NSA’s Dysfunctional Post-Tasking Checks

I noted this in both my working threads on the NSA, CIA and FBI minimization procedures, but it deserves more attention. Sometime in the last several years, the process by which NSA determines whether something they’ve collected is of a person in the US started going flukey, during certain periods. So now there’s a subset of data that analysts — at NSA, CIA, and FBI — all have to check for foreignness before they use it. That also means there is US person data that has been collected but not properly identified.

All three minimization procedures have a paragraph like this:

In the event that NSA seeks to use any information acquired pursuant to section 702 during a time period when there is uncertainty about the location of the target of the acquisition because the [redacted] post-tasking checks described in NSA’s section 702 targeting procedures, NSA will follow its internal procedures for determining whether such information may be used (including, but not limited to, in FISA applications, section 702 targeting, and disseminations). Except as necessary to assess location under this provision, NSA may not use or disclose any information acquired pursuant to section 702 during such time period unless NSA determines, based on the totality of the circumstances, that the target is reasonably believed to have been located outside the United States at the time the information was acquired. If the NSA determines that the target is reasonably believed to have been located inside the United States at the time the information was acquired, such information will not be used and will be promptly destroyed.

Both the fact that this section appears in the Destruction of Raw Data section in NSA’s SMPs (and not the section dedicated to challenges with upstream collection), and the fact that it appears in both the CIA and FBI SMPs (suggesting this is data they’d be getting in raw format, which they don’t get from upstream collection), suggest that this is general 702 data, not upstream data, where NSA has been known to have had a problem in the past.

The fact that the same paragraph, almost verbatim, shows up in all three places, plus the language about using such data for FISA applications, suggests this language came from or is in the SMPs to keep the FISA Court happy. Indeed, there’s probably a nice FISC opinion that explains how FISC learned that NSA’s targeting process was flawed.

We know this problem was identified sometime between October 2011 and July 2014 because this language doesn’t show up in the 2011 NSA SMPs. There are few things that are identifiable in the Intelligence Oversight Board reports that could be a dysfunction that would merit a FISC order, though there are a number — such as these two redacted paragraphs on Systems Errors in the middle of the FISA section of the Q1 2013 (which covers the last three months of 2012) report that might be such a problem.

Screen Shot 2015-02-25 at 8.56.26 AM

Or perhaps the problem is even more recent, meaning it would have been reported in the 2 years of IOB reports we don’t have.

To be sure, it appears FISC has required that all agencies accessing raw data do the kind of location checks that the failed system would otherwise have done. So US person data won’t be used, it’ll just sit in NSA’s (or CIA or FBI’s) servers until it is discovered.

But this is one of a number of examples we see in the IOB reports (the purge process, which was also not working for a while, is another; that seems to have been or is being fixed with the Master Purge List that appears in these SMPs) where the software checks designed to protect Americans failed. That doesn’t indicate any animus or ill-intent. But it does suggest the complexity of this system continues to result in failures that — regardless of intent — also present a privacy risk.

CIA General Counsel: If the President Authorizes It, It’s Legal

I do hope the Harvard students who listened to this speech from CIA General Counsel Stephen Preston–in which he purported to explain what a law-abiding agency the CIA is and which appears to be the CIA’s effort to prove that the Anwar al-Awlaki killing was legal–are sophisticated enough to realize he, like all spooks, was peddling deceit. I’ll get to those details below.

But first I want to focus on how he bookends his claim that CIA’s “activities are subject to strict internal and external scrutiny.”

He starts by admitting that courts and citizens are not part of this “external scrutiny.”

It is true that a lot of what the CIA does is shielded from public view, and for good reason: much of what the CIA does is a secret! Secrecy is absolutely essential to a functioning intelligence service, and a functioning intelligence service is absolutely essential to national security, today no less than in the past. This is not lost on the federal judiciary. The courts have long recognized the state secrets privilege and have consistently upheld its proper invocation to protect intelligence sources and methods from disclosure. Moreover, federal judges have dismissed cases on justiciability or political question grounds, acknowledging that the courts are, at times, institutionally ill-equipped and constitutionally incapable of reviewing national security decisions committed to the President and the political branches.

Let’s unpack the logic of this: first, CIA operations are subject to strict “external scrutiny.” But because–“national security”–such external scrutiny is not possible.

Next, Preston claims that the courts have been in the business of consistently upholding the “proper invocation” of state secrets “to protect intelligence sources and methods.” Of course, just about every invocation of state secrets has been subsequently or contemporaneously shown to be an effort to protect–at best–misconduct and, in most cases, illegal activities: things like kidnapping, illegal wiretapping, and torture. So when he describes this “proper invocation” of states secrets, he is effectively saying that when lawsuits threatened to expose CIA’s law-breaking, courts have willingly dismissed those cases in the name of sources and methods.

And even before it gets to that stage, courts will bow to the Executive Branch’s claim that only Congress and the Executive can decide what forms of law-breaking by the CIA will be tolerated; courts are “ill-equipped” to judge the legality of illegal actions if those illegal actions are committed by the CIA.

