Posts

Would We Have Accepted the Dragnet if NSA Had to Admit It Could Have Prevented 9/11?

/8 Comments/in /by

Screen shot 2014-02-18 at 10.16.30 AMI’m going to return to Glenn Greenwald’s latest showing details of how the NSA treated WikiLeaks and, to a lesser degree, Anonymous (as well as Alexa O’Brien’s update on the investigation into WikiLeaks) later.

If GCHQ does this kind of tracking, how did Five Eyes miss the Tsarnaev brothers?

But for now I want to look at one slide covering GCHQ’s AntiCrisis monitoring approach (see slide 34), which in this case is focused on WikiLeaks. It shows how GCHQ has the ability — and had it in 2012 — to monitor particular websites. It shows GCHQ can monitor the visitors of a particular website, where they’re coming from, what kind of browsers they use. None of that is, in the least surprising. But given those capabilities, it would be shocking if GCHQ weren’t doing similar monitoring of AQAP’s online magazine Inspire, with the added benefit that certain text strings in each Inspire magazine would make it very easy to track copies of it as it was downloaded, even domestically via upstream collection. And for the UK, this isn’t even controversial; even possessing Inspire in the UK can get you imprisoned.

Given that that’s the case, why didn’t GCHQ and NSA find the Tsarnaev brothers who — the FBI has claimed but provided no proof — learned to make a bomb from the Inspire release that GCHQ or NSA hacked? Why isn’t NSA reviewing why it didn’t find the brothers based on cross-referencing likely NSA tracking of Inspire with its FBI reporting on Tamerlan Tsarnaev?

I used to not believe NSA should have found the Tsarneavs. But now that I’ve seen all the nifty tools we’ve learned NSA and, especially, GCHQ have, they really do owe us an explanation for why they didn’t find the Tsarnaev brothers, one of whom was already in an FBI database, and who was allegedly learning to make a pressure cooker bomb from a document that surely gets tracked by the NSA and its partners.

Speaking of NSA failures…

Which brings me back to James Clapper’s interview with Eli Lake.

Clapper said the problems facing the U.S. intelligence community over its collection of phone records could have been avoided. “I probably shouldn’t say this, but I will. Had we been transparent about this from the outset right after 9/11—which is the genesis of the 215 program—and said both to the American people and to their elected representatives, we need to cover this gap, we need to make sure this never happens to us again, so here is what we are going to set up, here is how it’s going to work, and why we have to do it, and here are the safeguards… We wouldn’t have had the problem we had,” Clapper said.

“What did us in here, what worked against us was this shocking revelation,” he said, referring to the first disclosures from Snowden. If the program had been publicly introduced in the wake of the 9/11 attacks, most Americans would probably have supported it. “I don’t think it would be of any greater concern to most Americans than fingerprints

Now, I’ll have to review the latest declarations in Jewel, but I think Clapper’s statement — that the genesis of today’s phone dragnet dates to 9/11 —  goes slightly beyond what has been admitted, because it ties today’s phone dragnet program back to the PSP phone dragnet program. Ron Wyden has tried to make the tie between the illegal program and the current one clear for months. Clapper has now inched closer to doing so.

But I also want to take issue with Clapper’s claim that if NSA had presented a “gap” to Members of Congress and the public after 9/11 we would have loved the dragnet.

Had we known of the errors and territorialism that permitted 9/11, would we have agreed to any of this?

I do so, in part, because the claim there was a “gap” is erroneous and has been proven to be erroneous over and over. Moreover, that myth dates not to the days after 9/11, but to misrepresentations about the content of the 9/11 Commission report 3 years later. Note, too, that (as has happened with Inspector Generals reviews of the Boston Marathon attack) the Commission got almost no visibility into what NSA had against al Qaeda.

More importantly, had NSA gone to the public with claims about gaps it did and didn’t have before 9/11, we would likely have talked not about providing NSA more authority to collect dragnets, but instead, about the responsibility of those who sat on intelligence that might have prevented 9/11.

As Thomas Drake and the other NSA whistleblowers have made clear, the NSA had not shared intelligence reports that might have helped prevent 9/11.

