Posts

Annual FISC Report Suggests the Court Did Not Approve ANY Section 702 Certificate in 2016

The Administrative Office of the Courts just released the FISC annual report, the first full year report issued after USA Freedom Act.

I’ll work on more analysis in a moment, but wanted to point to something that is fairly remarkable, if I’m reading the report correctly.

Here’s the top line report for the year. Note, in particular, the 1881a line.

As last year’s report did, this year’s redacts the number of certificates the government applied for. But then the footnote reads, in part,

The government submitted this number of certification(s) during calendar year 2016 but the Court did not take action on any such certification(s) within the calendar year.

That, plus the “0”s in the table, seems to state clearly that the FISC did not approve last year’s Section 702 application.

What that likely means, given the precedent set in 2011, is that the government submitted applications (usually they do this with a month of lead time), but the court would not approve the applications as submitted. In 2011, the government got a series of extensions, so 702 never lapsed. The prior approval before last year was November 6, 2015, so it would only have had to have been extended 2 months to get into this year. So that seems to suggest there was at least a three month (application time plus extension) delay in approving the certifications for this year.

Note, too, that the report shows the only amicus appointed last year was Marc Zwillinger for a known PRTT application, so this hold up wasn’t even related to an amicus complaint.

In any case, this may reflect significant issues with 702.

Update: Here’s the 2011 702 opinion, which documents the last known time this happened (though there must have been a roughly month-long delay once since then). After submitting an application in April for May reauthorization, the government got two 60-day extensions, and one more month-long extensions, with final approval on October 3, 2011. It appears there was no big problem with getting the extensions (though at one point, Bates had a meeting with DOJ to tell them he was serious about the reapproval process), so presumably any extension in November would have been granted without much fuss.

One other thing that is worth noting. On September 27, 2016, then Assistant Attorney General John Carlin announced he would be leaving in a month. Mary McCord (who announced her own departure today) took over on October 15. So the transition between the two of them would have happened in the weeks before the certificates would have normally been reauthorized. Whatever Carlin’s reasons for leaving (which has never been made public, as far as I know) the transition between the two of them may have exacerbated any delay.

While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704

On Tuesday, the Senate Judiciary Committee had a public hearing on FISA Amendments Act reauthorization, which will take place in the next year. The hearing was treated as solely the reauthorization of Section 702 of FAA. But in fact, all of Title VII needs to be reauthorized. Which is why I think Congress should reform Section 704 — or at the very least, as a whole lot more question about how it (and by association EO 12333) is used against Americans.

As a reminder, here are the parts of Title VII authorizing collection (there are also some transparency provisions):

  • 702: Permits the government to target non-US persons located overseas based on only a FISA review of broad certifications; includes PRISM and upstream
  • 703: Requires NSA to obtain an individualized order when targeting electronic communications of US persons overseas; this is basically for collection on US persons overseas with the assistance of providers in the US
  • 704: Requires NSA to obtain an individualized order when targeting US persons overseas using means for which they’d have a reasonable expectation of privacy in the US; this is basically for spying on US persons overseas collecting overseas
  • 705a: Permits the government to apply for joint applications, effectively permitting them to do both 703 and 704 authorized spying
  • 705b: Permits the Attorney General to approve spying for US persons targeted under traditional FISA when they are located overseas

My interest in Section 704 stems from a fact that no one appears to know: NSA doesn’t use Section 703 of FAA. At all.

There’s a still-unreleased Snowden document that states that explicitly (something to the effect of, “to date [which date was probably 2012], the NSA has not used this authority”). But even some public documents make this clear. For example, the Q1 2012 Intelligence Oversight Board report, which broke out reporting for all FISA authorities used (the hidden authority is probably Title IV), lists only 704 and 705b, not 703 or 705a. More starkly, a 2010 NSA IG Report (PDF 10) discussing FISA authorities only names traditional FISA, Section 704, and Section 705b, which may mean 705a is not used either.

Screen Shot 2016-05-13 at 3.38.08 AM

I’ve been asking what this means since I first figured this out (so for two years) and not a single person has been able to explain it to me. To be fair, most simply don’t believe me that Section 703 is not used and so just blow off my question.

I think this means one (or a combination) of several things:

  • No surveillance of Americans overseas takes place with the assistance of US providers (which would trigger 703)
  • The government has some interpretation — perhaps a corollary to their claim that Americans have no expectation of privacy for any international communications — that claims they can use a lower standard for people overseas
  • The government uses traditional FISA even on people located overseas

I used to think it was this last one: that the government just went through the trouble of getting a traditional order every time it targeted a US person, meaning they’d also give the person full FISA notice if that person were prosecuted. Except I think using a traditional order to target an American overseas is actually a violation (!) that gets reported to IOB.

