Posts

New & Improved USA Freedumb Act, with Twice the Contractors Compensated

/3 Comments/in , /by

Somewhere Booz Allen Hamilton Vice Chairman (and former NSA Director) Mike McConnell just said, “Ka-Ching.”

As I noted, the initial manager’s amendment of HR 3361 (AKA USA Freedumb Act) added compensation language to Section 215 that didn’t originally exist.

(j) COMPENSATION.—The Government shall compensate, at the prevailing rate, a person for producing tangible things or providing information, facilities, or assistance in accordance with an order issued or an emergency production required under this section.

In this latest iteration, the compensation has been expanded beyond just the telecoms to anyone else who assists.

(j) COMPENSATION.—The Government shall compensate a person for reasonable expenses incurred for—

(1) producing tangible things or providing information, facilities, or assistance in accordance with an order issued with respect to an application described in subsection (b)(2)(C) or an emergency production under subsection (i) that, to comply with subsection (i)(1)(D), requires an application described in subsection (b)(2)(C); or

(2) otherwise providing technical assistance to the Government under this section or to implement the amendments made to this section by the USA FREEDOM Act.

There’s reason to believe that contractors (AKA Booz!) does some of the triage work on the data currently. So one solution to that problem might be to move those Booz contractors — with their access directly to the raw data of Americans — over to Verizon and AT&T.

Because why shouldn’t NSA contractors be in bed together, wallowing in all your raw data.

Glad to see this bill is improving Intelligence Contractors bottom line, even if it doesn’t improve the dragnet.

The Administration Stops Pretending Phone Dragnet Is Only about Phone Calls

/4 Comments/in /by

The other day, I noted that the language describing contact-chaining had been changed to permit chaining between identifiers that had a “connection” even without any actual phone contact. At a minimum, this permits the government to contact chain on various phones associated with the same person. But in the telecoms hands (which have access to geolocation information the government may not collect under the phone dragnet) it may also mean close proximity.

The Administration made this all more obvious with changes it added to the HR 3361, AKA the USA Freedom (Freedumb) Act. It changed the language on contact chaining from this:

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production;

(II) using the results of the production under subclause (I) as the basis for production; and

(III) using the results of the production under subclause (II) as the basis for production;

To this:

(iii) provide that the Government  may require the prompt production of call  detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii)  as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

(iv) provide that, when produced, such records be in a form that will be useful to the Government;

Now there is actually an important improvement in this language. The new language requires each step return to a call detail record: a phone number or SIM card number, for example. The telecoms can’t use things like geolocation or email addresses in that interim hop, as they might have been able to do under the previous language.

Though the end results may only need to be “a form that will be useful to the Government.” Before, the end results had to be a CDR; this would seem to permit some other kind of result.

And along the way, the Administration has abandoned all pretense that contact-chaining is only about tracking who calls whom. This language makes clear that the chaining is about connections.

As I said, the most obvious kind of “connection” is a burner phone: identifying the new phone of the same target based off the old phones existing call patterns. And, given the big push to outsource the call records to the telecoms, NSA surely intends to use cell location (the telecoms can legally use location, whereas the NSA is not permitted to under current FISA rules).

But those are only the most obvious applications. It would take a great deal of imagination, I think, to anticipate all the kinds of connections the NSA might ask the telecoms to make for them.

Mike Rogers: USA Freedom Act Only Changes Phone Dragnet

/5 Comments/in /by

In my analysis of the HR 3361 — hailed by reformers as the USA Freedom Act — I have posited the possibility that the claim to forbid “bulk collection” across a number of authorities actually changes almost nothing. I based that on a two-part argument.

First, the bill only promises to eliminate bulk collection as the intelligence committee defines it — that is, it only eliminates collection that has no discriminator, and therefore collects all of a certain kind of record (so, all phone records). It does not promise to eliminate what you and I might consider bulk collection — the collection of very untargeted information (say, all phone records in the 202 Area Code).

Then I noted that we know of no other program that operates without discriminators. All NSL programs — save perhaps the financial records one and the subscriber records one — build in discriminators (and the financial records one is based on “entities,” which is what the bill’s definition of a discriminator uses anyway). And we don’t know enough about the other Section 215 programs to know if they use discriminators or not.

If this logic is correct, then the bill changes very little, in spite of the broad promises.

In his report on the bill, Mike Rogers confirms that I am right. (h/t Katherine Hawkins)

It notes that the prohibition on “bulk” collection only applies to indiscriminate collection, but not to the collection of “a large number of communications records or other tangible things.”