So to prove that CIA’s ops are subject to “external scrutiny,” Preston starts by admitting that two of the most important agents of external scrutiny–citizens and courts–don’t actually exercise any scrutiny, particularly in cases where the government is willing to invoke state secrets to shield illegal activities.

Read more

The “Oversight” over NCTC’s Not-Terrorist-Terrorist Database

Back when John Negroponte appointed him to be the Director of National Intelligence’s Civil Liberties Protection Officer, Alexander Joel admitted he had no problem with Cheney’s illegal domestic wiretap program.

When the NSA wiretapping program began, Mr. Joel wasn’t working for the intelligence office, but he says he has reviewed it and finds no problems. The classified nature of the agency’s surveillance work makes it difficult to discuss, but he suggests that fears about what the government might be doing are overblown.

“Although you might have concerns about what might potentially be going on, those potentials are not actually being realized and if you could see what was going on, you would be reassured just like everyone else,” he says.

That should trouble you, because he’s the cornerstone of oversight over the National Counterterrorism Center’s expanded ability to obtain and do pattern analysis on US person data.

The Guidelines describe such oversight to include the following:

  • Periodic spot checks overseen by CLPO to make sure database use complies with Terms and Conditions
  • Periodic reviews to determine whether ongoing use of US person data “remains appropriate”
  • Reporting (the Guidelines don’t say by whom) of any “significant failure” to comply with guidelines; such reports go to the Director of NCTC, the ODNI General Counsel, the CLPO, DOJ (it doesn’t say whom at DOJ), and the IC Inspector General; note, the Guidelines don’t require reporting to the Intelligence Oversight Board, which should get notice of significant failures
  • Annual reports from the Director of NCTC on an (admittedly worthwhile) range of metrics on performance to the Guidelines; this report goes to the CLPO, ODNI General Counsel, the IC IG, and–if she requests it–the Assistant Attorney General for National Security

There are a few reasons to be skeptical of this. First, rather than replicate the audits recently mandated under the PATRIOT Act–in which the DOJ Inspector General develops the metrics, these Guidelines have NCTC develop the metrics themselves. And they’re designed to go to the CLPO, who officially reports to the NCTC head, rather than an IG with some independence.

That is, to a large extent, this oversight consists of NCTC reporting to itself.

Read more

ODNI’s Response on Intelligence Oversight Board Shows Lack of Intelligence

In September, I wrote about EFF’s efforts to find out whether Obama had an Intelligence Oversight Board–the board that’s supposed to provide some outside review over potential problems and abuses in the intelligence community.

ODNI has finally responded to EFF’s FOIA lawsuit.

And the results show a distinct lack of intelligence. Meaning, they’re kind of dumb.

There are three documents:

  • Biographies of David Boren, Chuck Hagel, and Lester Lyles, labeled “IOB Member,” “IOB Chair,” and “IOB Member,” respectively.
  • An email (presumably from a press person at the White House) informing the then PIAB General Counsel Homer Pointer that “the announcement” of seven new members of the PIAB–including Lyles–“had been made.” A notation in the corner lists “IOB Members: Hagel (Chair), Boren, Miles.”
  • An ODNI email discussing who, outside that office, should be invited to the DNI Holiday Reception, basically consisting of a list of PIAB members and staffers with “(Also IOB Co-Chair)” noted next to both Hagel and Boren’s names, and “(IOB member)” next to Lyles’.

Maybe I’m just being persnickety, but that appears to suggest ODNI doesn’t know whether David Boren is a Co-Chair of IOB, or just its third member.

And note that the name of the person who puts together James Clapper’s Holiday Party is a secret. Cause the terrorists will win if they know who sets up our intelligence community holiday parties, I guess.

Frankly, maybe the big question is not who the members of IOB are, but who the staffers are, because it appears that between December 2009 and October 2010, IOB got new staffers, seemingly replacing Homer Pointer (who had gone on the record several times complaining about the non-existent IOB) with Ray Heddings (who had worked at the Defense Threat Reduction Agency) as Counsel.

So while at one level, these three documents may tell us nothing. At another, they make me wonder whether the Administration’s solution to rising questions about the IOB was simply to replace the guy, internally, who actually cared?

Two of Obama’s Independent Intelligence Advisors Have Supported Oversight in Past; Why Not Now?

I’ve written recently about Obama’s refusal to appoint anyone to the Privacy and Civil Liberties Oversight Board, which is supposed to ensure the government protects privacy while laying out a dragnet to catch terrorists, most recently when Thomas Kean and Lee Hamilton issued their 10-year report card on the 9/11 Commission’s recommendations. And I wrote about Bush’s efforts to bypass the intelligence oversight that is supposed to be exercised by the Intelligence Oversight Board by simply eliminating the part of the Presidential Foreign Intelligence Advisory Board that did that oversight, the IOB.

But it seems Obama has ensured–as he has with PCLOB–that IOB can’t do its job. Or at least that’s the appearance from the government’s stone-walling on information about the board.