If it’s not that, then you would think it’d have to be the wacky interpretation, the middle option. After all, Americans are at least as likely to use Gmail as foreigners are, so to get the Gmail of Americans overseas, the NSA would presumably ask Google for assistance, and therefore trigger 703, unless there were a wacky legal interpretation to bypass that. There are things that make it clear NSA has a great deal of redundancy in its collection, even with PRISM collection, which makes it clear they do double dip, obtaining even Gmail overseas and domestically (which is why they’d have GCHQ hack Google’s overseas fiber). It’s possible, though, that the NSA conducts so much bulk collection overseas it is actually easier (or legally more permissive) to just collect US person content from bulk collections obtained overseas, thereby bypassing any domestic provider and onerous legal notice. I suppose it’s also possible that NSA now uses 703 (my proof they don’t dates to 2012 or earlier), having had to resort to playing by the rules as more providers lock up their data better in the wake of the Snowden revelations. (Note, Mieke Eoyang has an interesting FAA suggestion that would require exclusivity when NSA accesses content from US providers, thereby preventing them from stealing Google data overseas.)

My first point, then, in raising 704 is to say Congress and advocates should use this opportunity to figure out which of these options it is. Why is it that members of Congress still brag about having got NSA to accede to 703 when 703 is not used? What does it mean that they’re not using it?

But here’s my other concern. If the first option is the answer — that is, if overseas collection is so thorough that NSA can collect on someone, if there are reasons to, without using any provider, it means there’s a shit-ton of American content — both of people located in the US and overseas — accessible in NSA’s collections. We knew that. But it’d say even US provider content is available in great volume (which would be doable for any of them not using encryption in motion).

My other concern is that Americans overseas may actually have more protections than Americans in the US.

FISA is pretty strict about location: the 700s only apply to people overseas, except for 705b, which is supposed to be tied to someone mostly in the US but heading to China on a business trip. Screwing that up is a violation that gets reported to the IOB.

Add to that the fact that (as I understand it) NSA can access already-collected US person content collected under EO 12333 with the approval of the Attorney General.

If I’m right about all this (a big if, given how little anyone knows about this), then it would say accessing the bulk collected communications of an American overseas would require a 704 order, whereas accessing the bulk collected communications of an American who was herself located in the US, but whose communications were located overseas, would only require AG approval. That can’t be right, can it? Perhaps 704 gives the government some added authorities, such as the ability to target someone using XKeyscore. But we know NSA has collected “vast troves” of US person data overseas, and we know that Assistant Attorney General John Carlin doesn’t think his department should oversee that collection at all! Carlin stated clearly in February 2014 that even “vast troves” of US person data collected “incidentally” (which, under bulk collection, would mean all of it transiting overseas) get no FISA protection.

So in addition to politely requesting that Congress figures out how it is that NSA doesn’t use Section 703, at all, I’d also like to politely suggest that 704 protections or the equivalent be extended to Americans who are located in the US but whose communications have gone to Europe without them.

There has been a lot of discussion about how the NSA accesses the content of US persons who are themselves located in the US but whose communications get collected “overseas.” That has been treated as an EO 12333 issue (and as such, something that would take pulling teeth to get the Executive to agree to change). But there’s a mirror image of that problem, I think, in the Section 704 question. So perhaps shoring up Section 704 is the way to deal with both?

John Carlin Complains that ISIL Is Targeting Same Youth FBI Long Has Been

I’m reviewing some of the videos from the Aspen Security Forum. This one features DOJ Assistant Attorney General for National Security John Carlin and CIA General Counsel Caroline Krass.

I’m including it here so you can review Carlin’s complaints in the first part of the video. He explains to Ken Dilanian that ISIL’s recruiting strategy is different from Al Qaeda’s in that they recruit the young and mentally ill. He calls them children, repeatedly, but points to just one that involved a minor. 80% are 40 and under, 40% are 21 and under. In other words, he’s mostly complaining that ISIL is targeting young men who are in their early 20s. He even uses the stereotype of a guy in his parents’ basement, interacting on social media without them knowing.

Carlin, of course, has just described FBI’s targeting strategy for terrorist stings, where they reach out to young men — many with mental disabilities — over social media, only then to throw an informant or undercover officer at the target, to convince him to press the button that (the target believes) will detonate a bomb — though of course the bomb is an FBI-supplied inert bomb. He should know this, because before the end of the panel, he invokes Mohamed Osman Mohamud, the Portland youth convicted for pressing a button who was first targeted by FBI’s informant when he was 16 or so (and whose father asked FBI for help, only to have them target his son).

I’m not contesting the truth of Carlin’s claims. But if this is a new strategy — essentially adopting the strategy the FBI has used since 9/11 (and especially since 2009) — one that Carlin deems especially outrageous, then it ought to reflect back on FBI’s practice. If it is outrageous for ISIL to target young and in some cases mentally unstable men because they are so vulnerable because they’re not yet old enough to resist, then it should also be considered outrageous for FBI to do the same to fluff their terrorism conviction rates. Plus, Carlin’s depiction of this as a new strategy suggests all those earlier targeted young men may not have been recruited by core al Qaeda.

Not to mention, the vulnerability of this population ought to point to a different way of combatting terrorism (and domestic terrorism, which has been a bigger problem in recent weeks): to make this community less vulnerable.

