
Like a Rat-Fucking Stone: Russians and Roger Reading from the Same Voter Suppression Script

As I disclosed last month, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In my post outlining all the investigative steps the Mueller team has taken with Roger Stone since Rick Gates flipped, I pointed to some things that seem to relate to questions Mueller has asked.

That’s one reason why the circumstances of Stone’s flip-flop in early August 2016, in which Stone went from admitting that the DNC hack was done by Russia to claiming it was not, seemingly in one day in which he was in Southern California, are so important: because he established a contemporaneous claim he has relied on to excuse any coordination with Guccifer 2.0 and WikiLeaks. Given the import of Stone’s flip-flop, I find it interesting that so much of the funding for his SuperPAC came from Southern California, especially from John Powers Middleton. Did he meet with his donors when he orchestrated the flip-flop that makes it harder to argue his discussions and foreknowledge of Guccifer 2.0 and WikiLeaks events count as entering into a conspiracy to break one or several laws?

Whatever the circumstances of that flip-flop, from that point forward, Stone pushed several lines — notably the Seth Rich conspiracy — that would be key to Russian disinformation. A big chunk of his SuperPAC funds was also spent on “Stop the Steal,” which may also tie to Russian disinformation to discredit the election.

One of the complexities Mueller may have spent months digging through may be whether and how to hold Stone accountable for willful participation in disinformation supporting Russia’s larger efforts to swing the election to Donald Trump.

Last week, I started to look more closely at how Stone’s PAC may relate to this. There are, in my opinion, a number of really interesting details about his PAC (which admittedly isn’t dealing with that much money).

That was before, last week, materials in Andrew Miller’s challenge to the subpoena were unsealed, which first revealed Miller wanted a grant of immunity to testify about things pertaining to work he did for Stone’s PAC.

A hearing transcript from June 18 shows that Miller was subpoenaed for information about Stone, as well as key figures in the 2016 hacking of the Democratic National Committee and the public release of Democrats’ emails. According to that transcript, the subpoena seeks information from Miller about WikiLeaks and Assange. WikiLeaks published large volumes of Democrats’ hacked emails during the campaign.

The subpoena also seeks information about Guccifer 2.0 and DCLeaks. Investigators say both were online fronts invented by Russian intelligence operatives to spread the hacked documents. DCLeaks was a website that posted hacked emails of current and former U.S. officials and political aides, while Guccifer 2.0 claimed to be a Romanian hacker.

Miller had asked for “some grant of immunity” regarding financial transactions involving political action committees for which he assisted Stone, according to Alicia Dearn, an attorney for Miller.

On that issue, Miller “would be asserting” his Fifth Amendment right to refuse to answer questions, Dearn said.

As for the hacking and WikiLeaks questions, Dearn said at the hearing, “We don’t believe he has any information” about those topics.

Along with Miller, Kristin Davis also got paid by one of Stone’s PACs. Neither was paid enough to pay for the legal fees they’ve incurred covering their testimony (though a conservative group has paid for Miller’s challenge to his subpoena). Citroen Associates owner John Kakanis, who also testified, got paid more, though maybe not enough to pay for legal representation.

There are a number of notable things about Stone’s PACs that — at least on their face — are not unusual. There is one detail — that the bulk of the expenditures paid a personal injury law firm, one whose family members appear to have served as treasurers of the PACs — that is unusual. Most interesting of all, however, is how Stone’s Stop the Steal PAC’s voter suppression efforts before the election so closely paralleled Russian efforts.

Guy with the Nixon tattoo’s SoCal funding

First, remember the mysterious funding from SoCal aspect to the Watergate scandal? There was good reason for that for Nixon; after all, he was from SoCal. Maybe Stone’s just doing most of his fundraising there for old time’s sake, because more than half the funding of Stone’s Committee to Restore American Greatness PAC (referred to as CRAG below) comes in serial donations from John Powers Middleton, the son of the Philadelphia Phillies’ owner, who makes shitty movies. A good number of the other substantial donations come from SoCal too. And two PACs Stone operated in 2016 were run out of a UPS store in Santa Ana, CA.

That Middleton largely bankrolled this PAC is in no way unique or legally problematic (indeed, the numbers involved are much smaller than other such PACs). It is notable, however, that contributions to Stone’s PAC were Middleton’s only contributions in 2015-2016, and (apparently) his only recent FEC tracked political contributions, though Middleton played a big role in a youngish Republican group in his 20s. It’s also odd how he gave installments, including two smaller ones, in the same time period or even on the same day as other more sizable ones.

Robert Shillman’s pass through

The timing of the donations makes it clear that the sole campaign contribution Stone’s PAC made — $16,000 in two donations to Trump, which paid for Clear Channel billboards — was a pass through of San Diego County executive Robert Shillman’s donations. He’s a big donor to GOP causes, but spent much bigger money on PACs supporting Carly Fiorina ($25,000) and Marco Rubio ($75,000) in the primary. Interestingly, he also maxed out in direct donations to Ron DeSantis in 2015-2016, and is backing Devin Nunes this cycle. For some reason I don’t understand, the FEC recorded the first of those donations, made in August, as a primary donation (that’s true of a number of other smaller donations made in the fall as well). Shillman has also donated to Islamophobic fearmongering in the past.

This pass through is also not unusual, but it is notable for how obvious it is and because the pass through is the only donation to a political campaign in this PAC.

The Personal Injury lawyers in bed with Stone

What is unusual is the centrality of the Costa Mesa office of personal injury lawyers Jensen & Associates in all this. One of the firm’s only lawyers, Erin Boeck, may be the spouse of Brad Boeck, who served as treasurer for two of Stone’s PACs. The principal, Paul Jensen, may be related to Pamela Jensen, who set up Stone’s Women v Hillary PAC.

Jensen & Associates made two loans to CRAG of very specific amounts: $2,398.87 and $2,610, which were repaid less than a week after the second one was made. And in 2016, CRAG paid the firm almost $100,000, including $20,000 in April when Stop the Steal was set up, $23,700 in four different payments in July 2016, and a $9,500 payment on August 3, when Stone was out in LA claiming to Sam Nunberg to be dining with Julian Assange.

According to its website, Jensen & Associates does things like sue for dog bites, not set up political rat-fucking PACs.

The personal injury lawyers cohabiting with the Clinton dirt CPA

While the Women v Clinton 527 would not be registered by Pamela Jensen until June 2, 2016, the effort to dig up the women at the center of Bill Clinton’s scandals actually started much earlier, on February 1, 2016, when Pamela Jensen CPA would send out a fundraising letter to fund Kathleen Willey’s mortgage. Pamela Jensen’s CPA address is the same as for Jensen & Associates law firm (though her license expired on December 31, 2016).

On February 19, 2016, Roger Stone told Alex Jones that Trump himself had donated to the Willey fund, even though it had never raised anywhere close to the $80,000 it listed as a goal.

STONE: Or, short circuit this. Go right to HelpWilley.com. Help Willey, W-i-l-e-e-y (sic). Now the good news is —

JONES: We’re going to tweet that, we’re going to Facebook it right now. We haven’t really done that yet, so we’re going to do that right now. Go ahead, sir.

STONE: I appreciate it. We have raised a substantial amount of money. Trump is himself a contributor — I’m not ready to disclose what he has given. And many, many other people.

JONES: Oh OK, so that GoFundMe is only one thing.

STONE: That is only receptacle and there are –

JONES: OK so the best place to go again is, again —

STONE: HelpWilley.com. Willey spelled W-i-l-l-e-y. HelpWilley.com will take you right to one of our pages. We have numerous receptacles, we have raised substantially more than 3,970, we’re haggling with the mortgage company even as we speak, and I am still hopeful that we can save Kathleen’s home so she can go out on the road and take the fight right to the Clintons.

There are actually two entities here. The STOP RAPE PAC was registered on October 1, 2015. The Women v Clinton 527 was registered in June 2016. Both only ever had enough money to pay for the mailbox used for their official address.

The revolving door between Stone’s rat-fucking PACs

Which brings us to another detail that is typical of many PACs.

Stone and his buddies were shifting money back and forth between a 527 named Stop the Steal and CRAG.

CRAG was set up in 2015 (though it didn’t file its FEC paperwork until July 2016). Stop the Steal was set up on April 6, 2016, at a time when Trump was worried about knocking down a Convention rebellion (which is why Paul Manafort first got hired). The day it was set up, CRAG transferred $50,000 to Stop the Steal. Though by April 13, Stop the Steal was claiming to want to fundraise $262,000, money that never showed up in Stop the Steal’s IRS filings, if it did raise that kind of money.

Among the things Mueller questioned Michael Caputo about were meetings he and Rick Gates had with Stone. One of those meetings, to discuss the effort to ensure the loyalty of GOP delegates, took place in the weeks after Stop the Steal was first set up.

