Posts

Judge Reggie Walton Is Pissed that Government Is Making Material Misstatements to FISC, Again

FISA Court Chief Judge Reggie Walton just issued a rather unhappy order requiring the government to explain why it materially misstated the facts about whether any plaintiffs had protection orders that governed the phone dragnet.

Generally, he wants to know why the government didn’t tell him that EFF had protection orders in the Jewel and Shubert cases. More specifically, he wants to know why they didn’t tell him that — as I reported here — the EFF had asked the government how they could claim there was no protection order when they had one in their suits of the larger dragnet.

A review of the E-mail Correspondence indicates that as early as February 26, 2014, the day after the government filed its February 25 Motion, the plaintiffs in Jewel and First Unitarian indeed sought to clarify why the preservation orders in Jewel and Shubert were not referenced in that motion. E-mail Correspondence at 6-7. The Court’s review of the E-mail Correspondence suggests that the DOJ attorneys may have perceived the preservation orders in Jewel and Shubert to be immaterial to the February 25 Motion because the metadata at issue in those cases was collected under what DOJ referred to as the “President’s Surveillance Program” (i.e., collection pursuant to executive authority), as opposed to having been collected under Section 215 pursuant to FISC orders — a proposition with which plaintiffs’ counsel disagreed. Id. at 4. As this Court noted in the March 12 Order and Opinion, it is ultimately up to the Northern District of California, rather than the FISC, to determine what BR metadata is relevant to the litigation pending before the court.

As the government is well aware, it has a heightened duty of candor to the Court in ex parte proceedings. See MODEL RULES OF PROF’L CONDUCT R. 3.3(d) (2013). Regardless of the government’s perception of the materiality of the preservation orders in Jewel and Shubert to its February 25 Motion, the government was on notice, as of February 26, 2014, that the plaintiffs in Jewel and First Unitarian believed that orders issued by the District Court for the Northern District of California required the preservation of the FISA telephony metadata at issue in the government’s February 25 Motion. E-mail Correspondence at 6-7. The fact that the plaintiffs had this understanding of the preservation orders–even if the government had a contrary understanding–was material to the FISC’s consideration of the February 25 Motion. The materiality of that fact is evidenced by the Court’s statement, based on the information provided by the government in the February 25 Motion, that “there is no indication that any of the plaintiffs have sought discovery of this information or made any effort to have it preserved.” March 7 Opinion and Order at 8-9.

The government, upon learning this information, should have made the FISC aware of the preservation orders and of the plaintiffs’ understanding of their scope, regardless of whether the plaintiffs had made a “specific request” that the FISC be so advised. Not only did the government fail to do so, but the E-mail Correspondence suggests that on February 28, 2014, the government sought to dissuade plaintiffs’ counsel from immediately raising this issue with the FISC or the Northern District of California. E-mail Correspondence at 5.

In a number of places, Walton provides an out for the government, suggesting they might just be stupid and not obstructing (those are my words, obviously). He even goes so far as to suggest that DOJ might have an internal communication problem between the Civil Division, which is litigating the EFF suits, and the National Security Division, which works with FISC.

But then he notes that both Civil AAG Stuart Delery and Acting NSD AAG John Carlin submitted the filings to him.

The government’s failure to inform the FISC of the plaintiffs’ understanding that the prior preservation orders require retention of Section 591 telephony metadata may have resulted from imperfect communication or coordination within the Department of Justice rather than from deliberate decision-making.4 Nonetheless, the Court expects the government to be far more attentive to its obligations in its practice before this Court.

4 Attorneys from the Civil Division of the Department of Justice participated in the E-Mail Correspondence with plaintiffs’ counsel. As a general matter, attorneys from the National Security Division represent the government before the FISC. The February 25 Motion, as well as the March 13 Response, were submitted by the Assistant Attorney General for the Civil Division and the Acting Attorney General for the National Security Division.

Frankly, I hope Walton ultimately tries to learn why he wasn’t told about these protection orders in more detail years ago, when the government was deciding whether or not to destroy evidence of lawbreaking that Walton first identified in 2009. I also hope he gets to the bottom of why Deputy Attorney General James Cole had to intervene in this issue. But for now, I’m happy to see DOJ taken to the woodshed for misinforming the Court.

Update: Meanwhile, on the other coast, Judge Jeffrey White issued a protection order that is far broader than the government would prefer it to be. The government had implied that the First Unitarian Church suit only covered Section 215; earlier this week (I’ve got a post half written on it), EFF argued they’re challenging the dragnet, irrespective of what authorization the government used to collect it. Nothing in White’s order limits the protection order to Section 215 and this passage seems to encompass the larger dragnet.

Defendants’ searching of the telephone communications information of Plaintiffs is done without lawful authorization, probable cause, and/or individualized suspicion. It is done in violation of statutory and constitutional limitations and in excess of statutory and constitutional authority. Any judicial, administrative, or executive authorization (including any business records order issued pursuant to 50 U.S.C. § 1861) of the Associational Tracking Program or of the searching of the communications information of Plaintiffs is unlawful and invalid.

