There are two things Cy Vance (writing with Paris’ Chief Prosecutor, the City of London Policy Commissioner, and Javier Zaragoza, Spain’s High Court) doesn’t mention in his op-ed calling for back doors in Apple and Google phones.
iPhone theft and bankster crime.
The former is a huge problem in NYC, with 8,465 iPhone thefts in 2013, which made up 18% of the grand larcenies in the city. The number came down 25% (and the crime started switching to Samsung products) last year, largely due to Apple’s implementation of a Kill Switch, but that still leaves 6,000 thefts a year — as compared to the 74 iPhones Vance says NYPD wasn’t able to access (he’s silent about how many investigations, besides the 3 he describes, that actually thwarted; Vance ignores default cloud storage completely in his op-ed). The numbers will come down still further now that Apple has made the Kill Switch (like encryption) a default setting on the iPhone 6. But there are still a lot of thefts, which can not only result in a phone being wiped and resold, but also an identity stolen. Default encryption will protect against both kinds of crime. In other words, Vance just ignores how encryption can help to prevent a crime that has been rampant in NYC in recent years.
Bankster crime is an even bigger problem in NYC, with a number of the worlds most sophisticated Transnational Crime Organizations, doing trillions of dollars of damage, headquartered in the city. These TCOs are even rolling out their very own encrypted communication system, which Elizabeth Warren fears may eliminate the last means of holding them accountable for their crimes. But Vance — one of the prosecutors that should be cracking down on this crime — not only doesn’t mention their special encrypted communication system, but he doesn’t mention their crimes at all.
There are other silences and blind spots in Vance’s op-ed, too. The example he starts with — a murder in Evanston, not any of the signees’ jurisdiction — describes two phones that couldn’t be accessed. He remains silent about the other evidence available by other means, such as via the cloud. Moreover, he assumes the evidence will be in the smart phone, which may not be the case. Moreover, it’s notable that Vance focuses on a black murder victim, because racial disparities in policing, not encryption, are often a better explanation for why murders of black men remain unsolved 2 months later. Given NYPD’s own crummy record at investigating and solving the murders of black and Latino victims, you’d think Vance might worry more about having NYPD reassign its detectives accordingly than stripping the privacy of hundreds of thousands.
Then Vance goes on to describe how much smart phone data they’re still getting.
In France, smartphone data was vital to the swift investigation of the Charlie Hebdo terrorist attacks in January, and the deadly attack on a gas facility at Saint-Quentin-Fallavier, near Lyon, in June. And on a daily basis, our agencies rely on evidence lawfully retrieved from smartphones to fight sex crimes, child abuse, cybercrime, robberies or homicides.
Again, Vance is silent about whether this data is coming off the phone itself, or off the cloud. But it is better proof that investigators are still getting the data (perhaps via the cloud storage he doesn’t want to talk about?), not that they’re being thwarted.
Like Jim Comey, Vance claims to want to have a discussion weighing the “marginal benefits of full-disk encryption and the need for local law enforcement to solve and prosecute crimes.” But his op-ed is so dishonest, so riven with obvious holes, it raises real questions about both his honesty and basic logic.
Ben Wittes has a summary of last Wednesday’s “Going Dark” hearings. He engages in a really amusing straw man — comparing a hypothetically perfectly secure Internet with ungoverned Somalia.
Consider the conceptual question first. Would it be a good idea to have a world-wide communications infrastructure that is, as Bruce Schneier has aptly put it, secure from all attackers? That is, if we could snap our fingers and make all device-to-device communications perfectly secure against interception from the Chinese, from hackers, from the FSB but also from the FBI even wielding lawful process, would that be desireable? Or, in the alternative, do we want to create an internet as secure as possible from everyone except government investigators exercising their legal authorities with the understanding that other countries may do the same?
Conceptually speaking, I am with Comey on this question—and the matter does not seem to me an especially close call. The belief in principle in creating a giant world-wide network on which surveillance is technically impossible is really an argument for the creation of the world’s largest ungoverned space. I understand why techno-anarchists find this idea so appealing. I can’t imagine for moment, however, why anyone else would.
Consider the comparable argument in physical space: the creation of a city in which authorities are entirely dependent on citizen reporting of bad conduct but have no direct visibility onto what happens on the streets and no ability to conduct search warrants (even with court orders) or to patrol parks or street corners. Would you want to live in that city? The idea that ungoverned spaces really suck is not controversial when you’re talking about Yemen or Somalia. I see nothing more attractive about the creation of a worldwide architecture in which it is technically impossible to intercept and read ISIS communications with followers or to follow child predators into chatrooms where they go after kids.
This gets the issue precisely backwards, attributing all possible security and governance to policing alone, and none to prevention, and as a result envisioning chaos in a possibility that would, in fact, have less or at least different kinds chaos. Wittes simply dismisses the benefits of a perfectly secure Internet (which is what all the pro-backdoor witnesses at the hearings did too, ignoring, for example, the effect that encrypting phones would have on a really terrible iPhone theft problem). But Wittes’ straw man isn’t central to his argument, just a tell about his biases.
Wittes, like Comey, also suggests the technologists are wrong when they say back doors will be bad.
