I mentioned earlier that the FBI withheld information on the Bureau’s use of phone dragnet tippers from DOJ’s Inspector General long enough to make any review unusable for Congress’ consideration before it passed USA F-ReDux.
That’s important because of this passage from the Stellar Wind IG Report.
Another consequence of the Stellar Wind program and the FBI’s approach to assigning leads was that many threat assessments were conducted on individuals located in the United States, including U.S. persons, who were determined not to have any nexus to terrorism or represent a threat to national security.402 These assessments also caused the FBI to collect and retain a significant amount of personal identification about the users of tipped telephone numbers and e-mail addresses. In addition to an individual’s name and home address, such information could include where the person worked, records of foreign travel, and the identity of family members. The results of these threat assessments and the information that was collected generally were reported in communications to FBI Headquarters and uploaded into FBI databases.
The FBI’s collection of U.S. person information in this manner is ongoing under the NSA’s FISA-authorized bulk metadata collection. To the extent leads derived from this program generate results similar to those under Stellar Wind, the FBI will continue to collect and retain a significant amount of information about individuals in the United States, including U.S. persons, that do not have a nexus to terrorism or represent a threat to national security.
We recommend that as part of the [redacted] project, the Justice Department’s National Security Division (NSD), working with the FBI, should collect addresses disseminated to FBI field offices that are assigned as Action leads and that require offices to conduct threat assessments. The information compiled should include whether individuals identified in threat assessments are U.S. or non-U.S. persons and whether the threat assessments led to the opening of preliminary or full national security investigations. With respect to threat assessments that conclude that users of tipped telephone numbers or e-mail addresses are not involved in terrorism and are not threats to national security, the Justice Department should take steps to track the quantity and nature of U.S. person information collected and how the FBI retains and utilizes this information. This will enable the Justice Department and entities with oversight responsibilities, including the OIG and congressional committees, to assess the impact this intelligence program has on the privacy interests of U.S. persons and to consider whether, and for how long, such information should be retained. (PDF 666-7/329-330)
After a preceding section talking about how many of the tippers to FBI — which, after all, may be two hops away from someone of interest — weren’t all that useful, DOJ’s IG (the current IG, Michael Horowitz’s predecessor, Glenn Fine) noted how many Americans with no nexus to terrorism nevertheless have their names, home addresses, workplace, travel records, and family members’ identities collected and stored in an FBI database, potentially for decades. And, we now know, those assessments would include a search for any previously-collected content, which the FBI could read without a warrant.
Fine recommended that FBI begin to track what happens with the Americans sucked up in PATRIOT-authorized dragnets.
But we can be virtually certain FBI chose not to heed that recommendation, because it hasn’t heeded similar recommendations with NSLs, and because FBI refuses to track any of their other FISA-related activities.
And Horowitz has been very disciplined in following up on previous IG recommendations in reports that follow up on like topics, so that is likely one of the things he planned to investigate with his focus on the “receiving, processing, and disseminating [of] leads” from the phone dragnet.
The review will examine the FBI’s procedures for receiving, processing, and disseminating leads the NSA develops from the metadata, as well as any changes that have been made to these procedures over time. The review will also examine how FBI field offices respond to leads and the scope and type of information field offices collect as a result of any investigative activity that is initiated. In addition, the review will examine the role the leads have had in FBI counterterrorism efforts
Frankly, because NSA had to curtail so much of what they were doing with the phone dragnet in 2009, there should be fewer Americans sucked up in the dragnet now then there was when Fine did his Stellar Wind review in 2008-09. Though if FBI continued to require an assessment of every new identifier, it would still result in a lot of innocent Americans having their lives unpacked and stored for 30 years by the FBI.
But those numbers will likely be higher — potentially significantly higher — under USA F-ReDux, because any given query will draw off of more kinds of information. More importantly, FBI is exempted from counting the queries it does on any database of call detail records obtained under the new CDR function.
(C) the number of search terms that included information concerning a United States person that were used to query any database of call detail records obtained through the use of such orders;
(A) FEDERAL BUREAU OF INVESTIGATION.—Paragraphs (2)(A), (2)(B), and (5)(C) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.
This strongly suggests the data will come in through the FBI, be treated under FBI’s far more permissive (than NSA’s) minimization procedures, and searched regularly. Which likely means the privacy implications of innocent Americans sucked up into the dragnet will be far worse. And all that’s before any of the analysis NSA will do on these query results.