Update: fixed a typo in which I inadvertently said Walton caused rather than found the lawbreaking in 2009.

The Government Has a Festering EO 12333 Problem In Jewel/First Unitarian

The government claims it does not have a protection order pertaining to the phone dragnet lawsuits because the suits with a protection order pertain only to presidentially-authorized programs.

The declaration made clear, in a number of places, that the plaintiffs challenged activities that occurred under presidential authorization, not under orders of the Foreign Intelligence Surveillance Court (FISC), and that the declaration was therefore limited to describing information collected pursuant to presidential authorization and the retention thereof.

Therefore, the government is challenging the EFF’s effort to get Judge Jeffrey White to reaffirm that the preservation orders in the Multidistrict Litigation and Jewel apply to the phone dragnet.

Fine. I think EFF can and should challenge that claim.

But let’s take the government at its word. Let’s consider what it would be obliged to retain under the terms laid out.

The government agrees it was obliged, starting in 2007, to keep the content and metadata dragnets that were carried out exclusively on presidential authorization. Indeed, the declaration from 2007 they submitted describing the material they’ve preserved includes telephone metadata (on tapes) and the queries of metadata, including the identifiers used (see PDF 53). It also claimed it would keep the reports of metadata analysis.

That information is fundamentally at issue in First Unitarian Church, the EFF-litigated challenge to the phone dragnet. That’s true for three reasons.

First, the government makes a big deal of their claim, made in 2007, that the metadata dragnet databases were segregated from other programs. Whether or not that was a credible claim in 2007, we know it was false starting in early 2008, when “for the purposes of analytical efficiency,” a copy of that metadata was moved into the same database with the metadata from all the other programs, including both the Stellar Wind phone dragnet data, and the ongoing phone dragnet information collected under EO 12333.

And given the government’s promise to keep reports of metadata analysis, from that point until sometime several years later, it would be obliged to keep all phone dragnet analysis reports involving Americans. That’s because — as is made clear from this Memorandum of Understanding issued sometime after March 2, 2009 — the analysts had no way of identifying the source of the data they were analyzing. The MOU makes clear that analysts were performing queries on data including “SIGINT” (EO 12333 collected data), [redacted] — which is almost certainly Stellar Wind, BRFISA, and PR/TT. So to the extent that any metadata report didn’t have a clear time delimited way of identifying where the data came from, the NSA could not know whether a query report came from data collected solely pursuant to presidential authorization or FISC order. (The NSA changed this sometime during or before 2011, and now metadata all includes XML tags showing its source; though much of it is redundant and so may have been collected in more than one program, and analysts are coached to re-run queries to produce them under EO 12333 authority, if possible.)

Finally, the real problem for the NSA is that the data “alerted” illegally up until 2009 — including the 3,000 US persons watchlisted without undergoing the legally required First Amendment review — was done so precisely because when NSA merged its phone dragnet data with the data collected under Presidential authorization — either under Stellar Wind or EO 12333 — it applied the rules applying to the presidentially-authorized data, not the FISC-authorized data. We know that the NSA broke the law up until about 5 years ago. We know the data from that period — the data that is under consideration for being aged off now — broke the law precisely because of the way the NSA mixed EO 12333 and FISC regulations and data.

The NSA’s declarations on document preservation — not to mention the declarations about the dragnets more generally — don’t talk about how the EO 12333 data gets dumped in with and mixed up with the FISC-authorized data. That’s NSA’s own fault (and if I were Judge White it would raise real questions for me about the candor of the declarants).

But since the government agreed to preserve the data collected pursuant to presidential authorization without modification (without, say, limiting it to the Stellar Wind data), that means they agreed to preserve the EO 12333 collected data and its poisonous fruit which would just be aging off now.

I will show in a follow-up post why that data should be utterly critical, specifically as it pertains to the First Unitarian Church suit.

But suffice it to say, for now, that the government’s claim that it is only obliged to retain the US person data collected pursuant to Presidential authorization doesn’t help it much, because it means it has promised to retain all the data on Americans collected under EO 12333 and queries derived from it.

The Clear Precedent for Carrie Cordero’s “Uncharted Territory” of Destruction of Evidence

Shane Harris has a report on the government’s odd behavior in regards to preserving the phone dragnet data in light of the suits challenging its legality.

It’s surprising on three counts. First, because he claims the legal back and forth has not previously been reported.

Now, that database will include phone records that are older than five years — not exactly the outcome that critics of the NSA program were hoping for. A dramatic series of legal maneuvers, which have not been previously reported, led to the outcome.

It’s surprising not just because the “legal maneuvers” have in fact been reported before (though not the detail that James Cole got involved, though it’s not yet clear how his involvement affected the actual legal maneuvers rather than the internal DOJ communication issues). But also because Harris neglects to mention key details of those legal maneuvers — notably that EFF reminded DOJ, starting on February 26, that it had preservation orders that should affect the dragnet data, reminders which DOJ stalled and then ignored.

