments Dianne Feinstein made during the debate about renewing the FISA Amendments Act and in further details we’ve gotten about back door searches — have suggested there might be something exotic about his targeting. (I have speculated he got identified via a back door search off a traditional FISA tap on someone — or something — else.)

On Monday, the government submitted its appeal of Judge Sharon Coleman’s decision.

DOJ complains that Judge Sharon Coleman did not reveal the classified things she finds so problematic about this case

Hilariously, key to their appeal is that Coleman didn’t lay out what it was she saw in the FISA materials she reviewed that led her to grant Daoud’s lawyer review of the underlying application materials.

Rather than address the specific facts of this case, the district court ordered disclosure because it believed that resolving the legality of the FISA collection is “best made in this case as part of an adversarial proceeding.” Id. at 5; SA 5. The court noted that “the adversarial process is integral to safeguarding the rights of all citizens” and quoted the Supreme Court’s language that the Sixth Amendment “right to the effective assistance of counsel is thus the right of the accused to require the prosecution’s case to survive the crucible of meaningful adversarial testing.” Id.

[snip]

For FISA and its procedures to have meaning, the need for disclosure must stem from unique, case-specific facts, and not a general preference that would apply to all FISA litigation. After all, the statute mandates that courts review the FISA applications and orders in camera and ex parte before even contemplating disclosure. Thus, a court cannot order disclosure of FISA materials unless it concludes, based on facts specific to the FISA applications in that case, that it cannot accurately resolve the legality of the collection without such disclosure.

The legislative history of FISA reinforces the conclusion that disclosure cannot be “necessary” absent a case-specific reason that would justify a departure from the default ex parte process.

Think about this. The government is arguing Coleman was wrong to grant Daoud’s lawyers review — which would effectively allow a lawyer to conduct a secret review of the FISA application — without explaining in a court opinion what is so unique about this case that it merits such a review.

To do so, she’d either have to reveal the secrets the government says Daoud’s lawyers can’t review, even in secret. Or she’d have to issue a partially classified opinion that would deprive Daoud’s lawyers of an opportunity to support her decision on appeal.

DOJ complains that Coleman did not think their secret declarations they insist are persuasive are persuasive

DOJ is also angry that Coleman was not sufficiently impressed by their plea of national security, insisting that their sworn declarations were “persuasive” even though she obviously was not persuaded.

The “need-to-know” prerequisite matters all the more here because, as persuasively articulated in the sworn declarations from the Attorney General of the United States and the FBI’s Acting Assistant Director for Counterterrorism, these FISA applications deal with exceptionally sensitive issues with profound national security implications.

[CLASSIFIED MATERIAL REDACTED]

The district court’s order ignored these declarations and brushed aside the considered judgment of two senior executive branch officials who carefully concluded—based on the particular facts of this case—that disclosure may lead to an unacceptable risk of compromising the intelligence gathering process and undercut the FBI’s ongoing ability to pursue national security investigations. If permitted to stand, the district court’s order would impose upon the government a lose-lose dilemma: disclose sensitive classified information to defense counsel—an option unlikely to be sanctioned by the owners of that information—or forfeit all FISA-derived evidence against the defendant, which in many cases may be critical evidence for the government.

In other words, in spite of FISA’s clear provision allowing for review in certain circumstances, DOJ maintains that judges must accept whatever classified declarations they submit even if — as Coleman said — they’re not at all persuasive.

And while the government’s complaints are, in significant part, about ensuring that allowing defendants to review these applications doesn’t begin to happen more frequently, this is also a bid to ensure that any Title III review of FISA warrants remains narrowly limited to whether,

  • FISA rightly found probable cause that the target of the FISA warrant was an agent of a foreign power
  • The certifications submitted in support of the warrant complied with FISA’s requirements
  • FISA information was appropriately minimized

The last bullet, which I suspect is the most important one in this case, will measure not whether minimization meets the standards required under the Fourth Amendment, but whether DOJ (or rather NSA and/or FBI) followed the rules approved by FISA. And limiting the review to whether the government met the minimization procedures approved by FISA brackets off the question of whether this use of FISA abided the Fourth Amendment.

Elsewhere, DOJ describes the case they need to make differently.

A court reviewing the applications would have no difficulty determining that they established probable cause to believe that the target was an agent of a foreign power and that a significant purpose of the collection was to obtain foreign intelligence information.

That’s significant because if this does involve a back door search, it raises questions about the degree to which the government collects this data, at this point, just to find young Muslim men to catch in stings.

More bread-crumbs pointing to targeting off Inspire

Which is particularly important given the bread-crumbs in the opinion pointing to the targeting of Daoud off some kind of collection targeted at Inspire, AQAP’s magazine.

Read more

Why Does NSA Get a Pass on the Boston Marathon Attack?

/7 Comments/in /by

In addition to a motion claiming the FBI asked Tamerlan Tsarnaev to become an informant during their investigation of him in 2011, Dzhokhar Tsarnaev’s lawyers submitted a motion requesting notice of whether the government intends to submit as evidence or has in its possession surveillance information that would be helpful to Dzhokhar’s defense.