There was no public consideration of the privacy impact of the innocent Americans sucked in under the CDR function during the USA F-ReDux debate (though I wrote about it repeatedly).
But if DOJ’s IG intended to include past recommendations in its review of what FBI does with the phone dragnet data — which would be utterly consistent with past practice — that’s one of the things this review, the review FBI stalled beyond the point when it could be useful, would have focused on.
For over a year, Congress has been working on a “reform” to Section 215 that it claims will rein in abusive government spying.
DOJ has finally managed to release the report.
It confirms a number of things I have been reporting for years: that the government uses the provision to collect records that have nothing to do with phone records in bulk, the majority of which are now Internet records, definitely including URLs and probably including subject lines.
But the takeaway report is something else I’ve been reporting on for some time.
The government completely blew off a requirement imposed with the 2006 PATRIOT Act Reauthorization that the FBI (which is the only agency that’s supposed to use Section 215) adopt minimization procedures specifically for Section 215. Even after FBI missed its September 2006 deadline by claiming it had Interim Procedures, FISC kept approving Section 215 orders, even including paragraphs that appear in every phone dragnet order claiming the government has met that statutory requirement. A year after DOJ’s Inspector General pointed out FBI was violating the statute, FISC started imposing its own minimization procedures and reporting requirements (though not — as a court operating with more transparency might have done — denying orders). Finally, in March 2013, DOJ adopted minimization procedures (though it did not start actually complying with them until more than four months after Edward Snowden’s leaks focused more attention on bulk 215 orders).
In other words, Congress imposed a mandate designed to protect innocent Americans’ privacy in 2006. And DOJ blew that statutory mandate off for years. And FISC let it do so for years, approving order after order requiring FBI to have fulfilled that mandate. And only after 7 years (and some unexpected transparency) did DOJ start following the law.
These are the people Congress is rushing headlong to provide new authorities (including an Emergency provision that is designed to invite abuse): government agencies who simply refuse to follow Congressional mandates.
As I noted earlier, the House Judiciary Committee just released a new version of USA Freedom Act, which I’ve dubbed USA F-ReDux. I’ll have a lot more to say about it, but I want to make two minor point about things that got taken out of Leahy’s bill from last year.
First, last year’s bill had minimization procedures tied to bulky Section 215 collection effectively requiring the government to destroy the data that had not been determined to be two hops from a target within a period of time.
(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—
(i) a subject of an authorized investigation;
(ii) a foreign power or a suspected agent of a foreign power;
(iii) reasonably likely to have information about the activities of—
(I) a subject of an authorized 21 investigation; or
(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation;
(iv) in contact with or known to—
(I) a subject of an authorized investigation; or
(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation,
Those minimization procedures resemble what we’ve seen from the minimization procedures FISC imposed on the phone dragnet, which probably means they also resemble what FISC was imposing in other cases. In the previous year (2013), FISC had imposed minimization procedures on almost 80% of all orders.
In other words, the clause basically required the government to do what the FISC was probably already forcing it to do in the majority of orders (which, in any case, permitted the government to keep, indefinitely, the records associated with people two hops out of someone whom the government had a traffic stop suspicion had ties to terror or spying).
Last year, however, the FISC modified fewer than 3% of orders, and at least one of those was probably a phone dragnet one. Perhaps the change means the government finally started complying with the requirement laid out in 2006 that it adopt minimization procedures (the impending Section 215 IG Report likely created an incentive to do that, as following the law on minimization was one of the recommendations Glenn Fine had made in 2008, so Michael Horowitz surely followed up on that recommendation; plus, the generally law-abiding James Baker assumed FBI’s General Counsel role in this period). Perhaps it means the government stopped making bulky collections (though that is unlikely). But for some reason, the number of orders on which the FISC imposed minimization procedures and a report back fell off a cliff.
And now the requirement that the government adopt minimization procedures for bulky collection is gone from the bill.
I might be alarmed by that, but this year’s bill does add a Rule of Construction clarifying that the FISA Court can impose additional minimization procedures on top of what the bill requires the government to adopt for Section 215. So it may be that if the FBI returns to its recidivist ways on minimization procedures, we’ll see the number of modified orders spike again.
I’m more concerned about what happened on the Pen Register side.
Last year, the PRTT section added new “privacy” (not “minimization”) procedures.