 

The Emergency EO 12333 Fix: Section 309

In a last minute amendment to the Intelligence Authorization, the House and Senate passed a new section basically imposing minimization procedures for EO 12333 or other intelligence collection not obtained by court order. (See Section 309)

(3) Procedures.–

(A) Application.–The procedures required by paragraph (1) shall apply to any intelligence collection activity not otherwise authorized by court order (including an order or certification issued by a court established under subsection (a) or (b) of section 103 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803)), subpoena, or similar legal process that is reasonably anticipated to result in the acquisition of a covered communication to or from a United States person and shall permit the acquisition, retention, and dissemination of covered communications subject to the limitation in subparagraph (B).

(B) Limitation on retention.–A covered communication shall not be retained in excess of 5 years, unless–

(i) the communication has been affirmatively determined, in whole or in part, to constitute foreign intelligence or counterintelligence or is necessary to understand or assess foreign intelligence or counterintelligence;

(ii) the communication is reasonably believed to constitute evidence of a crime and is retained by a law enforcement agency;

(iii) the communication is enciphered or reasonably believed to have a secret meaning;

(iv) all parties to the communication are reasonably believed to be non-United States persons;

(v) retention is necessary to protect against an imminent threat to human life, in which case both the nature of the threat and
the information to be retained shall be reported to the congressional intelligence committees not later than 30 days after the
date such retention is extended under this clause;

(vi) retention is necessary for technical assurance or compliance purposes, including a court order or discovery obligation, in which case access to information retained for technical assurance or compliance purposes shall be reported to the congressional
intelligence committees on an annual basis; or

(vii) retention for a period in excess of 5 years is approved by the head of the element of the intelligence community responsible for such retention, based on a determination that retention is necessary to protect the national security of the United States, in which case the head of such element shall provide to the congressional intelligence committees a written certification describing–
(I) the reasons extended retention is necessary to protect the national security of the United States; (II) the duration for which the head of the element is authorizing retention;

(III) the particular information to be retained; and

(IV) the measures the element ofthe intelligence community is taking toprotect the privacy interests of UnitedStates persons or persons locatedinside the United States.

The language seems to be related to — but more comprehensive than — language included in the RuppRoge bill earlier this year. That, in turn, seemed to arise out of concerns raised by PCLOB that some unnamed agencies had not revised their minimization procedures in the entire life of EO 12333.

Whereas that earlier passage had required what I’ll call Reagan deadenders (since they haven’t updated their procedures since him) to come up with procedures, this section effectively imposes minimization procedures similar to, though not identical, to what the NSA uses: 5 year retention except for a number of reporting requirements to Congress.

I suspect these are an improvement over whatever the deadenders have been using But as Justin Amash wrote in an unsuccessful letter trying to get colleagues to oppose the intelligence authorization because of the late addition, the section provides affirmative basis for agencies to share US person communications whereas none had existed.

Sec. 309 authorizes “the acquisition, retention, and dissemination” of nonpublic communications, including those to and from U.S. persons. The section contemplates that those private communications of Americans, obtained without a court order, may be transferred to domestic law enforcement for criminal investigations.

To be clear, Sec. 309 provides the first statutory authority for the acquisition, retention, and dissemination of U.S. persons’ private communications obtained without legal process such as a court order or a subpoena. The administration currently may conduct such surveillance under a claim of executive authority, such as E.O. 12333. However, Congress never has approved of using executive authority in that way to capture and use Americans’ private telephone records, electronic communications, or cloud data.

[snip]

In exchange for the data retention requirements that the executive already follows, Sec. 309 provides a novel statutory basis for the executive branch’s capture and use of Americans’ private communications. The Senate inserted the provision into the intelligence reauthorization bill late last night.

Which raises the question of what the emergency was to have both houses of Congress push this through at the last minute? Back in March, after all, RuppRoge was happy to let the agencies do this on normal legislative time.

I can think of several possibilities:

  • The government is imminently going to have to explain some significant EO 12333 collection — perhaps in something like the Hassanshahi case or one of the terrorism cases explicitly challenging the use of EO 12333 data and it wants to create the appearance it is not a lawless dragnet (though the former was always described as metadata, not content)
  • The government is facing new scrutiny on tools like Hemisphere, which the DOJ IG is now reviewing; if 27-year old data is owned by HIDTA rather than AT&T, I can see why it would cause problems (though again, except insofar as it includes things like location, that’s metadata, not content)
  • This is Dianne Feinstein’s last ditch fix for the “trove” of US person content that Mark Udall described that John Carlin refused to treat under FISA
  • This is part of the effort to get FBI to use EO 12333 data (which may be related to the first bullet); these procedures are actually vastly better than FBI’s see-no-evil-keep-all-data for up to 30 years approach, though the language of them doesn’t seem tailored to the FBI

Or maybe this is meant to provide the patina of legality to some other dragnet we don’t yet know about.

Still, I find it an interesting little emergency the intelligence committees seem to want to address.