The Electronic Frontier Foundation has been trying to see whether Obama has fulfilled his promise to restore the IOB to functionality by FOIAing who is on it and what they’ve been doing (and whether they’ve been ignoring the National Security Letters the Army has been sending out).Thus far, the government has denied their FOIA.

The IOB is supposed to alert the president and attorney general when it spots behavior that is unlawful or contrary to executive order. However, in his nearly three years in office, President Obama has not yet announced any appointments to the IOB. EFF’s suit comes after the ODNI refused to respond to a Freedom of Information Act (FOIA) request for membership, vacancies, and other information about the IOB made earlier this year.

“The IOB has a critically important mission – civilian oversight of America’s intelligence activities. The board exists to make sure government agencies are not overstepping their authority and abusing citizens’ rights,” said EFF Open Government Legal Fellow Mark Rumold. “History has shown that intelligence agencies overseeing their own behavior is like the fox guarding the henhouse. If the IOB is ineffective, impaired, or short-staffed, that’s information Americans need to know.”

So now they’re suing to get that information.

But there’s something else weird about Obama’s stone-walling here. Here’s the list of people Obama has appointed to the President’s Intelligence Advisory Board, the board that oversees the IOB.

  • Chuck Hagel (10/28/2009)
  • David Boren (10/28/2009)
  • Roel Campos (12/23/2009)
  • Lee Hamilton (12/23/2009)
  • Rita Hauser (12/23/2009)
  • Paul Kaminski (12/23/2009)
  • Ellen Laipson (12/23/2009)
  • Les Lyles (12/23/2009)
  • Jami Miscik (12/23/2009)
  • Richard Danzig (12/1/2010)
  • Daniel Meltzer (12/1/2010)
  • Thomas Wheeler (4/17/2011)
  • Mona Sutphen (9/6/2011)
  • Phillip Zelikow (9/6/2011)

You know, Lee Hamilton, the 9/11 Commission Chair who just weeks ago was nagging the Administration that, “there should be a board within the executive branch to oversee adherence to the [privacy] guidelines we recommend and the commitment the government makes to defend our civil liberties.” And Phillip Zelikow, who wasn’t involved in the anniversary nagging, but who was involved in the original recommendation? (FWIW, Chuck Hagel voted for PCLOB as part of the larger counterterrorism reform package of which it was a part.)

These men obviously think (or at least used to think) our intelligence community needs some oversight. I realize PCLOB isn’t the same thing as IOB (as originally conceived and even as statutorily defined PCLOB was supposed to be stronger in some ways than IOB, though it was targeted at privacy, not intelligence violations). So why not push for oversight designated to be a part of the board on which they serve?

Seven years ago, Hamilton and Zelikow signed off on the this language:

[W]hile protecting our homeland, Americans should be mindful of threats to vital personal and civil liberties. This balancing is no easy task, but we must constantly strive to keep it right.

This shift of power and authority to the government calls for an enhanced system of checks and balances to protect the precious liberties that are vital to our way of life.

Right now, even as Hamilton and Zelikow serve as Obama’s handpicked independent intelligence advisors, the checks and balances on our intelligence system are actually worse than when they signed off on those words. They may not be able to do anything about EFF’s FOIA to learn what has become of the IOB. But it’d be nice if they used their advisory position to implement checks and balances more generally on the intelligence community.

The Incredible Disappearing PFIAB

Smintheus provides a good background on Bush’s Executive Order to gut PFIAB (h/t scribe).

On Friday afternoon the White House posted without fanfare a new Executive Order that revamps an important though little known intelligence board. There are a few minor changes, but the most radical revision appears to be that the board has now been stripped of nearly all its powers to investigate and check illegal intelligence activities. It’s difficult to see what legitimate reasons there could have been for gutting the oversight activities of the board in this way, and the WH has not explained the changes.


The newly revised IOB is much more passive. Gone is the duty to review agency guidelines regarding illegal intelligence activities. Gone is the duty to hold accountable the intelligence watchdog offices, such as inspectors general, who are supposed to serve as a bulwark against illegal activities.

Gone is the duty ("shall…forward") to take illegal activities directly to the Attorney General.

I wanted to add just a few details of context.

First, recall that the referrals by IOB–and the absence of any response to such referrals–got Alberto Gonzales in trouble.

In 2005, Gonzales had assured Congress there were no violations of privacy associated with the PATRIOT Act. But last year it became clear that Gonzales received reports of at least six violations.

As he sought to renew the USA Patriot Act two years ago, Attorney General Alberto R. Gonzales assured lawmakers that the FBI had not abused its potent new terrorism-fighting powers. "There has not been one verified case of civil liberties abuse," Gonzales told senators on April 27, 2005.

Six days earlier, the FBI sent Gonzales a copy of a report that said its agents had obtained personal information that they were not entitled to have. It was one of at least half a dozen reports of legal or procedural violations that Gonzales received in the three months before he made his statement to the Senate intelligence committee, according to internal FBI documents released under the Freedom of Information Act.

When cornered on his lie, Gonzales invented some mumbo jumbo about how violations that get reported to the IOB aren’t really violations.

Read more