IN GENERAL.—The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include privacy protections that apply to the collection, retention, and use of information concerning United States persons.
Compare how squishy those privacy procedures are to the required Section 215 minimization procedures FBI blew off for years.
A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;
(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 1801 (e)(1) of this title, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and
Rather than requiring the procedures minimize the retention and dissemination, the bill required only that privacy protections be applied. And there was no requirement limiting dissemination of non-foreign intelligence data.
But at least there were privacy procedures, right? Baby steps?
Last year’s bill had, and this year’s bill retains, a Rule of Construction (like that added to Section 215) that notes nothing limits FISC’s power to impose additional minimization procedures.
(2) RULE OF CONSTRUCTION.—Nothing in this subsection limits the authority of the court established under section 103(a) or of the Attorney General to impose additional privacy or minimization procedures with regard to the installation or use of a pen register or trap and trace device.
Which is all well and good, but FISC’s authority to do so with PRTT has no statutory basis, unlike Section 215. And during both the 2004 initial application for the Internet dragnet and John Bates’ 2010 reauthorization of it, the government made some fairly aggressive claims about FISC’s impotence to do anything but rubber stamp applications. So this Rule of Construction may not have the same weight as that in Section 215.
Which is why I worry that this section was removed from the bill.
(3) COMPLIANCE ASSESSMENT.—At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the privacy procedures required by this subsection by reviewing the circumstances under which information concerning United States persons was collected, retained, or disseminated.
As the documents on the phone dragnet violations showed, unless FISC has and exercises the authority to ensure compliance with minimization procedures, the government will cheat (or, more charitably, not find systematic years-long violations staring them in the face). FISC seemed to recognize this when it imposed compliance reports on its minimization of Section 215 orders in recent years. But it won’t have statutory authority to review assessment with these already-squishy “privacy procedures.”
Footnote 147 of the DOJ IG Report on Stellar Wind (PDF 462-3) modifies a discussion of the discussions on March 6 and 7, 2004 in which Jack Goldsmith and Patrick Philbin informed David Addington and Alberto Gonzales that they could not reauthorize Stellar Wind — in spite of applying a relaxed standard of review — because the White House wanted them to affirm that John Yoo’s November 2, 2001 memo had covered the program, yet Yoo’s memo had not included all aspects of it (this likely pertains to the collection of Internet metadata from telecom switches, though it may also pertain to the collection on Iraqi targets).
After reporting Gonzales’ claimed reaction to the meetings at which DOJ’s lawyers told the White House the program was illegal, the report notes that Gonzales was lawyered up at his IG interview, but later provided further elaboration in writing.
Later on March 6, Goldsmith and Philbin went to the White House to meet with Addington and Gonzales to convey their conclusions that the [2 lines redacted] According to Goldsmith’s chronology of these events, Addington and Gonzales “reacted calmly and said they would get back with us.” Goldsmith told us that the White House was not worried that it was “out there,” meaning that it was implementing a program without legal support.
On Sunday afternoon, March 7, 2004, Goldsmith and Philbin met again with Addington and Gonzales at the White House. According to Goldsmith, the White House officials informed Goldsmith and Philbin that they disagreed with Goldsmith and Philbin’s interpretation of Yoo’s memoranda and on the need to change the scope of the NSA’s collection. Gonzales told us that he recalled the meetings of March 6 and March 7, 2004, but did not recall the specifics of the discussions. He said he remembered that the overall tenor of the meetings with Goldsmith was one of trying to “find a way forward.”147
147 As noted above, Gonzales was represented by counsel during his interview with the OIG. Also present during the interview because of the issue of executive privilege was a Special Counsel to the President, Emmitt Flood. We asked Gonzales whether the President had been informed by this point in time of the OLC position regarding the lack of legal support for the program and [redacted]. Flood objected to the question on relevancy grounds and advised Gonzales not to answer, and Gonzales did not provide us an answer. However, when Gonzales commented on a draft of the report, he stated that he would not have brought Goldsmith and Philbin’s “concerns” to the attention of the President because there would have been nothing for the President to act upon at this point. Gonzales stated that this was especially true given that Ashcroft continued to certify the program as to legality during this period. Gonzales stated he generally would only bring matters to the President’s attention if the President could make a decision about them.
Remember the situation Gonzales would have been in. The interview (and probably, though not certainly, the review of the draft) would have taken place in fall to winter 2008, when Bush was still in office.