PCLOB Member Rachel Brand Asked NSA General Counsel to Help Her Dissent from PCLOB

Let me say straight out: Privacy and Civil Liberties Oversight Board member Rachel Brand is no slouch. She’s very smart and very accomplished.

All that said, I am rather intrigued by the way she consulted NSA General Counsel Raj De several times — as illustrated by these emails Jason Leopold liberated from PCLOB —  as she worked on her dissent to the Democratic PCLOB members’ conclusion that the Section 215 dragnet is illegal.

On January 6, Brand emailed De. “Do you have a couple minutes to talk about a PCLOB matter today or tomorrow?” They scheduled some time to talk at midday the next day — though a request from Keith Alexander appears to have forced De to delay. Nevertheless, by 1:30 on January 7, it appears De and Brand spoke, because De forwarded two things: I Con the Record’s press release announcing the FISA Court had reauthorized the dragnet even after Judge Richard Leon ruled it unconstitutional (De makes no mention in his email, but the order had considered Leon’s ruling before reauthorizing the program), and the GPO transcript of Robert Mueller’s claim in a June 2013 House Judiciary Committee hearing that the dragnet would have prevented 9/11.

Ten days later, on January 17, Brand was emailing De again, after having seen each other that morning (that was the morning President Obama announced his own reforms to the dragnet, so it may have been in that context). She sent NSA’s General Counsel a paragraph, with one sentence highlighted, asking if it was accurate. He responded with “some suggestions for accuracy for your consideration … Feel free to give a call if you want to discuss, or would like more detail.”

Then, over that weekend, Brand and De exchanged the following emails:

Saturday, January 18, 12:31: Brand sends “the current draft of my separate statement” stating she wants “to be sure there is nothing factually or legally inaccurate in it;” she says it is currently 5 pages and tells De she needs to give PCLOB Chair David Medine the final by Sunday night

Saturday, January 18, 2:11: De responds, “happy to”

Sunday, January 19, 10:51: De responds, saying, “not that you need or want my validation, but for what’s [sic] it is worth it really reads quite well.” De then provides 3 “additional factual details” which “might fit in if you wanted to use them;” those bullets are redacted

Sunday, January 19, 3:47: Brand replies, stating that Beth (Elisebeth Collins Cook, the other Republican on PCLOB) “explicitly makes the first two in her separate statement” and that she’s “trying to keep this short, so have to forego making every available point”

Read more

EO 12333 Threatens Our Democracy

Among the many posts I’ve written about Executive Order 12333 — the order that authorizes all non-domestic spying — includes this post, where I noted that proposed changes to NSA’s phone dragnet won’t affect programs authorized by EO 12333.

Obama was speaking only about NSA’s treatment of Section 215 metadata, not the data — which includes a great amount of US person data — collected under Executive Order 12333.

[snip]

Section 215 metadata has different and significantly higher protections than EO 12333 phone metadata because of specific minimization procedures imposed by the FISC (arguably, the program doesn’t even meet the minimization procedure requirements mandated by the law). We’ve seen the implications of that, for example, when the NSA responded to being caught watch-listing 3,000 US persons without extending First Amendment protection not by stopping that tracking, but simply cutting off the watch-list’s ability to draw on Section 215 data.

Basically, the way NSA treats data collected under FISC-overseen programs (including both Section 215 and FISA Amendments Act) is to throw the data in with data collected under EO 12333, but add query screens tied to the more strict FISC-regulations governing production under it.

[snip]

NSA’s spokeswoman will say over and over that “everyday” or “ordinary” Americans don’t have to worry about their favorite software being sucked up by NSA. But to the extent that collection happens under EO 12333, they have relatively little protection.

That’s precisely the point made in an important op-ed by the State Department’s former Internet freedom chief, John Napier Tye, who had access to data from EO 12333 collection.

Bulk data collection that occurs inside the United States contains built-in protections for U.S. persons, defined as U.S. citizens, permanent residents and companies. Such collection must be authorized by statute and is subject to oversight from Congress and the Foreign Intelligence Surveillance Court. The statutes set a high bar for collecting the content of communications by U.S. persons. For example, Section 215 permits the bulk collection only of U.S. telephone metadata — lists of incoming and outgoing phone numbers — but not audio of the calls.

Executive Order 12333 contains no such protections for U.S. persons if the collection occurs outside U.S. borders.

[snip]

Unlike Section 215, the executive order authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person’s communications are “incidentally” collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.

Read more

Snowden’s Emailed Question Addresses One Abuse Revealed by His Leaks

In an effort to rebut Edward Snowden’s claims that he raised concerns via proper channels, NSA just released an email Snowden sent to NSA’s Office of General Counsel. The email reveals their own training is not clear about something central to Snowden’s leaks: whether laws passed by Congress take precedence over EO 12333.

In the email, Snowden describes a training program on USSID 18, NSA’s internal guidelines on protecting US person data. Snowden’s email reads, in part,

Hello, I have a question regarding the mandatory USSID 18 training.