This bill first bans the bulk collection of tangible things under Section 215 of the USA PATRIOT Act. This ban is intended to stop the use of Section 215 to acquire bulk call detail records and to prohibit any future attempt to acquire bulk electronic communications records. The Committee recognizes that ‘‘bulk’’ collection means indiscriminate acquisition. It does not mean the acquisition of a large number of communications records or other tangible things—it would be nonsensical and dangerous for our intelligence agencies’ collection authorities to contract as the number of our adversaries expands.

The report then implicitly reveals (or at least claims as part of the legislative record) that no other collection program operates without discriminators, because the bill will not end any other current program.

The Committee’s decision to end the bulk collection of telephone metadata does not extend to any other intelligence programs currently conducted under FISA, including access to business records through Section 215 for foreign intelligence, counterterrorism, and counterintelligence purposes, and the targeting of persons outside the United States under Section 702.

The report also makes clear that any ban on bulk NSL collection is not meant to affect any ongoing NSL program.

Second, this bill contains amendments to other collection authorities, including Section 402 of FISA and National Security Letter authorities. These amendments respond to concerns that those existing authorities could somehow contain a ‘‘loophole’’ that would permit the reconstitution of a bulk telephone records program. The Committee does not intend these prophylactic amendments to affect any programs currently authorized by Section 402 or the use of National Security Letters.

So: no changes to any existing Section 215 collection programs, and no changes to any existing NSL programs (though the report also makes clear that the government should not try to use NSLs to replicate the existing phone dragnet).

One more thing: Rogers’ report makes it clear that the government can still use Section 215 to collect as much historical phone data as it wants.

The government can continue to obtain specified historical call detail records through the existing Section 215 authority.

This means the government has the ability to obtain far more than 5 years of call data on selected targets, and can do so by obtaining any records that transit AT&T backbones, because AT&T keeps records for years and years. While there is a 5 year age off requirement in the bill, that only applies to data that is not relevant to an investigation, and as we’ve learned, everything can be deemed relevant to an investigation.

So don’t take my word for it, take Mike Rogers’ (which will serve as the legislative record in any case). This bill only changes the phone dragnet’s prospective collection.

Update: Note that Rogers is still working on some “technical changes” to preserve operational equities, which may mean there are some programs that would be affected but he’s going to massage the bill to exempt them.

On USA Freedom: Heed Jan Schakowsky’s Warning

/3 Comments/in /by

There are two reviews of whether HR 3361 constitutes real reform today, one from McClatchy and one from National Journal, both written partly in response to privacy groups’ realization that Mike Rogers has been doing a circumspect victory lap over the shape of the bill.

While neither examines the flip side of the bill — what the intelligence community will gain from this — they both provide a useful caution about the potential pitfalls in the bill, many (but not all) I’ve examined at this site.

McClatchy is particularly useful, though, for the comments from Adam Schiff and Jan Schakowsky, two of the only people on the House Intelligence Committee who tend to balance the interests of civil liberties against the demands of the intelligence community. Here’s what they had to say about the legislative prospects.

Rep. Adam Schiff, D-Calif., an Intelligence Committee member who isn’t among the letter writers, said he hoped to offer an amendment that would seek to “introduce a greater adversarial process in the FISA court” by establishing a panel of attorneys from which counsel could be selected to participate in cases that involved novel legal and technical issues.

“I believe the civil liberties protections can be improved,” Schiff said.

[snip]

Rep. Jan Schakowsky, D-Ill., an Intelligence Committee member, praised the House bill. “If we could improve it,” she said, “I would go back to the original bill’s provisions that would implement stronger reporting regulations and create an office of the special advocate.”

Schakowsky added, though, “ I am most concerned at this point about preventing any efforts to weaken this bipartisan compromise.”

Remember, HPSCI held its markup behind closed doors, and there has been little leaking about went on there, aside from Rogers’ crowing. So this offers a bit of a read of what might have gone on.

Schiff, if you recall, was one of the very first people to get Keith Alexander to admit the government could conduct its contact-chaining program with the telecoms retaining the data. He is generally a pretty good read on the art of the possible. If he thinks this bill can be improved, perhaps he’s got reason for optimism.

But I find Schakowsky’s warning potentially more realistic.

