Jim Comey

1 2 3 8

Mitch McConnell Suggests He Wants a Bulk Document Collection System

On May 7, the very same day the Second Circuit ruled that Congress has to say specifically what a surveillance bill means for the bill to mean that thing, Richard Burr engaged in a staged colloquy on the Senate floor where he claimed that the Section 215 bulk collection program collects IP addresses. After Andrew Blake alerted me to that and I wrote it up, Burr stuffed the claim into the memory hole and claimed, dubiously, to have made a misstatement in a planned colloquy.

Then, after Mitch McConnell created a crisis by missing the first Section 215 reauthorization deadlines, Burr submitted a bill that would immediately permit the bulk collection of IP addresses, plus a whole lot more, falsely telling reporters this was a “compromise” bill that would ensure a smooth transition between the current (phone) dragnet and its replacement system.

Which strongly suggests Burr’s initial “misstatement” was simply an attempt to create a legislative record approving a vast expansion of the current dragnet that, when he got caught, led Burr to submit a bill that actually would implement that in fact.

This has convinced me we’re going to need to watch these authoritarians like hawks, to prevent them from creating the appearance of authorizing vast surveillance systems without general knowledge that’s what’s happening.

So I reviewed the speech Mitch made on Friday (this appears after 4:30 to 15:00; unlike Burr’s speech, the congressional record does reflect what Mitch actually said; h/t Steve Aftergood for Congressional Record transcript). And amid misleading claims about what the “compromise” bill Burr was working on, Mitch suggested something remarkable: among the data he’s demanding be retained are documents, not just call data.

I’ve placed the key part of Mitch’s comments below the rule, with my interspersed comments. As I show, one thing Mitch does is accuse providers of an unwillingness to provide data when in fact what he means is far more extensive cooperation. But I’m particularly interested in what he says about data retention:

The problem, of course, is that the providers have made it abundantly clear that they will not commit to retaining the data for any period of time as contemplated by the House-passed bill unless they are legally required to do so. There is no such requirement in the bill. For example, one provider said the following: “[We are] not prepared to commit to voluntarily retain documents for any particular period of time pursuant to the proposed USA FREEDOM Act if not otherwise required by law.”

Now, one credulous journalist told me the other day that telecoms were refusing to speak to the Administration at all, which he presumably parroted from sources like Mitch. That’s funny, because not only did the telecom key to making the program work — Verizon — provide testimony to Congress (which is worth reviewing, because Verizon Associate General Counsel — and former FBI lawyer — Michael Woods pointed to precisely what the dragnet would encompass under Burr’s bill, including VOIP, peer-to-peer, and IP collection), but Senator Feinstein has repeatedly made clear the telecoms have agreed with the President to keep data for two years.

Furthermore, McConnell’s quotation of this line from a (surely highly classified letter) cannot be relied on. Verizon at first refused to retain data before it made its data handshake with the President. So when did this provider send this letter, and does their stance remain the same? Mitch doesn’t say, and given how many other misleading comments he made in his speech, it’s unwise to trust him on this point.

Most curiously, though, look at what they’re refusing to keep. Not phone data! But documents.

Both USA F-ReDux and Burr’s bill only protect messaging contents, not other kinds of content (and Burr’s excludes anything that might be Dialing, Routing Addressing and Signaling data from his definition of content, which is the definition John Bates adopted in 2010 to be able to permit NSA to resume collecting Internet metadata in bulk). Both include remote computing services (cloud services) among the providers envisioned to be included not just under the bill, but under the “Call Detail Record” provision.

Perhaps there’s some other connotation for this use of the word “documents.” Remember, I think the major target of data retention mandates is Apple, because Jim Comey wants iMessage data that would only be available from their cloud.

But documents? What the hell kind of “Call Detail Records” is Mitch planning on here?

One more thing is remarkable about this. Mitch is suggesting it will take longer for providers to comply with this system than it took them to comply with Protect America Act. Yahoo, for example, challenged its orders and immediately refused to comply on November 8, 2007. Yet, even in spite of challenging that order and appealing, Yahoo started complying with it on May 5, 2008, that same 180-time frame envisioned here. And virtually all of the major providers already have some kind of compliance mechanism in place, either through PRISM (Apple, Google, and Microsoft) or upstream 702 compliance (AT&T and Verizon).
Continue reading

Mitch McConnell and Richard Burr’s Authoritarian Power Grab Fails

Last night, Mitch McConnell dealt himself a humiliating defeat. As I correctly predicted a month before events played out, McConnell tried to create a panic that would permit him and Richard Burr to demand changes — including iMessage retention, among other things — to USA F-ReDux. That is, in fact, what Mitch attempted to do, as is evident from the authoritarian power grab Burr released around 8:30 last night (that is, technically after the Administration had already missed the FISA Court deadline to renew the dragnet).

Contrary to a lot of absolutely horrible reporting on Burr’s bill, it does not actually resemble USA F-ReDux.

As I laid out here, it would start by gutting ECPA, such that the FBI could resume using NSLs to do the bulky Internet collection that moved to Section 215 production in 2009.

It also vastly expanded the application of the call record function (which it very explicitly applied to electronic communications providers, meaning it would include all Internet production, though that is probably what USA F-ReDux does implicitly), such that it could be used against Americans for any counterterrorism or counterintelligence (which includes leaks and cybersecurity) function, and for foreigners (which would chain onto Americans) for any foreign intelligence purpose. The chaining function includes the same vague language from USA F-ReDux which, in the absence of the limiting language in the House Judiciary Committee bill report, probably lets the government chain on session identifying information (like location and cookies, but possibly even things like address books) to do pattern analysis on providers’ data. Plus, the bill might even permit the government to do this chaining in provider data, because it doesn’t define a key “permit access” term.

Burr’s bill applies EO 12333 minimization procedures (and notice), not the stronger Section 215 ones Congress mandated in 2006; while USA F-ReDux data will already be shared far more widely than it is now, this would ensure that no defendant ever gets to challenge this collection. It imposes a 3-year data retention mandate (which would be a significant new burden on both Verizon and Apple). It appears to flip the amicus provision on its head, such that if Verizon or Apple challenged retention or any other part of the program, the FISC could provide a lawyer for the tech companies and tell that lawyer to fight for retention. And in the piece de la resistance, the bill creates its very own Espionage Act imposing 10 year prison terms for anyone who reveals precisely what’s happening in this expanded querying function at providers.