“I only have a record of one dinner with Rick Gates,” he said, adding that the guest list included two other political operatives: Michael Caputo, a former Trump campaign aide who was recently interviewed by Mr. Mueller’s investigators, and Paul Manafort, who soon after took over as chairman of Mr. Trump’s campaign. But Mr. Manafort canceled at the last minute, and Mr. Gates, his deputy, attended in his place.

Mr. Stone said the conversation during the dinner, which fell soon after the New York primary in April 2016, was about the New York State delegate selection for the Republican National Convention. The operatives expressed concern about whether delegates, at a time of deep division among Republicans, would be loyal to Mr. Trump’s vision for the party, Mr. Stone said.

Stop the Steal’s 527 filings show two expenditures for rallies in this earlier incarnation.

On July 12, 2016, Stop the Steal transferred $63,000 to CRAG. Its IRS paperwork doesn’t appear to show how, having made expenditures and raised negligible money in the interim period, it had that much money to return to CRAG, suggesting it may not have reported all its donations.

In the fall, Stop the Steal was repurposed to conduct Stone’s voter suppression efforts, including an effort to register “exit pollers” based on the inflammatory rhetoric about rigging the election that Trump had been pushing for some time, with an added focus on the voting machines.

Help us to reveal the TRUTH! Be an Exit Poller!  Register Now!

Donald Trump thinks Hillary Clinton and the Democrats are going to steal the next election. “I’m afraid the election is going to be rigged, I have to be honest,” he told a campaign rally last week.

The issue is both voter-fraud and election theft through manipulation of the computerized voting machines. The truth is both parties have used these DIEBOLD/ PES voting machines to rig results of elections at the state and federal election. The party in power in a given state controls the programming of the voting machines.

Here is how easy it is to rig these machines:

We now know, thanks to the hacked e-mails from the Democratic National Committee that the Clintons had to cheat and rig the system to steal the Democratic nomination from Bernie Sanders. Why wouldn’t they try to steal the election from Donald Trump? If this election is close, THEY WILL STEAL IT.

The Washington Post even ran an editorial saying it was “impossible” to steal an election. Then, incredibly, Barrack Obama called Donald Trump’s concerns about a rigged election “ridiculous.”

Plus they intend to flood the polls with illegals. Liberal enclaves already let illegals vote in their local and state elections and now they want them to vote in the Presidential election.

What can we do to stop this outrageous steal? We must step up to the plate and do this vital job? That’s why I am working with a staticians attorneys and computer experts to find and make public any result which has been rigged

We at THE EMERGENCY COMMITTEE TO STOP THE STEAL WILL:

– Demand inspection of the software used to program the voting machines in every jurisdiction prior to the beginning of voting by an independent and truly non-partisan third party.

– Conduct targeted EXIT-POLLING in targeted states and targeted localities that we believe the Democrats could manipulate based on their local control,  to  determine if the results of the vote have been skewed by manipulation.

– Retain the countries foremost experts on voting machine fraud to help us both prevent and detect voting machine manipulation by putting in a place to monitor polling, review the results and compare them to EXIT POLLS we must conduct.

– Recruit trained poll watchers for the key precincts in key states to monitor voting for fraud.  Between the Trump campaign and our efforts we believe we can cover every precinct in the crucial states.

The effort also included a fundraising aspect, with a stated goal of raising $1 million. Stop the Steal reported $20,894 in small donations for the period covering the election, with $32,932 reported for the year-to-date.

The Democratic Party sued Stone, Trump, and the state Republican parties in four swing states to get a Temporary Restraining Order against these activities.

The revolving door was actually a mislabeled front door

Now that I’m looking at the saved versions of Stone’s various websites, it’s clear he wasn’t segregating the fundraising for them, and I wonder whether some of his email fundraising involved other possible campaign finance violations. For example, here’s the Stop the Steal site as it existed on March 10, 2016. It was clearly trying to track fundraising, carefully instructing people to respond to emails if they received one. But it claimed to be TCTRAG (what I call CRAG), even though the incoming URL was for Stop the Steal.

That remained true even after Stop the Steal was formally created, on April 10. Even after the website changed language to disavow Stop the Steal being a PAC by April 23, the fundraising form still went to TCTRAG (what I call CRAG), a PAC.

And that remained true on May 12, when the site was aiming to raise $262,000. When the campaign had shifted to voter suppression targeting Democrats (this is October 16), the entire site redirected to a TCTRAG nation-builder site. Though it appears the Stop the Steal URL was returning both a direct site and a redirect (and it appears it was either hammered, or pretending to be hacked, on election day).

Here are the results of Stone’s “citizen exit polls” on November 9, a totally unscientific data point to “prove” that Hillary had stolen the election.

The parallel Russian and rat-fucker effort to suppress the vote

Stone’s voter suppression effort is not surprising. It’s the kind of thing the rat-fucker has been doing his entire life.

Except it’s of particular interest in 2016 because of the specific form it took. That’s because two aspects of Stone’s voter suppression efforts paralleled Russian efforts. For example, even as Stone was recruiting thousands of “exit pollers” to intimidate people of color, Guccifer 2.0 was promising to register as an election observer, in part because of the “holes and vulnerabilities” in the software of the machines.

INFO FROM INSIDE THE FEC: THE DEMOCRATS MAY RIG THE ELECTIONS

I’d like to warn you that the Democrats may rig the elections on November 8. This may be possible because of the software installed in the FEC networks by the large IT companies.

As I’ve already said, their software is of poor quality, with many holes and vulnerabilities.

I have registered in the FEC electronic system as an independent election observer; so I will monitor that the elections are held honestly.

I also call on other hackers to join me, monitor the elections from inside and inform the U.S. society about the facts of electoral fraud.

More interesting still, the GRU indictment makes it clear that GRU’s information operation hackers were probing county electoral websites in swing states as late as October 28.

In or around October 2016, KOVALEV and his co-conspirators further targeted state and county offices responsible for administering the 2016 U.S. elections. For example, on or about October 28, 2016, KOVALEV and his co-conspirators visited the websites of certain counties in Georgia, Iowa, and Florida to identify vulnerabilities.

Whether or not GRU ever intended to alter the vote, Russia’s propagandists were providing the digital “proof” that Republicans might point to to sustain their claims that Democrats had rigged the election.

This is a line that Wikileaks also parroted, DMing Don Jr that if Hillary won his pop should not concede.

Hi Don if your father ‘loses’ we think it is much more interesting if he DOES NOT conceed [sic] and spends time CHALLENGING the media and other types of rigging that occurred—as he has implied that he might do.

Does Mueller have the proof this parallel effort was coordination?

As I noted, the public record makes it clear these are, at the least, complementary parallel efforts. But Mueller’s relentless focus on Stone — and his inclusion of Wikileaks and Guccifer 2.0 in the subpoena to Andrew Miller (whose research on voter fraud is one of the things Mueller wants to present to the grand jury) — suggests he thinks this is not so much a parallel effort, but a coordinated one.

h/t to Susan Simpson and Adam Bonin for help with understanding the numbers here.

Update: TC notes that there are 14 instances of known Russian troll accounts hashtagging Stop the Steal. The examples are most interesting for the date range: the earliest is September 10, 2016; the most recent is February 24, 2017. And they certainly were prepped to go on election day and the day after.

Update: You can pull up the times where Roger Stone’s twitter account hashtagged Stop the Steal in the Trump Twitter archive. Of note, the first instance in the fall campaign was August 4, when Stone was out in LA claiming he was dining with Assange. Two of the earlier incarnations @ Manafort. Also of note are the differing platforms the tweets come from — including Twitter’s web client, TweetDeck, Twitter for iPhone, and Mobile Web — as that may suggest some of the associates who’ve been interviewed did the tweeting.

Update: MS notes that Stone was talking about rigged voting machines as early as July 29.

Update: Added section dedicated to Pamela Jensen’s Bill Clinton focused organizations and moved Stone website details into body of text. H/t Liberty_42 for the former.

