Posts

Preston Burton Was Not Necessarily Appointed to Represent Privacy Interests; Was He Appointed to Undercut EFF?

/4 Comments/in /by

In my post on Michael Mosman’s appointment of Preston Burton as an amicus to decide whether NSA should be permitted to keep bulk telephony data collected under section 215 past November 28, 2015 I noted he was appointed pursuant to provisions of USA F-ReDux. But I want to correct something: Burton was not — at least not necessarily — appointed to protect civil liberties and privacy.

In his order appointing Burton, here’s how Mosman cited USA F-ReDux.

This appointment is made pursuant to section, 103(i)(2)(B) of the Foreign Intelligence Surveillance Act (“FISA”), codified at 50 U.S.C. § 1803(i)(2)(B), as most recently amended by the USA FREEDOM Act, Pub. L. No. 114-23, 129 Stat. 268, 272 (2015).

[snip]

By the terms of 50 U.S.C. § 1803(i)(2)(A), the Court “shall appoint” to serve as amicus curiae an individual who has been designated as eligible for such service under section 1803(i)(l) “to assist … in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law, unless the court issues a finding that such appointment is not appropriate.” Under section 1803(i)(l), the presiding judges of the Foreign Intelligence Surveillance Court and the Foreign Intelligence Surveillance Court of Review have until November 29, 2015, to jointly designate individuals to serve as amici under section  1803(i)(l). 1 To date, no such designations have been made. Under present circumstances, therefore, the appointment of such an individual “is not appropriate” under section 1803(i)(2)(A), because, as of yet, there are no designated individuals who can serve.

Section 1803(i)(2)(B) provides that the Court “may appoint an individual or organization to serve as amicus curiae … in any instance as such court deems appropriate.” Persons appointed under this provision need not have been designated under section 1803(i)(l ). Pursuant to section l 803(i)(3)(B), however, they must “be persons who are determined to be eligible for access to classified information, if such access is necessary to participate in the matters in which they may be appointed.”

Here, the Court finds it appropriate to appoint Preston Burton as amicus curiae under section 1803(i)(2)(B). Mr. Burton is well qualified to assist the Court in considering the issue specified herein. The Security and Emergency Planning Staff (SEPS) of the Department of Justice has advised that he is eligible for access to classified information.

Effectively, he points to the new language on amicus curiae as “codifying” the authority FISC already had (and has already used, when permitting Center for National Security Studies to file an amicus on phone dragnet orders and tech companies to submit amici briefs in discussions about transparency, though the latter was dismissed before the court considered those briefs, not to mention FISCR’s permission of ACLU and NACDL to submit briefs in In Re Sealed Case in 2002).

He then notes that he cannot appoint one of the 5 selected amici set up to consider “novel or significant interpretation of law” because FISC hasn’t gotten around to appointing those 5 people yet (they have until early December to do so and seem to be taking their time).

He then points to a second means of appointing an amicus — 1803(i)(2)(B) — which says the court “may” appoint an amicus “in any instance as such court deems appropriate or, upon motion, permit an individual or organization leave to file an amicus curiae brief,” as his basis for appointing Burton.

Mosman doesn’t explain why he “finds it appropriate” to appoint an amicus here, unlike when he deemed FreedomWorks an amicus addressing the issue of whether USA F-ReDux restored the phone dragnet to its prior state and therefore justified another phone dragnet order. This is what he said in that instance.

The Court finds that the government’s application “presents a novel or significant interpretation of the law” within the meaning of section 103(i)(2)(A). Because, understandably, no one has yet been designated as eligible to be appointed as an amicus curiae under section 103(i)(2)(A), appointment under that provision is not appropriate. Instead, the Court has chosen to appoint the Movants as amici curiae under section 103(i)(2)(B) for the limited purpose of presenting their legal arguments as stated in the Motion in Opposition and subsequent submissions to date.

Nor does Mosman explain what, in particular, qualifies Burton to serve as amicus here, which might provide some insight as to why he decided it appropriate to appoint an amicus at all. He just says he’s qualified and is eligible for access to classified information. Even under the appointed amici, FISC can appoint someone for reasons other than privacy, and that’s all the more true for this optional appointment.

So reports — including by me! — that Burton would represent the interests of civil liberties may not be correct. For all we know, he could be representing the interests of the spies or DC Madams.

I find Mosman’s silence on his appointment of Burton interesting for two reasons.

First, the genesis of this entire request and deferral is unclear. Back in July — after it had gotten its first post-USA F-ReDux order, and a month before this current one was approved — ODNI issued a statement out of the blue asserting they could keep the data.

On June 29, 2015, the Foreign Intelligence Surveillance Court approved the Government’s application to resume the Section 215 bulk telephony metadata program pursuant to the USA FREEDOM Act’s 180-day transition provision. As part of our effort to transition to the new authority, we have evaluated whether NSA should maintain access to the historical metadata after the conclusion of that 180-day period.

NSA has determined that analytic access to that historical metadata collected under Section 215 (any data collected before November 29, 2015) will cease on November 29, 2015. However, solely for data integrity purposes to verify the records produced under the new targeted production authorized by the USA FREEDOM Act, NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months.

Separately, NSA remains under a continuing legal obligation to preserve its bulk 215 telephony metadata collection until civil litigation regarding the program is resolved, or the relevant courts relieve NSA of such obligations. The telephony metadata preserved solely because of preservation obligations in pending civil litigation will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.

When that second dragnet order came out in August, I noticed NSA had applied for authority to keep the data, but that Mosman had deferred his answer to whether they could.

