As debates about whether North Korea hacked Sony continue (or even better, websites mockingly show you could randomly assign blame to any number of people; h/t Kim Zetter), there’s something that has long bothered me. The excuse for the government’s failure to provide a more fulsome description of the reasons it is so sure North Korea is to blame always go back to (NSA’s) sources and methods.
For example, here’s Jack Goldsmith making the legitimate argument that one reason you can’t attribute properly is because it would expose what we don’t know, and make us more vulnerable to hackers.
The problem with saying that the “secrecy of the NSA’s sources and methods is going to have to take a back seat to the public’s right to know” is that public knowledge could exacerbate the cyber threat. For when other countries know those aspects of those sources and methods, they can hide their tracks better in the next attack. The U.S. Government might think that the credibility hit it takes for not revealing more in the face of this relatively mild attack on Sony is outweighed by the longer-term advantages – to meeting and defeating greater cybersecurity threats – of having penetrated networks and conversations in unknown ways. The game is iterative, and the proper balance of secrecy and disclosure at any particular time is tricky.
There’s one part of the hack, however, for which such claims can’t be made — and which, in the government’s descriptions, has been just as weak as the FBI’s public forensic case against North Korea: motive.
Not only did the movie The Interview, only become the motive well after the hack, but — even assuming Kim Jong-Un is batshit crazy — the rest of the hack still doesn’t make sense. Why burn all those stars before targeting The Interview? Why release so much about Sony’s IP and other financial dealings before targeting The Interview? Why do nothing in the face of The Interview‘s subsequent release and broad success? In other words, why does the bulk of the attack actually not attack the purported target of it? Heck, the hackers didn’t even make the most of the materials on the Interview obtained in the hack to best serve North Korea’s interests.
No description of the motive I’ve seen makes any sense (again, even assuming that everyone in North Korean positions of authority are crazy or at least irrational).
Meanwhile, as far as I know I had been the only person to point out that James Clapper made a highly unusual trip to North Korea just weeks before the hack to pick up two Americans North Korea claims were US spies.
Curiously, claims that North Korea launched the hack make no mention of James Clapper’s highly unusual trip to North Korea, just a few weeks before the hack was discovered, to pick up two Americans North Korea had imprisoned, claiming they were spies.
It seems to me you might more likely find a rational motive for a rash attack on US soil (albeit at the US subsidiary of Japanese company) in that trip than in a movie, no matter how curious the movies’ ties to US national security figures. That is, not only did North Korea allegedly hack Sony for a movie reviewed by government officials depicting the assassination of Kim, but it did so weeks after the top US spy personally flew to North Korea to rescue two Americans North Korea claimed were spies, one of whom entered on a tourist visa and then ripped it up claiming he wanted to talk to North Koreans.
Reports from a press blitz Clapper did upon his return described Clapper delivering a letter from President Obama — which he described as doing no more than naming Clapper as envoy to pick up the two Americans but which Clapper declined to quote — and North Korea as disappointed that Obama hadn’t offered something more in exchange for the prisoners.
Mr. Clapper revealed details of the trip in an interview with The Wall Street Journal. The North Koreans seemed disappointed when he arrived without a broader peace overture in hand, he said. At the same time, they didn’t ask for anything specific in return for the prisoners’ release.
U.S. officials say the mission, which few officials within the Obama administration knew about until Mr. Clapper was returning, wasn’t meant to signal any change in the U.S.’s approach to the reclusive North.
Mr. Clapper’s earlier conversations with older North Korean officials on his one-day trip had been contentious. He heard what he called a far more “tempered” tone from a younger North Korean whom he described as an interlocutor and who accompanied him on the 40-minute drive back to the airport at the trip’s end. He said the interlocutor expressed regret that the North and South remained split and asked Mr. Clapper if he’d return to Pyongyang.
The plan to send Mr. Clapper came together suddenly.
North Korea made clear that it wanted the U.S. to send a “senior envoy” and that it wanted a communication from the president.
The White House tapped Mr. Clapper, because he was a cabinet-level official though not a member of the cabinet or a diplomat. The White House didn’t want to signal to the North Koreans that Mr. Clapper was being sent to conduct a diplomatic negotiation. Mr. Clapper had also served as a military intelligence officer in South Korea in the mid-1980s and had a continuing interest in the Korean peninsula.
Gen. Kim Young Chol appeared to be taken aback when handed the letter, Mr. Clapper said.
Written in English, the letter introduced Mr. Clapper as the president’s envoy and “characterized the release of the two detainees as a positive gesture,” Mr. Clapper said, declining to quote it directly. “It didn’t apologize.”
It’s possible there was more to the trip than Clapper’s very boisterous press blitz let on.
And it turns out I’m no longer the only one who links the trip to North Korea and the hack. At a speech at a cybersecurity conference at Fordham today, Clapper repeated accusations that North Korea had done the Sony hack, claiming that the General Kim Youn(g) Chol, with whom he had met on his trip, ordered the attack (see also Eamon Javers’ TL) amid more details of what went wrong with his plane and other details of his trip. The Bureau Kim Youn(g) Chol heads is among those sanctioned last week in response to the hack, though it doesn’t appear he’s among the sanction targets himself (though there is someone with a very similar name, Kim Yong Chol, who is Korea Mining Company’s representative in Iran, who was sanctioned).
I’m still not convinced that North Korea did the hack. But if they did, then there’s more of a backstory, precisely where Clapper is pointing to it: in his trip to North Korea just weeks before the hack.
Alternately, Clapper’s fixation on his trip may suggest his meeting with Kin Youn(g) Chol has influenced analysis of the hack, leading Clapper’s subordinates to ascribe more importance to heated meetings while their boss was in North Korea than they logically should.
Either way, Clapper’s giving a very partial description of that trip. But now that he has returned to doing so, it ought to be a much more significant focus for reporting on the alleged North Korea hack.
You’ve no doubt heard that, last Friday (a pre-holiday Friday, as some people are already on their way to Thanksgiving), the Benghazi scandal ended with a fizzle.