The training states the following:

________

(U) The Hierarchy of Governing Authorities and Documents is displayed from the highest authority to the lowest authority as follows:

U.S. Constitution

Federal Statutes/Presidential Executive Orders (EO)

[snip]

________

I’m not entirely certain, but this does not seem correct, as it seems to imply Executive Orders have the same precedence as law. My understanding is that EOs may be superseded by federal statute, but EOs may not override statute.

An NSA lawyer wrote back (in part),

Executive Orders (E.O.s) have the “force and effect of law.” That said, you are correct that E.O.s cannot override a statute.

The NSA has not revealed whether Snowden called the lawyer with further questions, as he invited Snowden to do. Nor have they said this email to Office of General Counsel is the only email Snowden sent (only that it’s the only one he sent to OGC).

Nevertheless, the email is really suggestive, particularly as it took place when Snowden had already started downloading a slew of information.

That’s because Snowden’s documents (and documents released in response to his leaks) reveal NSA has repeatedly used EO 12333 to push the limits of laws passed by Congress, if not to evade the law altogether.

Here are just two of numerous examples:

NSA Avoids Stricter Minimization Procedures Under the Phone Dragnet: The NSA has fairly strict minimization procedures under the Section 215-authorized phone dragnet, but only NSA’s internal rules (USSID 18) for the EO 12333-authorized phone dragnet. Nevertheless, for the first 3 years of the FISA-authorized program, NSA didn’t follow their Section 215 rules, instead applying the less stringent rules of USSID 18 (effectively letting a DOD Directive supersede the PATRIOT Act). In one of their most egregious violations discovered in 2009, they watch listed 3,000 US persons without giving those people the required First Amendment review, as required by minimization procedures written to fulfill the law. But instead of purging those records upon discovery (or even stopping the watchlisting), they just moved them into the EO 12333-only category. They just kept spying on the US persons using only data collected under EO 12333.

And these 2009 violations are not isolated. At least as recently as 2011, the NSA was still engaging in this authority arbitrage; a training program from that year makes it clear NSA trained analysts to re-run queries under EO 12333, if possible, to get around the dissemination requirements of Section 215. (Update: I’m not saying this particular arbitrage is illegal; it’s not. But it does show how NSA games these authorities.)

NSA Collects US Person Content by Getting It Overseas: Because of the structure of the Internet, a great deal of US person data exists overseas. We’ve seen discussion of this US person data overseas including at least email content, address books, videocam images, and location. But because NSA collects this via dragnet, not targeted collection, it claims it is not targeting any American, even though it permits the searching of EO 12333 data for US person content, apparently without even Reasonable Articulable Suspicion. And because it is not targeting Americans under their dragnet and back door loopholes, it does not apply FISA Amendment Act restrictions on collecting US person data overseas under Sections 703, 704, and 705. Effectively, it has the ability to avoid those restrictions entirely by using EO 12333 as a dodge.

I’m not the only one concerned about this: at a hearing in February, both Dianne Feinstein and (at more length) Mark Udall raised concerns with National Security Division Assistant Attorney General John Carlin, suggesting some of this EO 12333 data should be treated according to FISA. Carlin — who is supposed to be a key player in overseeing NSA — showed no interest in doing so.

In both these questions, NSA did not allow laws to take precedence over EO 12333. On the contrary, NSA just created ways that it could apply EO 12333 and ignore the law that should have or might have applied.

Not only does Snowden’s question make it clear that the NSA doesn’t make the precedence of law over EO 12333 clear in training, but the lawyer’s response was rather ambiguous on this point as well.

One thing we’ve learned from Snowden’s leaks is that the Executive is (at a minimum) evading the intent of Congress on some of its treatment of US person data. And by releasing this email as part of a pissing contest with Snowden, NSA has made it clear that’s by design, even in their most core training program.

NSA is not telling its analysts that laws passed by Congress — even those offering protection to US person data — must take precedence over the looser protections under EO 12333. Which may be why they’re comfortable collecting so much US person data under EO 12333.

Update: According to Snowden, I’m absolutely right.

Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. It also did not include concerns about how indefensible collection activities – such as breaking into the back-haul communications of major US internet companies – are sometimes concealed under E.O. 12333 to avoid Congressional reporting requirements and regulations.

EFF to Reggie Walton: Stuart Delery and John Carlin Are Still Materially Misleading FISA Court

In my latest post in DOJ’s apparent effort to destroy evidence pertinent to EFF’s several lawsuits in Northern District of CA, I noted that even after being ordered to explain their earlier material misstatements to the FISA Court, Assistant Attorneys General John Carlin and Stuart Delery left a lot of key details unsaid. Significantly, they did not describe the full extent of the evidence supporting EFF’s claims in the dispute (and therefore showing DOJ’s actions to be unreasonable).

Notwithstanding a past comment about preservation orders in the matters before Judge Walton, the government claims EFF’s suits are unrelated to the phone dragnet.