This motion is not going anywhere.

The government would generally be obliged to turn this over only if they planned to use it (or evidence derived from it, in the still very attenuated way they define such things) in trial. And as the defense notes in the motion, any surveillance that might exist would most likely be of Dzhokhar’s family, especially his brother, not him. Moreover, the defense points to Amnesty v. Clapper to invoke the government’s admission that it collects data not just in FISA-authorized programs, but also in EO 12333 ones.

And, although we do not reach the question, the Government contends that it can conduct FISA-exempt human and technical surveillance programs that are governed by Executive Order 12333. See Exec. Order No. 12333,

Yet there is no established obligation to notice such evidence, as there is for FISA.

All that said, to justify their demand, the defense notes the government’s non-response to three past attempts to get such information. And they note two passages from the recently released House Homeland Security Committee report on the bombing to justify their renewed claim.

This threat assessment included a check of “U.S. government databases and other information to look for such things as derogatory telephone communications, possible use of online sites associated with the promotion of radical activity, associations with other persons of interest, travel history and plans, and education history.” Id. at 12. The report also states that, according to FBI officials in Moscow, “electronic communication” between Tamerlan and a jihadist named William Plotnikov “may have been collected.”

If any “derogatory” telephone communications had been discovered, presumably the assessment into Tamerlan wouldn’t have been closed after less than 4 months, as the report makes clear it was (the Russian notice was March 4, 2011; the FBI set an alert on Tamerlan on March 22, 2011; the FBI closed the assessment on June 24, 2011). Ditto if Tamerlan had significant online activity “associated with the promotion of radical activity” (he would have, after his return from Russia). So for the moment assume nothing significant came of these searches, which are attributed to the FBI. Nevertheless, these comments at least nod to databases that may be, or may be derived from, NSA databases.

The possible intercept between Tamerlan and Plotnikov may have dated to a year after the FBI’s assessment, although this NBC report, which seems to have been based on an unredacted report, suggests it predated the warnings. In any case, it’s almost certainly a Russian intercept, not an NSA one: the paragraph reporting it (see the partly redacted paragraph on page 15) is one of just a few in this report classified FGI, indicating it derives from foreign government intelligence. If the FBI (and later, CIA) did learn that Tamerlan had come up in incriminating intercepts with Plotnikov in 2011, that’s something the NSA presumably could have replicated (and would be solidly within NSA’s interpretation of permissible taps under reverse targeting restrictions as laid out in the most recent PCLOB hearing, even assuming such tasking were done under FAA).

Dzhokhar’s defense doesn’t deal with what I consider a far more intriguing mention, undoubtedly because it remains heavily redacted (see page 32-34). This one deals with the second Russian alert later that fall — it is another FGI paragraph and footnote — this time to the CIA. It reveals that in providing a warning reported to be largely the same as one sent 6 or 7 months earlier, the CIA version of the Russian warning used the wrong year of birth and transliterated his name differently. There was some other difference in this alert as well (this would be described in the sentence at 33-34, which the following sentence on the name and date inaccuracy add to). And while much of this heavily redacted discussion involves the mechanics of data sharing, what is clear is CIA added Tamerlan (with the wrong birth date and transliteration) to two more databases than FBI had, TIDES (a kind of centralized database) and TSDB (a centralized terrorist screening database) based on some reason to be suspicious. Just as significantly, according to NBC (which also spoke to a “US intelligence official,” though it doesn’t attribute this specific claim at all), CIA also passed on this information to several other agencies. “On Oct. 19, 2011, the CIA shared information on Tsarnaev with the National Counterterrorism Center (NCTC), DHS, the State Department and the FBI.”

Take a step back here and consider this claim. First, NBC’s source (or the unredacted report) would have you believe a legal alien in the US got added to the TSDB for alleged ties with extremists in Russia without NSA also getting notice of it. It would also have you believe that any further checks done into Tamerlan at this time never stumbled over the grisly Waltham murder committed just weeks earlier, or Tamerlan’s odd behavior afterwards. Tamerlan was getting added to databases, but no one made a Request for Information about the underlying claims involving people who could be legally targeted in Russia to the NSA, at least as far as the public story goes.

And note what doesn’t appear in the House report, but which does appear in Dzhokhar’s indictment?

Inspire magazine is an English language online publication of al-Qaeda in the Arabian Peninsula. Volume One of Inspire magazine, which is dated summer 2010, contains detailed instructions for constructing IEDs using pressure cookers, explosive powder from fireworks, shrapnel, adhesive, and other materials. IEDs constructed in this manner are designed to shred flesh, shatter bone, and cause extreme pain and suffering, as well as death.

[snip]

At a time unknown to the Grand Jury, but before on or about April IS, 2013, DZHOKHAR A. TSARNAEV downloaded to his computer a copy of Volume One of Inspire magazine, which includes instructions on how to build IEDs using pressure cookers or sections of pipe, explosive powder from fireworks, and shrapnel, among other things.

There are codes within Inspire that could and presumably are targeted under NSA’s upstream collection, meaning if such downloads in any way crossed key international switches, they might have been identified and tracked, along with metadata identifying Dzhokhar’s computer.