The House Intelligence Committee released its report on the Benghazi attack, which basically says all the scandal mongering has been wrong, that Susan Rice’s talking points came from the CIA, that no one held up any rescue attempts, and so on and so on. This post will attempt to lay out why that might have happened. The short version, however, is that the report reveals (but does not dwell on) a number of failures on the part of the CIA that should raise real concerns about Syria.
Note that not all Republicans were as polite as the ultimate report. Mike Rogers, Jeff Miller, Jack Conaway, and Peter King released an additional views report, making precisely the points you’d expect them to — though it takes them until the 4th summary bullet to claim that Administration officials “perpetuated an inaccurate story that matched the Administration’s misguided view that the United States was nearing victory over al-Qa’ida.” Democrats released their own report noting that “there was no AQ mastermind” and that “extremists who were already well-armed and well-trained took advantage of regional violence” to launch the attack. Among the Republicans who presumably supported the middle ground were firebrands like Michele Bachmann and Mike Pompeo, as well as rising Chair Devin Nunes (as you’ll see, Nunes was a lot more interested in what the hell CIA was doing in Benghazi than Rogers). The day after the initial release Rogers released a second statement defending — and pointing to the limits of and Additional Views on — his report.
Now consider what this report is and is not.
The report boasts about the 1000s of hours of work and 1000s of pages of intelligence review, as well as 20 committee events, interviews with “senior intelligence officials” and 8 security personnel (whom elsewhere the report calls “the eight surviving U.S. personnel”) who were among the eyewitnesses in Benghazi. But the bulk of the report is sourced to 10 interviews (the 8 security guys, plus the Benghazi and Tripoli CIA Chiefs), and a November 15, 2012 presentation by James Clapper, Mike Morell, Matt Olsen, and Patrick Kennedy. (Here are the slides from that briefing: part one, part two.) As I’ll show, this means some of the claims in this report are not sourced to the people who directly witnessed the events. And the reports sources almost nothing to David Petraeus, who was CIA Director at the time.
One of the best explanations for why this is such a tempered report may be that FBI performed better analysis of the cause of the attack than CIA did. This is somewhat clear from the summary (though buried as the 4th bullet):
There was no protest. The CIA only changed its initial assessment about a protest on September 24, 2012, when closed caption television footage became available on September 18, 2012 (two days after Ambassador Susan Rice spoke), and after the FBI began publishing its interviews with U.S. officials on the ground on September 22, 2012.
That is, one reason Susan Rice’s talking points said what they did is because CIA’s analytical reports still backed the claim there had been a protest outside State’s Temporary Mission Facility.
Moreover, in sustaining its judgment there had been a protest as long as it did, CIA was actually ignoring both a report from Tripoli dated September 14, and the assessment of the Chief of Station in Tripoli, who wrote the following to Mike Morell on September 15.
We lack any ground-truth information that protest actually occurred, specifically in the vicinity of the consulate and leading up to the attack. We therefore judge events unfolded in a much different manner than in Tunis, Cairo, Khartoum, and Sanaa, which appear to the the result of escalating mob violence.
In a statement for the record issued in April 2014, Mike Morell explained that Chiefs of Station “do not/not make analytic calls for the Agency.” But it’s not clear whether Morell explained why CIA appears to have ignored their own officer.
While the report doesn’t dwell on this fact, the implication is that the FBI was more successful at interviewing people on the ground — including CIA officers!! — to rebut a common assumption arising from public reporting. That’s a condemnation of CIA’s analytical process, not to mention a suggestion FBI is better at collecting information from humans than CIA is. But HPSCI doesn’t seem all that worried about these CIA failures in its core missions.
Or maybe CIA failed for some other reason. Continue reading
The White House has come out with an enthusiastic statement supporting USA Freedom Act.
The Administration strongly supports Senate passage of S. 2685, the USA FREEDOM Act. In January, the President called on Congress to enact important changes to the Foreign Intelligence Surveillance Act (FISA) that would keep our Nation safe, while enhancing privacy and better safeguarding our civil liberties. This past spring, a broad bipartisan majority of the House passed a bill that answered the President’s call. S. 2685 carefully builds on the good work done in the House and has won the support of privacy and civil liberties advocates and the private sector, including significant members of the technology community. As the Attorney General and the Director of National Intelligence stated in a letter dated September 2, 2014, the bill is a reasonable compromise that enhances privacy and civil liberties and increases transparency.
The bill strengthens the FISA’s privacy and civil liberties protections, while preserving essential authorities that our intelligence and law enforcement professionals need.
It says the bill ends bulk collection which might be a useful record if the President used a definition besides “without any discriminator,” but that is what he is on the record as meaning by “bulk.”
The bill would prohibit bulk collection through the use of Section 215, FISA pen registers, and National Security Letters while maintaining critical authorities to conduct more targeted collection. The Attorney General and the Director of National Intelligence have indicated that the bill will retain the essential operational capabilities of the existing bulk telephone metadata program while eliminating bulk collection, based on communications providers’ existing practices.
Perhaps the most troubling part of Obama’s statement, however, is its endorsement of John Bates’ language about the amicus as echoed by James Clapper and Eric Holder, which among other things said that the amicus could not be required to represent the interests of civil liberties and privacy.
The bill also authorizes an independent voice in significant cases before the Foreign Intelligence Surveillance Court (FISC) — the Administration is aware of the concerns with regard to this issue, as outlined in the letter from the Attorney General and the Director of National Intelligence, and the Administration anticipates that Congress will address those concerns. Finally, the bill will enhance transparency by expanding the amount of information providers can disclose and increasing public reporting requirements.
In sum, this legislation will help strengthen Americans’ confidence in the Government’s use of these important national security authorities. Without passage of this bill, critical authorities that are appropriately reformed in this legislation could expire next summer. The Administration urges Congress to take action on this legislation now, since delay may subject these important national security authorities to brinksmanship and uncertainty. The Administration urges the Senate to pass the USA FREEDOM Act and for the House to act expeditiously so that the President can sign legislation into law this year. [my emphasis]
As I said here, the designed impotence of the amicus is not a reason to oppose the bill; it’s just a reason to expect to have to wait 9 years before it becomes functional, as happened with PCLOB. Still, it is very very troubling that given all the evidence that the Executive has been abusing the process of the FISC for a decade, the Executive is moving to ensure they’ll still be able to do so.