[T]he Government has always understood [EFF’s suits] to be limited to certain presidentially authorized intelligence collection activities outside FISA, the Government did not identify those lawsuits, nor the preservation order issued therein, in its Motion for the Second Amendment to Primary Order filed in the above-captioned Docket number on February 25, 2014. For the same reasons, the Government did not notify this Court of its receipt of plaintiffs’ counsel’s February 26, 2014, e-mail.

Note, to sustain this claim, the government withheld both the state secrets declarations that clearly invoke the FISC-authorized dragnets as part of the litigation, even though the government’s protection order invokes it repeatedly, as well as Vaughn Walker’s preservation order which is broader than DOJ’s own preservation plan. Thus, they don’t give Walton the things he needs to be able to assess whether DOJ’s actions in this matter were remotely reasonable.

Apparently, EFF agrees. EFF Legal Director Cindy Cohn wrote AAGs Stuart Delery and John Carlin to complain that they hadn’t referenced the evidence submitted by EFF to support its claims.

[W]e were dismayed to see that the government’s response to the FISC on pages 3-5 repeated its own arguments (plus new ones) about the scope of the Jewel complaint without referencing, much less presenting, plaintiffs’ counter-arguments. As you know, especially in our reply papers (doc. 196) in support of the TRO, plaintiffs presented significant argument and evidence that contradicts the government’s statement to the FISC that plaintiffs only “recently-expressed views” (pages 2, 7) regarding the scope of the preservation orders. They also also undermines [sic] the few paragraphs of the Jewel Complaint and some other documents that the government has cherry-picked to support its argument.

In addition, Cohn complains that the government has left the impression this dispute pertains solely to phone records.

[W]e are concerned that the FISC has not been put on notice that the scope of the dispute about the preservation order in Jewel (or at least the scope of the plaintiffs’ view of the preservation order) reaches beyond telephone records into the Internet content and metadata gathered from the fiberoptic cables of AT&T. This is especially concerning because the FISC may have required (or allowed) destruction of some of that evidence without the knowledge that it was doing so despite the existence of a preservation order covering that information issued by the Northern District of California.

Cohn’s invocation of Internet data is particularly important as it raises the second of two known illegal practices (the other being watchlisting US persons in the phone dragnet without the legally required First Amendment review) the data for which would be aging off now or in the near future: the collection of Internet content in the guise of metadata. I believe the Internet dragnet continued until October 30, 2009, so if they were aging off data for the 6 months in advance, might be aged off in the next week or so.

I’m really curious whether this spat is going to be resolved before Reggie Walton finishes his service on FISC on May 19.

But one thing is certain: it’s a lot more fun to watch the FISC docket when ex parte status starts to break down.

Turns Out the NSA “May” Destroy Evidence of Crimes before 5 Years Elapse

The metadata collected under this order may be kept online (that is, accessible for queries by cleared analysts) for five years, at which point it shall be destroyed. — Phone dragnet order, December 12, 2008

The Government “takes its preservation obligations with the utmost seriousness,” said a filing signed by Assistant Attorneys General John Carlin and Stuart Delery submitted Thursday in response to Presiding FISA Court Judge Reggie Walton’s accusation they had made material misstatements to him regarding the question of destroying phone dragnet data.

Recognizing that data collected pursuant to the Section 215 program could be potentially relevant to, and subject to preservation obligations in, a number of cases challenging the legality of the program, including First Unitarian Church of Los Angeles  v. NSA,

… Signals Intelligence Division Director Theresa Shea wrote in her March 17 declaration (starting at page 81) explaining what the government has actually done to protect data under those suits.

At which point Shea proceeded to admit that the government hadn’t been preserving the data they recognized was potentially relevant to the suits at hand.

… since the inception of the FISC-authorized bulk telephony metadata program in 2006, the FISC’s orders authorizing the bulk collection of telephony metadata under FISA Section 501 (known also as the Section 215 program) require that metadata obtained by the NSA under this authority be destroyed no later than five years after their collection. In 2011, the NSA began compliance with this requirement (when the first metadata collected under the FISC authority was ready to be aged off) and continued to comply with it until this Court’s March 10 order and the subsequent March 12, 2014 order of the FISC.

Thursday’s filing added to that clarity, not only saying so in a footnote, but then submitting another filing to make sure the footnote was crystal clear.

Footnote 6 on page 5 was intended to convey that “[c]onsistent with the Government’s understanding of these orders in Jewel and Shubert, prior to the filing of the Government’s Motion for Second Amendment to Primary Order, the Government complied with this Court’s requirements that metadata obtained by the NSA under Section 215 authority be destroyed no later than five years after their collection.”

The significance seems clear. The Government admits it could potentially have a preservation obligation from the filing of the first Section 215 suit, Klayman v. Obama, on June 6, 2013. But nevertheless, it destroyed data for 9 months during which it recognized it could potentially have a preservation obligation.  That means data through at least March 9, 2009 and perhaps as late as September 10, 2009 may already be destroyed, assuming reports of biannual purging is correct. Which would perhaps not coincidentally cover almost all of the phone dragnet violations discovered over the course of 2009. It would also cover all, or almost all, of the period (probably)  NSA did not have adequate means of identifying the source of its data (meaning that Section 215 data may have gotten treated with the lesser protections of EO 12333 data).