It is, in short, the forced-deputization of the nation’s communications providers to conduct EO 12333 spying on Americans within America.

Had Mitch had his way, after both USA F-ReDux and his 2-month straight reauthorization failed to get cloture, he would have asked for a week extension, during which the House would have been forced to come back to work and accept — under threat of “going dark” — some of the things demanded in Burr’s bill.

It didn’t work out.

Sure, both USA F-ReDux (57-42) and the short-term reauthorization (45-54) failed cloture votes.

But as it was, USA F-ReDux had far more support than the short-term reauthorization. Both McConnell and Rand Paul voted against both, for very different reasons. The difference in the vote results, however, was that Joe Donnelly (D), Jeff Flake (R), Ron Johnson (R), James Lankford (R), Bill Nelson (D), Tim Scott (R), and Dan Sullivan (R) voted yes to both. McConnell’s preferred option didn’t even get a majority of the vote, because he lost a chunk of his members.

Then McConnell played the hand he believed would give himself and Burr leverage. The plan — as I stated — was to get a very short term reauthorization passed and in that period force through changes with the House (never mind that permitting that to happen might have cost Boehner his Speakership, that’s what McConnell and Burr had in mind).

First, McConnell asked for unanimous consent to pass an extension to June 8. (h/t joanneleon for making the clip) But Paul, reminding that this country’s founders opposed General Warrants and demanding 2 majority vote amendments, objected. McConnell then asked for a June 5 extension, to which Ron Wyden objected. McConnell asked for an extension to June 3. Martin Heinrich objected. McConnell asked for an extension to June 2. Paul objected.

McConnell’s bid failed. And he ultimately scheduled the Senate to return on Sunday afternoon, May 31.

By far the most likely outcome at this point is that enough Senators — likely candidates are Mark Kirk, Angus King, John McCain, Joni Ernst, or Susan Collins — flip their vote on USA F-ReDux, which will then be rushed to President Obama just hours before Section 215 (and with it, Lone Wolf and Roving Wiretaps) expires on June 1. But even that (because of when McConnell scheduled it) probably requires Paul to agree to an immediate vote.

But if not, it won’t be the immediate end of the world.

On this issue, too, the reporting has been horrible, even to almost universal misrepresentation of what Jim Comey said about the importance of expiring provisions — I’ve laid out what he really said and what it means here. Comey cares first and foremost about the other Section 215 uses, almost surely the bulky Internet collection that moved there in 2009. But those orders, because they’re tied to existing investigations (of presumably more focused subject than the standing counterterrorism investigation to justify the phone dragnet), they will be grand-fathered at least until whatever expiration date they have hits, if not longer. So FBI will be anxious to restore that authority (or move it back to NSLs as Burr’s bill would do), especially since unlike the phone dragnet, there aren’t other ways to get the data. But there’s some time left to do that.

Comey also said the Roving Wiretap is critical. I’m guessing that’s because they use it to target things like Tor relays. But if that’s the primary secretly redefined function, they likely have learned enough about the Tor relays they’re parked on to get individual warrants. And here, too, the FBI likely won’t have to detask until expiration days on these FISA orders come due.

As for the phone dragnet and the Lone Wolf? Those are less urgent, according to Comey.

Now, that might help the Republicans who want to jam through some of Burr’s demands, since most moderate reformers assume the phone dragnet is the most important function that expires. Except that McConnell and others have spent so long pretending that this is about a phone dragnet that in truth doesn’t really work, that skittish Republicans are likely to want to appear to do all they can to keep the phone dragnet afloat.

As I said, the most likely outcome is that a number of people flip their vote and help pass USA F-ReDux.

But as with last night’s “debate,” no one really knows for sure.

Comey’s Emphasis on Expiring PATRIOT Provisions: Other 215 Uses and Roving Wiretaps


A number of outlets have reported that, in an appearance Wednesday at Georgetown, Jim Comey suggested the other PATRIOT Act provisions expiring on June 1, not Section 215, are the critical ones. Here’s one example:

In a speech Wednesday, FBI Director James B. Comey said losing the ability to use roving wiretaps or track lone wolves in terrorism investigations would be a “big problem.” The bureau since the 1980s has been able to follow criminal suspects as they changed phones, he said, and the Patriot Act extended that capability to terrorism cases.

“That’s going to go away” unless the law is reauthorized, Comey said.

That’s not actually what Comey said. (Starting at 20:45) Rather, he said that losing other uses of Section 215 — in situations where FBI can’t get use a grand jury subpoena or an NSL — would be “a big problem.” He did say that losing Roving Wiretap Authority would be “a big problem.” About Lone Wolf, he said only that it, “matters.”

Significant impact, in ways that we’re not talking about much, and I’m trying to make sure we’re talking about. A lot of the focus on 215 is on the NSA’s telephony metadata — should that be with the NSA, should that be with individual telepho–telephony providers and accessed by the NSA, and that’s an important discussion. That’s a useful tool the FBI [shrugs] so it’s a conversation I care about, but there are critical tools to the FBI that are going to sunset on June 1 that people don’t talk about.

The first is, Section 215 is the vehicle through which the NSA, telephony database, was assembled, but we use Section 215 in individual cases, in very important circumstances fewer than 200 times a year we go to the FISA Court in a particular case and get particular records that are important to a Counterintelligence investigation or a Counterterrorism investigation. If we lose that authority, which I don’t think is controversial with folks, that is a big problem. Because we will find ourselves in circumstances where we can’t use a grand jury subpoena or we can’t use a National Security Letter, unable to obtain information, with the court’s approval that I think everybody wants us to be able to obtain, in individual cases, so that’s a problem.

The second that’s a big problem is the Roving Wiretap Authority is gonna expire on June 1. This is an authority we’ve had in criminal cases since the early, mid-eighties, where if a drug dealer or a criminal is dropping phones repeatedly, the judge can give us authority to intercept that individual’s communications, no matter what device they’re on, so we don’t have to go back and start the process each time they dump a phone. What the PATRIOT Act did in 2001 was extend that authority to international terrorism investigations and counterintelligence investigations. That is not a controversial thing. That’s gonna go away June 1 unless it’s reauthorized.