I found the pre- and post-9/11 intelligence from NSA monitoring of some of the hijackers as they planned the attacks of 9/11 had not been shared outside NSA. Read more

Share this entry

Obviously Bogus Clapper Exoneration Attempt 5.0 Doesn’t Exactly Line Up with OBCEA 4.0

/9 Comments/in , /by

Office of Director of National Intelligence General Counsel Robert Litt, 45 days ago:

Senator Ron Wyden asked about collection of information on Americans during a lengthy and wide-ranging hearing on an entirely different subject. While his staff provided the question the day before, Mr. Clapper had not seen it. As a result, as Mr. Clapper has explained, he was surprised by the question and focused his mind on the collection of the content of Americans’ communications. In that context, his answer was and is accurate.

When we pointed out Mr. Clapper’s mistake to him, he was surprised and distressed. I spoke with a staffer for Senator Wyden several days later and told him that although Mr. Clapper recognized that his testimony was inaccurate, it could not be corrected publicly because the program involved was classified.

This incident shows the difficulty of discussing classified information in an unclassified setting and the danger of inferring a person’s state of mind from extemporaneous answers given under pressure.

Director of National Intelligence James Clapper, today:

But Clapper told The Daily Beast that he simply misunderstood Wyden’s question. At the time of the hearing last March, Congress had just finished consideration of a bill to renew the Foreign Intelligence Surveillance Act (FISA). Section 702 of that legislation gives the National Security Agency the authority to collect the electronic communications of non-U.S. persons. In his question, Wyden asked initially if the United States had collected “dossiers” on American citizens and referred to an answer to this question by then NSA director, Keith Alexander.

“I was not even thinking of what he was asking about, which is of course we now all know as section 215 of the Patriot Act governing the acquisition and storage of telephony business records metadata,” Clapper said. “Wasn’t even thinking of that.” The director of national intelligence said he thought Wyden’s question was actually about section 702 of FISA.

“The allegation about my lying and committing perjury I think are disproven by my labored amplification when I said, ‘if there is, it’s inadvertent collection,’ meaning when we’re collecting overseas under section 702, and if we inadvertently collect which we may not know at the time, U.S. persons data, that’s what I meant by inadvertent. That comment would make absolutely no sense whatsoever in the context of section 215.”

At the time of the Mitchell interview, the U.S. government was still in the process of declassifying elements of the FISA 702 program. “There is only one person on the planet who actually knows what I was thinking,” Clapper said of his testimony from last March. “Not the media, and not certain members of Congress, only I know what I was thinking.”

If only one person knows what he was thinking, then how was Robert Litt in any position to tell us Clapper was “surprised”?

And has Clapper decided he wasn’t “surprised” (perhaps because he had been briefed, not to mention had received months and months of letters, about the question), but instead simply “misunderstood” the intent of a question he had received months of letters about?

Share this entry

On the Day Ron Wyden Asked Whether NSA Complied with US v. Jones, It Collected 4 Billion Cell Location Records

/10 Comments/in /by

FasciaAs part of my new focus on leaked claims that the NSA can’t collect call call data because of problems stripping out cell location data, I want to look at the two exchanges Ron Wyden and James Clapper have had about cell location data.

First, at the Global Threats Hearing 2 years ago just after the US v. Jones decision ruled GPS tracking a search (watching Ron Wyden discomfit Clapper at Threat Hearings used to be my exclusive beat, you know), they had this exchange.

Wyden: Director Clapper, as you know the Supreme Court ruled last week that it was unconstitutional for federal agents to attach a GPS tracking device to an individual’s car and monitor their movements 24/7 without a warrant. Because the Chair was being very gracious, I want to do this briefly. Can you tell me as of now what you believe this means for the intelligence community, number 1, and 2, would you be willing to commit this morning to giving me an unclassified response with respect to what you believe the law authorizes. This goes to the point that you and I have talked, Sir, about in the past, the question of secret law, I strongly feel that the laws and their interpretations must be public. And then of course the important work that all of you’re doing we very often have to keep that classified in order to protect secrets and the well-being of your capable staff. So just two parts, 1, what you think the law means as of now, and will you commit to giving me an unclassified answer on the point of what you believe the law actually authorizes.

Clapper: Sir, the judgment rendered was, as you stated, was in a law enforcement context. We are now examining, and the lawyers are, what are the potential implications for intelligence, you know, foreign or domestic. So, that reading is of great interest to us. And I’m sure we can share it with you. [looks around for confirmation] One more point I need to make, though. In all of this, we will–we have and will continue to abide by the Fourth Amendment. [my emphasis]

We now have proof (as if Wyden’s hints weren’t enough of a tell, given his track record) that NSA was collecting cell location at the time of Wyden’s question. While the exchange took place after (according to NSA’s public claims) NSA’s domestic experiments with cell data under Section 215 ended, it suggests the actual NSA collection took place outside of Section 215.