Thus, the interview would have happened during the period or just after DOJ IG conducted an investigation into what amounted to a CYA file Gonzales had carried around in his briefcase — documents and draft documents relating to all the illegal programs in which he had been involved, including his notes pertaining to the hospital confrontation over Stellar Wind. There’s reason to believe he was referred for that investigation precisely because it was recognized as a CYA file and he was no longer regarded as loyal on surveillance issues.
In addition, at the time, too, DOJ was still considering whether to file charges against Gonzales for the US Attorney scandal. So it makes sense that Gonzales’ retained lawyer, George Terwilliger, was there (and it is somewhat surprising that, given that John Ashcroft got away without cooperating, Terwilliger let him cooperate).
But then there is Emmet Flood.
Both before and after his tenure in the White House Counsel’s office — where he was brought in to deal with the scandals of the late Bush Administration — Flood was (and remains) a partner at Williams & Connolly. And not just a partner. He was formally part of Dick Cheney’s defense team when Patrick Fitzgerald was honing in on the Vice President for leaking Valerie Plame’s identity, and Flood would remain involved in protecting Cheney even after moved onto the taxpayer dime.
Emmet Flood may have been there in the name of protecting Executive Privilege, but it was not Bush’s privilege Flood was protecting.
So we learn that on March 6, 2004, Goldsmith and Philbin tell Gonzales and Addington that parts of Stellar Wind have never been legal. On March 7, 2004, Gonzales and Addington come back and tell OLC’s lawyers they’re wrong.
And when DOJ’s IG asked Gonzales whether — in the interim day — he had informed the President about this, Cheney’s defense lawyer pipes up and tells him not to answer. Given that Bush apparently learned new details of all this 4 days later when Comey and Robert Mueller would tell him directly, the answer is no (which is consistent with what Gonzales said when Cheney’s lawyer wasn’t present).
Which leaves the logical and thoroughly unsurprising conclusion — but one Cheney’s taxpayer funded lawyer didn’t want included in a legal document — Cheney (who is not a lawyer, nor does he have Article II authority directly) is the one who told Gonzales and Addington to dig in.
Update: Flood also had Gonzales refuse to answer a question about whether anyone had thought to include DOJ in the meeting with Congress.
I’ve finished up my working threads on the NSA, CIA, and FBI Section 702 minimization procedures. And they suggest that FBI has an identity crisis. Or rather, an inability to describe what it means by “identification of a US person” in unclassified form.
Identification of a United States person means (1) the name, unique title, or address of a United States person; or (2) other personal identifiers of a United States person when appearing in the context of activities conducted by that person or activities conducted by others that are related to that person. A reference to a product by brand name, or manufacturer’s name or the use of a name in a descriptive sense, e.g., “Monroe Doctrine,” is not an identification of a United States person.
Even though the FBI minimization procedures have a (briefer than NSA and CIA’s) definitional section and gets into when someone counts as US person from a geographical standpoint, it doesn’t have the equivalent paragraph on what they consider US person identifying information, which is central to minimization procedures.
Now, I might assume that this is just an oversight, something FBI forgot to incorporate as it was writing its own 702 minimization procedures incorporating what NSA has done.
Except that we know the FBI has suffered from this same kind of identity crisis in the past, in an analogous situation. As Glenn Fine described in the 2008 Inspector General Report on Section 215 (the one the successor for which has been stalled for declassification review for over 6 months), the FBI never got around to (and almost certainly still hasn’t gotten around to, except under modifications from the FISA Court) complying with Section 215’s requirement that it adopt minimization procedures specific to Section 215.
One holdup was disagreement over what constituted US person identifying information.
Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.
(Note, there’s very good reason to believe FBI is still having all these problems, not least because several of them showed up in Michael Horowitz’ NSL IG Report last year.)
One problem Fine pointed out is that the AG Guidelines adopted in lieu of real minimization procedures don’t provide any guidance on when US identifying information is necessary to share.
When we asked how an agent would determine, for example, whether the disclosure of U.S. person identifying information is necessary to understand foreign intelligence or assess its importance, the FBI General Counsel stated that the determination must be made on a case-by-case basis.
While NSA’s 702 SMPs do lay out cases when FBI can and cannot share US person identifying information (those are, in some ways, less permissive than CIA’s sharing guidelines, if you ignore the entire criminal application and FBI’s passive voice when it comes to handling “sensitive” collections), if the guidelines for what counts as PII are not clear — or if they’re expansive enough to exempt (for example) Internet handles such as “emptywheel” that would clearly count as PII under NSA and CIA’s SMPs, then it would mean far more information on Americans can be shared in unminimized form.