And there’s one other provision that matters. And that’s the so-called Lone Wolf — that’s not a term I like but it’s call a Lone Wolf provision by most people. And that is if we can’t, if we can establish probable cause that someone in this country is up to terrible no good, they have probable cause to believe they are an international terrorist of some sort, but we can’t prove what particular organization they’re hooked up with, this provision would allow us — the judge — to authorize the interception, even if we can’t say, “well they’re Al Qaeda, no they’re ISIL, no they’re AQAP. That’s an important, I think uncontroversial authority, these 3 are going to go away June 1. And I don’t want them to get lost in the conversation about metadata.

The emphasis, then, is on the first two — other uses of Section 215 and Roving Wiretaps — and not Lone Wolf as much.

To be fair, Comey is likely obfuscating about all three of these.

We know that when the Internet collection that had formerly (until 2009) been done under NSLs is bulky; the FISC spent a lot of time policing minimization procedures on that collection until FBI finally started complying with the law in 2013. And when Comey says these are “individual cases,” he likely means they are things like US-based Jihadist fora encompassing the communications of many individuals, or frequent or critical cyber targets with which many individual people might communicate as well. Indeed, these collection points are probably — like the phone dragnet — tied to enterprise investigations, which would explain why grand jury subpoenas would not be available.

As for the Roving Wiretap, remember that in 2007 the FISC reinterpreted that statute in secret to mean NSA could collect from entire circuits because al Qaeda targets used many different email and phone addresses served by that circuit. While NSA is likely not relying on that particular opinion anymore (the Protect America Act and FISA Amendments Act replaced that collection), the opinion has likely been repurposed in similar ways to permit NSA to target far more broadly than actual suspect individuals. For example, for a frequent cybersecurity target, I could imagine NSA making an argument that hackers are frequently using (in reality, attacking) those servers, and therefore the FBI can collect on it. Similarly, I could imagine them using Roving Wiretaps to authorize US-based efforts to undermine the Tor network.

The same is almost certainly true of the Lone Wolf provision (in fact it has to be, because for years FBI insisted on extending even though they admitted they had never used it directly). Remember, Lone Wolves are supposed be US-based non-US persons engaged in international terrorism. But for a bunch of reasons, I suspect the provision is used to claim someone with zero tie to a terrorist organization overseas is a Lone Wolf (making him a foreign power) and then use that to claim some young Muslim man in the US “planning” plots with the foreign-based Lone Wolf can be targeted under FISA. (There must be some such explanation because there are lot of young sting targets apparently targeted using traditional FISA orders who have no discernible status as an agent of a Foreign Power.)

For what it’s worth, I suspect the extension of WMD trafficking designations under USA F-ReDux to include those who conspire with or abet actual proliferators is intended to work the same way: to expand the Foreign Power definition to encompass many fairly.

All that said, Comey’s emphasis was, in large part, on those other use of Section 215, and certainly didn’t seem to be on the Lone Wolf provision. And he may well be correct that FBI can’t replace this function easily, if my guess that FBI uses Section 215 to conduct bulky collection for enterprise investigations is correct. Moreover, note that the assessments of agents in the IG Report released yesterday — that they could not “identify any major case developments from the records obtained in response to Section 215 orders” — predates the big spike in use of Section 215 to collect those Internet communications. So the question would need to be asked again about this collection to see if it has been critical.

All that said, if these other uses are so important, than the Intelligence Community shouldn’t have played a game of chicken to retain a phone dragnet function which FBI largely duplicates with individualized collection already, which has never been critical to stopping a terrorist plot, and which may well hold up these purportedly critical other uses.

In 2003, OLC Doubled Down on Unlimited (de)Classification Authority for the President

One of the tactics those in DOJ attempted to use in 2004 to put some controls on Stellar Wind, it appears from the DOJ IG Report, was to point to legal requirements to inform Congress (for example, to inform Congress that the Attorney General had decided not to enforce particular laws), which might have led to enough people in Congress learning of the program to impose some limits on it. For example, Robert Mueller apparently tried to get the Executive to brief the Judiciary Committees, in addition to the Gang of Four, about the program.

On March 16, 2004 Gonzales wrote a letter to Jim Comey in response to DOJ’s efforts to force the Administration to follow the law. Previous reporting revealed that Gonzales told Comey he misunderstood the White House’s interest in DOJ’s opinion.

Your memorandum appears to have been based on a misunderstanding of the President’s expectations regarding the conduct of the Department of Justice. While the President was, and remains, interested in any thoughts the Department of Justice may have on alternative ways to achieve effectively the goals of the activities authorized by the Presidential Authorization of March 11, 2004, the President has addressed definitively for the Executive Branch in the Presidential Authorization the interpretation of the law.

This appears to have led directly to Comey drafting his resignation letter.

But what previous reporting didn’t make clear was that Gonzales also claimed the Administration had unfettered authority to decide whether or not to share classified information (and that, implicitly, it could blow off statutory Congressional reporting requirements).

Gonzales letter also addressed Comey’s comments about congressional notification. Citing Department of the Navy v. Egan, 484 U.S. 518 (1988) and a 2003 OLC opinion, Gonzales’s letter stated that the President has the constitutional authority to define and control access to the nation’s secrets, “including authority to determine the extent to which disclosure may be made outside the Executive Branch.” (TS//STLW//SI/OC/NF) [PDF 504]

I’m as interested in this as much for the timing of the memo — 2003 — as the indication that the Executive asserted the authority to invoke unlimited authority over classification as a way to flout reporting mandates (both with regards to Stellar Wind, but the implication is, generally as well).

The most likely time frame for this decision would be around March 25, 2003, when President Bush was also rewriting the Executive Order on classification (this EO is most famous because it gave the Vice President new authorities over classifying information). If that’s right, it would confirm that Bush’s intent with the EO (and the underlying OLC memo) was to expand the ability to invoke classification for whatever reasons.

And if that OLC opinion was written around the time of the March 2003 EO, it would mean it was on the books (and, surely, known by David Addington) when he counseled Scooter Libby in July 2003 he could leak whatever it was Dick Cheney told him to leak to Judy Miller, up to and including Valerie Plame’s identity.

But I’m also interested that this footnote was classified under STLW, the Stellar Wind marking. That may not be definitive, especially given the innocuous reference to the OLC memo. But it’s possible that means the 2003 opinion — the decision to share or not share classified information according to the whim of the President — was tied to Stellar Wind. That would be interesting given that George Tenet and John Yoo were declaring Iraq and their claimed conspirators in the US were terrorists permissible for surveillance around the same time.