As it happens, NSA’s own slide shows that on the day Wyden asked the question — January 31, 2012 — it collected around 4 billion cell location records (it was a slow day that day — NSA had been collecting closer to 5 billion records a day in 2012). That collection presumably would have been conducted under EO 12333.

Given that we know NSA collected around 4 billion cell location records that day, I’m particularly struck by Clapper’s emphasis on two things: First his suggestion that the legal analysis might be different for an intelligence use than for a law enforcement use. Given his claim the IC abided by the Fourth Amendment, I assume he imagines they have a Special Need to suck up all this cell location data that makes such searches “reasonable.”

Also note his reference to “foreign or domestic.” I’m guessing the IC was also busy arguing that, in spite of the US person cell locations they were ingesting, because they were doing so in a foreign location, it didn’t violate the Fourth Amendment.

With all that in mind, consider Wyden’s question to Keith Alexander on September 26, just before Alexander admitted to the past Section 215 experiments as some kind of limited hangout. Read more

Share this entry

Is There a 702 Certificate for Transnational Crime Organizations?

/in , /by

Update, 9/8/15: We’ve subsequently learned that in 2015, the third certificate in 2011 was a vaguely defined “foreign government” one, which has been used very broadly (and lied about by the government on multiple occasions). NSA was contemplating a cyber certificate in 2012, but Bates’ 2011 decision may have made the terms of that difficult. 

I joked yesterday that James Clapper did no more than cut and paste to accomplish President Obama’s order of providing a list of acceptable bulk collection. But I’d like to note something about the list of permissible uses of bulk collection.

  1. Espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;
  2. Threats to the United States and its interests from terrorism;
  3. Threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;
  4. Cybersecurity threats;
  5. Threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and
  6. Transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named above.

For months, I have been noting hints that the use of Section 702 — which is one of several kinds of domestic bulk collection — is limited by the number of certifications approved by FISC, which might be limited by FISC’s assessment of whether such certifications establish a certain level of “special need.”

In 2011, it seems clear from John Bates’ opinion on the government’s Section 702 applications, there were 3 certifications.

Screen shot 2013-12-19 at 7.10.00 AM

If there are just 3 certifications, then it seems clear they cover counterterrorism, counterproliferation, and cybersecurity (which is consistent with both ODNI’s public descriptions of Section 702 and the Presidential Review Group’s limits on it), 3 of 6 of the permitted uses of bulk collection.

Furthermore, there’s some history (you’ll have to take my word for this for now, but the evidence derives in part from reports on the use of National Security Letters) of lumping in Counterintelligence and Cybersecurity, because the most useful CI application of bulk collection would target technical exploits used for spying. So if that happens with 702 collection, then 4 of the 6 permissible applications would be covered by existing known certifications.

Threats against Armed Forces would, for the most part, be overseas, suggesting the bulk collection on it would be too. (Though it appears Bush’s illegal program used the excuse of force protection to spy on Iraqi-related targets, potentially even in the US, until the hospital confrontation stopped it.)

Which leaves just transnational crime threats — against which President Obama rolled out a parallel sanctions regime to terrorism in 2011 (though there had long been a regime against drug traffickers) — as the sole bulk collection that might apply in the US that doesn’t have certifications we know about.

Given that at least drug cartels have a far more viable — and deathly — operation in the United States than al Qaeda, I can’t think of any reason why the Administration wouldn’t have applied for a certification targeting TCOs, too (one of Treasury’s designated TCO targets — Russian and East European mobs — would have some overlap with the cyber function, and one — Yakuza — just doesn’t seem like a big threat to the US at all).

And last year’s Semiannual Compliance Assessment may support the argument that there are more than 3 certificates. In its description of the review process for 702 compliance, the report lays out review dates by certifications. Here’s the NSA review schedule:

Screen Shot 2014-02-11 at 9.49.59 AM

This seems to show 4 lines of certifications, one each in August and December, but two in October. Perhaps they re-review one of the certifications (counterterrorism, most likely). But if not, it would seem to suggest there’s now a 4th certification.

Here’s the FBI review schedule (which apparently requires a lot more manual review).