And the amount of data may be greater, given that NSA now describes in its 5 year age-off requirement no affirmative  obligation to keep data five years.

This all means the government apparently has already destroyed data that might be implicated in the scenario Judge Jeffrey White (hypothetically) raised in a hearing on March 19, in which he imagined practices of graver Constitutional concern than the program as it currently operates five years ago.

THE COURT: Well, what if the NSA was doing something, say, five years ago that was broader in scope, and more problematical from the constitutional perspective, and those documents are now aged out? And — because now under the FISC or the orders of the FISC Court, the activities of the NSA have — I mean, again, this is all hypothetical — have narrowed. And wouldn’t the Government — wouldn’t the plaintiffs then be deprived of that evidence, if it existed, of a broader, maybe more constitutionally problematic evidence, if you will?

MR. GILLIGAN: There — we submit a twofold answer to that, Your Honor.

We submit that there are documents that — and this goes to Your Honor’s Question 5B, perhaps. There are documents that could shed light on the Plaintiffs’ standing, whether we’ve actually collected information about their communications, even in the absence of those data.

As far as — as Your Honor’s hypothetical goes, it’s a question that I am very hesitant to discuss on the public record; but I can say if this is something that the Court wishes to explore, we could we could make a further classified ex parte submission to Your Honor on that point.

According to the NSA’s own admissions, until just over 5 years ago, the NSA was watchlisting as many as 3,000 Americans without doing the requisite First Amendment review required by law. And that evidence — and potentially the derivative queries that arose from it — is apparently now gone.

Which puts a new spin on the narratives offered in the press about DOJ’s delay in deciding what to do with this evidence. WSJ described the semiannual age-off and suggested the issue with destroying evidence might pertain to standing.

As the NSA program currently works, the database holds about five years of data, according to officials and some declassified court opinions. About twice a year, any call record more than five years old is purged from the system, officials said.

A particular concern, according to one official, is that the older records may give certain parties legal standing to pursue their cases, and that deleting the data could erase evidence that the phone records of those individuals or groups were swept up in the data dragnet.

FP’s sources suggested DOJ was running up against that semiannual deadline.

A U.S. official familiar with the legal process said the question about what to do with the phone records needn’t have been handled at practically the last minute. “The government was coming up on a five-year deadline to delete the data. Lawsuits were pending. The Justice Department could have approached the FISC months ago to resolve this,” the official said, referring to the Foreign Intelligence Surveillance Court.

There should be no February to March deadline. Assuming the semiannual age-off were timed to March 1, there should have already been a September 1 deadline, at which point NSA presumably would have destroyed everything moving forward to March 1, 2009.

Which may mean NSA and DOJ put it off to permit some interim age-off, all the out of control violations from 2009.

We shall see. EFF and DOJ will still litigate this going forward. But as I look more closely at the timing of all this, DOJ’s very belated effort to attempt to preserve data in February seems to have served, instead, to put off dealing with preservation orders until the most potentially damning data got destroyed.

All of this is separate from the dispute over whether DOJ violated the preservation order in Jewel, and that case may be coming up on the 5 year destruction of the last violative Internet metadata, which might be aged off by April 30 (based on the assumption the Internet dragnet got shut down on October 30, 2009).

But even for he more narrow question of the phone dragnet, for which the government admits it may have data retention obligations, the government seems to have already violated those obligations and, in the process, destroyed some of the most damning data about the program. 

Why Did 3 Top DOJ Officials Feed Their Dog DOJ’s Homework?

DOJ has submitted what it claims is an explanation for why it materially misstated facts to Reggie Walton in discussions about destroying phone dragnet data. (See this post and this post for background.)

As you recall, Walton had read EFF’s emails closely enough to realize that EFF had asked Civil Division lawyers why they had claimed there was no protection order when they believed they had one.

A review of the E-mail Correspondence indicates that as early as February 26, 2014, the day after the government filed its February 25 Motion, the plaintiffs in Jewel and First Unitarian indeed sought to clarify why the preservation orders in Jewel and Shubert were not referenced in that motion. E-mail Correspondence at 6-7. The Court’s review of the E-mail Correspondence suggests that the DOJ attorneys may have perceived the preservation orders in Jewel and Shubert to be immaterial to the February 25 Motion because the metadata at issue in those cases was collected under what DOJ referred to as the “President’s Surveillance Program” (i.e., collection pursuant to executive authority), as opposed to having been collected under Section 215 pursuant to FISC orders — a proposition with which plaintiffs’ counsel disagreed. Id at 4. As this Court noted in the March 12 Order and Opinion, it is ultimately up to the Northern District of California, rather than the FISC, to determine what BR metadata is relevant to the litigation pending before the court.