Harris’ piece is also surprising because of the implicit suggestion that NSA hasn’t been aging off data regularly, as it is supposed to be.

A U.S. official familiar with the legal process said the question about what to do with the phone records needn’t have been handled at practically the last minute. “The government was coming up on a five-year deadline to delete the data. Lawsuits were pending. The Justice Department could have approached the FISC months ago to resolve this,” the official said, referring to the Foreign Intelligence Surveillance Court.

There should be no “deadline” here — aside from the daily “deadline” that should automatically age off the five year old data. Now, the WSJ had previously reported that that’s not actually how age-off works.

As the NSA program currently works, the database holds about five years of data, according to officials and some declassified court opinions. About twice a year, any call record more than five years old is purged from the system, officials said.

But even assuming NSA only ages off data twice a year (in which case they should stop claiming they only “keep” data for 5 years because they already keep some of it for 5 1/2 years), most of these suits are well older than 6 months old, predating what might have been an August age-off, which means unless NSA already deviated from its normal pattern, it deleted data relevant to the suits.

By far the most surprising detail in Harris’ story, however, is this response from former DOJ National Security Division Counsel Carrie Cordero to the news that Deputy Attorney General James Cole has gotten involved. This is, Cordero claims, “uncharted territory.”

“This is all uncharted territory,” said Carrie Cordero, a former senior Justice Department official who recently served as the counsel to the head of the National Security Division. “Given the complexity and the novelty of this chain of events, it’s a good thing that the deputy attorney general is personally engaged, and it demonstrates the significant attention that they’re giving to it.”

To be more specific about Cordero’s work history, from 2007 to 2011, she was deeply involved in FISA-related issues, first at ODNI and then at DOJ’s NSD.

In 2009, I served as Counsel to the Assistant Attorney General for National Security at the United States Department of Justice, where I co-chaired an interagency group created by the Director of National Intelligence (DNI) to improve FISA processes. From 2007–2009, I served in a joint duty capacity as a Senior Associate General Counsel at the Office of the Director of National Intelligence, where I worked behind the scenes on matters relating to the legislative efforts that resulted in the FISA Amendments Act of 2008.

Given her position in the thick of FISA-related issues, one would think she was at least aware of the protection order Vaughn Walker issued on November 6, 2007 ordering the preservation of evidence, up to and including “tangible things,” in the multidistrict litigation issues pertaining to the dragnet.

[T]he court reminds all parties of their duty to preserve evidence that may be relevant to this action. The duty extends to documents, data and tangible things in the possession, custody and control of the parties to this action,

And Cordero presumably should be aware that Walker renewed the same order on November 13, 2009, extending it to cover the Jewel suit, which had an ongoing focus.

Cordero is presumably aware of two other details. First, there should be absolutely no dispute that the phone dragnet was covered by these suits. That’s because at least as early as May 25, 2007 (and again in a declaration submitted October 2009), Keith Alexander included the phone dragnet among the things he considered related to the EFF and other suits over which he claimed state secrets.

In particular, disclosure of the NSA’s ability to utilize the TSP (or, therefore, the current FISA Court-authorized content collection) in conjunction with contact chaining [redacted–probably relating to data mining] would severely undermine efforts to detect terrorist activities.

[snip]

To the extent that the NSA’s bulk collection and targeted analysis of communication meta data may be at issue in this case, those activities–as described in paragraphs 27 and 28 above–must also be protected from disclosure.

In paragraphs 27 and 28 and the following paragraphs, Alexander named the FISC Pen Register and Telephone Records Orders by name.

Thus, as far back as 2007, the NSA acknowledged that it used its content collection in conjunction with its metadata dragnets, including data obtained pursuant to the FISA dragnet orders.


The Government Tries to Quickly Force Feed Its Dog Its Phone Dragnet Homework

I have been following the government’s claims that it needs to ~~make the phone dragnet plaintiffs look bad~~ preserve evidence in the phone dragnet cases. I noted:

  1. NSA’s claim, on February 20, that it might need to preserve the phone dragnet information
  2. EFF Legal Director Cindy Cohn’s observation that NSA already should have been preserving phone dragnet data because of earlier orders in EFF cases
  3. NSA’s own claim, in 2009, that it was under a preservation order that might prevent it from destroying illegal alert information
  4. NSA’s own quickness to destroy 3,000 violative files in 2012 when caught retaining data in ways it shouldn’t have been
  5. NSA’s rather bizarre claim — given their abysmal track record on this point — that a great concern about defendants’ rights meant they had to keep the data
  6. The likelihood that, that claim of concern about defendants’ rights notwithstanding, NSA had probably already destroyed highly relevant data pertaining to Basaaly Moalin
  7. FISC’s equally bizarre — given their own destruction of any normal meaning of the word, “relevant” — order to force the government to continue destroying the dragnet data

That last bit — FISC’s order that the government go on destroying data in spite of existing protection orders to retain it — happened Friday.