I’m now being accused by USA Freedom Act champions of not providing constructive suggestions on how to improve USAF (even though I have, both via channels they were involved in and channels they are not party to) [oops, try this tweet, which is still active].
Now that it appears people who previously claimed I was making all this up now concede some of my critiques as a valid, here goes: my suggestions for how to fix the problems I identified in this post.
There is one application of connection chaining that I find legitimate, and two that are probably unconstitutional. The legitimate application is the burner phone one: to ask providers to use their algorithms (including new profiles of online use) to find the new phones or online accounts that people adopt after dropping previous ones, which is what AT&T offers under Hemisphere. To permit that, you might alter the connection chaining language to say providers can chain on calls and texts made, as well as ask providers to access their own records to find replacement phones. Note, however, that accuracy on this mapping is only about 94% per Hemisphere documents, so it seems there needs to be some kind of check before using those records.
The two other applications — the ones I’m pretty sure are or should be unconstitutional without a warrant — are 1) the use of cloud data, like address books, calendars, and photos, to establish connections, and 2) the use of phone records like Verizon’s supercookie to establish one-to-one correlations between identities across different platforms. I think these are both squarely unconstitutional under the DC Circuit’s Maynard decision, because both are key functions in linking all these metadata profiles together, and language in Riley would support that too. But who knows? I’m not an appellate judge.
To prevent the government from doing this without really independent judicial review — and more generally to ensure Section 215 is not abused going forward — the best fix is to require notice to defendants if any evidence from Section 215 or anything derived from it, including the use of metadata as an index to identify content, is used in a proceeding against them. Given that Section 215’s secret application is now unclassified, they should even get a fairly robust description of how it was used. After all, if this is just third party doctrine stuff, it can’t be all that secret!
I’m frankly of the opinion that ACLU’s Alex Abdo kicked DOJ’s ass so thoroughly in the 2nd Circuit, that unless that decision is mooted, it will provide a better halt to dragnets than any legislation could. But I get that that’s a risk, especially with Larry Klayman botching an even better setup in the DC Circuit.
But I do think the one way to make sure we don’t lose the opportunity for a judicial fix to this is to provide notice to defendants of any use or derivative use of Section 215. The government has insisted (most recently in the Reaz Qadir Khan case, but also did so in the Dzhokhar Tsarnaev and derivative cases, where we know they used the phone dragnet) that it doesn’t have to give such notice. If they get it — with the ability to demonstrate that their prosecution arises out of a warrantless mosaic analysis of their lives which provides the basis for the order providing access to their content — then at least there may be a limited judicial remedy in the future, even if it’s not Abdo fighting for his own organization. FISCR said PAA was legal because of precisely these linking procedures, but if they’re not (or if they require a warrant) then PRISM is not legal either. Defendants must have the ability to argue that in court.
USAF prohibits using a communications provider corporate person as a selector, but permits the use of a non-communications corporate person as a selector, meaning it could still get all of Visa’s or Western Union’s records. I understand the government claims it needs to retain the use for corporate person selectors to get things like all the guests at Caesars Palace to see if there are suspected terrorists there. The way to permit this, without at the same time permitting a programmatic dragnet (of, say, all Las Vegas hotels all the time), might be to temporally limit the order — say, limit the use of any non-communications provider order to get a month of records.
But this creates a problem, which is that it currently takes (per the NSL IG Report) 30-40 days to get a Section 215 order. The way to make it possible to get records when you need them, rather than keeping a dragnet, is to permit the use of the emergency provision more broadly. You might permit it to be used with counterintelligence uses as well as the current counterterrorism use (that is, make it available in any case where Section 215 would be available), though you should still limit use of any data collected to the purpose for which it was collected. You might even extend the deadline to submit an application beyond 7 days.
That exacerbates the existing problems with the emergency provision, however, which is that the government gets to keep records if the court finds they misused the statute. To fix this, I’d advise tying the change to the adoption of the existing language from the emergency provision currently in place on the phone dragnet order, specifically permitting FISC to require records be discarded if the government shouldn’t have obtained them. I’d also add a reporting requirement on how many emergency provisions were used (that one would be included in the public reporting) and, in classified form to the intelligence and judiciary committees, fairly precisely what it had been used for. I’d additionally require FBI track this data, so it can easily report what has become of it.
Given that the government may have already abused the emergency provisions, this requires close monitoring. So no loosening of the emergency provision should be put into place without the simultaneous controls.
I’d do two things to fix the current overly expansive immunity provisions. First, I’d put the language that exists in other immunity provisions requiring good faith compliance with orders, such that providers can’t be immunized for stuff that they recognize is illegal.
I’d also add language giving them an appeal if the government were obtaining proprietary information. While under current law the government should be able to obtain call records, they shouldn’t be able to require providers also share their algorithms about business records, which is (I suspect) where this going (indeed, the Yahoo documents suggest that’s where it has already gone under PRISM). So make it clear there’s a limit to what is included under third party doctrine, and provide providers with a way to protect their data derived from customer records.
This should be simple. Just include language letting the court review minimization procedures and review compliance, which is currently what happens and should happen as we get deeper and deeper into mosaic collection (indeed, this might be pitched as a solution to what should be a very urgent constitutional problem for the status quo practice).
Additionally, the bill should integrate the emergency provision currently applicable to the phone dragnet for all Section 215 use, along with reporting on how often and how it is used.
Both of these, importantly, simply codify the current status quo. If the government won’t accept the current status quo, after years of evidence on why it needs this minimal level of oversight from FISC, then that by itself should raise questions about the intelligence community’s intent going forward.
One minimal fix to the transparency provisions is to require reporting not just from all communications providers, but from all providers who have received orders, such that the government would have to report on financial and location dragnets, which are both currently excluded. This would ensure that financial and location dragnets that currently exist and are currently exempted from reporting are included.