There is some reason, in my view, to suspect that the picture may not be quite as stark as the computer scientists make it seem. After all, the big tech companies increase the complexity of their software products all the time, and they generally regard the increased attack surface of the software they create as a result as a mitigatable problem. Similarly, there are lots of high-value intelligence targets that we have to secure and would have big security implications if we could not do so successfully. And when it really counts, that task is not hopeless. Google and Apple and Facebook are not without tools in the cybersecurity department.
Wittes appears unaware that the US has failed miserably at securing its high value intelligence targets, so it’s not a great counterexample.
But I’m primarily interested in Wittes’ fondness for an idea floated by Sheldon Whitehouse: that the government force providers to better weigh the risk of security by ensuring it bears liability if the cops can’t access communications.
Another, perhaps softer, possibility is to rely on the possibility of civil liability to incentivize companies to focus on these issues. At the Senate Judiciary Committee hearing this past week, the always interesting Senator Sheldon Whitehouse posed a question to Deputy Attorney General Sally Yates about which I’ve been thinking as well: “A girl goes missing. A neighbor reports that they saw her being taken into a van out in front of the house. The police are called. They come to the home. The parents are frantic. The girl’s phone is still at home.” The phone, however, is encrypted:
WHITEHOUSE: It strikes me that one of the balances that we have in these circumstances where a company may wish to privatize value by saying, “Gosh, we’re secure now. We got a really good product. You’re going to love it.” That’s to their benefit. But for the family of the girl that disappeared in the van, that’s a pretty big cost. And when we see corporations privatizing value and socializing cost so that other people have to bear the cost, one of the ways that we get back to that and try to put some balance into it, is through the civil courts, through a liability system.
If you’re a polluter and you’re dumping poisonous waste into the water rather than treating it properly, somebody downstream can bring an action and can get damages for the harm that they sustain, can get an order telling you to knock it off. I’d be interested in whether or not the Department of Justice has done any analysis as to what role the civil-liability system might be playing now to support these companies in drawing the correct balance, or if they’ve immunized themselves from the cost entirely and are enjoying the benefits. I think in terms of our determination as to what, if anything, we should do, knowing where the Department of Justice believes the civil liability system leaves us might be a helpful piece of information. So I don’t know if you’ve undertaken that, but if you have, I’d appreciate it if you’d share that with us, and if you’d consider doing it, I think that might be helpful to us.
YATES: We would be glad to look at that. It’s not something that we have done any kind of detailed analysis. We’ve been working hard on trying to figure out what the solution on the front end might be so that we’re not in a situation where there could potentially be corporate liability or the inability to be able to access the device.
WHITEHOUSE: But in terms of just looking at this situation, does it not appear that it looks like a situation where value is being privatized and costs are being socialized onto the rest of us?
YATES: That’s certainly one way to look at it. And perhaps the companies have done greater analysis on that than we have. But it’s certainly something we can look at.
I’m not sure what that lawsuit looks like under current law. I, like the Justice Department, have not done the analysis, and I would be very interested in hearing from anyone who has. Whitehouse, however, seems to me to be onto something here. Might a victim of an ISIS attack domestically committed by someone who communicated and plotted using communications architecture specifically designed to be immune, and specifically marketed as immune, from law enforcement surveillance have a claim against the provider who offered that service even after the director of the FBI began specifically warning that ISIS was using such infrastructure to plan attacks? To the extent such companies have no liability in such circumstances, is that the distribution of risk that we as a society want? And might the possibility of civil liability, either under current law or under some hypothetical change to current law, incentivize the development of secure systems that are nonetheless subject to surveillance under limited circumstances?
Why don’t we make the corporations liable, these two security hawks ask!!!
This, at a time when the cybersecurity solution on the table (CISA and other cybersecurity bills) gives corporations overly broad immunity from liability.
Think about that.
While Wittes hasn’t said whether he supports the immunity bills on the table, Paul Rosenzweig and other Lawfare writers are loudly in favor of expansive immunity. And Sheldon Whitehouse, whose idea this is, has been talking about building in immunity for corporations in cybersecurity plans since 2010.
I get there is a need for limited protection for corporations that help the Federal government spy (especially if they’re required to help), which is what liability is always about. I also get that every time we award it, it keeps getting bigger, and years later we discover that immunity covers fairly audacious spying far beyond the ostensible intent of the bill. Though CISA doesn’t even hide that this data will be used for purposes far beyond cybersecurity.
Far, far more importantly, however, one of the problems with the cyber bills on the table is by awarding this immunity, they’re creating a risk calculation for corporations to be sloppy. Sure, there will still be reputational damage every time a corporation exposes its customers’ data to hackers. But we’ve seen in the financial sector — where at least bank regulators require certain levels of hygiene and reporting — bank immunity tied to these reporting requirements appears to have made it impossible to prosecute egregious bank crime.
The banks have learned (and they will be key participants in CISA) that they can obtain impunity by sharing promiscuously (or even not so promiscuously) with the government.
And unlike those bank reporting laws, CISA doesn’t require hygiene. It doesn’t require that corporations deploy basic defenses before obtaining their immunity for information sharing.
If liability is such a great idea, then why aren’t these men pushing the use of liability as a tool to improve our cyberdefenses, rather than (on Whitehouse’s part, at least) calling for the opposite?
Indeed, if this is about appropriately balancing risk, there is no way you can use liability to get corporations to weigh the value of back doors for law enforcement, without at the same time ensuring all corporations also bear full liability for any insecurity in their system, because otherwise corporations won’t be weighing the two sides.