Finally, I assume this OLC memo, whatever it says, is still on the books. And given how it was interpreted in the past — that OLC could simply ignore reporting mandates — and that the government continued to flout reporting mandates until at least 2010, even those tied specifically to surveillance, I assume that the Executive still believes it can use a claimed unlimited authority over classification to trump legally mandated reporting requirements.

That’s worth keeping in mind as we debate a bill, USA F-ReDux, celebrated, in part, for its reporting requirements.

Alberto Gonzales: The Counsel Represented by Counsel and Babysat by Cheney’s Counsel

Footnote 147 of the DOJ IG Report on Stellar Wind (PDF 462-3) modifies a discussion of the discussions on March 6 and 7, 2004 in which Jack Goldsmith and Patrick Philbin informed David Addington and Alberto Gonzales that they could not reauthorize Stellar Wind — in spite of applying a relaxed standard of review — because the White House wanted them to affirm that John Yoo’s November 2, 2001 memo had covered the program, yet Yoo’s memo had not included all aspects of it (this likely pertains to the collection of Internet metadata from telecom switches, though it may also pertain to the collection on Iraqi targets).

After reporting Gonzales’ claimed reaction to the meetings at which DOJ’s lawyers told the White House the program was illegal, the report notes that Gonzales was lawyered up at his IG interview, but later provided further elaboration in writing.

Later on March 6, Goldsmith and Philbin went to the White House to meet with Addington and Gonzales to convey their conclusions that the [2 lines redacted] According to Goldsmith’s chronology of these events, Addington and Gonzales “reacted calmly and said they would get back with us.” Goldsmith told us that the White House was not worried that it was “out there,” meaning that it was implementing a program without legal support.

On Sunday afternoon, March 7, 2004, Goldsmith and Philbin met again with Addington and Gonzales at the White House. According to Goldsmith, the White House officials informed Goldsmith and Philbin that they disagreed with Goldsmith and Philbin’s interpretation of Yoo’s memoranda and on the need to change the scope of the NSA’s collection. Gonzales told us that he recalled the meetings of March 6 and March 7, 2004, but did not recall the specifics of the discussions. He said he remembered that the overall tenor of the meetings with Goldsmith was one of trying to “find a way forward.”147

147 As noted above, Gonzales was represented by counsel during his interview with the OIG. Also present during the interview because of the issue of executive privilege was a Special Counsel to the President, Emmitt Flood. We asked Gonzales whether the President had been informed by this point in time of the OLC position regarding the lack of legal support for the program and [redacted]. Flood objected to the question on relevancy grounds and advised Gonzales not to answer, and Gonzales did not provide us an answer. However, when Gonzales commented on a draft of the report, he stated that he would not have brought Goldsmith and Philbin’s “concerns” to the attention of the President because there would have been nothing for the President to act upon at this point. Gonzales stated that this was especially true given that Ashcroft continued to certify the program as to legality during this period. Gonzales stated he generally would only bring matters to the President’s attention if the President could make a decision about them.

Remember the situation Gonzales would have been in. The interview (and probably, though not certainly, the review of the draft) would have taken place in fall to winter 2008, when Bush was still in office.

Thus, the interview would have happened during the period or just after DOJ IG conducted an investigation into what amounted to a CYA file Gonzales had carried around in his briefcase — documents and draft documents relating to all the illegal programs in which he had been involved, including his notes pertaining to the hospital confrontation over Stellar Wind. There’s reason to believe he was referred for that investigation precisely because it was recognized as a CYA file and he was no longer regarded as loyal on surveillance issues.

In addition, at the time, too, DOJ was still considering whether to file charges against Gonzales for the US Attorney scandal. So it makes sense that Gonzales’ retained lawyer, George Terwilliger, was there (and it is somewhat surprising that, given that John Ashcroft got away without cooperating, Terwilliger let him cooperate).

But then there is Emmet Flood.

Both before and after his tenure in the White House Counsel’s office — where he was brought in to deal with the scandals of the late Bush Administration — Flood was (and remains) a partner at Williams & Connolly. And not just a partner. He was formally part of Dick Cheney’s defense team when Patrick Fitzgerald was honing in on the Vice President for leaking Valerie Plame’s identity, and Flood would remain involved in protecting Cheney even after moved onto the taxpayer dime.

Emmet Flood may have been there in the name of protecting Executive Privilege, but it was not Bush’s privilege Flood was protecting.

So we learn that on March 6, 2004, Goldsmith and Philbin tell Gonzales and Addington that parts of Stellar Wind have never been legal. On March 7, 2004, Gonzales and Addington come back and tell OLC’s lawyers they’re wrong.

And when DOJ’s IG asked Gonzales whether — in the interim day — he had informed the President about this, Cheney’s defense lawyer pipes up and tells him not to answer. Given that Bush apparently learned new details of all this 4 days later when Comey and Robert Mueller would tell him directly, the answer is no (which is consistent with what Gonzales said when Cheney’s lawyer wasn’t present).

Which leaves the logical and thoroughly unsurprising conclusion — but one Cheney’s taxpayer funded lawyer didn’t want included in a legal document — Cheney (who is not a lawyer, nor does he have Article II authority directly) is the one who told Gonzales and Addington to dig in.

Update: Flood also had Gonzales refuse to answer a question about whether anyone had thought to include DOJ in the meeting with Congress.

OLC Lowers Its Standards for Retroactive Legal Reviews

There’s an interesting passage in the DOJ IG discussion of Jack Goldsmith’s efforts to rewrite the Stellar Wind OLC memos (PDF 456).

The first passage describes Jim Comey permitting a lower standard of review to apply for activities already in process.

In explaining the rationale for the revise opinion, Comey described to the OIG his view of two approaches or standards that could be used to undertake legal analysis of government action. If the government is contemplating taking a particular action, OLC’s legal analysis will be based on a “best view of the law” standard. However, if the government already is taking the action, the analysis should instead focus on whether reasonable legal arguments can be made to support the continuation of the conduct.137

137 Goldsmith emphasized to us that this second situation almost never presents itself, and that OLC rarely is asked to furnish legal advise on an ongoing program because the pressure “to say ‘yes’ to the President” invariably would result in applying a lower standard of review. Goldsmith stated that OLC’s involvement in Stellar Wind was “unprecedented” because OLC is always asked to review the facts and formulate its advice “up front.”