Timeline

September 2, 2011: Pamela Jensen registers Should Trump Run 527 with Michael D Cohen listed as President

October 1, 2015: Pamela Jensen registers STOP RAPE PAC by loaning it enough money to pay for a mailbox

November 10, 2015: Jensen & Associates loans $2,398.87 to CRAG

November 10, 2015: CRAG pays Entkesis $2,373.87

December 24, 2015: CRAG pays Newsmax $10,803.55

December 31, 2015: CRAG pays Newsmax $1,585.76

February 1, 2016: Pamela Jensen sends out fundraising letter to World Net Daily pushing Kathleen Willey’s mortgage fundraiser

February 4, 2016: Jensen & Associates loans $2,610 to CRAG

February 10, 2016: Loans from Jensen & Associates repaid

February 19, 2016: Roger Stone tells Alex Jones that Donald Trump has donated to the Kathleen Willey fundraiser, even though it had raised less than $4,000 at that time

March 1, 2016: John Powers Middleton Company donates $150,000 to CRAG

March 6, 2016: First tweet in spring Stop the Steal campaign

March 9, 2016: John Powers Middleton donates $50,000 to CRAG

March 11, 2016: John Powers Middleton donates $25,000 to CRAG

March 14, 2016: John Powers Middleton donates $25,000 to CRAG

April 6, 2016: Stone (Sarah Rollins) establishes Stop the Steal in same UPS post box as CRAG

April 6, 2016: CRAG gives $50,000 to Stop the Steal

April 6, 2016: CRAG pays Jensen & Associates $11,000

April 6, 2016: CRAG pays Jensen & Associates $9,000

April 6, 2016: Stone tweets Stop the Steal toll free line to “report voter fraud in Wisconsin” primary

April 12, 2016: John Powers Middleton donates $60,000 to CRAG

April 13, 2016: Stop the Steal pays Sarah Rollins $386.72

April 14, 2016: CRAG pays Tim Yale $9,000

April 14, 2016: Stop the Steal pays Jim Baker $1,500 in “expense reimbursements for rally”

April 15, 2016: Stop the Steal pays Sarah Rollins $500

April 15, 2016: John Powers Middleton donates $15,000 to CRAG

April 15, 2016: John Powers Middleton donates $2,000 to CRAG

April 15, 2016: $1,000 refunded to John Powers Middleton

April 18, 2016: John Powers Middleton donates $1,000 to CRAG

April 18, 2016: CRAG pays Citroen Associates $40,000

April 25, 2016: CRAG pays Paul Nagy $2,500

April 25, 2016: CRAG pays Sarah Rollins $500 plus $41.66 in expenses

April 29, 2016: John Powers Middleton donates $50,000 to CRAG

May 1, 2016: Last Stone tweet in spring Stop the Steal campaign

May 2, 2016: CRAG pays Sarah Rollins $800

May 4, 2016: CRAG pays Jensen & Associates $5,000

May 13, 2016: CRAG pays Sarah Rollins $93.50

May 15, 2016: Stop the Steal pays Sarah Rollins $500

May 16, 2016: CRAG pays Andrew Miller $2,000

May 16, 2016: CRAG pays Citroen Associates $10,000

May 16, 2016: CRAG pays Sarah Rollins $400

May 16, 2016: CRAG pays Kathy Shelton $2,500

May 24, 2016: Stone PAC RAPE PAC, aka Women v Hillary, announced

June 2, 2016: Pamela Jensen sets up Women v Hillary PAC out of a different mailboxes location in Costa Mesa (again, this only ever showed enough money to pay for the mailbox used as its address)

June 7, 2016: FEC informs CRAG it must submit filings by July 12, 2016

June 7, 2016: CRAG pays Jensen & Associates $4,790

June 8, 2016: Stop the Steal pays Paul Nagy $800 in “expense reimbursements for rally”

June 17, 2016: CRAG pays Andrew Miller $3,000

July 5, 2016: CRAG pays Jensen & Associates $14,500

July 6, 2016: CRAG pays Michelle Selaty $10,000

July 6, 2016: CRAG pays Drake Ventures $12,000

July 11, 2016: CRAG pays Cheryl Smith $4,900

July 12, 2016: Stop the Steal gives $63,000 to CRAG

July 12, 2016: CRAG pays Jensen & Associates $7,200

July 15, 2016: CRAG pays Jason Sullivan $1,500

July 18, 2016: CRAG pays Jensen & Associates $7,500

July 20, 2016: CRAG pays Jensen & Associates $3,000

July 29, 2016: CRAG pays Jensen & Associates $6,000

August 1, 2016: CRAG pays Andrew Miller $4,000; Stone flies from JFK to LAX

August 2, 2016: Stone dines with Middleton at Dan Tanas in West Hollywood (h/t Laura Rozen)

August 3, 2016: CRAG pays Jensen & Associates $9,500

August 3, 2016: CRAG pays Josi & Company $2,500

August 3-4, 2016: Stone takes a red-eye from LAX to Miami

August 4, 2016: Stone flip-flops on whether the Russians or a 400 pound hacker are behind the DNC hack and also tells Sam Nunberg he dined with Julian Assange; first tweet in the fall StopTheSteal campaign

August 5, 2016: Stone column in Breitbart claiming Guccifer 2.0 is individual hacker

August 9, 2016: CRAG pays Jason Sullivan $1,500

August 15, 2016: CRAG pays Jensen & Associates $19,500

August 29, 2016: CRAG pays Law Offices of Michael Becker $3,500

August 31, 2016: Robert Shillman gives $8,000 to CRAG

September 12, 2016: CRAG gives $8,000 to Donald Trump

September 14, 2016: CRAG pays $3,000 to Citroen Associates

September 21, 2016: Robert Shillman gives $8,000 to CRAG

September 22, 2016: CRAG gives $8,000 to Donald Trump

Following October 5, 2016: Mariia Butina and Aleksandr Torshin discuss whether she should serve as a US election observer; Torshin suggests “the risk of provocation is too high and the ‘media hype’ which comes after it,” but Butina suggests she would do it “Only incognito! Right now everything has to be quiet and careful.”

October 13, 2016: Stop the Steal pays Andrew Miller $5,000

October 23, 2016: Stone tweets out message saying Clinton supporters can “VOTE the NEW way on Tues. Nov 8th by texting HILLARY to 8888”

October 28, 2016: GRU officer Anatoliy Kovalev and co-conspirators visit websites of counties in GA, IA, and FL to identify vulnerabilities

October 30, 2016: Ohio Democratic Party sues Ohio Republican Party to prevent Stop the Steal voter suppression; Democrats also sue in NV, AZ, and PA

November 3, 2016: Filings in ODP lawsuit describing Stop the Steal (declaration, exhibits)

November 4, 2016: Judge James Gwyn issues Temporary Restraining Order against Trump, Stone, and Stop the Steal

November 4, 2016: Guccifer 2.0 post claiming Democrats may rig the elections

November 7, 2016: Sixth Circuit issues a stay in OH TRO

December 14, 2016: Women versus Hillary gives $158.97 to CRAG

December 19, 2016: Stop the Steal pays $5,000 to Alejandro Vidal for “fundraising expenses”

December 19, 2016: Stop the Steal pays $3,500 to C Josi and Co.

December 21, 2016: Stop the Steal pays $1,500 to The Townsend Group

December 27, 2016: Stop the Steal pays $3,500 to Kristen [sic] Davis

December 28, 2016: Stop the Steal gives $94 to CRAG

December 29, 2016: Stop the Steal pays Jerry Steven Gray $4,000 for “fundraising expenses”

December 30, 2016: Stop the Steal pays $2,692 total to unnamed recipients

January 19, 2017: Stop the Steal pays $5,000 for fundraising expenses to Alejandro Vidal

February 8, 2017: Stop the Steal pays Kristen [sic] Davis $3,500 for “fundraising expenses”

February 15, 2017: Stop the Steal pays Brad Boeck $862 for sales consultant consulting fee

2018 Senate Intelligence Global Threat Hearing Takeaways

Today was the annual Senate Intelligence Committee Global Threat Hearing, traditionally the hearing where Ron Wyden gets an Agency head to lie on the record.

That didn’t happen this time.

Instead, Wyden gave FBI Director Christopher Wray the opportunity to lay out the warnings the FBI had given the White House about Rob Porter’s spousal abuse problems, which should have led to Porter’s termination or at least loss of access to classified information.

The FBI submitted a partial report on the investigation in question in March. And then a completed background investigation in late July. That, soon thereafter, we received request for follow-up inquiry. And we did that follow-up and provided that information in November. Then we administratively closed the file in January. And then earlier this month we received some additional information and we passed that on as well.

That, of course, is the big takeaway the press got from the hearing.

A follow-up from Martin Heinrich shortly after Wyden’s question suggested he had reason to know of similar “areas of concern” involving Jared Kushner (which, considering the President’s son-in-law is under investigation in the Russian investigation, is not that surprising). Wray deferred that answer to closed session, so the committee will presumably learn some details of Kushner’s clearance woes by the end of the day.

Wray twice described the increasing reliance on “non-traditional collectors” in spying against the US, the second time in response to a Marco Rubio question about the role of Chinese graduate students in universities. Rubio thought the risk was from the Confucius centers that China uses to spin Chinese culture in universities. But not only did Wray say universities are showing less enthusiasm for Confucius centers of late, but made it clear he was talking about “professors, scientists, and students.” This is one of the reasons I keep pointing to the disproportionate impact of Section 702 on Chinese-Americans, because of this focus on academics from the FBI.