As to the other transparency provisions, the biggest problem is that the bill permits both the NSA and FBI to say “omigosh we simply can’t count all this.” I think they’re doing so for different reasons. In my opinion, the NSA is doing so because it is conducting illegal domestic wiretapping, especially to pursue cybersecurity targets. It is doing so because it hasn’t gotten Congress to buy off on using domestic wiretapping to pursue cybertargets. I would impose a 2 year limit on how long ODNI can avoid reporting this number, which should provide plenty of time for Congress to legislate a legal way to pursue cybertargets (along with limits to what kind of cybertargets merit such domestic wiretapping, if any).
I think the FBI refusing to count its collection because it wants to passively collect huge databases of US persons so it can just look up whether people who come under its radar are suspicious. I believe this is unconstitutional — it’s certainly something the government lied to the FISCR in order to beat back Yahoo’s challenge, and arguably the government made a similar lie in Amnesty v. Clapper. If I had my way, I’d require FBI to count how many US persons it was collecting on and back door searching yesterday. But if accommodation must be made, FBI, too, should get just 2 years (and significant funding) to be able to 1) tag all its data (as NSA does, so most of it would come tagged) 2) count it and its back door searches 3) determine whether incoming data is of interest within a short period of time, rather than sitting on it for 30 years. Ideally, FBI would also get 2 years to do the same things with its NSL data.
Again, I think the better option is just to make NSA and FBI count their data, which will show both are violating the Constitution. Apparently, Congress doesn’t want to make them do that. So make them do that over the next 2 years, giving them time to replace unconstitutional programs.
In this post, I noted that the provision requiring the advocate have all the material she needs to do to do her job conflicts with the provision permitting the government to withhold information on classification or privilege grounds. If there is any way to limit this — perhaps by requiring the advocate be given clearance into any compartments for the surveillance under question (though not necessarily the underlying sources and methods used in an affidavit), as well as mandating that originator controlled (ORCON) documents be required to be shared. This might work like a CIPA provision, that the government must be willing to share something if it wants FISC approval (and with it, the authority to obligate providers).
But since that post, we’ve seen how, in the Yahoo challenge, the government convinced Reggie Walton to apply the ex parte provisions applying to defendants to Yahoo. That precedent would now, in my opinion, apply language on review to any adversary. To fix that, the bill should include conforming language in all the places (such as at 50 USC 1861(c)) that call for ex parte review to make it clear that ex parte review does not apply to an advocate’s review of an order.
I fully expect the IC to find this unacceptable (Clapper has already made it clear he’ll only accept an advocate that is too weak to be effective). But bill reformers should point to the clear language in the President’s speech calling for “a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court.” If the IC refuses to have an advocate that can do the job laid out by statute, they should have to answer to the President, who has called for real advocates (not amici).
To recap — all this pertains only to the bill on its face, not to the important things the bill is missing, such as a prohibition on back door searches. But these are things that would make USA Freedom Act far better.
I suspect the intelligence community would object to many, if not all of them. But if they do, then it would certainly clarify what their intent really is.
Earlier today, Harry Reid filed for cloture for the USA Freedom Act. So Patrick Leahy’s reform for the phone dragnet will get a vote in the lame duck.
As you may remember, I don’t support USAF. Here’s a summary of why.
USAF rolls out a new Call Detail Record provision providing for prospective daily collection of selected phone records. While it would replace the phone dragnet — which is a really really important improvement– there are many questions about the provision that James Clapper’s office refused to answer (and refused to respond to a FOIA I filed to find out). Most importantly, no one can explain what “connection chaining” — which clearly permits the chaining on things other than phone calls and texts made — includes. I worry that language will be used to connect on things available through phone cloud storage, like address books, calendars, and photos (which we know the NSA uses overseas). I also strongly believe (though some people I’ve talked to disagree) that Verizon’s supercookie qualifies as a CDR under the bill (it can be collected under other authorities in any case) and therefore will make it easier to access communications records for “correlated” identities accessed via the same phone. Whether this is the intent or not, we know from the Yahoo precedent that there will be significant mission creep within months of passing this bill.
Right now, the main PATRIOT authorities at question here — Section 215 and PRTT — are scheduled to sunset in June. They’ll be renewed one way or another. But in April to May, reformers will have more leverage than they do now.
Bill supporters claim civil liberties groups have never gotten concessions from a sunset. That’s plainly wrong, because reformers did on FISA Amendments Act, where (among other things) protection for Americans overseas was won with the wait. Admittedly, given the new Senate, we’d be worse positioned (with the exception of Thad Cochran being potentially better than Barb Mikulski at Appropriations). That said, we would likely be better prepared not to squander our far stronger position in the House, as civil liberties groups did on USAF, so legislatively it might be a wash, though with reformers having more leverage.
More importantly, passing this now may moot court decisions in 3 circuit courts (the 2nd and DC, where phone dragnet challenges have already been heard, and the 9th, where the hearing hasn’t been held yet). While Larry Klayman clearly botched his hearing in DC with a surprisingly receptive panel and a precedent that would make this program glaringly illegal, the 2nd seems otherwise poised to rule the FISC’s redefinition of “relevant to” to mean “everything” illegal, across all programs. In other words, this legislation will probably pre-empt making real change in the courts in the near term. And no one will get standing again on these issues in the near future.
As I said, I believe USAF eliminates the existing phone dragnet by requiring the use of selectors for collection. That’s good!
However, because the bill permits non-communications companies to be used as selectors, it almost certainly won’t end known financial dragnets involving Western Union transfers and purchase records (and as I describe below, those dragnets are also excluded from transparency provisions). I also think the bill will do nothing to limit FBI’s PRTT program (if it still exists — it existed and was sharing data with the NSA at least until 2012); I suspect — this is a wildarseguess — that is a bulky, not bulk, use of Stingrays to get location, which also would be exempted from reporting. There’s absolutely no reason to believe that the bill would affect other PRTT or NSL programs, because the ones included are all currently bulky, not bulk, programs. So it will eliminate the ability for the government to get every phone record in the US, but it will leave other non-phone dragnets intact and largely hidden by deceptive “transparency” provisions.