If it was unprecedented on March 1, 2004, it quickly became common.

After all, Goldsmith was asked to consider how the Geneva Convention applied to various types of detainees in Iraq, after the Administration had already been and continued to render people out of that occupied country. And he was also in the midst of a review of the torture program.

Indeed, Daniel Levin, who would go on to reconsider torture approvals until Cheney booted him out of the way to have Steven Bradbury rubberstamp things, would have been a part of those discussions.

So when, in fall 2004, he was asked to reconsider torture, that lower standard of review would have been in his mind.

You could even say that this standard of review gave CIA an incentive to start and continue torturing Janat Gul, on whom they pinned their need to resume torture, even after they accepted he was not, as a fabricator had claimed, planning election year plots in the US. So long as they tortured Gul, Levin would be permitted to apply a lower standard to that torture.

In any case, if this was unprecedented then, I suspect it’s not anymore. After all, by the time David Barron first considered the drone killing memo for Anwar al-Awlaki, the Administration had apparently already tried to kill him once. And the Libyan war had already started when OLC started reviewing it (though they made a heroic effort to rule it illegal, which is a testament to just how illegal it was).

With regards to the Stellar Wind OLC, the discussion of what Goldsmith found so problematic is mostly redacted. Which is why I’m interested in his opinion that “‘we can get there’ as to [redacted] albeit by using an aggressive legal analysis.” That says that one of the things his opinion would approve — either the content collection of one-end foreign communications or the dragnet collection of telephone metadata — involved “aggressive legal analysis” even to meet this lower standard.

It’d sure be nice to know which practice was considered so marginally legal.

FBI’s Cell Phone Investigative Kiosk Would Allow Fourth Amendment Violations

Jim Comey wants to sacrifice individual security to ensure the FBI can access cell phones easily.

But in an audit of a forensic lab in Philadelphia, DOJ’s Inspector General found that the FBI is not keeping adequate control of the kiosks that FBI uses to do initial reviews of data on cell phones.

As the report describes, cell phone kiosks serve as a “preview” tool of the contents of the data stored on a phone.

Cell Phone Investigative Kiosks (Kiosks) are available at select FBI field offices and RCFLs. A Kiosk is a preview tool that allows users to quickly and easily view data stored on a cell phone, extract the data to use as evidence, put it into a report, and copy the report to an electronic storage device such as a compact disk. Kiosks are not designed to take the place of full-scale cell phone examinations performed by certified Forensic Examiners; however, the evidence produced by a Kiosk is admissible in a court of law. Kiosk users are required to take a one-time hour-long training course and be familiar with computers. In addition, FBI policy requires Kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media.

The FBI only recently started tracking who had access to these kiosks. And when DOJ IG audited this office’s use of the kiosk, it found that 27% of the people who were accessing it hadn’t filled out the requisite paperwork to ensure only appropriate people used it.

We found that the PHRCFL did not have adequate controls over the access and use of its Kiosks. FBI policy requires Kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media. During our fieldwork, the FBI did not provide any information to show that PHRCFL Kiosk users were required to sign-in, identify the case related to the evidence being examined, or, as required by FBI policy, confirm that they possessed the proper legal authority to search for evidence on the cell phone. In addition, the FBI did not provide us with any information regarding controls in place at the PHRCFL to ensure that users do not use the Kiosks for non-law enforcement matters.

[snip]

we conducted limited testing of 25 visits during FYs 2012 through 2014 to verify compliance with the procedures in place. When the PHRCFL began using the Acknowledgment Form in May 2012, its visitor’s log contained a field for the purpose of each visitor’s visit. We selected names from the visitor’s log whose stated purpose for the visit was Kiosk usage and compared those names and dates to the corresponding Acknowledgment Forms. For the 17 visits we selected between May 2012 and January 2013, we found that approximately 24 percent of the PHRCFL Kiosk-related visitor log entries did not have corresponding Acknowledgment Forms.

[snip]

We believe that although the Kiosks are an efficient tool for law enforcement officers to use to examine digital evidence that may not require the extensive examination of a certified Forensic Examiner, Kiosks are vulnerable to potentially serious abuse. For example, without proper controls, it is possible that a Kiosk user could use this tool to view private cell phone information for non-law enforcement purposes. It also is possible for a user to use a Kiosk without proper legal authority, thereby engaging in a Fourth Amendment violation.

Later in the report, the IG noted that none of the centralized databases tracking other uses of the forensic office track use of the kiosk. That, combined with the paperwork failures, would sure permit FBI to do a whole lot of illegal cell phone searching that would not be tracked.

Which might explain why the numbers FBI shows for searching cell phones don’t actually match Director Comey’s stated concerns about iPhone encrypting its phone.

Section 215’s Multiple Programs and Where They Might Hide after June 1

In an column explicitly limited to the phone dragnet, Conor Friedersdorf pointed to a post I wrote about Section 215 generally and suggested I thought the phone dragnet was about to get hidden under a new authority.

Marcy Wheeler is suspicious that the Obama Administration is planning to continue the dragnet under different authorities.

But my post was about more that just the phone dragnet. It was about two things: First, the way that, rather than go “cold turkey” after it ended the Internet dragnet in 2011 as the AP had claimed, NSA had instead already started doing the same kind of collection using other authorities that — while they didn’t collect all US traffic — had more permissive rules for the tracking they were doing. That’s an instructive narrative for the phone dragnet amid discussions it might lapse, because it’s quite possible that the Intelligence Community will move to doing far less controlled tracking, albeit on fewer Americans, under a new approach.

In addition, I noted that there are already signs that the IC is doing what Keith Alexander said he could live with a year ago: ending the phone dragnet in exchange for cybersecurity information sharing. I raised that in light of increasing evidence that the majority of Section 215 orders are used for things related to cybersecurity (though possibly obtained by FBI, not NSA). If that’s correct, Alexander’s comment would make sense, because it would reflect that it is working cybersecurity investigations under protections — most notably, FISC-supervised minimization — all involved would rather get rid of.

Those two strands are important, taken together, for the debate about Section 215 expiration, because Section 215 is far more than the dragnet. And the singular focus of everyone — from the press to activists and definitely fostered by NatSec types leaking — on the phone dragnet as Section 215 sunset approaches makes it more likely the government will pull off some kind of shell game, moving the surveillances they care most about (that is, not the phone dragnet) under some new shell while using other authorities to accomplish what they need to sustain some kind of  phone contact and connection chaining.