Susan Collins asked Mike Pompeo about the reports in The Intercept and NYT on CIA’s attempts to buy back Shadow Brokers tools. Pompeo claimed that James Risen and Matt Rosenberg were “swindled” when they got proffered the story, but along the way confirmed that the CIA was trying to buy stuff that “might have been stolen from the US government,” but that “it was unrelated to this idea of kompromat that appears in each of those two articles.” That’s actually a confirmation of the stories, not a refutation of them.

There was a fascinating exchange between Pompeo and Angus King, after the latter complained that, “until we have some deterrent capacity we are going to continue to be attacked” and then said right now there are no repercussions for Russia’s attack on the US.

Pompeo: I can’t say much in this setting I would argue that your statement that we have done nothing does not reflect the responses that, frankly, some of us at this table have engaged in or that this government has been engaged in both before and after, excuse me, both during and before this Administration.

King: But deterrence doesn’t work unless the other side knows it. The Doomsday Machine in Dr. Strangelove didn’t work because the Russians hadn’t told us about it.

Pompeo: It’s true. It’s important that the adversary know. It is not a requirement that the whole world know it.

King: And the adversary does know it, in your view?

Pompeo: I’d prefer to save that for another forum.

Pompeo later interjected himself into a Kamala Harris discussion about the Trump Administration’s refusal to impose sanctions by suggesting that the issue is Russia’s response to cumulative responses. He definitely went to some effort to spin the Administration’s response to Russia as more credible than it looks.

Tom Cotton made two comments about the dossier that Director Wray deferred answering to closed session.

First, he asked about Christopher Steele’s ties to Oleg Deripaska, something I first raised here and laid out in more detail in this Chuck Grassley letter to Deripaska’s British lawyer Paul Hauser. When Cotton asked if Steele worked for Deripaska, Wray said, “that’s not something I can answer.” When asked if they could discuss it in a classified setting, Wray said, “there might be more we could say there.”

Cotton then asked if the FBI position on the Steele dossier remains that it is “salacious and unverified” as he (misleadingly) quoted Comey as saying last year. Wray responded, “I think there’s maybe more we can talk about this afternoon on that.” It’s an interesting answer given that, in Chuck Grassley’s January 4 referral, he describes a “lack of corroboration for [Steele’s dossier] claims, at least at the time they were included in the FISA applications,” suggesting that Grassley might know of corroboration since. Yet in an interview by the even better informed Mark Warner published 25 days later, Warner mused that “so little of that dossier has either been fully proven or conversely, disproven.” Yesterday, FP reported that BuzzFeed had hired a former FBI cybersecurity official Anthony Ferrante to try to chase down the dossier in support of the Webzilla and Alfa bank suits against the outlet, so it’s possible that focused attention (and subpoena power tied to the lawsuit) may have netted some confirmation.

Finally, Richard Burr ended the hearing by describing what the committee was doing with regards to the Russian investigation. He (and Warner) described an effort to bring out an overview on ways to make elections more secure. But Burr also explained that SSCI will release a review of the ICA report on the 2016 hacks.

In addition to that, our review of the ICA, the Intel Committee Assessment, which was done in the F–December of 06, 16–we have reviewed in great detail, and we hope to report on what we found to support the findings where it’s appropriate, to be critical if in fact we found areas where we found came up short. We intend to make that public. Overview to begin with, none of this would be without a declassification process but we will have a public version as quickly as we can.

Finally, in the last dregs of the hearing, Burr suggested they would report on who colluded during the election.

We will continue to work towards conclusions on any cooperation or collusion by any individual, campaign, or company with efforts to influence elections or create societal chaos in the United States.

My impression during the hearing was that this might refer to Cambridge Analytica, which tried to help Wikileaks organize hacked emails — and it might well refer to that. But I wonder if there’s not another company he has in mind.

Throwing H2O on the Pompeo to State Move

I could be totally wrong, but I don’t think the reported plan for Rex Tillerson to step down, to be replaced by Mike Pompeo, who in turn will be replaced by Tom Cotton (or maybe Admiral Robert Harward because Republicans can’t afford to defend an Arkansas Senate seat), will really happen.

The White House has developed a plan to force out Secretary of State Rex W. Tillerson, whose relationship with President Trump has been strained, and replace him with Mike Pompeo, the C.I.A. director, perhaps within the next several weeks, senior administration officials said on Thursday.

Mr. Pompeo would be replaced at the C.I.A. by Senator Tom Cotton, a Republican from Arkansas who has been a key ally of the president on national security matters, according to the White House plan. Mr. Cotton has signaled that he would accept the job if offered, said the officials, who insisted on anonymity to discuss sensitive deliberations before decisions are announced.

I say that for two reasons.

First, because of all the evidence that Mike Flynn is working on a plea deal. Particularly given that Mueller has decided he doesn’t need any more evidence of Flynn’s corrupt dealings with Turkey, I suspect his leverage over Flynn has gone well beyond just those crimes (which, in turn, is why I suspect Flynn has decided to flip).

I think that when the plea deal against Flynn is rolled out, it will be associated with some fairly alarming allegations against him and others, allegations that will dramatically change how willing Republicans are to run interference for Trump in Congress.

If I’m right about that, it will make it almost impossible for Pompeo to be confirmed as Secretary of State. Already, Senate Foreign Relations Committee Chair Bob Corker, who’d oversee the confirmation, is sending signals he’s not interested in seeing Pompeo replace Tillerson.

“I could barely pick Pompeo out of a lineup” Sen. Bob Corker (R-Tenn.), chairman of the Senate Foreign Relations Committee, said Thursday morning.

Already, Pompeo’s cheerleading of Wikileaks during the election should have been disqualifying for the position of CIA Director. That’s even more true now that Pompeo himself has deemed them a non-state hostile intelligence service.

Add in the fact that Pompeo met with Bill Binney to hear the skeptics’ version of the DNC hack, and the fact that Pompeo falsely suggested that the Intelligence Community had determined Russia hadn’t affected the election. Finally, add in the evidence that Pompeo has helped Trump obstruct the investigation and his role spying on CIA’s own investigation into it, and there’s just far too much smoke tying Pompeo to the Russian operation.

All that will become toxic once Mike Flynn’s plea deal is rolled out, I believe.

So between Corker and Marco Rubio, who both treat Russia’s hack of the election with real seriousness (remember, too, that Rubio himself was targeted), I don’t see how Pompeo could get out of the committee.

But there’s another reason I don’t think this will happen. I suspect it — like earlier threats to replace Jeff Sessions — is just an attempt to get Tillerson to hew to the Administration line on policy. The NYT cites Tillerson’s difference of opinion on both North Korea and Iran.

Mr. Trump and Mr. Tillerson have been at odds over a host of major issues, including the Iran nuclear deal, the confrontation with North Korea and a clash between Arab allies. The secretary was reported to have privately called Mr. Trump a “moron” and the president publicly criticized Mr. Tillerson for “wasting his time” with a diplomatic outreach to North Korea

It’s Iran that’s the big issue, particularly as Jared frantically tries to finish his “peace” “plan” before he gets arrested himself. The fact that Trump has floated Cotton as Pompeo’s replacement is strong support for the notion that this is about forcing Tillerson to accept the Administration lies about Iran and the nuclear deal: because Cotton, more than anyone else, has been willing to lie to oppose the deal.

Trump is basically saying that unless Tillerson will adopt the lies the Administration needs to start a war with Iran, then he will be ousted.

But Tillerson’s claim that he doesn’t need to replace all the people who’ve left State because he thinks a lot of domestic issues will be solved soon seems to reflect that he’s parroting the Administration line now.

Obviously, there’s no telling what will happen, because Trump is completely unpredictable.

But he also likes to use threats to get people to comply.

Update: CNN now reporting I’m correct.

Eleven (or Thirteen) Senators Are Cool with Using Section 702 to Spy on Americans

The Senate Intelligence Committee report on its version of Section 702 “reform” is out. It makes it clear that my concerns raised here and here are merited.

In this post, I’ll examine what the report — particularly taken in conjunction with the Wyden-Paul reform — reveals about the use of Section 702 for domestic spying.

The first clue is Senator Wyden’s effort to prohibit collection of domestic communications — the issue about which he and Director of National Intelligence Dan Coats have been fighting since June.

By a vote of four ayes to eleven noes, the Committee rejected an amendment by Senator Wyden that would have prohibited acquisition under Section 702 of communications known to be entirely domestic under authority to target certain persons outside of the United States. The votes in person or by proxy were as follows: Chairman Burr—no; Senator Risch—no; Senator Rubio—no; Senator Collins—no; Senator Blunt—no; Senator Lankford—no; Senator Cotton—no; Senator Cornyn—no; Vice Chairman Warner—no; Senator Feinstein—aye; Senator Wyden—aye; Senator Heinrich—aye; Senator King—no; Senator Manchin—no; and Senator Harris—aye.