Using liability as a tool might be a clever idea. But using it only for law enforcement back doors does nothing to identify the appropriate balance.
Jim Comey has used what has thus far been an infallible PR tactic since he started as FBI Director. He invites a bunch of handpicked journalists to lunch and eats them alive with his charisma, after which they dutifully report stuff that makes no sense.
In the latest incarnation, on the day after he made two unconvincing pleas for back-doors-called-front-doors to two Senate committees, hinting all the time of big threats over the Fourth, a bunch of journalists then reported that FBI had arrested some people.
Mr. Comey would not say what the plots entailed or how many people had been arrested, but he said the plotters were among more than 10 people with ties to the Islamic State — also known as ISIS or ISIL — who had been arrested across the country in the past month.
Meanwhile, more skeptical types like Dan Froomkin and Adam Johnson started reviewing FBI public announcements and even asking questions, only to have FBI respond, trust us. Froomkin found only one — yet another guy entrapped by the FBI — that looked like Comey’s claimed arrest.
I will have more to say about Comey’s discussion of terrorist arrestees who remain secret. I think they may in fact exist — indeed, I think it quite likely that FBI has already started using the enhanced material support sentences from the ironically named “USA Freedom Act” as leverage to get dopes on Twitter to turn informants into ISIS.
But the FBI has what should be a serious problem. It has been more than 3 days since July 4, since these purported arrests, well over 72 hours, the time period under which federal defendants should be presented and charged. And we’ve seen virtually no arrestees.
Where is the body? Or rather, the multiple bodies Comey insists exist?
Is the FBI subjecting these 10 guys to extended interrogations without telling the press or (potentially) even the local public defenders office so as to be able to extend the already extended “public safety” gutting of Miranda the FBI has been enacting of late? Have these defendants been denied presentment?
Where are the bodies, Comey?
I’ll have a piece in Salon shortly about the two hearings on whether FBI should be able to mandate back doors (they call them front doors because that fools some Senators about the security problems with that) in software.
One thing not in there, however, has to do with a bill the Senate Intelligence Committee is considering that would require Facebook and Twitter and other social media to report terrorist content to authorities. ABC News, quoting Richard Clarke (who hasn’t had an official role in government for some years but is on ABC’s payroll) reported that the social media companies were not now reporting terrorist content.
In the middle of the SSCI hearing on this topic, Dianne Feinstein asked Jim Comey whether social media companies were reporting such content. Comey said they are (he did say they’ve gotten far better of late). Feinstein asked whether there ought to be a law anyway, to mandate behavior the companies are already doing. Comey suggested it wasn’t necessary. Feinstein said maybe they should mandate it anyway, like they do for child porn.
All of which made it clear that such a law is unnecessary, even before you get into the severe problems with the law (such as defining who is a terrorist and what counts as terrorist content).
SSCI will probably pass it anyway, because that’s how they respond to threats of late: by passing legislation that won’t address it.
Note, Feinstein also got visibly and audibly and persistently pissed at Ron Wyden for accurately describing what Deputy Attorney General Sally Yates had said she wanted in an earlier hearing: for providers to have keys that the FBI could use. Feinstein seems to believe good PR will eliminate all the technical problems with a back door plan, perhaps because then she won’t be held responsible for making us less secure as a result.
Update: The measures is here, in the Intelligence Authorization.
Update: Title changed for accuracy.
Apparently, Jim Comey wasn’t happy with his stenographer, Ben Wittes. After having Ben write up Comey’s concerns on encryption last week, Comey has written his own explanation of his concerns about encryption at Ben’s blog.
Here are the 3 key paragraphs.
2. There are many benefits to this. Universal strong encryption will protect all of us—our innovation, our private thoughts, and so many other things of value—from thieves of all kinds. We will all have lock-boxes in our lives that only we can open and in which we can store all that is valuable to us. There are lots of good things about this.
3. There are many costs to this. Public safety in the United States has relied for a couple centuries on the ability of the government, with predication, to obtain permission from a court to access the “papers and effects” and communications of Americans. The Fourth Amendment reflects a trade-off inherent in ordered liberty: To protect the public, the government sometimes needs to be able to see an individual’s stuff, but only under appropriate circumstances and with appropriate oversight.
4. These two things are in tension in many contexts. When the government’s ability—with appropriate predication and court oversight—to see an individual’s stuff goes away, it will affect public safety. That tension is vividly illustrated by the current ISIL threat, which involves ISIL operators in Syria recruiting and tasking dozens of troubled Americans to kill people, a process that increasingly takes part through mobile messaging apps that are end-to-end encrypted, communications that may not be intercepted, despite judicial orders under the Fourth Amendment. But the tension could as well be illustrated in criminal investigations all over the country. There is simply no doubt that bad people can communicate with impunity in a world of universal strong encryption.
Comey admits encryption lets people lock stuff away from criminals (and supports innovation), and admits “there are lots of good things about this.” He then introduces “costs,” without enumerating them. In a paragraph purportedly explaining how the “good things” and “costs” are in tension, he raises the ISIL threat as well as — as an afterthought — “criminal investigations all over the country.”
Without providing any evidence about that tension.