So in an effort to bring more nuance to the debate about Section 215 sunset, here is my best guess — and it is a guess — about what they’re doing with Section 215 and what other authorities they might be able to use to do the same collection.

Here are the known numbers on how Section 215 orders break out based on annual reports and this timeline.

215 Tracker

The Phone Dragnet

Since its transfer under Section 215 in 2006, the phone dragnet has generally made up 4 or 5 orders a year (Reggie Walton imposed shorter renewal periods in 2009 as he was working through the problems in the program). 2009 is the one known year where many of the modified orders — which generally involve imposed minimization procedures — were phone dragnet orders.

We  know that the government believes that if Section 215 were to sunset, it would still have authority to do the dragnet. Indeed, it not only has a still-active Jack Goldsmith memo from 2004 saying it can do the dragnet without any law, it sort of waved it around just before the USA Freedom  Act debate last year as if to remind those paying attention that they didn’t necessarily think they needed USAF (in spite of comments from people like Bob Litt that they do need a new law to do what they’d like to do).

But that depends on telecoms being willing to turn over the dragnet data voluntarily. While we have every reason to believe AT&T does that, the government’s inability to obligate Verizon to turn over phone records in the form it wants them is probably part of the explanation for claims the current dragnet is not getting all the cell records of Americans.

A number of people — including, in part, Ron Wyden and other SSCI skeptics in a letter written last June — think the government could use FISA’s PRTT authority (which does not sunset) to replace Section 215, and while they certainly could get phone records using it, if they could use PRTT to get what it wants, they probably would have been doing so going back to 2006 (the difference in authority is that PRTT gets actual activity placed, whereas 215 can only get records maintained (and Verizon isn’t maintaining the records the government would like it to, and PRTT could not get 2 hops).

For calls based off a foreign RAS, the government could use PRISM to obtain the data, with the added benefit that using PRISM would include all the smart phone data — things like address books, video messaging, and location — that the government surely increasingly relies on. Using PRISM to collect Internet metadata is one of two ways the government replaced the PRTT Internet dragnet. The government couldn’t get 2 hops and couldn’t chain off of Americans, however.

I also suspect that telecoms’ embrace of supercookies may provide other options to get the smart phone data they’re probably increasingly interested in.

For data collected offshore, the government could use SPCMA, the other authority the government appears to have replaced the PRTT Internet dragnet with. We know that at least one of the location data programs NSA has tested out works with SPCMA, so that would offer the benefit of including location data in the dragnet. If cell phone location data is what has prevented the government from doing what they want to do with the existing phone dragnet, SPCMA’s ability to incorporate location would be a real plus for NSA, to the extent that this data is available (and cell phone likely has more offshore availability than land line).

The government could obtain individualized data using NSLs — and it continues to get not just “community of interest” (that is, at least one hop) from AT&T, but also 7 other things that go beyond ECPA that FBI doesn’t want us to know about. But using NSLs may suffer from a similar problem to the current dragnet, that providers only have to provide as much as ECPA requires. Thus, there, too, other providers are probably unwilling to provide as much data as AT&T.

Telecoms might be willing to provide data the government is currently getting under 215 under CISA and CISA collection won’t be tied in any way to ECPA definitions, though its application is a different topic, cybersecurity (plus leaks and IP theft) rather than terrorism. So one question I have is whether, because of the immunity and extended secrecy provisions of CISA, telecoms would be willing to stretch that?

Other Dragnets

In addition to the phone dragnet, FBI and other IC agencies seem to operate other dragnets under Section 215. It’s probably a decent guess that the 8-13 other 215 orders prior to 2009 were for such things. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year. Other items discussed involve hotel dragnets and explosives precursor dragnets, the latter of which would have been expanded after the 2009 Najibullah Zazi investigation. In other words, there might be up to 5 dragnets, each representing 4-5 orders a year (assuming they work on the same 90-day renewal cycle), so a total of around 22 of the roughly 175 orders a year that aren’t the phone dragnet (the higher numbers for 2006 are known to be combination orders both obtaining subscription data for PRTT orders and location data with a PRTT order; those uses stopped in part with the passage of PATRIOT reauthorization in 2006 and in part with FISC’s response to magistrate rulings on location data from that year).

Some of these dragnets could be obtained, in more limited fashion, with NSLs (NSLs currently require reporting on how many US persons are targeted, so we will know if they move larger dragnets to NSLs). Alternately, the FBI may be willing to do these under grand jury subpoenas or other orders, given the way they admitted they had done a Macy’s Frago Elite pressure cooker dragnet after the Boston Marathon attack. The three biggest restrictions on this usage would be timeliness (some NSLs might not be quick enough), the need to have a grand jury involved for some subpoenas, and data retention, but those are all probably manageable hurdles.

The Internet content

Finally, there is the Internet content — which we know makes up for a majority of Section 215 orders — that moved to that production from NSLs starting in 2009. It’s probably a conservative bet that over 100 of current dragnet orders are for this kind of content. And we know the modification numbers for 2009 through 2011 — and therefore, probably still — are tied to minimization procedure requirements imposed by the FISC.

A recent court document from a Nicholas Merrill lawsuit suggests this production likely includes URL and data flow requests. And the FBI has recently claimed –for what that’s worth — that they rely on Section 215 for cybersecurity investigations.

Now, for some reason, the government has always declined to revise ECPA to restore their ability to use NSLs to obtain this collection, which I suspect is because they don’t want the public to know how extensive the collection is (which is why they’re still gagging Merrill, 11 years after he got an NSL).

But the data here strongly suggests that going from NSL production to Section 215 production has not only involved more cumbersome application processes, but also added a minimization requirement.

And I guarantee you, FBI or NSA or whoever is doing this must hate that new requirement. Under NSLs, they could just horde data, as we know both love to do, the FBI even more so than the NSA. Under 215s, judges made them minimize it.

As I noted above, this is why I think Keith Alexander was willing to do a CISA for 215 swap. While CISA would require weak sauce Attorney General derived “privacy guidelines,” those would almost certainly be more lenient than what FISC orders, and wouldn’t come with a reporting requirement. Moreover, whereas at least for the phone dragnet, FISC has imposed very strict usage requirements (demanding that a counterterrorism dragnet be used only for counterterrorism purposes), CISA has unbelievably broad application once that data gets collected — not even requiring that terrorist usages be tied to international terrorism, which would seem to be a violation of the Keith Supreme Court precedent).