And remember, FBI’s sharing rules are already far more lenient than NSA’s, especially with regards to sharing with state, local, and other law enforcement partners.
Call me crazy. But given the FBI’s past problems defining precisely this thing, I suspect they’re still refusing to do so.
As I noted the other day, I’m working through documents submitted in EPIC’s FOIA for PRTT documents (see all of EPIC’s documents on this case here).
In addition to the documents released (the reports to Congress, the extensive reporting on the Internet dragnet), the government submitted descriptions of what appear to be two (possibly three) sets of documents withheld: documents pertaining to orders combining a PRTT and Section 215 order, and documents pertaining to a secret technique, which we’ll call the Paragraph 31 technique. In this post I’ll examine the “combined order” documents.
The Vaughn Index for this FOIA made it clear that a number of the documents Withheld in Full (WIF) pertained to orders combing the Pen Register and Section 215 (Business Record) authorities, as does this list from David Hardy’s second declaration.
Footnotes 3, 4, and 5 all note that these documents have already been successfully withheld in the EFF’s FOIA for Section 215 documents, and by comparing the page numbers in that Vaughn Index in that case, we can guess with some confidence that these orders are the following documents and dates:
As I’ll show, this correlates with what we can glean from the DOJ IG Reports on Section 215.
I’m less certain about Document 12. Both the EFF and ACLU Vaughn Indices show a 10/31/06 document (it is 82C in the EFF Vaughn) that is the correct length, 4 pages, that is linked with another 10/31/06 document (see 82B and 84, for example). For a variety of reasons, however, I think we can’t rule out Document 89S which appears only in the EFF FOIA (but not the ACLU FOIA), which is dated December 16, 2005 (intriguingly, the day after NYT exposed Stellar Wind), in which case the withheld portion might be the relevant 4 pages of a longer 16 page order.
Last week, a number of people hailed the further declassification of DOJ Inspector General’s Report on FBI’s use of Exigent Letters.
That enthusiasm is misplaced, however. What too few people noticed is the thankless work Charlie Savage did to identify what was newly declassified. He had FOIAed the IG Report, which is what set off the declassification review.
In fact, FBI redacted three things that had previously been visible. On page 55/PDF 68, it redacted the title, “Diagram 2.1: Calling Circle or “Community of Interest.” On page 105/PDF 118 they redacted language indicating they use a certain kind of “language” to order what are probably also communities of interest. Finally, on page 207/PDF 220, FBI newly redacted the title, “Chart 4.3 Records for 10 Telephone Numbers Uploaded to FBI Databases With the Longest Periods of Overcollection.”
So the NYT sued the FBI to declassify language that should be declassified, given everything we’ve learned about related programs subsequent to the Snowden leaks, and FBI responded by trying to pretend we don’t know they were getting (and still get, per DOJ IG’s most recently report) call chains from telecoms.
To be fair, FBI did declassify some new stuff. That includes:
About the most interesting declassification was a citation to a Carrie Johnson story, published well over a year before the IG Report came out, describing the collection on those 3 journalists. The IG Report invoked this language in the story…
Mueller called the top editors at The Washington Post and the New York Times to express regret that agents had not followed proper procedures when they sought telephone records under a process that allowed them to bypass grand jury review in emergency cases.
… as evidence to support a footnote, which (except for the reference to Johnson’s article) had been unclassified, explaining,
In addition to the letter, Director Mueller called the editors of the two newspapers to express regret that the FBI agents had not followed proper procedures when they sought the reporters’ telephone records.
That is, they had classified reference to a published news article as S/NF! (Though I suppose it is possible that the fact they were hiding is that Glenn Fine had to read the WaPo to figure out what happened here, because Mueller wasn’t speaking directly to him.)
Congratulations to Carrie Johnson who I guess now classifies as a state secret!
I asked the Savage (and through him, NYT’s lawyer, David McCraw) how the NYT felt about FBI classifying, rather than declassifying language in response to his suit, and he suggested NYT expects DOJ to pay them for their time. “We have incurred no outside counsel fees and anticipate that the government will be required to pay us for the time spent by in-house counsel.”