Since Friday, the EFF has been busy.

First, it filed a motion for a Temporary Restraining Order to retain the records, pointing out that there have been two preservation orders in effect for at least 5 years that should govern the phone dragnet.

There has been litigation challenging the lawfulness of the government’s telephone metadata collection activity, Internet metadata collection activity, and upstream collection activity pending in the Northern District of California continuously since 2006. The government has been under evidence preservation orders in those lawsuits continuously since 2007.

The first-filed case was Hepting v. AT&T, No. 06-cv-0672 (N.D. Cal). It became the lead case in the MDL proceeding in this district, In Re: National Security Agency Telecommunications Records Litigation, MDL No. 06-cv-1791-VRW (N.D. Cal). On November 6, 2007, this Court entered an evidence preservation order in the MDL proceeding. ECF No. 393 in MDL No. 06-cv-1791-VRW. One of the MDL cases, Virginia Shubert, et al., v. Barack Obama, et al. No. 07-cv-0603-JSW (N.D. Cal.), remains in litigation today before this Court, and the MDL preservation order remains in effect today as to that case.

In 2008, movants filed this action—Jewel v. NSA—and this Court related it to the Hepting action. This Court entered an evidence preservation order in Jewel. ECF No. 51. The Jewel evidence preservation order remains in effect as of today.

EFF also filed a similar motion with the FISA Court.

And it provided all the emailed reminders it sent the government, starting on February 26 after the government filed a motion with FISC to destroy the data, that it was already under a preservation order. On February 28, DOJ asked EFF to hold off until roughly March 5. But DOJ did nothing at that time, and EFF followed up again on March 7, after the order, asking how it was that the FISC didn’t know that existing preservation orders covered the phone dragnet. In response, DOJ’s Marcia (Marcy) Berman got dragged back into the case to give this convincing response.

[T]he Government’s motion to the FISC, and the FISC’s decision today [March 7], addressed the recent litigation challenging the FISC-authorized telephony metadata collection under Section 215 — litigation as to which there are no preservation orders. As we indicated last week, the Government’s motion did not address the pending Jewel (and Shubert) litigation because the district court had previously entered preservation orders applicable to those cases. As we also indicated, since the entry of those orders the Government has complied with our preservation obligations in those cases. At the time the preservation issue was first litigated in the MDL proceedings in 2007, the Government submitted a classified ex parte, in camera declaration addressing in detail the steps taken to meet our preservation obligations. Because the activities undertaken in connection with the President’s Surveillance Program (PSP) were not declassified until December 2013, we were not able to consult with you previously about the specific preservation steps that have been taken with respect to the Jewel litigation. However, the Government described for the district court in 2007 how it was meeting its preservation obligations, including with respect to the information concerning the PSP activities declassified last December. We have been working with our clients to prepare an unclassified summary of the preservation steps described to the court in 2007 so that we can address your questions in an orderly fashion with Judge White, if you continue to believe that is necessary.

After San Francisco Judge Jeffrey White ordered the government to explain itself, the government changed the timeline, suppressing the fact that they told EFF to hold off on making any filings. It also said it would just have to keep destroying data.

Therefore, in light of the FISC’s March 7 order, the Government currently remains subject to orders of the FISC—the Article II Court established by Congress with authority to issue orders pursuant to FISA and to impose specific minimization requirements—which orders require the destruction of call-details records collected by the NSA pursuant to Section 215 that are more than five years old.

In light of the obligations created by those orders, on March 7, 2014, upon receipt of the FISC’s decision, the Government filed a notice in First Unitarian and other cases challenging the legality of the Section 215 telephony metadata program of the Government’s intention, as of the morning of Tuesday, March 11, 2014, to comply with applicable FISC orders requiring the destruction of call-detail records at this time, absent a court order to the contrary.

Judge White was not impressed — he issued an order requiring the government to retain the data.

There are two things, even at first glance, that don’t make sense about all this.

First, there’s still one case that hasn’t been officially mentioned in any court discussion of retaining data I know of: Basaaly Moalin’s challenge to his dragnet identification, based off 2007 data that has probably already been destroyed but which almost certainly would reflect the many violations characteristic of the program at the time.

Then there’s the likelihood that one or both of the EFF cases was the case mentioned on February 17, 2009 — just over the 5 year age-off period at this point — regarding age-off requirements. If it was relevant then, why isn’t it now? Note, Reggie Walton is still presiding over the same decisions, so if that earlier case were an EFF one, Walton should know about it.

I would normally think this charade was just two sides lobbying for good press. Except that the phone dragnet data from just over 5 years ago — the stuff that would age off if the government followed FISC’s order — would show a great deal of violations, almost certainly constitutionally so.

So who is the entity in such a rush to destroy that data? DOJ? Or the FISC?

Is Twitter EFF’s Second NSL Client?