It tells us that the government collects entirely domestic communications, a practice that Wyden tried to prohibit in his own bill, which added this language to Section 702.

(F) may not acquire communications known to be entirely domestic;

This would effectively close the 2014 exception, which permitted the NSA to continue to collect on a facility even after it had identified that Americans also used it. As I have explained, that exception is used to collect Tor (and probably VPN) traffic to obtain foreigners’ data. I suspect that detail is what Wyden had in mind when, in his comments in the report, he said the report itself “omit[s] key information about the scope of authorities granted the government” (though there are likely other things this report hides).

I have concerns about this report. By omitting key information about the scope of authorities granted the government, the Committee is itself contributing to the continuing corrosive problem of secret law

As the bill report lays out, Senators Burr, Risch, Rubio, Collins, Blunt, Lankford, Cotton, Cornyn, Warner, King, and Manchin are all cool using a foreign surveillance program to spy on their constituents, especially given that Burr has hidden precisely the impact of that spying in this report.

Any bets on whether they might have voted differently if we all got to know what kind of spying on us this bill authorized?

That, of course, is only eleven senators who are cool with treating their constituents (or at least those using location obscuring techniques) like foreigners.

But I’m throwing Feinstein and Harris in with that group, because they voted against a Wyden amendment that would have limited how the government could use 702 collected data in investigations.

By a vote of two ayes to thirteen noes, the Committee rejected an amendment by Senator Wyden that would have imposed further restrictions on use of Section 702-derived information in investigations and legal proceedings. The votes in person or by proxy were as follows: Chairman Burr—no; Senator Risch—no; Senator Rubio—no; Senator Collins—no; Senator Blunt—no; Senator Lankford—no; Senator Cotton—no; Senator Cornyn—no; Vice Chairman Warner—no; Senator Feinstein—no; Senator Wyden—aye; Senator Heinrich—aye; Senator King—no; Senator Manchin—no; and Senator Harris—no.

While we don’t have the language of this amendment, I assume it does what this language in Wyden’s bill does, which is to limit the use of Section 702 data for purposes laid out in the known certificates (foreign government including nation-state hacking, counterproliferation, and counterterrorism — though this language makes me wonder if there’s a Critical Infrastructure certificate or whether it only depends on the permission to do so in the FBI minimization procedures, and the force protection language reminds me of the concerns raised by a recent HRW FOIA permitting the use of 12333 language to do so).

(B) in a proceeding or investigation in which the information is directly related to and necessary to address a specific threat of—

(i) terrorism (as defined in clauses (i) through (iii) of section 2332(g)(5)(B) of title 18, United States Code);

(ii) espionage (as used in chapter 37 of title 18, United States Code);

(iii) proliferation or use of a weapon of mass destruction (as defined in section 2332a(c) of title 18, United States Code);

(iv) a cybersecurity threat from a foreign country;

(v) incapacitation or destruction of critical infrastructure (as defined in section 1016(e) of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001 (42 U.S.C. 5195c(e))); or

(vi) a threat to the armed forces of the United States or an ally of the United States or to other personnel of the United States Government or a government of an ally of the United States.

Compare this list with the one included in the bill, which codifies the use of 702 data for issues that,

“Affects, involves, or is related to” the national security of the United States (which will include proceedings used to flip informants on top of whatever terrorism, proliferation, or espionage and hacking crimes that would more directly fall under national security) or involves,

  • Death
  • Kidnapping
  • Serious bodily injury
  • Specified offense against a minor
  • Incapacitation or destruction of critical infrastructure (critical infrastructure can include even campgrounds!)
  • Cybersecurity, including violations of CFAA
  • Transnational crime, including transnational narcotics trafficking
  • Human trafficking (which, especially dissociated from transnational crime, is often used as a ploy to prosecute prostitution; the government also includes assisting undocumented migration to be human trafficking)

[snip]

Importantly, the bill does not permit judicial review of the determination that something “affects, involves, or is related to” national security. Meaning Attorney General Jeff Sessions could decide tomorrow that it can collect the Tor traffic of BLM or BDS activists, and no judge can rule that’s an inappropriate use of a foreign intelligence program.

The bill report’s description of this section makes it clear that — in spite of its use of the word “restriction,” — this is really about providing affirmative “permission.”

Section 6 provides restrictions on the Federal Bureau of Investigation’s (FBI’s) use of Section 702-derived information, so that the FBI can use the information as evidence only in court proceedings [my emphasis]

That is, Wyden would restrict the use of 702 data to purposes the FISC has affirmatively approved, rather than the list of 702 purposes expanded to include the most problematic uses of Tor: all hacking, dark markets, and child porn.

So while Feinstein and Harris voted against the use of 702 to collect known domestic communications, they’re still okay using domestic Tor communications they say they don’t want to let NSA collect to prosecute Americans (which is actually not surprising given their past actions on sex workers).

Again, they’re counting on the fact that the bill report is written such that their constituents won’t know that this is going on. Unless they read me.

Look, I get the need to collect on Tor traffic to go after its worst uses. But if you’re going to do that, stop pretending this is a foreign surveillance bill, and instead either call it a secret court bill (one that effectively evades warrant requirements for all Tor wiretapping in this country), or admit you’re doing that collection and put review of it back into criminal courts where it belongs.

I Con the Record Transparency Bingo (4): How 151 Million Call Events Can Look Reasonable But Is Besides the Point

Other entries in I Con the Record Transparency Bingo:

(1) Only One Positive Hit on a Criminal Search

(2): The Inexplicable Drop in PRTT Numbers

(3): CIA Continues to Hide Its US Person Network Analysis

If your understanding of the phone dragnet replacing the old USA Freedom dragnet came from the public claims of USA Freedom Act boosters or from this NYT article on the I Con the Record report, you might believe 42 terrorist suspects and their 3,150 friends made 48,000 phone calls last year, which would work out to 130 calls a day … or maybe 24,000 perfectly duplicative calls, which works out to about 65 calls a day.

That’s the math suggested by these two entries in the I Con the Record Transparency Report — showing that the 42 targets of the new phone dragnet generated over 151 million “call detail records.” But as I’ll show, the impact of the 151 million [corrected] records collected last year is in some ways far lower than collecting 65 calls a day, which is a good thing! But it supports a claim that USAF has an entirely different function than boosters understood.

 

Here’s the math for assuming these are just phone calls. There were 42 targets approved for use in the new phone dragnet for some part of last year. Given the data showing just 40 orders, they might only be approved for six months of the year (each order lasts for 180 days), but we’ll just assume the NSA gets multiple targets approved with each order and that all 42 targets were tasked for the entirety of last year (for example, you could have just two orders getting 42 targets approved to cover all these people for a year).

In its report on the phone dragnet, PCLOB estimated that each target might have 75 total contacts. So a first round would collect on 42 targets, but with a second round you would be collecting on 3,192 people. That would mean each of those 3,192 people would be responsible for roughly 48,000 calls a year, every single one of which might represent a new totally innocent American sucked into NSA’s maw for the short term [update: that would be up to a total of 239,400 2nd-degree interlocutors]. The I Con the Record report says that, “the metric provided is over‐inclusive because the government counts each record separately even if the government receives the same record multiple times (whether from one provider or multiple providers).” If these were phone calls between just two people, then if our terrorist buddies only spoke to each other, each would be responsible for 24,000 calls a year, or 65 a day, which is certainly doable, but would mean our terrorist suspects and their friends all spent a lot of time calling each other.

The number becomes less surprising when you remember that even with traditional telephony call records can capture calls and texts. All of a sudden 65 becomes a lot more doable, and a lot more likely to have lots of perfectly duplicative records as terrorists and their buddies spend afternoons texting back and forth with each other.

Still, it may mean that 65 totally innocent people a day get sucked up by NSA.

All that said, there’s no reason to believe we’re dealing just with texts and calls.

As the report reminds us, we’re actually talking about session identifying information, which in the report I Con the Record pretends are “commonly referred to” as “call events.”

Call Detail Records (CDR) – commonly referred to as “call event metadata” – may be obtained from telecommunications providers pursuant to 50 U.S.C. §1861(b)(2)(C). A CDR is defined as session identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity (IMSI) number, or an International Mobile Station Equipment Identity (IMEI) number), a telephone calling card number, or the time or duration of a call. See 50 U.S.C. §1861(k)(3)(A). CDRs do not include the content of any communication, the name, address, or financial information of a subscriber or customer, or cell site location or global positioning system information. See 50 U.S.C. §1861(k)(3)(B). CDRs are stored and queried by the service providers. See 50 U.S.C. §1861(c)(2).