Still, I think Savage (and FOIA requesters generally) should get finder’s fees every time the government newly classifies stuff years later … impose some kind of fine for stupid overclassification.
Update: Corrected timing on Johnson story which came out in August 2008, so 17 months before the IG Report.
I’ve been covering the DOJ Inspector General’s billion-day old review of Section 215.
If my calculation is correct, that report has been pending for 1,616 days.
Today, in a report on the most significant challenges faced by the government, the IG explains what happened to the review: it is caught up in declassification review.
Ongoing OIG work, such as our reviews of the Department’s requests for and use of business records under Section 215 of the USA PATRIOT Reauthorization Act and the Department’s use of pen register and trap-and-trace devices under the Foreign Intelligence Surveillance Act (FISA), also address privacy concerns implicated by the use of national security authorities to collect data. Although the OIG completed both of these reviews months ago, and we have provided classified briefings to Congress regarding them, we have been unable to release the classified reports to Congress or non-classified reports to the public because the classification review being conducted by the intelligence community, which includes the FBI, is still ongoing.
This is craziness! Congress is actively legislating on this topic … tomorrow! There’s also the matter of the secret FBI PRTT program, that I strongly suspect is a location dragnet, which this report likely covers.
But the IC is suppressing a report that has been in the works for over 4 years with a slow declassification review?
Update: From Glenn Fine’s original letter scoping out the review, here’s some of what it includes.
It will examine the number of Section 215 applications filed from 2007 through 2009, how the FBI is using the tool today, and describe any reported improper or illegal uses of the authority. Our review also will examine the progress the FBI has made in addressing recommendations contained in our prior reports that the FBI draft and implement minimization procedures specifically for information collected under Section 215 authority.
We also intend to conduct a programmatic review of the FBI’s use of its pen register and trap and trace authority under the FISA. That part of the review will examine issues such as how the FBI uses the authority to collect information, what the FBI does with the information it collects, and whether there have been any improper or illegal uses of the authority either reported by the FBI or identified by the OIG.
In addition to identifying any improper uses of these authorities (the report should provide some sense of how rigorous the First Amendment review is), it will certainly lay out how FBI has refused to implement minimization procedures are required by law and recommended in DOJ IG’s last Section 215 report (we know this to be the case because the FISC is imposing minimization procedures itself, and requiring compliance reviews).
All that would be rather important to know before extending Section 215 for another 3 years.
I’m still working on understanding all the crud that is included in the USA Freedumber Act. And for the first time, I have looked really closely at the language on Inspector General Reports, which effectively modifies Section 106 of the 2005 PATRIOT Act Reauthorization. Not only does the language add a DOJ IG Report roughly parallel to the ones mandated for the years through 2006 for 2012 through 2014, but it adds an Intelligence Community IG Report for those 3 years.
I’ve long noted that that seems to leave 2010 and 2011 unexamined. That might be covered in the IG report Pat Leahy requested of the Intelligence Committee IG, Charles McCullough, though the dates are different and McCullough said he didn’t really have the time. So 2010 and 2011 may or may not currently being reviewed; they’re not required to be by the bill, however.
But upon closer review I’m just as interested in some holes the two reports will likely have, in combination.
What I realized when I reviewed the actual language, below, is that USA Freedumber is exploiting the fact that Section 215 was originally written exclusively for the FBI, even if the NSA and CIA and probably a bunch of other agencies are using it too (they’re doing this with minimization procedures elsewhere in the bill, too). Thus, they can leave language that applies specifically to FBI, and pretend that it applies to other agencies.
In practice, that leaves the DOJ IG to investigate general things about Section 215 use, including:
any noteworthy facts or circumstances relating to orders under such section, including any improper or illegal use of the authority provided under such section; and
So long as FBI retains a role in the application process, it will have access to and can review the categories of records obtained, which is critical because this is one of the ways Congress will learn what those categories are.
But only the DOJ IG assesses whether Section 215 is adhering to law (as opposed to protecting Americanas’ constitutional rights). At one level, I’d much rather have DOJ IG perform this review, because we’ve never seen anything out of the IC IG resembling real oversight. Plus, under Glenn Fine, DOJ’s IG did point to real legal problems with the dragnet (which DOJ largely refused to fix, but which may have led to addition FISC opinions on those subjects). But I have questions whether DOJ’s IG would get enough visibility into what NSA and CIA and other agencies are doing with this data to perform a real review of the legality of it.