In the past, I’ve tracked the efforts of a telecom — which WSJ convincingly argued was Credo — to challenge a 2011 National Security Letter. It has the support of EFF on that challenge. I also noted language in Credo’s Transparency Report (which was issued after DOJ permitted providers to give broad bands for NSLs, but before DOJ permitted them to give broad bands for other national security demands) saying it was prohibited from giving more information about NSLs and Section 215 orders.

It is important to note that it may not be possible for CREDO or any telecom carrier to release to the public a full transparency report, as the USA PATRIOT Act and other statutes give law enforcement the ability to prevent companies from disclosing whether or not they have received certain orders, such as National Security Letters (NSLs) and Section 215 orders seeking customer information. [my emphasis]

Today, EFF noted that it has filed what should be its response to the government’s appeal in that case.

Only, it makes clear it is representing not just the known telecom client, but also an Internet client.

The Electronic Frontier Foundation (EFF) filed two briefs on Friday challenging secret government demands for information known as National Security Letters (NSLs) with the Ninth Circuit Court of Appeals. The briefs—one filed on behalf of a telecom company and another for an Internet company—remain under seal because the government continues to insist that even identifying the companies involved might endanger national security.

While the facts surrounding the specific companies and the NSLs they are challenging cannot be disclosed, their legal positions are already public: the NSL statute is a violation of the First Amendment as well as the constitutional separation of powers.

Now, one obvious potential Internet client would be Google. It is known to have fought NSLs in Judge Susan Illston’s court and lost.

But I wonder whether it isn’t Twitter.

I say that, first of all, because of the cryptic language in Twitter’s own Updated Transparency Report, which was released after the DOJ settlement which should have permitted it to report NSLs. But instead of doing so, it pointed out that it can’t report its national security orders, if any, with enough particularity. It called out NSLs specifically. And it used a language of prohibition.

Last week, the U.S. Department of Justice and various communications providers reached an agreement allowing disclosure of national security requests in very large ranges. While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public, especially for entities that do not receive a significant number of – or any – national security requests.

As previously noted, we think it is essential for companies to be able to disclose numbers of national security requests of all kinds – including national security letters and different types of FISA court orders – separately from reporting on all other requests. For the disclosure of national security requests to be meaningful to our users, it must be within a range that provides sufficient precision to be meaningful. Allowing Twitter, or any other similarly situated company, to only disclose national security requests within an overly broad range seriously undermines the objective of transparency. In addition, we also want the freedom to disclose that we do not receive certain types of requests, if, in fact, we have not received any.

Unfortunately, we are currently prohibited from providing this level of transparency. We think the government’s restriction on our speech not only unfairly impacts our users’ privacy, but also violates our First Amendment right to free expression and open discussion of government affairs. We believe there are far less restrictive ways to permit discussion in this area while also respecting national security concerns. Therefore, we have pressed the U.S. Department of Justice to allow greater transparency, and proposed future disclosures concerning national security requests that would be more meaningful to Twitter’s users. We are also considering legal options we may have to seek to defend our First Amendment rights. [my emphasis]

It was a defiant Transparency Report, and it discussed prohibitions in a way that no one else — except Credo — had done.

Moreover, it would make sense that EFF would be permitted to represent Twitter in such a matter, because it already had a role in Twitter’s challenge of the Administrative subpoena for various WikiLeaks associates’ Twitter data.

Finally, EFF notes that this Internet client is fighting just 2 NSLs; Google is fighting 19.

The very same day that the district court issued that order striking down the statute, a second EFF client filed a similar petition asking the same court to declare the NSL statute to be unconstitutional and to set aside the two NSLs that it received.

Notwithstanding the fact that it had already struck down the NSL statute on constitutional grounds in EFF’s first NSL case, but indicating that it would be up to the Ninth Circuit to evaluate whether that evaluation was correct, the district court denied EFF’s client’s petition and ordered them to comply with the remaining NSL in the interim.

If Twitter is the client, it would present real First Amendment issues. It would suggest that, after Twitter took the rare step of not just challenging but giving notice in an Administrative subpoena, DOJ decided to use NSLs, which are basically Administrative subpoenas with additional gags, in response.

Update: in potentially related news, Verizon just updated its Transparency Report, claiming it can’t provide details on some bulk orders.

We note that while we now are able to provide more information about national security orders that directly relate to our customers, reporting on other matters, such as any orders we may have received related to the bulk collection of non-content information, remains prohibited.

In Sworn Declaration about Dragnet, NSA Changes Its Tune about Scope of “This Program”

I’ve been tracking the sudden effort on the part of NSA to minimize how much of the call data in the US it collects (under “this program,” Section 215).

That effort has, unsurprisingly, carried over to its sworn declarations in lawsuits.

Along with the response in the First Unitarian Church of Los Angeles v. NSA suit the government filed last Friday (this is the EFF-backed suit that challenges the phone dragnet on Freedom of Association as well as other grounds), NSA’s Signals Intelligence Director Theresa Shea submitted a new declaration about the scope of the program.

