With Upcoming David Medine Departure, Will PCLOB Slip Back into Meaninglessness?

The Chair of the Privacy and Civil Liberties Oversight Board, David Medine, has announced he will resign effective  July 1 to work with a development organization “advising on data privacy and consumer protection for lower-income financial consumers.”

The move comes not long after Congress has, in several ways, affirmatively weakened or unexpectedly stopped short of expanding PCLOB’s mandate, by ensuring it could not review any covert programs, and by eliminating a PCLOB oversight role under OmniCISA.

In Medine’s statement, he promised the board would continue to work on their examination of CT activities relating to EO 12333.

I look forward to continuing to work on PCLOB’s current projects until my departure. I am pleased to know that, even after my departure, the Board Members and our dedicated staff remain committed to carrying forward the Board’s critical work, including its ongoing examination of counterterrorism activities under Executive Order 12333.

The EO 12333 approach (and the two CIA programs to examine) was formally approved July 1, a year to the day before Medine’s departure. It was initially scheduled to be done by the end of last year. But in their most recent semi-annual report (released at the end of December), PCLOB noted they were just starting on their public report.

In July, the Board voted to approve two in-depth examinations of CIA activities conducted under E.O. 12333. Board staff has subsequently attended briefings and demonstrations, as well as obtained relevant documents, related to the examinations. The Board also received a series of briefings from the NSA on its E.O. 12333 activities. Board staff held follow-up sessions with NSA personnel on the topics covered and on the agency’s E.O. 12333 implementing procedures. Just after the conclusion of the Reporting Period, the Board voted to approve one in-depth examination of an NSA activity conducted under E.O. 12333. Board staff are currently engaging with NSA staff to gather additional information and documents in support of this examination. Board staff also began work developing the Board’s public report on E.O. 12333, described above.

So while Medine promises PCLOB will continue to work on the EO 12333 stuff, I do worry that it will stall after his departure. I’m concerned, as well, about the makeup of the board. Board member Jim Dempsey’s term officially ended on January 29, though President Obama nominated him for another term on March 17, which means he will serve out 2016 (I believe as a temporary appointment until the end of the congressional term, but am trying to confirm; Update: this stems from PCLOB’s statute, but the appointment would extend through the end of the Congressional term), and longer if and when the Senate confirms him. But Medine’s departure will leave 2 members (counting Dempsey) who have been firmly committed to conducting this review, Rachel Brand, who has been lukewarm but positive, and Elisabeth Collins Cook who was originally opposed. That is, unless Medine is replaced in timely fashion (and given that this is a multiple year appointment, Republicans would have incentive to stall to get a GOP Chair), the board may be split on its commitment to investigating these issues.

There are a few other things happening on the EO 12333 front. Most urgently, the Intelligence Community is as we speak implementing new procedures for the sharing of EO 12333 with law enforcement agencies. PCLOB was involved in a review of those procedures, and had successfully pressed for more controls on the FBI’s back door access to 702 data (which is one reason I find the timing of Medine’s departure of particular concern). Two years after PCLOB first outed Treasury as having no EO 12333 implementing guidelines, they still have none.

That is, particularly after Congress’ successful attempts at undercutting PCLOB’s power, Medine’s departure has me seriously worried about whether the Intelligence Committee is willing to undergo any scrutiny of its EO 12333 activities.

Raj De and the Back-Door Loophole

As I already noted, NSA General Counsel lied in today’s PCLOB hearing when he said the use of Section 215 to conduct a phone dragnet had the indicia of legitimacy because Congress twice reauthorized the PATRIOT after the executive had given it full information.

We know that the 2010 freshman class — with the exception of the 7 members who served on the Judiciary or Intelligence Committees — did not have opportunity to learn the most important details about the phone dragnet before reauthorizing PATRIOT in 2011. And it appears DOJ withheld from the Judiciary and Intelligence the original phone dragnet opinion — and they clearly withheld significant FISC materials on it — until August 2010, after PATRIOT had been reauthorized the first time. I trust Ben Wittes, who wants to prevent Jim Sensenbrenner from commenting on NSA’s secrecy because he’s dishonest about his own role, applies a similar standard to Raj De.

But I was even more interested in the way De answered Center for Democracy and Technology’s Jim Dempsey’s question about the back-door loophole in which NSA searches on incidentally collected US person data (starting at 2:09:00).  Dempsey asked whether NSA needed something like the Reasonably Articulable Suspicion before it searched incidental US person data. De treated the question as nonsensical, given that when you collect on a particular phone number in the criminal context you don’t need to ignore what you find.

In other words, the NSA has a lower standard for access this content than they do for accessing the metadata of our phone calls.

Curiously, though, De tried to tout the minimization of both 702 and EO 12333 collection to present this as reasonable.

By minimization, Dempsey asked, you mean you keep it.

De insisted that no, there’s minimization at each step of the process.

I get how he was trying to use this blatant dodge. I get that the NSA assumes they can take everything so long as they’re careful about how they sent it around.

But make no mistake. NSA searches on the data before it gets minimized.

Here’s how this year’s Semiannual Compliance Review, submitted by the Attorney General and Director of National Intelligence, describes this practice.

NSA’s querying of unminimized Section 702-acquired communications using United States person identifiers (page 7)

Here’s how John Bates referred to the practice, based on a submission the NSA had made itself (though before De was writing the documents), in his October 3, 2011 opinion.

The government has broadened Section 3(b)(5) to allow NSA to query the vast majority of its Section 702 collection using United States-Person identifiers, subject to approval pursuant to internal NSA procedures and oversight by the Department of Justice. Like all other NSA queries of the Section 702 collection, queries using United States-person identifiers would be limited to those reasonably likely to yield foreign intelligence information. (page 22-23)

Bates justifies this practice by pointing to another agency’s (almost certainly FBI) use of the practice, which he describes as,

an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information.

The NSA has restrictions about circumstances in which they can share this data (which arguably will be expanded under Dianne Feinstein’s FakeFISAFix). But they allow the NSA to share this data if it is “foreign intelligence,” evidence of a crime, and evidence of a threat to life-which-to-NSA-means-property.

They can sweep up entire countries worth of Internet traffic. They can sweep up entire mailboxes overseas. And then go in, without a warrant, and “discover” evidence of crime.