Then there are some somewhat parallel things both DOJ’s and IC’s IG would review, including:
the importance (IC IG) or effectiveness (DOJ IG) of Section 215
the manner in which that information was collected, retained, analyzed, and disseminated by the intelligence community;
the minimization procedures used by elements of the intelligence community under such title and whether the minimization procedures adequately protect the constitutional rights of United States persons; and
any minimization procedures proposed by an element of the intelligence community under such title that were modified or denied by the FISC
These are all well and good, and there’s the possibility that an IC IG review of how NSA analyzes and disseminates Section 215 data would find any of the most concerning potential practices.
I find the last two things DOJ’s IG would review at FBI but not even at DEA (if DEA uses Section 215), and which the IC IG would not review at all, the most telling.
That is, the DOJ IG reports on how often the FBI uses Section 215 for finished intelligence products and how often it serves supports criminal proceedings. But it doesn’t track how often NSA uses Section 215 for finished intelligence products, nor does it track how often NSA uses Section 215 to investigate an American further.
The latter fact — that NSA isn’t counting how many Americans its targets because of Section 215 derived information — is not all that surprising. NSA has worked hard to obscure how many Americans have been sucked up in its analytical maw. Still, if we were serious about providing some transparency to the corporate store — where anyone 2 or 3 degrees from a RAS approved selector can get dumped and subjected to all of NSA’s analytical tradecraft forever — we’d require the IC IG to count this number, too.
And the fact that no one asks NSA and CIA how many finished intelligence reports they’re generating out of Section 215 is problematic both because it doesn’t identify how often NSA and CIA are sharing intelligence with FBI or National Counterterrorism Center or other agencies like DEA (which was one of the big problems with both the phone and Internet dragnet in 2009-10). But it also makes it harder for Congress to get a real understanding of how effective these tools are.
You can’t judge the efficacy of something you don’t measure.
To understand how important this is, consider the discussions about the phone dragnet we’ve had since last year. Everything has been measured in terms of reporting to FBI, which not only doesn’t disclose how many people are stuck in NSA’s maw, but to outsiders made the program look totally useless. We still don’t know precisely how the government is using the phone dragnet, because the data they’ve shared to describe its efficacy is probably not the most significant way it is used.
It seems the intelligence community would like to keep it that way. Continue reading
Last week, I laid out the amazing coinkydink that DOJ provided Sprint a bunch of FISA opinions — including the December 12, 2008 Reggie Walton opinion finding that the phone dragnet did not violate ECPA — on the same day, January 8, 2010, that OLC issued a memo finding that providers could voluntarily turn over phone records in some circumstances without violating ECPA.
Looking more closely at what we know about the opinion, I’m increasingly convinced it was not a coinkydink at all. I suspect that the memo not only addresses FBI’s exigent letter program, but also the non-Section 215 phone dragnet.
As a reminder, we first learned of this memo when, in January 2010, DOJ’s Inspector General issued a report on FBI’s practice of getting phone records from telecom provider employees cohabiting at FBI with little or no legal service. The report was fairly unique in that it was released in 3 versions: the public unclassified but heavily redacted version, a Secret version, and a Top Secret/SCI version. Given how closely parallel the onsite telecom provider program was with the phone dragnet, that always hinted the report may have touched on other issues.
Roughly a year after the IG Report came out, EFF FOIAed the memo (see page 30). Over the course of the FOIA litigation — the DC Circuit rejected their appeal for the memo in January — DOJ provided further detail about the memo.
Here’s how OLC Special Counsel Paul Colborn described the memo (starting at 25):
The document at issue in this case is a January 8, 2010 Memorandum for Valerie Caproni, General Counsel of the Federal Bureau of Investigation (the “FBI”), from David J. Barron, Acting Assistant Attorney General for the Office of Legal Counsel (the “Opinion”). The OLC Opinion was prepared in response to a November 27, 2009 opinion request from the FBI’s General Counsel and a supplemental request from Ms. Caproni dated December 11, 2009. These two requests were made in order to obtain OLC advice that would assist FBI’s evaluation of how it should respond to a draft Report by the Office of Inspector General at the Department of Justice (the “OIG”) in the course of a review by the OIG of the FBI’s use of certain investigatory procedures.In the context of preparing the Opinion, OLC, as is common, also sought and obtained the views of other interested agencies and components of the Department. OIG was aware that the FBI was seeking legal advice on the question from OLC, but it did not submit its views on the question.