USAF provides providers — and 2nd level contractors — expansive immunity. So long as they are ordered to do something, whether they believe it is legal or not, they cannot be held liable. In addition, the bill compensates providers, which the existing Section 215 cannot do (the government even had to stop compensating telecoms after the first 2 dragnet orders). Finally, the bill requires assistance of providers, whereas the existing law can only collect existing business records (I believe the absence of all three things explains the big gaps in the government’s cell phone coverage). These three provisions are designed, I strongly suspect, to overcome Verizon’s disinterest in being an affirmative spy wing of the government, which is probably the real point of this bill. Possibly, they’re designed to get Verizon — the most important mobile provider — to do the kind of affirmative analysis for the government that AT&T currently does.
In at least 3 areas, I worry that USAF will actually weaken existing minimization procedures. Under both the PRTT and Section 215 authority, the FISC currently imposes minimization procedures. For the former, the bill would put the authority to devise “privacy procedures” in the hands of the Attorney General (though says it doesn’t change the law; thing is, FISC minimization procedures aren’t in the law). The bill mandates minimization procedures for bulky collection, but it’s not clear whether those procedures are even as good as what the FISC currently imposes (they’re probably very similar). Most troubling of all, the bill doesn’t provide the FISC authority to require the government to destroy records collected under the emergency provision if found to have been improperly collected, a significant deterioration from the status quo, and one that it appears the FISC may have already needed to use.
I don’t mean to be an asshole on this point, but I actually think many of USAF’s “transparency” provisions are counter-productive, because they are very obviously designed to hide the programs that we know exist, but that won’t be affected by USAF’s selection term provisions, because only communications dragnets get counted, sort of; financial dragnets won’t get counted and location dragnets won’t get counted. That will make it very very difficult to organize to eliminate any of the residual bulk programs (because the bill champions will have assured people they don’t exist and they won’t show up in transparency provisions). In addition, they tacitly permit the NSA and FBI to pretend they’re not conducting fairly bulky domestic wiretapping by providing them ways to avoid counting that illegal wiretapping. In addition, the FBI will be permitted to hide how much spying they’re doing on Americans (though for some, not all, provisions, their collection will be reported misleadingly as foreign collection). And the introduction of ranges will hide still more of they spying. See this post for my estimate of how the bill hides millions of Americans affected.
My other big warning about the bill is not meant to disqualify it, but is meant to suggest supporters are vastly overestimating its impact. James Clapper has made it very clear that he intends to ensure the Advocate (or amicus, as Clapper calls it) remains powerless. And the Yahoo documents make it clear that precedent at the FISCR says the ex parte procedures in FISA will be used to prevent the Advocate from reviewing materials she needs to do her job. As I said here, though, that’s not reason to oppose the bill; if PCLOB is any indication, the bill will start us down a 9-year process at the end of which we might have a functioning advocate. But it’s reason to be honest about how leaving ex parte provisions intact in FISA will make this Advocate very weak.
All this is before the things the bill doesn’t even claim to address: back door searches, EO 12333, spying on foreigners.
The bill will get phone records out of the hands of the government. But from that point on, I’m not sure how much of an improvement it is.
“Merely to assert – without particularization – that mass surveillance technology can contribute to the suppression and prosecution of acts of terrorism does not provide an adequate human rights law justification for its use. The fact that something is technically feasible, and that it may sometimes yield useful intelligence, does not by itself mean that it is either reasonable or lawful.”
“It is incompatible with existing concepts of privacy for states to collect all communications or metadata all the time indiscriminately. The very essence of the right to the privacy of communication is that infringements must be exceptional, and justified on a case-by-case basis.”
As we work to meet the January 2015 deadline, PPD-28 called on the Director of National Intelligence to prepare an interim report on the status of our efforts and to evaluate, in coordination with the Department of Justice and the rest of the Intelligence Community, additional retention and dissemination safeguards.
The DNI’s interim report is now being made available to the public in line with our pledge to share as much information about sensitive intelligence activities as is possible, consistent with our national security.
One thing this interim report requires is that “elements shall publicly release their PPD-28 implementation policies and procedures to the maximum extent possible.” Which requirement, you might assume, this release fulfills.
Which is why it’s so curious I Con the Record chose not to release an unclassified report mandated and mandating transparency — dated July 2014 — until October 2014.
Lest I be called a cynic, let me acknowledge that there are key parts of this that may represent improvements (or may not). The report asserts:
Those are good things! Yeah us!
There are, however, a series of exceptions to these rules.
First, the guidelines in this report restate PPD-28’s unbelievably broad approval of the use of bulk data, in full. The report does include this language:
[T]he procedures must also reflect the limitations on the use of SIGINT collected in bulk. Moreover, Intelligence Community element procedures should include safeguards to satisfy the requirements of this section. In developing procedures to comply with this requirement, the Intelligence Community must be mindful that to make full use of intelligence information, an Intelligence Community element may need to use SIGINT collected in bulk together with other lawfully collected information. In such situations, Intelligence Community elements should take care to comply with the limitations applicable to the use of bulk SIGINT collection.
Unless I’m missing something, the only “limits” in this section are those limiting the use of bulk collection to almost all of NSA’s targets, including counterterrorism, cybersecurity, and crime, among other things. Thus, the passage not only reaffirms what amounts to a broad permission to use bulk, but then attaches those weaker handling rules to anything used in conjunction with bulk.
Then there are the other exceptions. The privacy rules in this document don’t apply to:
And, if these procedures aren’t loosey goosey enough for you, the report includes this language:
It is important that elements have the ability to deviate from their procedures when national security requires doing so, but only with approval at a senior level within the Intelligence Community element and notice to the DNI and the Attorney General.
Congratulations world! We’re going to treat you like Americans. Except in the majority of situations when we’ve decided not to grant you that treatment. Rest easy, though, knowing you’re data is sitting in a database for only 5 years, if we feel like following that rule.
Some weeks ago, I noted the language in James Clapper’s letter purportedly “supporting” Patrick Leahy’s USA Freedom Act making it clear he intended to retain the information asymmetry that currently exists in the FISA Court — specifically, ex parte communication with the court.