Significantly, this parenthesis — “(including an originating or terminating telephone number, an International Mobile Subscriber Identity (IMSI) number, or an International Mobile Station Equipment Identity (IMEI) number)” — suggests that so long as something returns a phone number, a SIM card number, or a handset number, that can be a “call event.” That is, a terrorist using his cell phone to access a site, generating a cookie, would have the requisite identifiers for his phone as well as a time associated with it. And I Con the Record’s transparency report says it is collecting these “call event” records from “telecommunications” firms, not phone companies, meaning a lot more kinds of things might be included — certainly iMessage and WhatsApp, possibly Signal. Indeed, that’s necessarily true given repeated efforts in Congress to get a list of all electronic communications service providers that don’t keep their “call records” 18 months and to track any changes in retention policies. It’s also necessarily true given Marco Rubio’s claim that we’re sending requests out to a “large and significant number of companies” under the new phone dragnet.

The fine print provides further elements that suggest both that the 151 million events collected last year are not that high. First, it suggests a significant number of CDRs fail validation at some point in the process.

This metric represents the number of records received from the provider(s) and stored in NSA repositories (records that fail at any of a variety of validation steps are not included in this number).

At one level, this means NSA’s results resulted in well more than 151 million events collected. But it also means they may be getting junk. One thing that in the past might have represented a failed validation is if the target no longer uses the selector, though the apparent failure at multiple levels suggests there may be far more interesting reasons for failed validation, some probably technically more interesting.

In addition, the fine print notes that the 151 million call events include both historical events collected with the first order as well as the prospective events collected each day.

CDRs covered by § 501(b)(2)(C) include call detail records created before, on, or after the date of the application relating to an authorized investigation.

So these events weren’t all generated last year — if they’re from AT&T they could have been generated decades ago. Remember that Verizon and T-Mobile agreed to a handshake agreement to keep their call records two years as part of USAF, so for major providers providing just traditional telephony, a request will include at least two years of data, plus the prospective collection. That means our 3,192 targets and friends might only have had 48 calls or texts a day, without any duplication.

Finally, there’s one more thing that suggests this huge number isn’t that huge, but that also it may be a totally irrelevant measure of the privacy impact. In NSA’s document on implementing the program from last year, it described first querying the NSA Enterprise Architecture to find query results, and then sending out selectors for more data.

Once the one-hop results are retrieved from the NSA’s internal holdings, the list of FISC-approved specific selection terms, along with NSA’s internal one-hop results, are submitted to the provider(s).

In other words — and this is a point that was clear about the old phone dragnet but which most people simply refused to understand — this program is not only designed to interact seamlessly with EO 12333 collected data (NSA’s report says so explicitly, as did the USAF report), but many of the selectors involved are already in NSA’s maw.

Under the old phone dragnet, a great proportion of the phone records in question came from EO 12333. NSA preferred then — and I’m sure still prefers now — to rely on queries run on EO 12333 because they came with fewer limits on dissemination.

Which means we need to understand the 65 additional texts — or anything else available only in the US from a large number of electronic communications service providers that might be deemed a session identifier — a day from 42 terrorists and their 3150 buddies on top of the vast store of EO 12333 records that form the primary basis here.

Because (particularly as the rest of the report shows continually expanding metadata analysis and collection) this is literally just the tip of an enormous iceberg, 151 million edge cases to a vast sea of data.

Update: Charlie Savage, who has a really thin skin, wrote me an email trying to dispute this post. In the past, his emails have almost universally devolved into him being really defensive while insisting over and over that stuff I’ve written doesn’t count as reporting (he likes to do this, especially, with stuff he claims a scoop for three years after I’ve written about it). So I told him I would only engage publicly, which he does here.

Fundamentally, Charlie disputes whether Section 215 is getting anything that’s not traditional telephony (he says my texts point is “likely right,” apparently unaware that a document he obtained in FOIA shows an issue that almost certainly shows they were getting texts years ago). Fair enough: the law is written to define CDRs as session identifiers, not telephony calls; we’ll see whether the government is obtaining things that are session identifiers. The I Con the Record report is obviously misleading on other points, but Charlie relies on language from it rather than the actual law. Charlie ignores the larger point, that any discussion of this needs to engage with how Section 215 requests interact with EO 12333, which was always a problem with the reporting on the topic and remains a problem now.

So, perhaps I’m wrong that it is “necessarily” the case that they’re getting non-telephony calls. The law is written such that they can do so (though the bill report limits it to “phone companies,” which would make WhatsApp but not iMessage a stretch).

What’s remarkable about Charlie’s piece, though, is that he utterly and completely misreads this post, “About half” of which, he says, “is devoted to showing how the math to generate 151 million call events within a year is implausible.”

The title of this post says, “151 Million Call Events Can Look Reasonable.” I then say, “But as I’ll show, the impact of the 131 [sic, now corrected] million records collected last year is in some ways far lower than collecting 65 calls a day, which is a good thing!” I then say, “The number becomes less surprising when you remember that even with traditional telephony call records can capture calls and texts. All of a sudden 65 becomes a lot more doable, and a lot more likely to have lots of perfectly duplicative records as terrorists and their buddies spend afternoons texting back and forth with each other.” I go on to say, “The fine print provides further elements that suggest both that the 151 million events collected last year are not that high.” I then go on to say, “So these events weren’t all generated last year — if they’re from AT&T they could have been generated decades ago.”

That is, in the title, and at least four times after that, I point out that 151 million is not that high. Yet he claims that my post aims to show that the math is implausible, not totally plausible. (He also seems to think I’ve not accounted for the duplicative nature of this, which is curious, since I quote that and incorporate it into my math.)

In his email, I noted that this post replied not just to him, but to others who were alarmed by the number. I said specifically with regards the number, “yes, you were among the people I subtweeted there. But not the only one and some people did take this as just live calls. It’s not all about you, Charlie.”

Yet having been told that that part of the post was not a response to him, Charlie nevertheless persisted in completely misunderstanding the post.

I guess he still believed it was all about him.

Maybe Charlie should spend his time reading the documents he gets in FOIA more attentively rather than writing thin-skinned emails assuming everything is about him?

Update: Once I pointed out that Charlie totally misread this post he told me to go back on my meds.

Since he’s being such a douche, I’ll give you two more pieces of background. First, after I said that I knew CIA wasn’t tracking metadata (because it’s all over public records), Charlie suggested he knew better.

Here’s me twice pointing out that the number of call events was not (just) calls (as he had claimed in his story), a point he mostly concedes in his response.

Here’s the lead of his story:

DOJ’s Clear Threat to Go After Apple’s Source Code

Oops: My post URLs crossed. Here’s where If Trump’s Protestors Didn’t Exist He Would Have to Invent Them is.

In a rather unfortunate section heading the government used in their brief responding to Apple last week, DOJ asserted “There Is No Due Process Right Not to Develop Source Code.” The heading seemed designed to make Lavabit’s point about such requests being involuntary servitude.

I’d like to elaborate on this post to look at what DOJ has to say about source code — because I think the filing was meant to be an explicit threat that DOJ can — and may well, even if Apple were to capitulate here — demand Apple’s source code.

The government’s filing mentions “source code” ten different times [see update]. The bulk of those mentions appear in DOJ’s rebuttal to Apple’s assertion of a First Amendment claim about having to write code that violates its own beliefs, as in these three passages (there is one more purportedly addressing First Amendment issues I discuss below).

Incidentally Requiring a Corporation to Add Functional Source Code to a Commercial Product Does Not Violate the First Amendment

Apple asserts that functional source code in a corporation’s commercial product is core protected speech, such that asking it to modify that software on one device—to permit the execution of a lawful warrant—is compelled speech in violation of the First Amendment.

[snip]

There is reason to doubt that functional programming is even entitled to traditional speech protections. See, e.g., Universal City Studios, Inc. v. Corley, 273 F.3d 429, 454 (2d Cir. 2001) (recognizing that source code’s “functional capability is not speech within the meaning of the First Amendment”).

[snip]

To the extent Apple’s software includes expressive elements—such as variable names and comments—the Order permits Apple to express whatever it wants, so long as the software functions. Cf. Karn v. United States Department of State, 925 F. Supp. 1, 9-10 (D.D.C. 1996) (assuming, without deciding, that source code was speech because it had English comments interspersed).

Most people aside from EFF think Apple’s First Amendment claim is the weakest part of its argument. I’m not so sure that, in the hands of the guy who argued Citizens United before SCOTUS, it will end up that weak. Nevertheless, DOJ focused closely on it, especially as compared to its treatment of Apple’s Fifth Amendment argument, which is where that dumb heading came in. This is the entirety of DOJ’s response to that part of Apple’s argument.