The factual information contained in the FBI’s requests to OLC for legal advice concerned certain sensitive techniques used in the context of national security and law enforcement investigations — in particular, significant information about intelligence activities, sources, and methodology.
Later in his declaration, Colborn makes it clear the memo addressed not just FBI, but also other agencies.
The Opinion was requested by the FBI and reflects confidential communications to OLC from the FBI and other agencies. In providing the Opinion, OLC was serving an advisory role as legal counsel to the Executive Branch. In the context of the FBI’s evaluation of its procedures, the general counsel at the FBI sought OLC advice regarding the proper interpretation of the law with respect to information-gathering procedures employed by the FBI and other Executive Branch agencies. Having been requested to provide counsel on the law, OLC stood in a special relationship of trust with the FBI and other affected agencies.
And FBI Record/Information Dissemination Section Chief David Hardy’s declaration revealed that an Other Government Agency relied on the memo too. (starting at 46)
This information was not examined in isolation. Instead, each piece of information contained in the FBI’s letters of November 27, 2009 and December 11, 2009, and OLC’s memorandum of January 8, 2010, was evaluated with careful consideration given to the impact that disclosure of this information will have on other sensitive information contained elsewhere in the United States intelligence community’s files, including the secrecy of that other information.
As part of its classification review of the OLC Memorandum, the FBI identified potential equities and interests of other government agencies (“OGAs”) with regard to the OLC memo. … FBI referred the OLC Memo for consultation with those OGAs. One OGA, which has requested non-attribution, affirmatively responded to our consultation and concurs in all of the classification markings.
Perhaps most remarkably, the government’s response to EFF’s appeal even seems to suggest that what we’ve always referred to as the Exigent Letters IG Report is not the Exigent Letters IG Report!
Comparing EFF’s claims (see pages 11-12) with the government’s response to those claims (see pages 17-18), the government appears to deny the following:
Along with these denials, the government reminded that the report “contained significant redactions to protect classified information and other sensitive information.” And with each denial (or non-response to EFF’s characterizations) it “respectfully refer[red] the Court to the January 2010 OIG report itself.”
The Exigent Letters IG Report is not what it seems, apparently.
With all that in mind, consider two more details. First, as David Kris (who was the Assistant Attorney General during this period) made clear in his paper on the phone (and Internet) dragnet, in addition to Section 215, the government obtained phone records from the telecoms under USC 2511(2)(f), the clause in question.
And look at how the chronology maps.
November 5, 2008: OLC releases opinion ruling sneak peak and hot number requests (among other things) impermissible under NSLs
December 12, 2008: Reggie Walton rules that the phone dragnet does not violate ECPA
Throughout 2009: DOJ confesses to multiple violations of Section 215 program, including:
- An alert function that serves the same purpose as sneak peaks and also violates Section 215 minimization requirements
- NSA treated Section 215 derived data with same procedures as EO 12333 data; that EO 12333 data included significant US person data
- One provider’s (which I originally thought was Sprint, then believed was Verizon, but could still be Sprint) production got shut down because it included foreign-to-foreign data (the kind that, according to the OLC, could be obtained under USC 2511(2)(f)
Summer and Fall, 2009: Sprint meets with government to learn how Section 215 can be used to require delivery of “all” customer records
October 30, 2009: Still unreleased primary order BR 09-15
November 27, 2009: Valerie Caproni makes first request for opinion
December 11, 2009: Caproni supplements her request for a memo
December 16, 2009: Application and approval of BR 09-19
December 30, 2009: Sprint served with secondary order
January 7, 2010: Motion to unseal records
January 8, 2010: FISC declassifies earlier opinions; DOJ and Sprint jointly move to extend time when Sprint can challenge order; and OLC releases OLC opinion; FISC grants motion (John Bates approves all these motions)
January 11, 2010: DOJ moves (in a motion dated January 8) to amend secondary order to incorporate language on legality; this request is granted the following day (though we don’t get that order)
January 20, 2010: IG Report released, making existence of OLC memo public
This memo is looking less and less like a coinkydink after all, and more and more a legal justification for the provision of foreign-to-foreign records to accompany the Section 215 provision. And while FBI said it wasn’t going to rely on the memo, it’s not clear whether NSA said the same.
Golly. It’d sure be nice if we got to see that memo before David Barron got to be a lifetime appointed judge.