Ostensibly, Shea’s declaration serves to explain the “new” “changes” Obama announced last month, which the FISA Court approved on February 4. As I have noted, in one case the “change” simply formalized NSA’s existing practice and in the other it’s probably not a big change either.

In addition to her explanation of those “changes,” Shea included this language about the scope of the dragnet.

Although there has been speculation that the NSA, under this program, acquires metadata relating to all telephone calls to, from, or within the United States, that is not the case. The Government has acknowledged that the program is broad in scope and involves the collection and aggregation of a large volume of data from multiple telecommunications service providers, but as the FISC observed in a decision last year, it has never captured information on all (or virtually all) calls made and/or received in the U.S. See In re Application of the FBI for an Order Requiring the Production of Tangible Things from [Redacted], Dkt. No. BR13-109 Amended Mem. Op. at 4 n.5 (F.I.S.C. Aug. 29, 2013) (publicly released, unclassified version) (“The production of all call detail records of all persons in the States has never occurred under this program.”) And while the Government has also acknowledged that one provider was the recipient of a now-expired April 23, 2013, Secondary Order from the FISC (Exhibit B to my earlier declaration), the identities of the carriers participating in the program (either now, or at any time in the past) otherwise remain classified. [my emphasis]

Shea appears to be presenting as partial a picture of the dragnet as she did in her prior declaration, where she used expansive language that — if you looked closely — actually referred to the entire dragnet, not just the Section 215 part of it.

Here, she’s selectively citing the declassified August 29, 2013 version of Claire Eagan’s July 19, 2013 opinion. The latter date is significant, given that the day the government submitted the application tied to that order, NSA General Counsel Raj De made it clear there were 3 providers in the program (see after 18:00 in the third video). These are understood to be AT&T, Sprint, and Verizon.

Shea selectively focuses on language that describes some limits on the dragnet. She could also note that Eagan’s opinion quoted language suggesting the dragnet (at least in 2011) collected “substantially all” of the phone records from the providers in question, but she doesn’t, perhaps because it would present problems for her “virtually all” claim.

Moreover, Shea’s reference to “production of all call detail records” appears to have a different meaning than she suggests it has when read in context. Here’s what the actual language of the opinion says.

Specifically, the government requested Orders from this Court to obtain certain business records of specified telephone service providers. Those telephone company business records consist of a very large volume of each company’s call detail records or telephony metadata, but expressly exclude the contents of any communication; the name, address, or financial information of any subscriber or customer; or any cell site location information (CSLI). Primary Ord. at 3 n.l.5

5 In the event that the government seeks the production of CSLI as part of the bulk production of call detail records in the future, the government would be required to provide notice and briefing to this Court pursuant to FISC Rule 11. The production of all call detail records of all persons in the United States has never occurred under this program. For example, the government [redacted] [my emphasis]

In context, the reference discusses not just whether the records of all the calls from all US telecom providers (AT&T, Sprint, and Verizon, which participated in this program on the date Eagan wrote the opinion, but also T-Mobile and Cricket, plus VOIP providers like Microsoft, owner of Skype, which did not) are turned over, but also whether each provider that does participate (AT&T, Sprint, and Verizon) turns over all the records on each call. The passage makes clear they don’t do the latter; AT&T, Sprint, and Verizon don’t turn over financial data, name, or cell location, for example! And since we know that at the time Eagan wrote this opinion, there were just those 3 providers participating, clearly the records of providers that didn’t use the backbone of those 3 providers or, in the case of Skype, would be inaccessible, would be missed. So not all call detail records from the providers that do provide records, nor records covering all the people in the US. But still a “very large volume” from AT&T, Sprint, and Verizon, the providers that happen to be covered by the suit.

And in this declaration, instead of using the number De used last July, Shea instead refers to “multiple telecommunications service providers,” which could be 50, 4, 3, or 2, or anywhere in between. Particularly given her “either now, or at any time in the past” language, this suggests the number of providers participating may have changed since July.

Which brings me to the two other implicit caveats in her statement.

First, she suggests (ignoring the time ODNI revealed Verizon’s name a second time) that the only thing we can be sure of is that Verizon provided all its domestic data for the 3 months following April 23, 2013.

Actually, we can be fairly sure that at least until January 3, Verizon still participated. That’s because the Primary Order approved on that date still includes a paragraph that — thanks to ODNI’s earlier redaction fail — we know was written to ensure that Verizon didn’t start handing over its foreign call records along with its domestic ones.


Though curiously, the way in which DOJ implemented the Obama-directed changes — the ones that Shea’s declaration supposedly serves to explain — involved providing substitute language affecting a huge section of the Primary Order, without providing a new Primary Order itself. So we don’t know whether ¶1(B) — what I think of as the Verizon paragraph — still exists, or even whether it still existed on February 4, when Reggie Walton approved the change.

Which is particularly interesting given that Shea’s declaration just happened to be submitted on the date, February 21, when a significant change in Verizon’s structure may have affected how NSA gets its data. (That date was set in December by a joint scheduling change.)