Screen Shot 2014-02-11 at 12.30.28 PM

Given that this requires manual review, I wouldn’t be surprised if they repeated the counterterrorism certifications review (and we don’t know whether all the NSA certifications would be used by FBI). But the redactions would at least allow for the possibility that there is a 4th certification, in addition to the 3 we know about.

Perhaps Obama rolled out TCOs as a 4th certification as he rolled out his new Treasury initiative on it (which would be after the applications laid out by Bates).

Of course, we don’t know. But I think two things are safe to say. First, the use of 702 is tied to certifications by topic. And the public statement about permissible use of bulk collection, it would seem to envision the possibility of a 4th certification covering TCOs, and with it, drug cartels.

Share this entry

In Cut and Paste Tumblr Post, James Clapper Describes Who We Can Spy on without Discriminants

/in , , /by

As part of his Presidential Policy Directive on Signals Intelligence, Obama said this about bulk collection:

In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section. In no event may signals intelligence collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S . business sectors commercially; or achieving any purpose other than those identified in this section.

The Assistant to the President and National Security Advisor (APNSA), in consultation with the Director of National Intelligence (DNI), shall coordinate, on at least an annual basis, a review of the permissible uses of signals intelligence collected in bulk through the National Security Council Principals and Deputies Committee system identified in PPD-1 or any successor document. At the end of this review, I will be presented with recommended additions to or removals from the list of the permissible uses of signals intelligence collected in bulk.

The DNI shall maintain a list of the permissible uses of signals intelligence collected in bulk. This list shall be updated as necessary and made publicly available to the maximum extent feasible, consistent with the national security.

To fulfill that bolded “shall” language, James Clapper just released this on his IContheRecord Tumblr page:

Presidential Policy Directive/PPD-28 – Signals Intelligence Activities establishes a process for determining the permissible uses of nonpublicly available signals intelligence that the United States collects in bulk. It also directs the Director of National Intelligence to “maintain a list of permissible uses of signals intelligence collected in bulk” and make the list “publicly available to the maximum extent feasible, consistent with the national security.”

Consistent with that directive, I am hereby releasing the current list of permissible uses of nonpublicly available signals intelligence that the United States collects in bulk.

Signals intelligence collected in “bulk” is defined as “the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).” As of Jan. 17, 2014, nonpublicly available signals intelligence collected by the United States in bulk may be used by the United States “only for the purposes of detecting and countering:

  1. Espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;
  2. Threats to the United States and its interests from terrorism;
  3. Threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;
  4. Cybersecurity threats;
  5. Threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and
  6. Transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named above.”

Further, as prescribed in PPD-28, “in no event may signals intelligence collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S. business sectors commercially;” or achieving any purpose other than those identified above.

Effectively, Clapper fulfilled an obligation mandated by the PPD by simply cutting and pasting the list of 6 permissible uses of bulk collection in the PPD.

Given that this list is expected to be assessed annually, does that mean the PPD itself should be considered valid for no more than a year?

Share this entry

Mike Rogers Throws Tantrum Over Obama’s Drone Policy

/1 Comment/in , /by

It seems that Mike Rogers lately is aiming to take over the Emptywheel blog. When he’s not yapping about criminalizing journalism or dissembling about Congressional briefings on the Patriot Act renewal, he’s putting out bloodthirsty endorsements of drone violence. When we last heard from him on the drone front, he was joining the mad rush to come up with the most damning indictment of Hakimullah Mehsud after the US disrupted Pakistan’s plans to start peace talks the very next day with a Taliban group headed by Mehsud. Yesterday, Rogers used a hearing of his House Intelligence Committee as a venue in which to pitch a tantrum over the US daring to adjust its drone policy, leading to fewer strikes.

Now, almost exactly three months after the Mehsud drone strike, we see the prospect for peace talks between Pakistan and the Taliban disrupted again. As I mentioned yesterday, Taliban negotiators fear that Pakistan’s government may be planning to scuttle the talks in order to launch an offensive against the Taliban in tribal areas, which might also play into a desire by Sharif’s government to be in line for counterterrorism funds which the US might not be spending in Afghanistan.

The Washington Post has Rogers’ tirade. First, there is news of a pause in drone strikes in Pakistan:

The Obama administration has sharply curtailed drone strikes in Pakistan after a request from the government there for restraint as it pursues peace talks with the Pakistani Taliban, according to U.S. officials.

“That’s what they asked for, and we didn’t tell them no,” one U.S. official said. The administration indicated that it will still carry out strikes against senior al-Qaeda targets, if they become available, and move to thwart any direct, imminent threat to U.S. persons.