There Is No Due Process Right Not to Develop Source Code

Apple lastly asserts that the Order violates its Fifth Amendment right to due process. Apple is currently availing itself of the considerable process our legal system provides, and it is ludicrous to describe the government’s actions here as “arbitrary.” (Opp. 34); see County of Sacramento v. Lewis, 523 U.S. 833, 846-49 (1998). If Apple is asking for a Lochner-style holding that businesses have a substantive due process right against interference with its marketing strategy or against being asked to develop source code, that claim finds no support in any precedent, let alone “in the traditions and conscience of our people,” “the concept of ordered liberty,” or “this Nation’s history.” Washington v. Glucksberg, 521 U.S. 702, 721 (1997).

Though admittedly, that’s about how much Apple included in its brief.

The Fifth Amendment’s Due Process Clause Prohibits The Government From Compelling Apple To Create The Request [sic] Code

In addition to violating the First Amendment, the government’s requested order, by conscripting a private party with an extraordinarily attenuated connection to the crime to do the government’s bidding in a way that is statutorily unauthorized, highly burdensome, and contrary to the party’s core principles, violates Apple’s substantive due process right to be free from “‘arbitrary deprivation of [its] liberty by government.’” Costanich v. Dep’t of Soc. & Health Servs., 627 F.3d 1101, 1110 (9th Cir. 2010) (citation omitted); see also, e.g., Cnty. of Sacramento v. Lewis, 523 U.S. 833, 845-46 (1998) (“We have emphasized time and again that ‘[t]he touchstone of due process is protection of the individual against arbitrary action of government,’ . . . [including] the exercise of power without any reasonable justification in the service of a legitimate governmental objective.” (citations omitted)); cf. id. at 850 (“Rules of due process are not . . . subject to mechanical application in unfamiliar territory.”).

In other words, both Apple and DOJ appear to have a placeholder for discussions about takings (one that Lavabit argued from a Thirteenth Amendment perspective).

Those constitutional arguments, however, all seem to pertain to the contested order requiring Apple to create source code that doesn’t currently exist. Or do they?

As I noted in my earlier Lavabit post, the DOJ argument doesn’t focus entirely on writing code that doesn’t already exist. As part of its argument for necessity, DOJ pretends to take Apple at its word that the US government could not disable the features (as if that’s what they would do if they had source code!) themselves.

Without Apple’s assistance, the government cannot carry out the search of Farook’s iPhone authorized by the search warrant. Apple has ensured that its assistance is necessary by requiring its electronic signature to run any program on the iPhone. Even if the Court ordered Apple to provide the government with Apple’s cryptographic keys and source code, Apple itself has implied that the government could not disable the requisite features because it “would have insufficient knowledge of Apple’s software and design protocols to be effective.”  (Neuenschwander Decl. ¶ 23.)

Note DOJ claims to source that claim to Apple Manager of User Privacy Erik Neuenschwander’s declaration (which is included with their motion). But he wasn’t addressing whether the government would be able to reverse-engineer Apple’s source code at all. Instead, that language came from a passage where he explained why experienced engineers would have to be involved in writing the new source code.

New employees could not be hired to perform these tasks, as they would have insufficient knowledge of Apple’s software and design protocols to be effective in designing and coding the software without significant training.

So the discussion of what the government could do if it had Apple’s source code is just as off point as the passage invoking the Lavabit case (which involved an SSL key, but not source code). Here’s that full passage:

The government has always been willing to work with Apple to attempt to reduce any burden of providing access to the evidence on Farook’s iPhone. See Mountain Bell, 616 F.2d at 1124 (noting parties’ collaboration to reduce perceived burdens). Before seeking the Order, the government requested voluntary technical assistance from Apple, and provided the details of its proposal. (Supp. Pluhar Decl. ¶ 12.) Apple refused to discuss the proposal’s feasibility and instead directed the FBI to methods of access that the FBI had already tried without success. (Compare Neuenschwander Decl. ¶¶ 54-61, with Supp. Pluhar Decl. ¶ 12.) The government turned to the Court only as a last resort and sought relief on narrow grounds meant to reduce possible burdens on Apple. The Order allows Apple flexibility in how to assist the FBI. (Order ¶ 4.) The government remains willing to seek a modification of the Order, if Apple can propose a less burdensome or more agreeable way for the FBI to access Farook’s iPhone.9

9 For the reasons discussed above, the FBI cannot itself modify the software on Farook’s iPhone without access to the source code and Apple’s private electronic signature. The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers. See In re Under Seal, 749 F.3d 276, 281-83 (4th Cir. 2014) (affirming contempt sanctions imposed for failure to comply with order requiring the company to assist law enforcement with effecting a pen register on encrypted e-mail content which included producing private SSL encryption key).

Effectively, having invented a discussion about whether the government would be able to use Apple’s source code out of thin air, DOJ returns to that possibility here, implying that that would be the least burdensome way of getting what it wanted and then reminding that it has succeeded in the past in demanding that a provider expose all of its users to government snooping, even at the cost of shutting down the business, even after Ladar Levison (after some complaining) had offered to provide decrypted information himself.

Significantly, the government obtained a warrant for Lavabit’s keys as a way of avoiding the question of whether the “technical assistance” language in the Pen/Trap statute extended to sharing keys, but Levison was ultimately held in contempt for all the orders served on him, including the Pen/Trap order and its language about technical assistance. The Fourth Circuit avoided ruling on whether that assistance language in Pen/Trap orders extended to encryption keys by finding that Levison had not raised it prior to appeal and that the District Court had not clearly erred, which effectively delayed consideration of the same kinds of issues at issue (though under a different set of laws) in the Apple encryption cases.

In making his statement against turning over the encryption keys to the Government, Levison offered only a one-sentence remark: “I have only ever objected to turning over the SSL keys because that would compromise all of the secure communications in and out of my network, including my own administrative traffic.” (J.A. 42.) This statement — which we recite here verbatim — constituted the sum total of the only objection that Lavabit ever raised to the turnover of the keys under the Pen/Trap Order. We cannot refashion this vague statement of personal preference into anything remotely close to the argument that Lavabit now raises on appeal: a statutory-text-based challenge to the district court’s fundamental authority under the Pen/Trap Statute. Levison’s statement to the district court simply reflected his personal angst over complying with the Pen/Trap Order, not his present appellate argument that questions whether the district court possessed the authority to act at all.

[snip]

The Government, however, never stopped contending that the Pen/Trap Order, in and of itself, also required Lavabit to turn over the encryption keys. For example, the Government specifically invoked the Pen/Trap Order in its written response to Lavabit’s motion to quash by noting that “four separate legal obligations” required Lavabit to provide its encryption keys, including the Pen/Trap Order and the June 28 Order.

[snip]

In view of Lavabit’s waiver of its appellate arguments by failing to raise them in the district court, and its failure to raise the issue of fundamental or plain error review, there is no cognizable basis upon which to challenge the Pen/Trap Order. The district court did not err, then, in finding Lavabit and Levison in contempt once they admittedly violated that order.

In other words, the Lavabit reference, like the invention of an Apple discussion about what the government could do with its source code (any such discussion would have been interesting in and of itself, because I’d bet Apple would be more confident FBI couldn’t do much with its source code than that NSA couldn’t), was off point. But in introducing both references, DOJ laid the groundwork for a demand for source code to be the fallback, least burdensome position.

And, as I noted, in the Lavabit case, the government justified demanding a key based on the presumption that Edward Snowden would have a more complicated password than Syed Rizwan Farook’s 4-digit numerical passcode. That is, in that case, the government tied a more intrusive demand to the difficulty of accessing a target’s communications, not to the law itself, which suggests they’d be happy to do so in the future if they were faced with an Apple phone with a passcode too complex to brute force in 26 minutes, as FBI claims it could do here.

All of which brings me to one more citation of source code in DOJ’s extended First Amendment discussion: a reference to a civil case where Apple was able to obtain the source code of a competitor.

This form of “compelled speech” runs throughout both the criminal and civil justice systems, from grand jury and trial subpoenas to interrogatories and depositions. See, e.g., Apple Inc.’s Motion to Compel in Apple Inc. v. Samsung Electronics, Docket No. 467 in Case No. 11–cv–1846–LHK, at 11 (N.D. Cal. Dec. 8, 2011) (Apple’s seeking court order compelling Samsung to produce source code to facilitate its compelled deposition of witnesses about that source code).

Note, this is not a case about Apple (or Samsung, in this case) being compelled to write new code at all. Rather, it is a case about handing over the source code a company already had. In another off point passage, then, DOJ pointed to a time when Apple itself successfully argued the provision of source code could be compelled, even in a civil case.

Through a variety of means, DOJ went well out of its way to introduce the specter of a demand for Apple’s source code into its response. They are clearly suggesting that if Apple refuses to write code that doesn’t exist, the government will happily take code that does.

Loretta Lynch claimed, under oath last week, that the government doesn’t want a back door into Apple products. That’s not what her lawyers have suggested in this brief. Not at all.