As the government is well aware, it has a heightened duty of candor to the Court in ex parte procedings. See MODEL RULES OF PROF’L CONDUCT R. 3.3(d) (2013). Regardless of the government’s perception of the materiality of the preservation orders in Jewel andShubert to its February 25 Motion, the government was on notice, as of February 26, 2014, that the plaintiffs in Jewel and First Unitarian believed that orders issued by the District Court for the Northern District of California required the preservation of the FISA telephony metadata at issue in the government’s February 25 Motion. E-mail Correspondence at 6-7. The fact that the plaintiffs had this understanding of the preservation orders–even if the government had a contrary understanding–was material to the FISC’s consideration of the February 25 Motion. The materiality of that fact is evidenced by the Court’s statement, based on the information provided by the government in the February 25 Motion, that “there is no indication that nay of the plaintiffs have sought discovery of this information or made any effort to have it preserved.” March 7 Opinion and Order at 8-9.

The government, upon learning this information, should have made the FISC aware of the preservation orders and of the plaintiffs’ understanding of their scopre, regardless of whether the plaintiffs had made a “specific request” that the FISC be so advised. Not only did the government fail to do so, but the E-mail Correspondence suggests that on February 28, 2014, the government sought to dissuade plaintiffs’ counsel from immediately raising this issue with the FISC or the Northern District of California. E-mail Correspondence at 5.

DOJ’s excuse for not telling Walton EFF believed they had a protection order is roughly as follows:

1. Notwithstanding a past comment about preservation orders in the matters before Judge Walton, the government claims EFF’s suits are unrelated to the phone dragnet.

[T]he Government has always understood [EFF’s suits] to be limited to certain presidentially authorized intelligence collection activities outside FISA, the Government did not identify those lawsuits, nor the preservation order issued therein, in its Motion for the Second Amendment to Primary Order filed in the above-captioned Docket number on February 25, 2014. For the same reasons, the Government did not notify this Court of its receipt of plaintiffs’ counsel’s February 26, 2014, e-mail.

Note, to sustain this claim, the government withheld both the state secrets declarations that clearly invoke the FISC-authorized dragnets as part of the litigation, even though the government’s protection order invokes it repeatedly, as well as Vaughn Walker’s preservation order which is broader than DOJ’s own preservation plan. Thus, they don’t give Walton the things he needs to be able to assess whether DOJ’s actions in this matter were remotely reasonable.

2. It explains that it never provided EFF with its own 2007 preservation plan (which did not meet the terms of Walker’s order) until March 17, 2014 because Stellar Wind — but not the FISC-authorized programs that the preservation plan excluded — was classified until December 2013.

A classified submission was necessary at that time [in 2007] because the existence of the presidentially-authorized program was classified and remained so until December 2013.

Note, it doesn’t mention that 19 days passed between the time EFF formally raised concerns about the protection order and the date DOJ actually provided the declassified protection plan to them, during which time, it appears, NSA destroyed one of the most damning half year’s worth of data in the program’s history (which I’ll return to in a later post).

3. In spite of EFF telling DOJ their earlier suits were relevant (and not having received the preservation plan which could have been declassified in December), DOJ claims they didn’t think they were relevant so it didn’t tell FISC about EFF’s beliefs.

Because the Government’s Motion for Second Amendment already had sought relief from this Court based on a list of BR metadata pursuant to FISC authorization, see Motion for Second Amendment at 3-5, counsel did not appreciate — even after receiving the email from plaintiffs’ counsel in Jewel — that it would be be important to notify this Court about Jewel and Shubert or the email from counsel for the Jewel plaintiffs about those cases with which the Government disagreed. Rather, counsel viewed any potential dispute about the scope of Jewel and Shubert preservation orders as a mater to be resolved, if possible, by the parties to those cases (though a potential unclassified explanation to plaintiffs’ counsel) or, failing that, by the district court.

Note what DOJ is not mentioning here? That EFF has a Section 215 lawsuit too, and that its understanding of the impact on that suit may have been influenced by the Shubert and Jewel protection orders.

4. DOJ’s Civil Division lawyers did not forward EFF’s email to DOJ’s National Security Division lawyers, they claim, because the Civil Division lawyers did not agree with EFF’s interpretation of the protection order.

For these reasons, counsel did not think to forward the email from Jewel Plaintiffs’ counsel to the attorneys with primary responsibility for interaction with this Court before the Court ruled on the Motion for Second Amendment. The Department wishes to assure the Court that it has always endeavored to maintain close coordination within the Department regarding civil litigation matters that involve proceedings before this Court, and will take even greater care to do so in the future.

5. DOJ told EFF to hold off formally alerting any Court in the belief that it could tell EFF about the preservation plan which could have been declassified in December but did not get declassified until 10 days after FISC issued its initial order requiring DOJ to destroy data, and that would solve everything.

In particular, the request in its February 28 email that counsel for the Jewel plaintiffs “forbear from filing anything with the FISC, or [the district court], until we have further opportunity to confer” was a good faith attempt to avoid unnecessary motions practice in the event that the issue could be worked out among the parties through the Government’s provision of an unclassified explanation concerning its preservation in Jewel and Shubert.

Read more