Concern about Pakistani political sensitivities provides one explanation for the absence of strikes since December, the longest pause in the CIA’s drone campaign since a six-week lull in 2011, after an errant U.S. air assault killed 24 Pakistani soldiers at a border post, triggering a diplomatic crisis.

Oooh, look! There’s Marcy’s favorite word again, “imminent“. But this lull in drone strikes, coupled with the explanation offered in the Post, tells us that no suitable al Qaeda targets with credible plans against the US presented themselves in Pakistan’s tribal areas for over a month. That didn’t deter Rogers; he’s upset that any potential targets aren’t blasted immediately: Read more

Share this entry

Mirror, Mirror, on the Wall, Who’s the Hackiest of Them All?

/25 Comments/in /by

ClapperHere are some excerpts from the Global Threats report pertaining to the cyber threat.

We assess that computer network exploitation and disruption activities such as denial-of-service attacks will continue.

[snip]

… many countries are creating cyber defense institutions within their national security establishments. We estimate that several of these will likely be responsible for offensive cyber operations as well.

[snip]

Critical infrastructure, particularly the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used in water management, oil and gas pipelines, electrical power distribution, and mass transit, provides an enticing target to malicious actors. Although newer architectures provide flexibility, functionality, and resilience, large segments of legacy architecture remain vulnerable to attack, which might cause significant economic or human impact.

It’s as if the intelligence community called up NSA and CyberCommand, asked what they had been working on, and then “assessed” that those targets presented threats going forward.

And while I expect that China commits what would be judged the largest number of hacks (in part because much of the information we steal right from the communication backbone they would have to hack to get), the inclusion of SCADA in the list of vulnerabilities is particularly rich, considering we are believed to have pioneered that kind of attack with StuxNet.

Again, I’m not denying these other entities hack (the unclassified version of the report left off Israel and France, as unclassified versions tend to do). Just that we continue to exhibit no awareness that some part of this threat amounts to our genie blowing back in our face.

Share this entry

When Judge Reggie Walton Disappeared the FBI Director: The Tell that FISC Wasn’t Following the Law

/4 Comments/in , /by

SEN. MIKULSKI: General Clapper, there are 36 different legal opinions.

DIR. CLAPPER: I realize that.

SEN. MIKULSKI: Thirty-six say the program’s constitutional. Judge Leon said it’s not.

Thirty-six “legal opinions” have deemed the dragnet legal and constitutional, its defenders say defensively, over and over again.

But that’s not right — not by a long shot, as ACLU’s Brett Max Kaufman pointed out in a post yesterday. In its report, PCLOB confirmed what I first guessed 4 months ago: the FISA Court never got around to writing an opinion considering the legality or constitutionality of the dragnet until August 29, 2013.

FISC judges, on 33 occasions before then, signed off on the dragnet without bothering to give it comprehensive legal review.

Sure, after the program had been reauthorized 11 times, Reggie Walton considered the more narrow question of whether the program violates the Stored Communications Act (I suspect, but cannot yet prove, that the government presented that question because of concerns raised by DOJ IG Glenn Fine). But until Claire Eagan’s “strange” opinion in August, no judge considered in systematic fashion whether the dragnet was legal or constitutional.

And the thing is, I think FISC judge — now Presiding Judge — Reggie Walton realized around about 2009 what they had done. I think he realized the program didn’t fit the statute.

Consider a key problem with the dragnet — another one I discussed before PCLOB (though I was not the first or only one to do so). The wrong agency is using it.

Section 215 does not authorize the NSA to acquire anything at all. Instead, it permits the FBI to obtain records for use in its own investigations. If our surveillance programs are to be governed by law, this clear congressional determination about which federal agency should obtain these records must be followed.

Section 215 expressly allows only the FBI to acquire records and other tangible things that are relevant to its foreign intelligence and counterterrorism investigations. Its text makes unmistakably clear the connection between this limitation and the overall design of the statute. Applications to the FISA court must be made by the director of the FBI or a subordinate. The records sought must be relevant to an authorized FBI investigation. Records produced in response to an order are to be “made available to,” “obtained” by, and “received by” the FBI. The Attorney General is directed to adopt minimization procedures governing the FBI’s retention and dissemination of the records it obtains pursuant to an order. Before granting a Section 215 application, the FISA court must find that the application enumerates the minimization procedures that the FBI will follow in handling the records it obtains. [my emphasis, footnotes removed]

The Executive convinced the FISA Court, over and over and over, to approve collection for NSA’s use using a law authorizing collection only by FBI.