As I have noted, the recent wiretap report raises real questions, at least about the “criminal investigations all over the country,” which in fact are not being thwarted. On that ledger, at least, there is no question: the “good things” (AKA, benefits) are huge, especially with the million or so iPhones that get stolen every year, and the “costs” are negligible, just a few wiretaps law enforcement can’t break.
I conceded we can’t make the same conclusions about FISA orders — or the FBI generally — because Comey’s agency’s record keeping is so bad (which is consistent with all the rest of its record-keeping). It may well be that we’re not able to access ISIL communications with US recruits because of encryption, but simply invoking the existence of ISIL using end-to-end encrypted mobile messaging apps is not evidence (especially because so much evidence indicates that sloppy end-user behavior makes it possible for FBI to crack this).
Especially after the FBI’s 0-for-40 record about making claims about terrorists since 9/11.
It may be that the FBI is facing increasing problems tracking ISIL. It may even be — though I’m skeptical — that those problems would outweigh the value of making stealing iPhones less useful.
But even as he calls for a real debate, Comey offers not one bit of real evidence to counter the crappy FBI reporting in the official reports to suggest this is not more FBI fearmongering.
The US Courts released its semiannual Wiretap Report the other day, which reported that very few of the attempted wiretaps last year were encrypted, with even fewer thwarting law enforcement.
The number of state wiretaps in which encryption was encountered decreased from 41 in 2013 to 22 in 2014. In two of these wiretaps, officials were unable to decipher the plain text of the messages. Three federal wiretaps were reported as being encrypted in 2014, of which two could not be decrypted. Encryption was also reported for five federal wiretaps that were conducted during previous years, but reported to the AO for the first time in 2014. Officials were able to decipher the plain text of the communications in four of the five intercepts.
Motherboard has taken this data and concluded it means the Feds have been overstating their claim they’re “going dark.”
[N]ew numbers released by the US government seem to contradict this doomsday scenario.
“They’re blowing it out of proportion,” Hanni Fahkoury, an attorney at the digital rights group Electronic Frontier Foundation (EFF), told Motherboard. “[Encryption] was only a problem in five cases of the more than 3,500 wiretaps they had up. Second, the presence of encryption was down by almost 50 percent from the previous year.
“So this is on a downward trend, not upward,” he wrote in an email.
Much as I’d like to, I’m not sure I agree with Motherboard’s (or Hanni Fahkoury’s) conclusion.
You’ll see lots of parenthetical entries and NRs. That’s because this data is not being reported systematically. Parenthetical references are to encrypted feeds not reported until years after they get set, and usually those have been decrypted by the time they’re reported. NRs show that we have not getting these numbers, if they exist, from federal law enforcement (and the numbers can’t be zero, as reported here, because FBI has been taking down targets like Silk Road). The reporting on this ought to raise real questions about the quality of the data being reported and perhaps might spark some interest in mandating better reporting of this data so it can be tracked. But it also suggests that — at a time when law enforcement are just beginning to find encryption they can’t break (immediately) — there’s a lot of noise in the data. Does 2013’s 2% of encrypted targets and half-percent that couldn’t be broken represent a big problem? It depends on who the target is — a point I’ll come back to.
Congress will soon have that opportunity (but won’t avail themselves of it).
Even as US Courts were reporting still very low levels of encryption challenges faced by law enforcement, both the Senate Judiciary Committee and the Senate Intelligence Committee announced hearings next Wednesday where Jim Comey will have yet another opportunity to try to present a compelling argument that he should have back doors into our communication. SJC even saw fit to invite witnesses with opposing viewpoints, which the “intelligence” committee saw no need to do.
In an apparent attempt to regain some credibility before these hearings (Jim Comey is nothing if not superb at working the media), Comey went to Ben Wittes to suggest his claimed concern with increasing use of encryption has to do with ISIS’ increasing use of encryption. Ben quotes from Comey’s earlier comments to CNN then riffs on that in light of what Comey just told him in a conversation.
“Our job is to find needles in a nationwide haystack, needles that are increasingly invisible to us because of end-to-end encryption,” Comey said. “This is the ‘going dark’ problem in high definition.”
Comey said ISIS is increasingly communicating with Americans via mobile apps that are difficult for the FBI to decrypt. He also explained that he had to balance the desire to intercept the communication with broader privacy concerns.
“It is a really, really hard problem, but the collision that’s going on between important privacy concerns and public safety is significant enough that we have to figure out a way to solve it,” Comey said.
Let’s unpack this.
As has been widely reported, the FBI has been busy recently dealing with ISIS threats. There have been a bunch of arrests, both because ISIS has gotten extremely good at the inducing self-radicalization in disaffected souls worldwide using Twitter and because of the convergence of Ramadan and the run-up to the July 4 holiday.
As has also been widely reported, the FBI is concerned about the effect of end-to-end encryption on its ability to conduct counterterrorism operations and other law enforcement functions. The concern is two-fold: It’s about data at rest on devices, data that is now being encrypted in a fashion that can’t easily be cracked when those devices are lawfully seized. And it’s also about data in transit between devices, data encrypted such that when captured with a lawful court-ordered wiretap, the signal intercepted is undecipherable.