All of this is to suggest that for cybersecurity, IP theft, and leak investigations, CISA would offer FBI their ideal collection approach. It would certainly make sense that Alexander (or now, Admiral Mike Rogers and Jim Comey) would be willing to swap a phone dragnet they could largely achieve the same paltry results for using other authorities if they in exchange got to access cybersecurity data in a far, far more permissive way. That’d be a no-brainer.

There’s just one limitation on this formula, potentially a big one. CISA does not include any obligation. Providers may share data, but there is nothing in the bill to obligate them to do so. And to the extent that providers no longer provide this data under NSLs, it suggests they may have fought such permissive obligation in the past. It would seem that those same providers would be unwilling to share it willingly.

But my thoughts on CISA’s voluntary nature are for another post.

One final thought. If the government is contemplating some or all of this, then it represents an effort — one we saw in all versions of dragnet reform to greater (RuppRoge) or lesser degrees (USAF) — to bypass FISC. The government and its overseers clearly seem to think FISC-ordered minimization procedures are too restrictive, and so are increasingly (and have been, since 2009) attempting to replace the role played by an utterly dysfunctional secret court with one entirely within the Executive.

This is the reason why Section 215 sunset can’t be treated in a vacuum: because, to the extent that the government could do this in other authorities, it would largely involve bypassing what few restrictions exist on this spying. Sunsetting Section 215 would be great, but only if we could at the same time prevent the government from doing similar work with even fewer controls.

FBI’s Preventative Role: Hygiene for Corporations, Spies for Muslims

I’m still deep in this 9/11 Follow-up Report FBI, which Jim Comey and now-retired Congressman Frank Wolf had done last year and which released the unsurprising topline conclusion that Jim Comey needs to have more power, released earlier this week.

About the only conclusion in the report that Comey disagreed with — per this Josh Gerstein report — is that it should get out of the business of Countering Violent Extremism.

Comey said he agreed with many of the report’s recommendations, but he challenged the proposal that the FBI leave counter-extremism work to other agencies.

“I respectfully disagree with the review commission,” the director said. “It should not be focused on messages about faith it should not be socially focused, but we have an expertise … I have these people who spend all day long thinking dark thoughts and doing research at Quantico, my Behavioral Analysis Unit. They have an incredibly important role to play in countering violent extremism.”

Here’s what the report had to say about FBI and CVE (note, this is a profoundly ahistorical take on the serial efforts to CVE, but that’s just one of many analytical problems with this report).

The FBI, like DHS, NCTC, and other agencies, has made an admirable effort to counter violent extremism (CVE) as mandated in the White House’s December 2011 strategy, Empowering Local Partners to Prevent Violent Extremism in the United States. In January 2012, the FBI established the Countering Violent Extremism Office (CVEO) under the National Security Branch.322 The CVEO was re-aligned in January 2013 to CTD’s Domestic Terrorism Operations Section, under the National JTTF, to better leverage the collaborative participation of the dozens of participating agencies in FBI’s CVE efforts.323 Yet, even within FBI, there is a misperception by some that CVE efforts are the same as FBI’s community outreach efforts. Many field offices remain unaware of the CVE resources available through the CVEO.324 Because the field offices have to own and integrate the CVE portfolio without the benefit of additional resources from FBI Headquarters, there is understandably inconsistent implementation. The Review Commission, through interviews and meetings, heard doubts expressed by FBI personnel and its partners regarding the FBI’s central role in the CVE program. The implementation had been inconsistent and confusing within the FBI, to outside partners, and to local communities.325 The CVEO’s current limited budget and fundamental law enforcement and intelligence responsibilities do not make it an appropriate vehicle for the social and prevention role in the CVE mission. Such initiatives are best undertaken by other government agencies. The Review Commission recommends that the primary social and prevention responsibilities for the CVE mission should be transferred from the FBI to DHS or distributed among other agencies more directly involved with community interaction.

[snip]

(U) Recommendation 6: The Review Commission recommends that the primary social and prevention responsibilities for the CVE mission should be transferred from the FBI to DHS or distributed among other agencies more directly involved with community interaction.

For what it’s worth, Muslim communities increasingly agree that the FBI — and the federal government generally — should not be in the business of CVE. But that’s largely because the government approaches it with the same view Comey does: by thinking immediately of his analysts thinking dark thoughts at Quantico. So if some agency that had credibility — if some agency had credibility — at diverting youth (of all faiths) who might otherwise get caught in an FBI sting, I could support it moving someplace else, but I’m skeptical DHS or any other existing federal agency is that agency right now.

While the Review doesn’t say explicitly in this section what it wants the FBI to be doing instead of CVE, elsewhere it emphasizes that it wants the FBI to do more racial profiling (AKA “domain awareness”) and run more informants. Thus, I think it fair to argue that the Ed Meese-led panel thinks the FBI should spy on Muslims, not reach out to them. Occupation-style federal intelligence gathering, not community based.

Which is why I think this approach to Muslim communities should be compared directly with the Review’s approach with corporations. The same report that says FBI should not be in the business of CVE — which done properly is outreach to at-risk communities — says that it should accelerate and increase its funding for its outreach to the private sector.

(U) Recommendation 5: The Review Commission recommends that the FBI enhance and accelerate its outreach to the private sector.

  • (U) The FBI should work with Congress to develop legislation that facilitates private companies’ communication and collaboration and work with the US Government in countering cyber threats.
  • (U) The FBI should play a prominent role in coordinating with the private sector, which the Review Commission believes will require a full-time position for a qualified special agent in the relevant field offices, as well as existing oversight at Headquarters.

Indeed, in a paragraph explaining why the FBI should add more private sector liaisons (and give them the same credit they’d get if they recruited corporations as narcs, only corporations shouldn’t be called “sources” because it would carry the stigma of being a narc), the Review approvingly describes the FBI liaison officers working with corporations to promote better Internet hygiene.