One way or another, Shea’s claim that the dragnet doesn’t collect all or even virtually all phone records is very time delimited, certainly allowing the possibility that the scope of the dragnet has changed since the plaintiffs filed this suit on July 16, 3 days before Eagan explicitly excluded cell location data from the dragnet collection, which is the reason NSA’s leak recipients now give for limits on the scope of the program.

The claim is also — as claims about Section 215 always are — very program delimited. In her statement claiming limits on how much data the NSA collects, Shea makes 2 references to “this program” and quotes Eagan making a third. She’s not saying the NSA doesn’t collect all the phone data in the US (I don’t think they quite do that either, but I think they collect more US phone data than they collect under this program). She’s saying only that it doesn’t collect “virtually all” the phone data in the US “under this program.”

Given her previously expansive declaration (which implicitly included all the other dragnet collection methods), I take this declaration as a rather interesting indicator of the limits to the claims about limits to the dragnet.

NSA’s Data Retention Oddities

NSA’s defenders are enjoying this one: WSJ says that NSA may temporarily have to expand the phone dragnet (it really means retain more data) because of all the lawsuits to end it.

A number of government lawyers involved in lawsuits over the NSA phone-records program believe federal-court rules on preserving evidence related to lawsuits require the agency to stop routinely destroying older phone records, according to people familiar with the discussions. As a result, the government would expand the database beyond its original intent, at least while the lawsuits are active.

No final decision has been made to preserve the data, officials said, and one official said that even if a decision is made to retain the information, it would be held only for the purpose of litigation and not be subject to searches.

There is actually a precedent for this. In 2009, as NSA was trying to clean up its alert list and other violations, it told the FISA Court it might not be able to destroy all the alert notices because of ongoing litigation.

With respect to the alert process, after this compliance matter surfaced, NSA identified and eliminated analyst access to all alerts that were generated from the comparison of non-RAS approved identifiers against the incoming BR FISA material. The only individuals who retain continued access to this class of alerts are the Technical Director for NSA’s Homeland Security Analysis Center (“HSAC”) and two system developers assigned to HSAC. From a technical standpoint, NSA believes it could purge copies of any alerts that were generated from comparisons of the incoming BR FISA information against non-RAS approved identifiers on the alert list. However, the Agency, in consultation with DoJ, would need to determine whether such action would conflict with a data preservation Order the Agency has received in an ongoing litigation matter.

Though I can’t think of any follow-up confirming whether NSA believed this massive violation should or should not be retained in light of ongoing litigation.

As EFF’s Cindy Cohn notes in the WSJ article, if NSA should be retaining data, it should date back to when a judge first issued a preservation order.

Cindy Cohn, legal director at the Electronic Frontier Foundation, which also is suing over the program, said the government should save the phone records, as long as they aren’t still searchable under the program. “If they’re destroying evidence, that would be a crime,” she said.

Ms. Cohn also questioned why the government was only now considering this move, even though the EFF filed a lawsuit over NSA data collection in 2008.

In that case, a judge ordered evidence preserved related to claims brought by AT&T customers. What the government is considering now is far broader.

Though when I saw reference to the litigation in the 2009 filing, I wondered whether it might be either the al-Haramain suit or one of the dragnet suits, potentially including EFF’s suit.

Here’s what confuses me about all this data retention business.

If the NSA is so cautious about retaining evidence in case of a potential crime, then why did it just blast away the 3,000 files of phone dragnet information they found stashed on a random server, which may or may not have been mingled in with STELLAR WIND data it found in 2012? Here’s how PCLOB describes the data and its destruction, which differs in some ways from the way NSA described it to itself internally.

In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit.

According to the NSA, they didn’t know how or why or when the data ended up where it wasn’t supposed to be or even if it had really been retained past the age-off date.

Heck, those 3,000 files potentially mixed up with STELLAR WIND data seem like precisely the kind of thing EFF’s Jewel suit might need to access.

But it’s all gone!

One final detail. Here’s how WSJ says the system currently ages off data.

As the NSA program currently works, the database holds about five years of data, according to officials and some declassified court opinions. About twice a year, any call record more than five years old is purged from the system, officials said.

This is not how witnesses have consistently described the age-off system. It adds up to 6 months on the age-off, in what appears to be non-compliance with the unredacted parts of the phone dragnet orders.

Update: Adding one more thing. WSJ suggests NSA may have to keep the data because it might help some of the plaintiffs get standing. The only way that’s true is if NSA stopped getting Verizon cell data from Verizon starting in 2009.

For most of the plaintiffs, standing should be no problem. They’re Verizon Business Service customers. But Larry Klayman is just a cell phone customer. A 5-year age off (ignoring the semi-annual purge detail) would mean they’d be getting rid of data collected in February 2009, just as NSA was working through the violations and before the May 29, 2009 order for Verizon to stop handing over its foreign data (also before Reggie Walton shut down Verizon production for a 3 month period later in 2009). I’m not sure I buy all that, but it is the only way standing might depend on data retention.