Which is why I wanted to point out something else Walton cleaned up in 2009, along with watchlists of 3,000 Americans who had not received First Amendment Review. Judge Reggie Walton disappeared the FBI Director.

>>>Poof!<<<

Gone.

The structure of all the dragnet orders released so far (save Eagan’s opinion) follow a similar general structure:

  • An (unnumbered, unlettered) preamble paragraph describing that the FBI Director made a request
  • 3-4 paragraphs measuring the request against the statute, followed by some “wherefore” language
  • A number of paragraphs describing the order, consisting of the description of the phone records required, followed by 2 minimization paragraphs, the first pertaining to FBI and,
  • The second paragraph introducing minimization procedures for NSA, followed by a larger number of lettered paragraphs describing the treatment of the records and queries (this section got quite long during the 2009 period when Walton was trying to clean up the dragnet and remains longer to this day because of the DOJ oversight Walton required)

Here’s how the first three paragraphs looked in the first order and (best as I can tell) the next 11 orders, including Walton’s first order in December 2008:

An application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (the Act), Title 50, United States Code (U.S.C.), § 1861, as amended, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, the Court finds that:

1. The Director of the FBI is authorized to make an application for an order requiring the production of any tangible thing for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the First Amendment to the Constitution of the United States. [50 U.S.C. § 1861 (c)(1)]

2. The tangible things to be produced are all call-detail records or “telephone metadata” created by [the telecoms]. Telephone metadata includes …

[snip]

3. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12,333 to protect against international terrorism, … [my emphasis]

Here’s how the next order and all (released) following orders start [save the bracketed language, which is unique to this order]:

An verified application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (FISA), as amended, 50 U.S.C. § 1861, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, [as well as the government’s filings in Docket Number BR 08-13 (the prior renewal of the above-captioned matter),] the Court finds that:

1. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12333 to protect against international terrorism, …

That is, Walton took out the paragraph — which he indicated in his opinion 3 months earlier derived from the statutory language at 50 U.S.C. § 1861 (c)(1) — pertaining to the FBI Director. The paragraph always fudged the issue anyway, as it doesn’t discuss the FBI Director’s authority to obtain this for the NSA. Nevertheless, Walton seems to have found that discussion unnecessary or unhelpful.

Walton’s March 5, 2009 order and all others since have just 3 statutory paragraphs, which basically say:

  1. The tangible things are relevant to authorized FBI investigations conducted under EO 12333 — Walton cites 50 USC 1861 (c)(1) here
  2. The tangible things could be obtained by a subpoena duces tecum (50 USC 1861 (c)(2)(D)
  3. The application includes an enumeration of minimization procedures — Walton doesn’t cite statute in this May 5, 2009 order, but later orders would cite 50 USC 1861 (c)(1) again

Here’s what 50 USC 1861 (c)(1), in its entirety, says:

(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.

And here are two key parts of subsections (a) and (b) — in addition to “relevant” language that has always been included in the dragnet orders.

(a) Application for order; conduct of investigation generally

(1) Subject to paragraph (3), the Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things

[snip]

(2) shall include—

[snip]

(B) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

FBI … FBI … FBI.

The language incorporated in 50 USC 1861 (c)(1) that has always been cited as the standard judges must follow emphasizes the FBI repeatedly (PCLOB laid out that fact at length in their analysis of the program). And even Reggie Walton once admitted that fact.

And then, following his lead, FISC stopped mentioning that in its statutory analysis altogether.

Eagan didn’t even consider that language in her “strange” opinion, not even when citing the passages (here, pertaining to minimization) of Section 215 that directly mention the FBI.

Section 215 of the USA PATRIOT Act created a statutory framework, the various parts of which are designed to ensure not only that the government has access to the information it needs for authorized investigations, but also that there are protections and prohibitions in place to safeguard U.S. person information. It requires the government to demonstrate, among other things, that there is “an investigation to obtain foreign intelligence information … to [in this case] protect against international terrorism,” 50 U.S.C. § 1861(a)(1); that investigations of U.S. persons are “not conducted solely upon the basis of activities protected by the first amendment to the Constitution,” id.; that the investigation is “conducted under guidelines approved by the Attorney General under Executive Order 12333,” id. § 1861(a)(2); that there is “a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant” to the investigation, id. § 1861(b)(2)(A);14 that there are adequate minimization procedures “applicable to the retention and dissemination” of the information requested, id. § 1861(b)(2)(B); and, that only the production of such things that could be “obtained with a subpoena duces tecum” or “any other order issued by a court of the United States directing the production of records” may be ordered, id. § 1861(c)(2)(D), see infra Part III.a. (discussing Section 2703(d) of the Stored Communications Act). If the Court determines that the government has met the requirements of Section 215, it shall enter an ex parte order compelling production.