The Review Commission learned that the FBI liaison positions have traditionally been undervalued but that has begun to change as more experienced special agents take on the role, although this has not yet resulted in adequate numbers of assigned special agents or adequate training for those in the position. One field office noted that it had 400 cleared defense contractors (CDCs) in its AOR—ranging from large well known names to far smaller enterprises—with only one liaison officer handling hundreds of CDCs. This field office emphasized the critical need for more liaison officers to conduct outreach to these companies to promote better internet hygiene, reduce the number of breaches, and promote long-term cooperation with the FBI.319 Another field office noted, however, some sensitivity in these liaison relationships because labeling private sector contacts as sources could create a stigma. The field office argued that liaison contacts should be considered valuable and special agents should receive credit for the quality of liaison relationships the same way they do for CHSs.320

Ed Meese’s panel wants the FBI to do the digital equivalent of teaching corporations to blow their nose and wash their hands after peeing, but it doesn’t think the FBI should spend time reaching out to Muslim communities but should instead spy on them via paid informants.

Maybe there are good reasons for the panel’s disparate recommended treatment of corporations and Muslim communities. If so, the Review doesn’t explain it anywhere (though the approach is solidly in line with the Intelligence Committees’ rush to give corporations immunity to cyber share information with the federal government).

But it does seem worth noting that this panel has advocated the nanny state for one stakeholder and STASI state for another.

The Unopened Torture Report and Trusting CIA on Other Covert Operations

Yesterday, Pat Leahy issued a Sunshine Week statement criticizing Richard Burr for attempting to reclaim all copies of the Torture Report, but also complaining that State and DOJ haven’t opened their copy of the Torture Report.

I also was appalled to learn that several of the agencies that received the full report in December have not yet opened it.  In a Freedom of Information Act (FOIA) lawsuit seeking release of the full report, Justice Department and State Department officials submitted declarations stating that their copies remain locked away in unopened, sealed envelopes.  I do not know if this was done to attempt to bolster the government’s position in the FOIA lawsuit, or to otherwise avoid Federal records laws.  I certainly hope not.  Regardless of the motivation, it was a mistake and needs to be rectified.

The executive summary of the torture report makes clear that both the State Department and the Justice Department have much to learn from the history of the CIA’s torture program.  Both agencies were misled by the CIA about the program.  Both should consider systemic changes in how they deal with covert actions.  Yet neither agency has bothered to open the final, full version of the report, or apparently even those sections most relevant to them.

Today, Ron Wyden issued a Sunshine Week release linking back to a February 3 letter Eric Holder is still ignoring.  The letter — which I wrote about here — addresses 4 things: 1) the unclear limits on the President’s ability to kill Americans outside of war zones 2) the common commercial service agreement OLC opinion that should be withdrawn 3) some action the Executive took that Wyden and Russ Feingold wrote Holder and Hillary about in late 2010 and 4) DOJ’s failure to even open the Torture Report. Wyden’s statement, lumps all these under “secret law.”

U.S. Senator Ron Wyden, D-Ore., renewed his call for Attorney General Eric Holder to answer crucial questions on everything from when the government believes it has the right to kill an American to secret interpretations of law. The Justice Department has ignored these questions or declined to answer them, in some cases for years.

[snip]

“It is never acceptable to keep the basic interpretations of U.S. law secret from the American people. It doesn’t make our country safer, and erodes the public’s confidence in the government and intelligence agencies in particular,” Wyden said. “While it is appropriate to keep sources, methods and operations secret, the law should never be a mystery. Sunshine Week is the perfect time for the Justice Department to pull back the curtains and let the light in on how our government interprets the law.”

This may be secret law.

But I find it interesting that both Wyden’s letter and Leahy’s statement tie covert operations to the lessons from the Torture Report.

There are many reasons DOJ (and FBI) are probably refusing to open the Torture Report. The most obvious — the one everyone is pointing to — is that by not opening it, these Agencies keep it safe from the snooping FOIAs of the ACLU and Jason Leopold.

But the other reason DOJ and FBI might want to keep this report sealed is what it says about the reliability of the CIA.

The CIA lied repeatedly to DOJ, FBI, and FBI Director Jim Comey (when he was Deputy Attorney General) specifically. Specifically, they lied to protect the conduct of what was structured as a covert operation, CIA breaking the law at the behest of the President.

Of course, both DOJ generally and FBI specifically continue to partner with CIA as if nothing has gone on, as if the spooks retain the credibility they had back in 2001, as if they should retain that credibility. (I’m particularly interested in the way FBI participated in the killing of Anwar al-Awlaki, perhaps relying on CIA’s claims there, too, but it goes well beyond that.)

That’s understandable, to a point. If DOJ and the FBI are going to continue pursuing (especially) terrorists with CIA, they need to be able to trust them, to trust they’re not being lied to about, potentially, everything.

Except that ignores the lesson of the Torture Report, which is that CIA will lie about anything to get DOJ to rubber stamp criminal behavior.

No wonder DOJ and FBI aren’t opening that report.

1 2 3 8
Emptywheel Twitterverse
JimWhiteGNV Groundhog Day. Train. Fade away. Train again. Rinse. Repeat. https://t.co/xrqmhJKFa0
1hreplyretweetfavorite
bmaz @PhilPerspective @R_Ephemeral @walterwkatz To paint the picture to explain the other conduct.
3hreplyretweetfavorite
emptywheel @regretblues Interesting. thanks.
3hreplyretweetfavorite
emptywheel RT @FSIStanford: Taubman: Presumably the Senate Intelligence Committee was aware of everything Snowden exposed. No, says Feinstein. #Securi
4hreplyretweetfavorite
emptywheel RT @FSIStanford: Feinstein: We don't know who or how, but Leon Panetta had asked his staff to "assess" what our Intelligence Committee was …
4hreplyretweetfavorite
emptywheel @adambonin Yeah. I bet @ddayen could invent some competition that would distinguish Spelling wasp from fruit fly.
4hreplyretweetfavorite
emptywheel @adambonin I'd say a POTUS debate but they'd look good by comparison, I guess.
4hreplyretweetfavorite
emptywheel @adambonin Why not make them face off in skills neither is good at, like all good reality shows?
4hreplyretweetfavorite
JimWhiteGNV Aaand there are now a ton of SD Police on motorcycles. Moving on to previously planned destination...
4hreplyretweetfavorite
JimWhiteGNV Previous tweet: this is a demonstration against Border Patrol violence.
4hreplyretweetfavorite
emptywheel How can something as cutthroat as the Spelling Bee end in a tie? It's not right.
4hreplyretweetfavorite
May 2015
S M T W T F S
« Apr    
 12
3456789
10111213141516
17181920212223
24252627282930
31