What was not clear to me until today, however, was the extent to which the ISIS concerns and the “going dark” concerns have converged. In his Brookings speech, Comey did not focus on counterterrorism in the examples he gave of the going dark problem. In the remarks quoted by CNN, and in his conversation with me today, however, he made clear that the landscape is changing fast. Initial recruitment may take place on Twitter, but the promising ISIS candidate quickly gets moved onto messaging platforms that are encrypted end to end. As a practical matter, that means there are people in the United States whom authorities reasonably believe to be in contact with ISIS for whom surveillance is lawful and appropriate but for whom useful signals interception is not technically feasible.
Now, Ben incorrectly blurs the several roles of FBI here. FBI’s interception of ISIS communiques may be both intelligence and law enforcement. To the extent they’re the former — to the extent they’re conducted under FISA — they won’t show up in US Courts’ annual report.
But they probably should, if Comey is to have any credibility on this front.
Moreover, Ben simply states that “there are people in the United States whom authorities reasonably believe to be in contact with ISIS for whom surveillance is lawful and appropriate.” But there’s no evidence presented to support this. Indeed, most of the so-called ISIS prosecutions have shown 1) where probable cause existed, it largely existed in the clear, in Twitter conversations and other online postings and 2) there may not have been probable cause before FBI ginned it up.
It ought to raise real questions about whether Comey’s going dark problem is a law enforcement one — with FBI being unable to to access evidence on real criminals — or is an intelligence one — with FBI being unable to access First Amendment protected speech that nevertheless may be important for an understanding of the threat ISIS poses domestically. Again, the data is not there, one way or another, but given the law enforcement data, we ought to demand real numbers for intelligence intercepts. Another pertinent question is whether this encrypted data is easily accessible to NSA (ISIS recruiters are almost entirely going to be legitimate NSA targets located overseas), but not to FBI?
And all this presumes that Comey is telling the truth about ISIS and not — as he and just about every member of the Intelligence Community has done routinely — used terror threats to be able to get authorities to wield against other kinds of threats, especially hackers (which is not to say hackers aren’t a target, just that the IC likes to pretend its authorities serve an exclusively CT purpose when they clearly do not). The law enforcement data, at least, show that even members of very sophisticated drug distribution networks are using encryption at a really low level. Is ISIS’ ability to coach potential recruits into using encrypted products on Twitter really that much better, or is Comey really talking about hackers who more obviously have the technical skills to encrypt their communications?
Thus far, Comey would have you believe that intelligence — counterterrorism — targets encrypt at a much higher rate than even drug targets. But the data also suggest even federal law enforcement (that is, Comey’s agency, among others) aren’t tracking this very effectively, and so can’t present reliable numbers.
Before we go any further in this cryptowar debate, we ought to be able to get real numbers on how serious the problem is.
While everyone was focused on USA F-ReDux last week, DOJ’s Inspector General submitted its semiannual report. In it, Michael Horowitz reiterated his complaint that FBI was stonewalling on document production. He listed 4 requests made after Congress defunded such stonewalling on which FBI was still stonewalling at the end of March.
The OIG has sent four letters to Congress to report that the FBI has failed to comply with Section 218 by refusing to provide the OIG, for reasons unrelated to any express limitation in Section 6(a) of the IG Act, with timely access to certain records in ongoing OIG reviews. Those reviews are:
- Two FBI whistleblower retaliation investigations, letter dated February 3, 2015, which is available here;
- The FBI documents related to review of the DEA’s use of administrative subpoenas, letter dated February 19, 2015, which is available here;
- The FBI’s use of information derived from collection of telephony metadata under Section 215 of the Patriot Act, letter dated February 25, 2015, which is available here; and
- The FBI’s security clearance adjudication process, letter dated March 4, 2015, which is available here.
As of March 31, 2015, the OIG document requests were outstanding in every one of the reviews and investigations that were the subject of the letters above. The OIG is approaching the 1 year anniversary of the Deputy Attorney General’s request in May 2014 to the Office of Legal Counsel for an opinion on these matters, yet that opinion remains outstanding and the OIG has been given no timeline for the issuance of the completed opinion. Although the OIG has been told the opinion is a priority for the Department, the length of time that has now passed suggests otherwise. Instead, the status quo continues, with the FBI repeatedly ignoring the mandate of Section 218 and the Department failing to issue an opinion that would resolve the matter. The result is that the OIG continues to be prevented from getting complete and timely access to records in the Department’s possession. The OIG’s ability to conduct effective and rigorous oversight is being undercut every day that goes by without a resolution of this dispute.
Of particular note, as of March 31, FBI was still stonewalling an October 10, 2014 request (and January 2015 deadline) connected with DOJ IG’s review of how FBI has been using metadata from phone dragnets.
The OIG requested these records in connection with its pending review of the FBI’s use of information derived from the National Security Agency’s collection of telephony metadata obtained from certain telecommunications service providers under Section 215 of the Patriot Act. The timeliness of production is particularly important given that Section 215 of the Patriot Act is set to expire in June of this year.
FBI was also still stonewalling records of how it used DEA’s dragnet, but in the case of phone metadata, Horowitz specifically tied the investigation to the upcoming sunset of Section 215 authority.
DOJ’s IG wanted to review what was happening with the 2-hop dragnet data that got turned over to FBI before Congress reauthorized Section 215. And FBI successfully stalled that effort until after Congress passed a bill that will almost certainly result in far more phone metadata being turned over to FBI, and under far more permissive rules than they had been under.