Remember, one thing HPSCI considered was removing all definition of “specific selection term” (or “identifier,” which HPSCI also included). Without a definition, the bill might only prevent bulk collection of phone records, if that; I believe the government could come up with “selection terms” for everything else that would permit systematic programs. And I suspect something like dropping the definition would — will — happen if this ever gets to a conference (indeed, as Jim Sensenbrenner knows better than anyone, that’s how some of the existing loopholes got retained in PATRIOT in 2005-6, at a time when there was also bipartisan uproar over illegal spying). I think Schakowsky is realistic in worrying that, with the momentum it has picked up with unanimous passage in HJC and a voice vote passage in HPSCI, it could get worse just as easily as it could get better.

As I’ve said, this bill defuses the digital equivalent of a nuclear bomb by taking the phone-based relationship database out of the hands of the government. That’s important.

But from there, it’s unclear what effect this bill will have in practice, and could become far less clear if things like that definition disappear. So we’d be well to take Schakowsky’s warning seriously.

About HR 3361, the NSA Surveillance Efficiency Act, AKA USA Freedom Act

/9 Comments/in /by

The House Intelligence Committee passed a bill out of its committee Thursday, HR 3361, that will reportedly solve a problem (or problems) the NSA has been struggling with since 2009. The bill will now move to the full House for a vote.

The public — and surely a great majority of members of Congress — have no idea precisely what problem this bill will solve is: planted leaks suggest it has to do with difficulties dealing with cell phone records, perhaps because they include location data. If that is part of the problem, then it’s a fairly recent development, perhaps arising after US v. Jones raised new concerns about the legality of collecting location data without a warrant. There’s also the presumably-related issue of an automated query function; NSA has been struggling to resume that function since its alert function got shut down as a legal violation in 2009. The ability to tie multiple identities from the same person together as NSA runs those alerts may be a related issue.

The bill has not been reported as a fix for NSA’s long-term legal and technical struggles (though LAT’s Ken Dilanian has asked why civil liberties groups are so happy about this given that it will expose more data to NSA collection). Rather, it has been called the USA Freedom Act and reported as a reform of the phone dragnet program, a successful effort to “end” “bulk collection.”

The bill does have the critically important effect of ending the government’s practice of collecting and storing some significant portion of all US call records, beyond whatever US person call records it collects overseas. That, by itself, is the equivalent of defusing a nuclear bomb. It is a very important improvement on the status quo.

It remains entirely unclear — and unexamined, as far as I can tell — whether the bill will increase or decrease the number of entirely innocent Americans who will be subjected to the full range of NSA’s analytical tradecraft because they got swept up based on the guilt by association principle behind contact-chaining, or whether the bill will actually expose more kinds of US person records to the scrutiny of the NSA.

The bill the press is calling USA Freedom Act may also — though we don’t know this either — have the salutary benefit of changing the way the NSA currently collects data under other Section 215, Pen Register, and NSL collection efforts.  The bill requires that all Section 215 (both call record and otherwise), Pen Register, and NSL queries be based on a specific selection term that remains vaguely defined (a definition the House Intelligence Committee considered eliminating before Thursday’s hearing). But it remains unclear how much that rule — even ignoring questions about the definition — will limit any current practices. At Wednesday’s hearing Bob Goodlatte said the bill “preserves the individual use of Section 215 under the existing relevancy standard for all business records,” and at least for several NSL authorities, the new “restrictions” almost certainly present no change (and another NSL authority, the Right to Financial Privacy Act, uses the same “entity” language the bill definition does, suggesting it is unlikely to change either). Plus, at least according to DOJ’s public claims and court filings, it ended the bulk domestic collection under PRTT in 2011. So the language “ending” “bulk collection” may do no more than make it harder for FBI to construct its own phone books of phone company and ISP subscribers using NSLs, if it does even that.

What the bill doesn’t do — because this part of the bill was stripped as part of the compromise — is provide the Intelligence Community’s oversight committees detailed reports of what kind of records the government obtains under Section 215 (and for what agencies), and how many Americans are subject to all the FISA authorities, including Section 215. That is, the compromise eliminated the one thing that could measure whether the bill really did “end” “bulk collection” as you or I would understand it. In its stead, the bill largely codifies an existing reporting agreement that AT&T has already demonstrated to be completely deceptive. In Wednesday’s hearing, Zoe Lofgren called provider reporting “the canary in the coal mine” the committee would rely on to understand what collection occurred.

So this bill that “ends” “bulk collection” still prevents us, or even the oversight committees working in our name, from learning whether it does so.