And yet, in spite of all these potential bread crumbs the NSA might have had, no one has thought to ask NSA whether they did. The HHSC didn’t ask NSA for information, And the joint IG report on the attacks did not include NSA’s IG.

Don’t get me wrong. I’m actually sympathetic to the idea that even the most diligent effort cannot prevent every attack. I’m not endorsing doing any more domestic collection than NSA already does — though what it does, it does precisely to identify people like Tamerlan, people who have conversations with known extremists overseas. According to both NSA and FBI’s rules, neither would have needed even Reasonable Articulable Suspicion into Tamerlan — though they clearly had that — to do a back door search on, say, Plotnikov’s communications. I’m also not saying this would make a lick of difference in Dzhokhar’s trial (though the allegation is that his computer, not Tamerlan’s, is the one with Inspire on it).

But if we’re going to do drawn out assessments every time we miss a terrorist attack, shouldn’t we also be assessing the actions or inactions of the people who run massive dragnets ostensibly because they’ll identify people like Tamerlan? If we’re going to have this dragnet — and if NSA is going to justify it by pointing to terrorism — shouldn’t we be assessing its role in actually preventing terrorism?

In Tsarnaev-Related Case, DOJ Suggests There Is No Dragnet

/31 Comments/in , /by

As a number of stories reported last week, two of Dzhokhar Tsarnaev’s college buddies charged with obstruction lost their bid to get the prosecution to turn over texts Dzhokhar sent. The AP has the most detailed account:

The defense requested all communications between Tsarnaev and the three men, as well as all communications between Tsarnaev and other people.

[snip]

Robert Stahl, [Dias] Kadyrbayev’s lawyer, said prosecutors told defense attorneys that Tsarnaev destroyed his cellphone before his arrest. Stahl said that in other cases he’s had, some text messages have been retrieved from cellphones through a service provider. He asked Judge Douglas Woodlock to ask prosecutors to seek those text messages and turn them over to the defense.

Assistant U.S. Attorney Stephanie Siegmann said prosecutors have already given the defense text messages between Tsarnaev and the three friends taken from the cellphones of the friends.

“I believe the messages we’ve given them are all we could get,” Siegmann told the judge.

Woodlock said the defense was not entitled to get text messages between Tsarnaev and anyone else because they would not be relevant to the defendants’ cases.

The BoGlo describes the dispute slightly differently, suggesting the defense asked for texts involving the defendants, with the prosecution responding they had provided the texts between Tsarnaev and the defendants.

He asked Woodlock to ask prosecutors to seek any text messages involving the defendants and turn them over to the defense.

Siegmann said prosecutors have already given the defense text messages between Tsarnaev and the three friends taken from the cellphones of the friends.

Which would be rather interesting given the way NSA collects communications about people (though it’s unclear how quickly an emergency collection can be collected).

Here’s ABC on that dispute. Reuters and Boston Herald focused on other disputes, including that witnesses gave a statement and/or were videotaped by cops, but that this was suppressed.

Before getting too far into these competing claims (at least as presented without a transcript, which I’ll take a look at down the road), let me take a step back.

The docket in this case, like Dzhokhar’s docket, has a bunch of gaps which presumably reflect sealed filings. Part of that involves the protective order in this case, though it (plus a presumed sealed motion “taken under advisement” is referenced in the minutes for an October hearing).

According to a schedule set on January 15, defendants were supposed to submit motions to compel discovery by February 28. But on some date (the official file date is March 3, which can’t be right), defendants filed to extend the deadline to March 1, in part because of new discovery that week. The defense submitted their motion to compel on March 3, the prosecution responded on March 7; both those filings are still sealed. The hearing was on March 10. So it’s possible that some of these issues, including the question of what texts are accessible to prosecutors in a case related to the Boston Marathon attack, just came up in the last several weeks.

So.

In response to a defense demand that — in a case where the key physical evidence (the computer and firecracker casings Dzhokhar’s friends are accused of throwing away) yielded no DNA or fingerprint evidence, where Dzhokhar is accused of destroying his phone within a day of the time he texted his friends suggesting they “take” what they want — the defense get the other texts Dzhokhar may have sent during this period, the prosecution did not, apparently make the argument the judge ultimately adopted, that these texts weren’t relevant. Rather, AUSA Stephanie Siegmann seems to have suggested that the government had no ability to get any other texts.

Not only would that suggest Dzhokhar managed to destroy his cell phone in precisely the sweet spot between the time the cops admit to having IDed them (assuming that claim is credible) and when he lost the physical ability to do so as he bled out in the boat in Watertown. (Remember, according to some narratives he was using it during the car chase the night before.) But it would also suggest the NSA has no ability to get text messages from providers once a cell phone has been destroyed (nor was able to get the receiving end of those text messages based on the metadata of the texts).

Golly. It’s as if no dragnet exists, even in spite of NSA claims they used that very same dragnet to gain “peace of mind” after the attack.

We won’t learn any more of this claim unless and until the defense appeals this decision.

But FBI’s claimed inability to access Dzhokhar’s text messages in this case does seem remarkable.