We note that, consistent with the President’s request, the bill estsablishes a process for the appointment of an amicus curiae to assist the FISA Court and FISA Court of Review in matters that present a novel or significant interpretation of the law. We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.
The Yahoo documents released a few weeks back illustrate how this might work in practice.
We’ve known since January 2009 that Yahoo (which we then only knew was an Internet company) didn’t receive the materials — perhaps most importantly, the minimization procedures — it needed to adequately challenge the program.
The cover sheet to the ex parte appendix provided to the FISCR illustrates the range of things withheld from Yahoo’s attorney, Marc Zwillinger, who apparently had a Top Secret clearance. In addition to the minimization procedures for NSA and FBI, the government withheld the “linking” procedures used to identify targets (the titles of these documents are redacted in the released version, but this post explains why at least some must pertain to these procedures; note, I think the government also withheld these from Judge Reggie Walton at the FISC level!), and a January 15, 2008 Colleen Kollar-Kotelly FISC opinion assessing the adequacy of the original certifications.
Comparing two versions of Walton’s April 25, 2008 opinions — a version redacted for Yahoo’s use in 2008, and the version redacted for public release now — provides context on the key issues obscured or suppressed entirely from Yahoo’s view. (Note two things about these redactions: first, with the exception of language on the information the government demanded from Yahoo, we’re receiving more information than Yahoo’s cleared attorney received when he was fighting this case. And the older document actually includes two sets of redactions: the more faded redactions used for Yahoo, and a more opaque set done for this release, the latter of which hide details about the Directives given to Yahoo.)
Effectively, the government hid what they changed when they rewrote Certifications underlying their demands to Yahoo just 2 weeks before the law expired. A significant part of those changes involves getting FBI involved in the process (I increasingly suspect those January 29, 2008 Certifications are when the government first obtained official permission for FBI back door searches).
Notice of the new Certificates was given to Yahoo on February 16, 2008, the day PAA expired, and signed by then Solicitor General Paul Clement, though signed as Acting Attorney General (see page 81). One day earlier, Judge Walton had given the government an ex parte order requiring them to address whether the ex parte materials they had submitted to him in December “constitutes the complete and up-to-date set of certifications … applicable to the directives that are at issue in this proceeding.” Walton also required the government to provide notice to Yahoo they were going to submit a new classified appendix.
Apparently, Walton had gotten wind of the fact — but had not been told formally — that the government had submitted entirely new Certifications affecting their treatment of the data they would obtain from Yahoo. So he ordered them to update the record so his review actually considered the surveillance as it would be implemented.
I’ve listed most of the differences between the two memoranda below. While much of it pertains to prior classified decisions and the operation of FISC generally, the biggest sections redacted from Yahoo but released in part to us now describe the new certifications, including FBI’s new role in the process. Of particular concern, the government withheld Walton’s comment admonishing the government for changing the certifications, “without appropriately informing the Court or supplementing the record in this matter until ordered to do so” (page 4), though footnote 4 and page 35 make it clear that Walton revealed some details of the government’s belated disclosures in a February 29 order for more briefing.
More troubling still, they hid Walton’s still significantly-redacted assessment that the changes in the Certifications would not change the nature of the government’s demand from Yahoo (page 38).
Neither type of amendment altered the nature of the assistance to be rendered by Yahoo,40
40 Yahoo has submitted a sworn statement that, prior to serving the directives on Yahoo, representatives of the government “indicated that, at the outset, it only would expect…
I wrote about these changing requests here. And while on paper the changing requests couldn’t have been a result of the changed Certification — Yahoo’s Manager of Legal Compliance described them in a January 23 submission, and the new Certifications were issued the following week — I find the timing, and the government’s failure to notice Walton on them, suspect enough that it’s the kind of thing that should have been briefed. Plus, as I’ll show in a follow-up post, I’m fairly certain the government hid from both FISC and FISCR the degree to which this was about targeting Americans.
Once Walton learned that the government’s requests to Yahoo had changed between the date of Kollar-Kotelly’s initial approval and the expiration of the law, it seems it should have merited more direct briefing, but that would have required admitting that the changes put domestic law enforcement in the center of the program, which presents (or should present) significantly different Fourth Amendment concerns, notably increasing the importance of prior interpretations of the “significant purpose” language instituted under the PATRIOT Act.
In other words, not only did the ex parte nature of this proceeding hide the details Yahoo would have needed to make a robust Fourth Amendment argument, as well as evidence that the government was not being entirely forthcoming to FISC (which would have bolstered Yahoo’s separation of powers claim), it also hid what may be specifically pertinent details behind the government’s last minute changed certifications.
In theory, this shouldn’t happen with the USA Freedom Advocate, because the bill specifically requires the Advocate have access to certifications necessary for her to complete her duties.
(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—
(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;
By comparison, the government was challenging Yahoo’s legal standing to take this challenge in the first place.
But I find the apparent basis for withholding information from Yahoo to be relevant. This memorandum, at least, was originally classified Top Secret/ORCON (Originator Controlled); the redacted memorandum given to Yahoo was classified Secret. That means that the changes arose, at least in part, from the ability of the originator (which may be DOJ’s National Security Division, given that Mark Bradley conducted the declassification review) to determine who gets the document. As I noted, there are two bases in USAF that would permit the government to withhold information, classification and privilege. Withholding information under an ORCON claim likely stems from both (though I am checking this).
So while the government should not be able to treat the advocate the same way they treated Yahoo (which, after all, FISC treated as a Congressionally sanctioned challenger to the orders, just as it would the advocate), they seem to have the prerogative to. (Update: I should add that Walton permitted the government to do all the ex parte briefing here under FISA’s ex parte briefing language; given that USAF doesn’t change that for any of the authorities in question, we should assume this precedent will apply to the advocate.)