I’ll explain why that was probably important in a follow-up post. But for the moment, as pundits declare winners and losers on yesterday’s passage of USA F-ReDux (I’ll do my own version of that too, shortly!), it’s worth noting that FBI successfully ran out the clock on its own IG, preventing us from learning about the privacy impact of one little-considered aspect of the dragnet.
On May 7, the very same day the Second Circuit ruled that Congress has to say specifically what a surveillance bill means for the bill to mean that thing, Richard Burr engaged in a staged colloquy on the Senate floor where he claimed that the Section 215 bulk collection program collects IP addresses. After Andrew Blake alerted me to that and I wrote it up, Burr stuffed the claim into the memory hole and claimed, dubiously, to have made a misstatement in a planned colloquy.
Then, after Mitch McConnell created a crisis by missing the first Section 215 reauthorization deadlines, Burr submitted a bill that would immediately permit the bulk collection of IP addresses, plus a whole lot more, falsely telling reporters this was a “compromise” bill that would ensure a smooth transition between the current (phone) dragnet and its replacement system.
Which strongly suggests Burr’s initial “misstatement” was simply an attempt to create a legislative record approving a vast expansion of the current dragnet that, when he got caught, led Burr to submit a bill that actually would implement that in fact.
This has convinced me we’re going to need to watch these authoritarians like hawks, to prevent them from creating the appearance of authorizing vast surveillance systems without general knowledge that’s what’s happening.
So I reviewed the speech Mitch made on Friday (this appears after 4:30 to 15:00; unlike Burr’s speech, the congressional record does reflect what Mitch actually said; h/t Steve Aftergood for Congressional Record transcript). And amid misleading claims about what the “compromise” bill Burr was working on, Mitch suggested something remarkable: among the data he’s demanding be retained are documents, not just call data.
I’ve placed the key part of Mitch’s comments below the rule, with my interspersed comments. As I show, one thing Mitch does is accuse providers of an unwillingness to provide data when in fact what he means is far more extensive cooperation. But I’m particularly interested in what he says about data retention:
The problem, of course, is that the providers have made it abundantly clear that they will not commit to retaining the data for any period of time as contemplated by the House-passed bill unless they are legally required to do so. There is no such requirement in the bill. For example, one provider said the following: “[We are] not prepared to commit to voluntarily retain documents for any particular period of time pursuant to the proposed USA FREEDOM Act if not otherwise required by law.”
Now, one credulous journalist told me the other day that telecoms were refusing to speak to the Administration at all, which he presumably parroted from sources like Mitch. That’s funny, because not only did the telecom key to making the program work — Verizon — provide testimony to Congress (which is worth reviewing, because Verizon Associate General Counsel — and former FBI lawyer — Michael Woods pointed to precisely what the dragnet would encompass under Burr’s bill, including VOIP, peer-to-peer, and IP collection), but Senator Feinstein has repeatedly made clear the telecoms have agreed with the President to keep data for two years.
Furthermore, McConnell’s quotation of this line from a (surely highly classified letter) cannot be relied on. Verizon at first refused to retain data before it made its data handshake with the President. So when did this provider send this letter, and does their stance remain the same? Mitch doesn’t say, and given how many other misleading comments he made in his speech, it’s unwise to trust him on this point.
Most curiously, though, look at what they’re refusing to keep. Not phone data! But documents.
Both USA F-ReDux and Burr’s bill only protect messaging contents, not other kinds of content (and Burr’s excludes anything that might be Dialing, Routing Addressing and Signaling data from his definition of content, which is the definition John Bates adopted in 2010 to be able to permit NSA to resume collecting Internet metadata in bulk). Both include remote computing services (cloud services) among the providers envisioned to be included not just under the bill, but under the “Call Detail Record” provision.
Perhaps there’s some other connotation for this use of the word “documents.” Remember, I think the major target of data retention mandates is Apple, because Jim Comey wants iMessage data that would only be available from their cloud.
But documents? What the hell kind of “Call Detail Records” is Mitch planning on here?
One more thing is remarkable about this. Mitch is suggesting it will take longer for providers to comply with this system than it took them to comply with Protect America Act. Yahoo, for example, challenged its orders and immediately refused to comply on November 8, 2007. Yet, even in spite of challenging that order and appealing, Yahoo started complying with it on May 5, 2008, that same 180-time frame envisioned here. And virtually all of the major providers already have some kind of compliance mechanism in place, either through PRISM (Apple, Google, and Microsoft) or upstream 702 compliance (AT&T and Verizon).
Last night, Mitch McConnell dealt himself a humiliating defeat. As I correctly predicted a month before events played out, McConnell tried to create a panic that would permit him and Richard Burr to demand changes — including iMessage retention, among other things — to USA F-ReDux. That is, in fact, what Mitch attempted to do, as is evident from the authoritarian power grab Burr released around 8:30 last night (that is, technically after the Administration had already missed the FISA Court deadline to renew the dragnet).
Contrary to a lot of absolutely horrible reporting on Burr’s bill, it does not actually resemble USA F-ReDux.
As I laid out here, it would start by gutting ECPA, such that the FBI could resume using NSLs to do the bulky Internet collection that moved to Section 215 production in 2009.