This Court must verify that each statutory provision is satisfied before issuing the requested Orders. For example, even if the Court finds that the records requested are relevant to an investigation, it may not authorize the production if the minimization procedures are insufficient. Under Section 215, minimization procedures are “specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” Id. § 1861(g)(2)(A)

Reggie Walton disappeared the FBI Director as a statutory requirement (he retained that preamble paragraph, the nod to authorized FBI investigations, and the perfunctory paragraph on minimization of data provided from NSA to FBI) on March 5, 2009, and he has never been heard from in discussions of the FISC again.

Now I can imagine someone like Steven Bradbury making an argument that so long as the FBI Director actually signed the application, and so long as the FBI had minimization procedures for the as few as 16 tips they receive from the program in a given year, it was all good to use an FBI statute to let the NSA collect a dragnet potentially incorporating all the phone records of all Americans. I can imagine Bradbury pointing to the passive construction of that “things to be made available” language and suggest so long as there were minimization procedures about FBI receipt somewhere, the fact that the order underlying that passive voice was directed at the telecoms didn’t matter. That would be a patently dishonest argument, but not one I’d put beyond a hack like Bradbury.

The thing is, no one has made it. Not Malcolm Howard in the first order authorizing the dragnet, not DOJ in its request for that order (indeed, as PCLOB pointed out, the application relied heavily on Keith Alexander’s declaration about how the data would be used). The closest anyone has come is the white paper written last year that emphasizes the relevance to FBI investigations.

But no one I know of has affirmatively argued that it’s cool to use an FBI statute for the NSA. In the face of all the evidence that the dragnet has not helped the FBI thwart a single plot — maybe hasn’t even helped the FBI catch one Somali-American donating less than $10,000 to al-Shabaab, as they’ve been crowing for months — FBI Director Jim Comey has stated to Congress that the dragnet is useful to the FBI primarily for agility (though the record doesn’t back Comey’s claim).

Which leaves us with the only conclusion that makes sense given the Executive’s failure to prove it is useful at all: it’s not the FBI that uses it, it’s NSA. They don’t want to tell us how the NSA uses it, in part, because we’ll realize all their reassurances about protections for Americans fall flat for the millions of Americans who are 3 degrees away from a potential suspect.

But they also don’t want to admit that it’s the NSA that uses it, because then it’ll become far more clear how patently illegal this program has been from the start.

Better to just disappear the FBI Director and hope no one starts investigating the disappearance.

Share this entry

Jello Jay Rockefeller: Associational Database Is “Core Governmental Function”

/7 Comments/in /by

I’m watching the Senate Intelligence Committee hearing on global threats, and will have more to say about the Snowden fear-mongering later.

But I wanted to point to Jello Jay Rockefeller’s remarkable campaign in favor of the status quo for the dragnet.

He argued against the telecoms taking the data, because their interest is not in protecting privacy (yet they’re playing with our data all the time).

He then said the phone dragnet — a database of all the phone-based relationships in the US in the last 5 years — was a “core governmental function.”

There you have it. Having an associational database of the entire US is a core governmental function, the oversight people think.

Share this entry

Clapper and Holder Remind Us “Disclosure” Mostly Pertains to Targets

/4 Comments/in /by

I want to thank James Clapper and Eric Holder who, in their statement on yesterday’s “disclosure” agreement emphasized the word “target.”

As indicated in the Justice Department’s filing with the Foreign Intelligence Surveillance Court, the administration is acting to allow more detailed disclosures about the number of national security orders and requests issued to communications providers, the number of customer accounts targeted under those orders and requests, and the underlying legal authorities.

I should have given this more emphasis yesterday. All “transparency” numbers provided by the tech companies will describe the number of accounts or “selectors” “targeted,” with the exception of National Security Letter reporting using Option One. So if thousands of other Google accounts are getting sucked into requests for content or metadata, we’ll never know that.

Share this entry