To be clear, the USAF advocate is not one of the things that I believe sets back a slow reform process (as, for example, I believe the “transparency” provisions and some weakened minimization procedures do). I think it most likely that the advocate will evolve the way PCLOB has, which was first authorized in 2004, thwarted by Executive obstruction (on precisely these kinds of issues), reauthorized as a more effective body in 2007, then slow-walked again — partly by President Obama, though partly by Congress — for another 6 years. That is, if the advocate is at least as self-respecting as Lanny Davis (!), she will quit if the Executive ignores the intent of Congress that she have access to the materials she needs to do her job, exposing the inefficacy of the existing system. All that, of course, assumes she will cop onto what has been withheld. Clearly, Yahoo got a sense of it during this process, though FISC and FISCR seem to have realized only some of the other stuff withheld from them.
That is, judging by the PCLOB example, if all goes well and if USAF were to pass this year, we might have a fully functional advocate by 2023!
The Yahoo materials released show that the government withheld pertinent information from Yahoo, FISC, and FISCR until forced to provide it, and they never provided any of them with all the information they should have.
That it retains the ability to do so under USAF doesn’t bode well for the advocate. But that’s really just a subset to a larger issue that, even when authorized by Congress to provide oversight of this executive spying, the government has consistently, for years, been less than fully cooperative with FISC’s authority to do so.
As I’ve said, the surest way to reform surveillance is to eliminate the FISA Court.
A few weeks back, I pointed to 9th Circuit Chief Judge Alex Kozinski’s criticism of John Bates’ presumption to speak for the judiciary in his August 5 letter complaining about some aspects of USA Freedom Act. Kozinski was pretty obviously pissed.
But compared to the op-ed from retired District Court Judge Nancy Gertner — who effectively scolds Bates, as the Administrative staff, speaking out of turn — Kozinski was reserved.
[W]hatever the merits of Bates’ concerns—and other judges have dissented from it—he most assuredly does not speak for the Third Branch.
Bates has been appointed by Chief Justice John Roberts to serve as director of the Administrative Office of the U.S. Courts, the body that administers the federal courts. It was created in 1939 to take the administration of the judiciary out of the Department of Justice. Its principal tasks were data collection and the creation of budgets and, while its duties have grown over the years, they remain administrative (dealing with such things as court reporters, interpreters, judicial pay, maintenance of judicial buildings, staffing etc.).
When members of Congress solicit the “judiciary’s” opinion they may write to the office’s director, but he has no authority to make policy for the federal judiciary. It is the Judicial Conference of the United States Courts, to which the AO director is only the “secretary,” that has that responsibility.
I’m very supportive of Gertner’s defense of judicial independence and her concern about the operation of the FISA Court.
But her critique goes off the rails when she points to DOJ’s purported support of USA Freedom Act as a better indication of the Executive’s views than Bates’ comments.
Moreover, a great deal of Bates’ letter focuses on the Senate proposals’ impact on the executive branch and the intelligence community. The Senate bill would burden the executive with more work and even delay the FISA court’s proceedings, he suggests. Worse yet, the executive may be reluctant to share information with an independent advocate—a troubling claim.
Bates’ concerns are belied by the support voiced by the Department of Justice and the president for the Senate proposal. Surely, the executive branch understands its own needs better than does Bates. Surely, the executive branch has confidence in the procedures that the FISA court would have in place for dealing with classified information, just as the courts that have dealt with other national security issues have had.
And surely, the executive would abide by what the law requires, notwithstanding Bates’ predictions about its “reluctance” to share information with a special advocate.
DOJ’s “support” of the bill was expressed when Eric Holder co-signed a letter (which Gertner tellingly doesn’t mention, much less link) from James Clapper which, when read with attention, clearly indicated the Executive would interpret the bill to be fairly permissive on most of the issues on which the Senate bill would otherwise improve on the House one. Holder’s “support” of the bill strongly indicates that DOJ, with ODNI, plans to use the classification and privilege “protections” in the bill to refuse to share information with the special advocate.
And that’s precisely the part of the letter where Holder and Clapper invoke Bates.
I regret that I am only now taking a close look at the “transparency” provisions in Patrick Leahy’s version of USA Freedom Act. They are actually designed not to provide “transparency,” but to give a very misleading picture of how much spying is going on. They are also designed to permit the government to continue not knowing how much content it collects domestically under upstream and pen register orders, which is handy, because John Bates told them if they didn’t know it was domestic then collecting domestic isn’t illegal.
In this post, I’ve laid out the section of the bill that mandates reporting from ODNI, with my comments interspersed along with what the “transparency” report Clapper did this year showed.
(b) MANDATORY REPORTING BY DIRECTOR OF NATIONAL INTELLIGENCE.—
(1) IN GENERAL.—Except as provided in subsection (e), the Director of National Intelligence shall annually make publicly available on an Internet Web site a report that identifies, for the preceding 12-month period—
This language basically requires the DNI to post a report on I Con the Record every year. But subsection (e) provides a number of outs.
(A) the total number of orders issued pursuant to titles I and III and sections 703 and 704 and a good faith estimate of the number of targets of such orders;
This language requires DNI to describe, in bulk, how many individual US persons are targeted in a given year (there were 1,767 orders and 1,144 estimated targets last year). But it only requires DNI to give a “good faith estimate” of these numbers (and that’s what they’re listed as in ODNI’s report from last year)! If there’s one thing DNI should be able to give a rock-solid number for, it’s individual USP targets. But … apparently that’s not the case.
(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—
(i) the number of targets of such orders;
(ii) the number of individuals whose communications were collected pursuant to such orders;
(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;
This language requires DNI to provide an estimate of the number of targets of Section 702 which includes both upstream and PRISM production. Last year, this was one order (ODNI doesn’t tell us, but there were at least 3 certificates –Counterterrorism, Counterproliferation, and Foreign Government) affecting 89,138 targets.
The new reporting requires the government to come up with some estimate of how many communications are collected, as well as how many are located inside the US.
Except DNI is permitted to issue a certification saying that there are operational reasons why he can’t provide that last bit — how many are in the US. Thus, 4 years after refusing to tell John Bates how many Americans’ communications NSA was sucking up in upstream collection, Clapper is now getting the right to continue to refuse to provide that ratified by Congress. And remember — Bates also said that if the government didn’t know it was collecting that content domestically, then it wasn’t really in violation of 50 USC 1809(a). So by ensuring that it doesn’t have to count this, Clapper is ensuring that he can continue to conduct illegal domestic surveillance.