It also vastly expanded the application of the call record function (which it very explicitly applied to electronic communications providers, meaning it would include all Internet production, though that is probably what USA F-ReDux does implicitly), such that it could be used against Americans for any counterterrorism or counterintelligence (which includes leaks and cybersecurity) function, and for foreigners (which would chain onto Americans) for any foreign intelligence purpose. The chaining function includes the same vague language from USA F-ReDux which, in the absence of the limiting language in the House Judiciary Committee bill report, probably lets the government chain on session identifying information (like location and cookies, but possibly even things like address books) to do pattern analysis on providers’ data. Plus, the bill might even permit the government to do this chaining in provider data, because it doesn’t define a key “permit access” term.
Burr’s bill applies EO 12333 minimization procedures (and notice), not the stronger Section 215 ones Congress mandated in 2006; while USA F-ReDux data will already be shared far more widely than it is now, this would ensure that no defendant ever gets to challenge this collection. It imposes a 3-year data retention mandate (which would be a significant new burden on both Verizon and Apple). It appears to flip the amicus provision on its head, such that if Verizon or Apple challenged retention or any other part of the program, the FISC could provide a lawyer for the tech companies and tell that lawyer to fight for retention. And in the piece de la resistance, the bill creates its very own Espionage Act imposing 10 year prison terms for anyone who reveals precisely what’s happening in this expanded querying function at providers.
It is, in short, the forced-deputization of the nation’s communications providers to conduct EO 12333 spying on Americans within America.
Had Mitch had his way, after both USA F-ReDux and his 2-month straight reauthorization failed to get cloture, he would have asked for a week extension, during which the House would have been forced to come back to work and accept — under threat of “going dark” — some of the things demanded in Burr’s bill.
It didn’t work out.
But as it was, USA F-ReDux had far more support than the short-term reauthorization. Both McConnell and Rand Paul voted against both, for very different reasons. The difference in the vote results, however, was that Joe Donnelly (D), Jeff Flake (R), Ron Johnson (R), James Lankford (R), Bill Nelson (D), Tim Scott (R), and Dan Sullivan (R) voted yes to both. McConnell’s preferred option didn’t even get a majority of the vote, because he lost a chunk of his members.
Then McConnell played the hand he believed would give himself and Burr leverage. The plan — as I stated — was to get a very short term reauthorization passed and in that period force through changes with the House (never mind that permitting that to happen might have cost Boehner his Speakership, that’s what McConnell and Burr had in mind).
First, McConnell asked for unanimous consent to pass an extension to June 8. (h/t joanneleon for making the clip) But Paul, reminding that this country’s founders opposed General Warrants and demanding 2 majority vote amendments, objected. McConnell then asked for a June 5 extension, to which Ron Wyden objected. McConnell asked for an extension to June 3. Martin Heinrich objected. McConnell asked for an extension to June 2. Paul objected.
McConnell’s bid failed. And he ultimately scheduled the Senate to return on Sunday afternoon, May 31.
By far the most likely outcome at this point is that enough Senators — likely candidates are Mark Kirk, Angus King, John McCain, Joni Ernst, or Susan Collins — flip their vote on USA F-ReDux, which will then be rushed to President Obama just hours before Section 215 (and with it, Lone Wolf and Roving Wiretaps) expires on June 1. But even that (because of when McConnell scheduled it) probably requires Paul to agree to an immediate vote.
But if not, it won’t be the immediate end of the world.
On this issue, too, the reporting has been horrible, even to almost universal misrepresentation of what Jim Comey said about the importance of expiring provisions — I’ve laid out what he really said and what it means here. Comey cares first and foremost about the other Section 215 uses, almost surely the bulky Internet collection that moved there in 2009. But those orders, because they’re tied to existing investigations (of presumably more focused subject than the standing counterterrorism investigation to justify the phone dragnet), they will be grand-fathered at least until whatever expiration date they have hits, if not longer. So FBI will be anxious to restore that authority (or move it back to NSLs as Burr’s bill would do), especially since unlike the phone dragnet, there aren’t other ways to get the data. But there’s some time left to do that.
Comey also said the Roving Wiretap is critical. I’m guessing that’s because they use it to target things like Tor relays. But if that’s the primary secretly redefined function, they likely have learned enough about the Tor relays they’re parked on to get individual warrants. And here, too, the FBI likely won’t have to detask until expiration days on these FISA orders come due.
As for the phone dragnet and the Lone Wolf? Those are less urgent, according to Comey.
Now, that might help the Republicans who want to jam through some of Burr’s demands, since most moderate reformers assume the phone dragnet is the most important function that expires. Except that McConnell and others have spent so long pretending that this is about a phone dragnet that in truth doesn’t really work, that skittish Republicans are likely to want to appear to do all they can to keep the phone dragnet afloat.
As I said, the most likely outcome is that a number of people flip their vote and help pass USA F-ReDux.
But as with last night’s “debate,” no one really knows for sure.
A number of outlets have reported that, in an appearance Wednesday at Georgetown, Jim Comey suggested the other PATRIOT Act provisions expiring on June 1, not Section 215, are the critical ones. Here’s one example:
In a speech Wednesday, FBI Director James B. Comey said losing the ability to use roving wiretaps or track lone wolves in terrorism investigations would be a “big problem.” The bureau since the 1980s has been able to follow criminal suspects as they changed phones, he said, and the Patriot Act extended that capability to terrorism cases.
“That’s going to go away” unless the law is reauthorized, Comey said.