James Clapper Claims Publicly Acknowledged Details Are State Secrets While Boasting of Transparency

Between documents leaked by Edward Snowden, official court submissions, and official public statements, we know at least the following about the surveillance system set up after 9/11 and maintained virtually intact to this day:

  • Around 8-14% of the content collected under Bush’s illegal program was domestic content (page 15 of the NSA IG Report says this constituted 8% of all the illegal wiretap targets but the percentage works out to be higher)
  • Some of the content collected via ongoing upstream collection currently includes intentionally-collected domestic content (NSA refuses to count this, even for the FISA Court)
  • Bush’s illegal wiretap program targeted Iraqi Intelligence Service targets, as well as targets affiliated with al Qaeda and its associates (see page 8)
  • NSA uses the phone metadata program with Iranian targets, as well as targets affiliated with al Qaeda and its associates
  • Both the illegal wiretap program and the Internet dragnet authorized under Pen Register/Trap and Trace in 2004 collected information that (because of the way TCP/IP works) would be legally content if treated as electronic surveillance
  • The NSA still conducts an Internet dragnet via collection overseas, which not only would permit the metadata-as-content collection, but would permit far more collection on US persons; that collection is seamlessly linked to the domestic dragnet collection
  • NSA uses the dragnets to decide which of the content the telecoms have briefly indiscriminately collected to read

That is, the surveillance system is not so much discrete metadata programs and content programs directed overseas, directed exclusively against al Qaeda or even terrorists. Rather, it is a system in which network analysis plays a central role in selecting which collected content to read. That content includes entirely domestic communication. And targets of the system have not always been — and were not as recently as June — limited to terrorists.

These details of the surveillance system — along with the fact that AT&T and Verizon played the crucial role of collecting content and “metadata” off domestic switches — are among the details James “Least Untruthful” Clapper, with backup from acting Deputy Director of NSA Frances Fleisch, declared to still be state secrets on Friday, in spite of their public (and in many cases, official) acknowledgement.

In doing so, they are attempting to end the last remaining lawsuits for illegal wiretapping dating to 2006 by prohibiting discussion of the central issue at hand: the government has repeatedly and fairly consistently collected the content of US persons from within the US, at times without even the justification of terrorism. (For more background on Jewel v. AT&T, see here.)

Here’s how Clapper, with a nod to Fleisch, lays out the rebuttal of the Jewel plaintiffs.

the NSA’s collection of the content of communications under the TSP was directed at international communications in which a participant was reasonably believed to be associated with al-Qa’ida or an affiliated organization. Thus, as the U.S. Government has previously stated, plaintiff’s allegation that the NSA has indiscriminately collected the content of millions of communications sent or received by people inside the United States after September 11, 2001, under the TSP is false.

There are several weasel parts of this claim.

The “Terrorist Surveillance Program” and the “Other Target Surveillance Program”

First, to make this claim, Clapper (and Fleisch) revert to use of “Terrorist Surveillance Program,” a term invented to segment off the part of the larger illegal wiretap program that George Bush was willing to confess to in December 2005, that involving international communications with a suspected al Qaeda figure. But as Fleisch admits — but doesn’t explain — at ¶20, the TSP is just a subset of the larger Presidential Surveillance Program.

EFF: The Fourth Amendment Is Not Top Secret

EFF is requesting that the judge in its FOIA for the October 3, 2011 John Bates FISA Court opinion, Amy Berman Jackson, review the redactions currently in the document to ensure they are properly classified. (h/t Mike Scarcella) It argues the court should undertake such a review because disclosure of the things DOJ had previously claimed were Top Secret has now proven “the agency’s previous blanket withholding assertions were overbroad and wholly without merit.”

To support that case, they point to this passage originally withheld from production.

Upon even a cursory review of the Opinion, it is apparent, DOJ’s blanket exemption claims were far broader than the law allows. For example, this passage, according to the agency, was appropriately “classified at the TOP SECRET level” and withheld from the Opinion:

The Fourth Amendment provides:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Opinion at 67 (reciting Fourth Amendment); see also Bradley Decl., ¶ 5 (Opinion “withheld in full pursuant to FOIA Exemptions b(1) and b(3)”).

Now, I’m actually not sure about this argument. In recent years, after all, the Fourth Amendment has been almost entirely disappeared without a trace. I wouldn’t be surprised if the government had disappeared it as a conscious policy decision. So perhaps they really do maintain that the Fourth Amendment must now be hidden pursuant to the Executive Order governing classified information.

Technically, the government previously argued that revealing the existence and text of the Fourth Amendment would cause exceptionally grave harm to the United States — that’s what the Top Secret classification it withheld this material under means. [Update: Or, as Nigel puts it, that the opinion referenced the Fourth. Except that’s even more absurd because the FOIA was a response to Ron Wyden’s declassification of a statement that said the FISC had found in this opinion that the program violated the Fourth.]

We’ll see whether Judge Jackson agrees that was a reasonable claim.