The Application requests authority for the Government to retain BR metadata after November 28, 2015, in accordance with the Opinion and Order of this Court issued on March 12,. 2014 in docket number BR 14-01, and subject to the conditions stated therein, including the requirement to notify this Court of any material developments in civil litigation pertaining to such BR metadata. The Application also requests authority, for a period ending on February 29, 2016 for appropriately trained and authorized technical personnel (described in subparagraph B. above) to access BR metadata to verify the completeness and accuracy of call detail records produced under the targeted production orders authorized by the USA FREEDOM Act. The Court is taking these requests under advisement and will address them in a subsequent order or orders. Accordingly, this Primary Order does not authorize the retention and use of BR metadata beyond November 28, 2015.

So for some reason, ODNI was asserting they were going to keep the data before they had asked whether they could — or perhaps when ODNI made that assertion someone at DOJ or in FISC realized they needed to ask permission first. I have asked ODNI for an explanation on this. Update: ODNI General Counsel Bob Litt didn’t exactly explain the timing, but did say “No one ever had any doubt that we would have to ask the court” for permission to keep this data.

But I also find Mosman’s silence about why he appointed Burton curious given that the FISC judge clearly thinks both retention issues — whether the data should be retained under EFF’s protection order issued in NDCA, and whether the data can be retained for 3 months after expiration of the 6 month extension for technical verification — are at issue.

That’s because there’s a far more qualified potential amicus to address the EFF retention issue: EFF. Indeed, Jon Eisenberg, who argued the al-Haramain suit, is a Special Counsel associated with EFF, and he either still has or is qualified to have a Top Secret clearance, and still gets classified documents in Gitmo detainee suits. Particularly given DOJ’s serial failure to accurately represent the nature of EFF’s suit (post one, post two, post three), and DOJ’s failure to notice Reggie Walton (to say nothing of Yahoo itself) of all issues relevant to Yahoo’s challenge of Protect America Act, it would be far better to have someone who has worked on these issues already and who at least has an association with EFF to weigh in, because the FISC is going to get a far better idea of the issues involved, including the stakes for privacy. So why did Mosman appoint a less qualified amicus to address this issue?

Luckily, in deeming FreedomWorks an appropriate amicus in June, Mosman has demonstrated a willingness to appoint amici for the other reason permitted under 103(i)(2)(B), because an organization asks for leave to file one. So maybe EFF should ask! I’ve asked EFF if they will respond to this appointment, but have not received an answer.

The big question, in that situation, would be whether EFF would be given the same information he has already promised to Burton, which includes the application to the court. Again, given DOJ’s serial misinformation of the court on the EFF request, it would sure be interesting to see what representations it made in that application.

Unlike the Existing Phone Dragnet, USA F-ReDux Does Not Include “Telephony” in Its Definition of Call Detail Record

/in /by

As part of a larger effort to get some people who understand the intersection of telephony and Internet technologies well to review the chaining process that would be introduced under USA F-ReDux, I want to compare the definitions of Call Detail Record used under the current dragnet orders and that which would be adopted under USA F-ReDux (both of which I’ve put below).

Obviously, the definitions are very closely related. Both prohibit the collection of the name, address, or financial information of a subscriber or customer (which makes this definition far narrower than an administrative subpoena for phone records). Both prohibit the collection of “contents” (though using a definition tied to a communication sent, which may not include stored content). Both prohibit the collection of non-trunk identifier location data, though the USA F-ReDux definition explicitly adds GPS data to the definition.

And both include certain things in their definitions of “session identifying information,” including originating and terminating telephone number, IMSI and IMEI numbers, calling card numbers, and time and duration of a call. Though the existing definition uses the conjunction “and” in its orders that ultimately go to providers, but notes the definition “includes but is not limited to” this session-identifying information. USA F-ReDux uses a non-exclusive “or” for its description of what session-identifying information is, suggesting only one of those things must be included in a CDR. At least as I read it, then, the existing phone dragnet definition of “session identifying information” is expansive, ordering providers to turn over at least this much, though possibly more (cough, AT&T), just so long as that “more” doesn’t include anything from the 3 kinds of prohibited information. Whereas the USA F-ReDux definition provides a list of things, one of which must be included, to be considered a CDR that can be returned to the government at the end of the process. As I read it, a CDR might consist of nothing more than an IMEI or an IMSI number.

But by far the most interesting difference between these two definitions is that the existing phone dragnet orders requires this be telephony session-identifying information (and also seems to require some communications routing information). Not only doesn’t USA F-ReDux require the session-identifying information to relate to telephony sessions, the word “telephony” doesn’t appear in USA F-ReDux at all.

Thus, while the bill requires that reports back to the government include something that is considered a telephony identifier — a phone number or one of two numbers identifying a device — it doesn’t actually say that the sessions in question must be telephony sessions.

Update 5/6: Actually, I think this paragraph is incorrect. A CDR, as defined, involves one of 5 things: telephone number, IMSI number, IMEI number, calling card number, or time and duration of a call. Given the “or,” only one of those things must be included. So if time and duration of a call is included (perhaps described as tied to Internet identifiers rather than device identifiers), that should fulfill the definition.

That’s important, because people increasingly make their calls using Internet technology, whether via things that feel like phone calls (VOIP), via video conversations, or via messaging (most notably iMessage) that — if sent across wifi — would not hit a telecom network as telephony. Nothing I see in this bill excludes those “calls” from this definition of CDR.

USA F-ReDux Definition of Call Detail Record

(3) CALL DETAIL RECORD.—The term ‘call detail record’—

(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location or global positioning system information.

Existing Section 215 Definition of Call Detail Records

From the February 26, 2015 order, footnote 1.

For the purposes of this Order, “telephony metadata” includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identifier (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. Furthermore, this Order does not authorize the production of cell site location information (CSLI).