That’s not actually what Comey said. (Starting at 20:45) Rather, he said that losing other uses of Section 215 — in situations where FBI can’t get use a grand jury subpoena or an NSL — would be “a big problem.” He did say that losing Roving Wiretap Authority would be “a big problem.” About Lone Wolf, he said only that it, “matters.”
Significant impact, in ways that we’re not talking about much, and I’m trying to make sure we’re talking about. A lot of the focus on 215 is on the NSA’s telephony metadata — should that be with the NSA, should that be with individual telepho–telephony providers and accessed by the NSA, and that’s an important discussion. That’s a useful tool the FBI [shrugs] so it’s a conversation I care about, but there are critical tools to the FBI that are going to sunset on June 1 that people don’t talk about.
The first is, Section 215 is the vehicle through which the NSA, telephony database, was assembled, but we use Section 215 in individual cases, in very important circumstances fewer than 200 times a year we go to the FISA Court in a particular case and get particular records that are important to a Counterintelligence investigation or a Counterterrorism investigation. If we lose that authority, which I don’t think is controversial with folks, that is a big problem. Because we will find ourselves in circumstances where we can’t use a grand jury subpoena or we can’t use a National Security Letter, unable to obtain information, with the court’s approval that I think everybody wants us to be able to obtain, in individual cases, so that’s a problem.
The second that’s a big problem is the Roving Wiretap Authority is gonna expire on June 1. This is an authority we’ve had in criminal cases since the early, mid-eighties, where if a drug dealer or a criminal is dropping phones repeatedly, the judge can give us authority to intercept that individual’s communications, no matter what device they’re on, so we don’t have to go back and start the process each time they dump a phone. What the PATRIOT Act did in 2001 was extend that authority to international terrorism investigations and counterintelligence investigations. That is not a controversial thing. That’s gonna go away June 1 unless it’s reauthorized.
And there’s one other provision that matters. And that’s the so-called Lone Wolf — that’s not a term I like but it’s call a Lone Wolf provision by most people. And that is if we can’t, if we can establish probable cause that someone in this country is up to terrible no good, they have probable cause to believe they are an international terrorist of some sort, but we can’t prove what particular organization they’re hooked up with, this provision would allow us — the judge — to authorize the interception, even if we can’t say, “well they’re Al Qaeda, no they’re ISIL, no they’re AQAP. That’s an important, I think uncontroversial authority, these 3 are going to go away June 1. And I don’t want them to get lost in the conversation about metadata.
The emphasis, then, is on the first two — other uses of Section 215 and Roving Wiretaps — and not Lone Wolf as much.
To be fair, Comey is likely obfuscating about all three of these.
We know that when the Internet collection that had formerly (until 2009) been done under NSLs is bulky; the FISC spent a lot of time policing minimization procedures on that collection until FBI finally started complying with the law in 2013. And when Comey says these are “individual cases,” he likely means they are things like US-based Jihadist fora encompassing the communications of many individuals, or frequent or critical cyber targets with which many individual people might communicate as well. Indeed, these collection points are probably — like the phone dragnet — tied to enterprise investigations, which would explain why grand jury subpoenas would not be available.
As for the Roving Wiretap, remember that in 2007 the FISC reinterpreted that statute in secret to mean NSA could collect from entire circuits because al Qaeda targets used many different email and phone addresses served by that circuit. While NSA is likely not relying on that particular opinion anymore (the Protect America Act and FISA Amendments Act replaced that collection), the opinion has likely been repurposed in similar ways to permit NSA to target far more broadly than actual suspect individuals. For example, for a frequent cybersecurity target, I could imagine NSA making an argument that hackers are frequently using (in reality, attacking) those servers, and therefore the FBI can collect on it. Similarly, I could imagine them using Roving Wiretaps to authorize US-based efforts to undermine the Tor network.
The same is almost certainly true of the Lone Wolf provision (in fact it has to be, because for years FBI insisted on extending even though they admitted they had never used it directly). Remember, Lone Wolves are supposed be US-based non-US persons engaged in international terrorism. But for a bunch of reasons, I suspect the provision is used to claim someone with zero tie to a terrorist organization overseas is a Lone Wolf (making him a foreign power) and then use that to claim some young Muslim man in the US “planning” plots with the foreign-based Lone Wolf can be targeted under FISA. (There must be some such explanation because there are lot of young sting targets apparently targeted using traditional FISA orders who have no discernible status as an agent of a Foreign Power.)
For what it’s worth, I suspect the extension of WMD trafficking designations under USA F-ReDux to include those who conspire with or abet actual proliferators is intended to work the same way: to expand the Foreign Power definition to encompass many fairly.
All that said, Comey’s emphasis was, in large part, on those other use of Section 215, and certainly didn’t seem to be on the Lone Wolf provision. And he may well be correct that FBI can’t replace this function easily, if my guess that FBI uses Section 215 to conduct bulky collection for enterprise investigations is correct. Moreover, note that the assessments of agents in the IG Report released yesterday — that they could not “identify any major case developments from the records obtained in response to Section 215 orders” — predates the big spike in use of Section 215 to collect those Internet communications. So the question would need to be asked again about this collection to see if it has been critical.
All that said, if these other uses are so important, than the Intelligence Community shouldn’t have played a game of chicken to retain a phone dragnet function which FBI largely duplicates with individualized collection already, which has never been critical to stopping a terrorist plot, and which may well hold up these purportedly critical other uses.