Don’t worry though. The bill includes language that says, even though this provision permits the government to continue conducting illegal domestic collection, “Nothing in this section affects the lawfulness or unlawfulness of any government surveillance activities described herein. ”
(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and
(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;
This language counts back door searches.
But later in the bill, the FBI — which we know does the bulk of these back door searches — is exempted from all of this reporting. As I noted in this post, effectively the Senate is saying it’s no big deal of FBI doesn’t track how many warrantless searches of US person content it does, even of people against whom the FBI has no evidence of wrongdoing.
In addition, note that odd limit to (v). DNI only has to report metadata searches “initiated by an officer, employee, or agent” of the United States. That would seem to exempt any back door metadata searches by foreign governments (it might also exempt contractors, but they should be included as “agents” of the US). Which, given that CIA doesn’t currently count its metadata searches, and given that CIA conducts a bunch of metadata searches on behalf of other entities, leads me to suspect that CIA may be doing metadata searches “initiated” by foreign governments. But that’s a guess. One way or another, though, this clause was written to not count some of these metadata searches. [Update: On reflection, that language may be designed to avoid counting automated processes as searches — if they’re initiated by a robot rather than an employee they’re not counted!]
C) the total number of orders issued pursuant to title IV and a good faith estimate of—
(i) the number of targets of such orders;
(ii) the number of individuals whose communications were collected pursuant to such orders; and
(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;
This language counts how many Pen Register orders the government obtains, how many individuals get sucked up, and how many are in the US, both of which are additions on what ODNI reported this year.
But that last bit — counting people in the US — is again a permissible exemption under the bill. Which is, as you’ll recall, the other way NSA has been known to engage in illegal domestic content collection. The only known bulk pen register is currently run by FBI, but in any case, the exemption has the same effect, of permitting the government from ever having to admit that it is breaking the law.
(D) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of—
(i) the number of targets of such orders;
(ii) the number of individuals whose communications were collected pursuant to such orders; and
(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;
This requires DNI to report on traditional Section 215 orders, but the entire requirement is a joke on two counts.
First, note that, for a reporting requirement for a law permitting the government to collect “tangible things,” it only requires individualized reporting for “communications.” “Individuals whose communications were collected” are specifically defined as only involving phone calls and electronic communications.
So this “transparency” bill will not count how many individuals have their financial records, beauty supply purchases, gun purchases, pressure cooker purchases, medical records, money transfers, or other things sucked up, much of which we know to be done under this bill. And this is particularly important, because the law still permits bulk collection of these things. Thus, this “transparency” report creates the illusion that far less collection is done under Section 215 than actually is, it creates the illusion that bulk collection is not going on when it is.
But it gets worse!
In this post I pointed out what Clapper’s letter really said. In this one, I described why it is so inexcusable that Clapper emphasized FBI’s exemption from reporting requirements (I will have a follow-up soon about why that earlier post just scratches the surface). And this post lays out some — but not all — the ways Clapper’s letter said he would gut the Advocate provision.
But I think there’s a far better way of understanding Clapper’s letter. He didn’t endorse Leahy’s USAF, S 2685. He endorsed USA Freedumber, HR 3361.
Below the rule I’ve put a summary of changes from USA Freedumber to Leahy USA Freedom, HR 3361 to S 2685. I did it a very long time ago, and there are things I’d emphasize differently now, but it will have to do for now (it may also be helpful to review this summary of how USA Freedumber made USA Freedumb worse). Basically, S 2685 improved on HR 3361 by,
This closely matches what the coalition that signed onto S 2685 laid out as the improvements from HR 3361 to S 2685.
[T]he new version of the bill:
- Strengthens and clarifies the ban on “bulk” collection of records, including by tightening definitions to ensure that the government can’t collect records for everyone in a particular geographic area or using a particular communication service, and by adding new post-collection minimization procedures;
- Allows much more detailed transparency reporting by companies—and requires much more detailed transparency reporting by the government—about the NSA’s surveillance activities; and
- Provides stronger reforms to the secret Foreign Intelligence Surveillance Court’s processes, by creating new Special Advocates whose duty is to advocate to the court in favor of privacy and civil liberties, and by strengthening requirements that the government release redacted copies or summaries of the court’s significant decisions.
Though as I explained here, there is no public evidence the minimization procedures required by the bill are even as stringent as what the FISC currently imposes on most orders, so the minimization procedures of S 2685 might — like the emergency procedures do — actually weaken the status quo.
Here are three of the key passages from Clapper’s letter that I believe would address the intent of the bill as written.
In other words, the limiting language in Clapper’s letter very clearly maps the changes from HR 3361 to S 2685.
He clearly says he doesn’t have to follow the new limits on specific selection terms. He signals he will use his authority to make classification and privilege determinations to keep information away from the amicus (or retain ex parte procedures via some other means). And by endorsing John Bates’ letter, he revealed his intention to take out requirements that the amicus advocate in favor of privacy and civil liberties. In addition — this is the part of Bates’ letter I missed in my previous analysis — he thereby endorsed Bates’ recommendation to “delet[e] this provision [specifying that the Court must release at least a summary], leaving in place the provision that significant FISA court decision would continue to be released, whenever feasible, in redacted form.”
Plus, as I mentioned, his use of “metadata” rather than “Call Detail Record” suggests he may play with that laudable limit in the bill as well.
I think Clapper’s read on the exemption for FBI is totally a fair reading of the bill; I just happen to think the Senate is doing a great deal of affirmative damage by accepting it. (Again, I hope to explain more why that is the case in the next day or so.)
Voila! Clapper’s “endorsement” of the bill managed to carve out almost all the improvements from HR 3361 to S 2685 (as well as emphasize Congress’ ratification for the FBI exemption, the huge reservation on the one improvement he left untouched). The only other improvement Clapper left in place was the limit on collection of prospective phone record to counterterrorism purposes.
That’s it. If Clapper’s views hold sway, that’s all this bill is: USA Freedumber with the retention of the status quo counterterrorism application for CDR collection.