It does, however, have some interesting features, given its other purpose of solving one or more challenges facing the NSA.

The first of those is immunity.

No cause of action shall lie in any court against a person who produces tangible things or provides information, facilities, or technical assistance pursuant to an  order issued or an emergency production required under this section. 

This is another part of the bill the underlying reasons for which the public, and probably much of Congress, doesn’t understand. At one level, it seems to immunize the process that may have telecoms playing a role the NSA previously did, analyzing the data; it may also pertain to providing NSA access to the telecoms’ physical facilities. But given the background to the move to telecoms — NSA’s legal-technical problems dealing with cell phone data because it ties to location — it is possible the immunity gives the telecoms protection if they use but don’t turn over data they have already, such as location data or even Internet metadata, to perform the interim analysis.

Consider how the bill describes the call record query process.

[T]he Government  may require the production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using the results of the production under subclause (I) as the basis for production;

So a 2-hop query goes from a “specific selection term” to “the results of the production” to the “call detail record” handed over to the government. While the definition of call detail records clearly prohibits the final production to the government of either content or cell location, nothing in this process description prevents the telecoms from using such things (most Internet metadata is legally content to the telecoms) in that interim hop; indeed, the “results of the production under subclause (I)” available to the telecoms almost certainly would include some of this information, particularly for smart phones. We know the Hemisphere program (the AT&T-specific program for the DEA) uses cell location in its analysis. Remember, too, how NSA is gobbling up smart phone data (including things like address books) in overseas programs; this may permit analysis of similar data — if not collection of it — domestically.  So at the very least, this scheme seems to give the NSA access to cell location and possibly a whole lot more data for analysis they otherwise couldn’t get (which David Sanger’s sources confirm).

And consider two more details from Wednesday’s House Judiciary hearing. At it, Lofgren repeated a list of business records the government might obtain under Section 215 she got Deputy Attorney General James Cole to confirm at an earlier hearing. It includes:

  • ATM photos
  • location where phone calls made
  • credit card transactions
  • cookies
  • Internet searches
  • pictures captured by CCTV cameras

So long as the word “entity” in the definition of specific selection term remains undefined, so long as FISC precedents permit the tapping of entire circuits in the name of collecting on an entity, the government may still be able to collect massive amounts of this data, not actually targeted at a suspect but rather something defined as an entity (in both the existing 215 program and the new call records one the bill retains the “relevant to” language that has been blown up beyond meaning).

Finally, consider what happened with Lofgren’s last attempted amendment. After having submitted a number of other failed amendments, Lofgren submitted an amendment to fix what she called an inadvertent error in the manager’s amendment specifically prohibiting the collection of content under Section 215.

I believe this amendment fixes — at least I hope — an error that was created in the manager’s amendment that I cannot believe was intended. As you know we have specified that the content is not included in business records. This amendment clarifies that business records do not include the content of communication. We specify that in the new section about call detail records, but but the specification that content was not included somehow got dropped out of the business records section. It was included in your original bill but it didn’t make it into the manager’s amendment. I think this amendment clarifies the ambiguity that could be created and I hope it was not intentional.

This is a problem I pointed out here.

Almost without missing a beat after she introduced this, Jim Sensenbrenner recessed the hearing, citing votes. While there were, in fact, votes, Luis Pierluisi (who cast the decisive vote in favor of an amendment to redefine counterintelligence) and possibly Lofgren got a lecture at the break about how any such amendments might blow up the deal the Committee had with Mike Rogers and HPSCI. After the break, Lofgren withdrew the amendment, expressing hope it could be treated as a clerical fix.

That purported error was not fixed before HPSCI (which explicitly permitted the collection of content under its bill) voted out the bill.

Perhaps it will be “fixed” before it comes to the floor.

But if it doesn’t, it may expand (or, given Lofgren’s stated concerns about what records Section 215 might cover, sustain) the use of Section 215 to collect content, not just metadata. Imagine the possibility this gets yoked to expanded analysis at telecoms under the new CDR program?

We don’t know. This bill has gotten past two committees of Congress (we didn’t get to see any of the debate at HPSCI) without these details becoming clear. But the questions raised by this bill when you consider it as the fix to one or more problems the NSA has been struggling with, it does raise real questions.

Again, I don’t want to make light of the one thing we know this bill will do — take a database showing all phone-based relationships in the country out of NSA’s hands. That eliminates an intolerably risky program. That is an important fix.

But that shouldn’t lead us to ignore the potential expansion of spying that may come with this bill.