Update: Here’s how Apple treated this in its Reply:

The government also implicitly threatens that if Apple does not acquiesce, the government will seek to compel Apple to turn over its source code and private electronic signature. Opp. 22 n.9. The catastrophic security implications of that threat only highlight the government’s fundamental misunderstanding or reckless disregard of the technology at issue and the security risks implicated by its suggestion.

Also, in writing this post, I realized there’s one more reference to source code in the government’s Response, one that admits Apple’s source code is “the keys to the kingdom.”

For example, Apple currently protects (1) the source code to iOS and other core Apple software and (2) Apple’s electronic signature, which as described above allows software to be run on Apple hardware. (Hanna Decl. Ex. DD at 62-64 (code and signature are “the most confidential trade secrets [Apple] has”).) Those —which the government has not requested—are the keys to the kingdom. If Apple can guard them, it can guard this.

The Play on the Scalia Replacement: Remember the Lame Duck

Within minutes after the public announcement of Antonin Scalia’s death, Senator Mike Lee’s flack Conn Carroll started predicting Obama would have zero chance of successfully naming a successor. After Carroll, one after another actual Senator followed that sentiment, including Chuck Grassley and Mitch McConnell, both of whom would have the ability to stall any Obama nominee. From that point, the GOP was pretty much committed, they said, to preventing any Obama nominee from being confirmed.

That led to a bunch of bad comparisons — between judges like Robert Bork who was rejected and Miguel Estrada who never got a vote — and simply going a year without acting on a President’s nominee. Even the comparison with Anthony Kennedy (who was nominated in November after two other nominees, including Bork, failed) is inapt, as he was nominated earlier than any Obama pick would be (though in a sense that fetishizes the year that would pass without a nominee).

I, like bmaz, believe Obama will pick someone fairly centrist, probably someone who has been recently confirmed by big margins. I agree the most likely nominee will be Sri Srinivasan, who in 2013 was confirmed to the DC Circuit with a 97-0 vote — though I’m also mindful of the wisdom (given the GOP unanimity about obstructing this nominee) of picking someone who would drive Democratic turnout — an African-American woman, for example. Though I highly doubt Obama will nominate Loretta Lynch, as some have suggested, not least because the fight over releasing data on HSBC’s continued money laundering will draw more attention as it moves toward appeal, which might focus attention on her role in administering the wrist slap in the face of egregious drug cartel and terrorist supporting money laundering.

After some reflection, some conservatives have suggested that the GOP would have been better served if they had simply not managed to pass Obama’s nominee, rather than making such a big stink about it.

I think that ignores how much both parties look forward to using this nominee to drive turnout — and regardless of who the respective nominees are, the GOP have a much bigger challenge in getting enough voters to turn out to elect a GOP president in November, so I’m sure they’re quite happy to have an issue that (they presumably hope) might flip some conservative Latino votes — though one likely outcome of an extended 8-member court is that the Fifth Circuit’s ruling staying Obama’s immigration orders will be upheld after a 4-4 tie on the court, which might have the opposite effect.

Furthermore, I think it ignores one other factor. Srinivasan has been predicted to be Obama’s most likely SCOTUS appointment for almost 3 years (few people consider how such predictions might have influenced Ruth Bader Ginsburg’s decision not to retire). The Republicans probably presume he’s the most likely candidate as well.

The presumption Srinivasan — or someone similar — would be the nominee easily justifies the GOP’s immediate promise they won’t confirm a nominee. That’s because they need to explain why someone they just overwhelmingly confirmed, someone who faced more opposition from the left than the right, suddenly became unacceptable.

More importantly, I presume the GOP wants to keep open the possibility of confirming Srinivasan or whatever centrist Obama appoints during the Lame Duck. Here’s why:

Barring any replay of Bush v. Gore, both sides will know on November 9 who would get to pick Scalia’s replacement if Obama’s pick failed. Both sides will also know the makeup of the Senate. Because of the demographic issues I mentioned earlier, the likely Democratic nominee, Hillary Clinton, is most likely to win. That’s not to say I think she’s necessarily the strongest candidate — even ignoring the potential the email scandal will taint close advisors like Huma Abedin or Jake Sullivan, I think it likely the economy will be crashing by November in a way that would favor Trump if he were the GOP nominee facing Hillary. But I think electoral demographics suggest the GOP will have a harder time winning this year, particularly after a year of Trump branding the GOP with bigotry.

Plus (ignoring my suspicion the economy will be crashing by November), we’re likely to have a more Democratic Senate after November. Harry Reid is the only retiring Democrat where the replacement race is currently perceived to be toss-up, whereas Marco Rubio, Mark Kirk, Kelly Ayotte, and Ron Johnson are all deemed to be likely toss-ups, if not Dem-favorable. It’s still most likely the GOP will have a slight majority, but a smaller one, in the Senate, one where people like Susan Collins could make more of a difference. But it is likely to be more Democratic.

If Hillary wins (the most likely outcome) and Democrats win the Senate (unlikely, but feasible), then the Republicans will have good reason to want to confirm an Obama nominee perceived to be centrist. Whereas Srinivasan looks far worse than Scalia to the Republicans, he would all of a sudden look far preferable to a Hillary choice with the time to wait out the Senate. The GOP would have time between November 9 and the Christmas break to confirm whatever Obama nominee has been languishing.

In other words, I think the GOP have provided a way to stall someone (like Srinivasan) they have recently confirmed, while leaving the possibility of confirming that person if November makes it likely the next nominee will be more liberal.

One more thing: Commentary on this process has presumed that McConnell and Grassley (and Obama) learned of Scalia’s death when we all did. I would hope that Obama, at least, got word well before that, particularly given the involvement of at least the US Marshals and according to some reports the FBI. But I also wouldn’t leave out the possibility that one of the 39 other still unidentified guests at the ranch this weekend gave the Republican leadership a heads up as soon as a hearse showed up. So it’s possible that what looked like a quick knee-jerk response on the part of Republican leadership was instead more considered, along the lines I’ve just laid out.

What We Know about the Section 215 Phone Dragnet and Location Data

Last month’s squabble between Marco Rubio and Ted Cruz about USA Freedom Act led a number of USAF boosters to belatedly understand what I’ve been writing for years: that USAF expanded the universe of people whose records would be collected under the program, and would therefore expose more completely innocent people, along with more potential suspects, to the full analytical tradecraft of the NSA, indefinitely.

In an attempt to explain why that might be so, Julian Sanchez wrote this post, focusing on the limits on location data collection that restricted cell phone collection. Sanchez ignores two other likely factors — the probable inclusion of Internet phone calls and the ability to do certain kinds of connection chaining — that mark key new functionalities in the program which would have posed difficulties prior to USAF. But he also misses a lot of the public facts about location collection and cell phones under the Section 215 dragnet. This post will lay those out.

The short version is this: the FISC appears to have imposed some limits on prospective cell location collection under Section 215 even as the phone dragnet moved over to it, and it was not until August 2011 that NSA started collecting cell phone records — stripped of location — from AT&T under Section 215 collection rules. The NSA was clearly getting “domestic” records from cell phones prior to that point, though it’s possible they weren’t coming from Section 215 data. Indeed, the only known “successes” of the phone dragnet — Basaaly Moalin and Adis Medunjanin — identified cell phones. It’s not clear whether those came from EO 12333, secondary database information that didn’t include location, or something else.

Here’s the more detailed explanation, along with a timeline of key dates:

There is significant circumstantial evidence that by February 17, 2006 — two months before the FISA Court approved the use of Section 215 of the PATRIOT Act to aspire to collect all Americans’ phone records — the FISA Court required briefing on the use of “hybrid” requests to get real-time location data from targets using a FISA Pen Register together with a Section 215 order. The move appears to have been a reaction to a series of magistrates’ rulings against a parallel practice in criminal cases. The briefing order came in advance of the 2006 PATRIOT Act reauthorization going into effect, which newly limited Section 215 requests to things that could be obtained with a grand jury subpoena. Because some courts had required more than a subpoena to obtain location, it appears, FISC reviewed the practice in the FISC — and, given the BR/PR numbers reported in IG Reports, ended it sometime before the end of 2006, though not immediately.

The FISC taking notice of criminal rulings and restricting FISC-authorized collection accordingly would be consistent with information provided in response to a January 2014 Ron Wyden query about what standards the FBI uses for obtaining location data under FISA. To get historic data (at least according to the letter), FBI used a 215 order at that point. But because some district courts (this was written in 2014, before some states and circuits had weighed in on prospective location collection, not to mention the 11th circuit ruling on historical location data under US v. Davis) require a warrant, “the FBI elects to seek prospective CSLI pursuant to a full content FISA order, thus matching the higher standard imposed in some U.S. districts.” In other words, as soon as some criminal courts started requiring a warrant, FISC apparently adopted that standard. If FISC continued to adopt criminal precedents, then at least after the first US v. Davis ruling, it would have and might still require a warrant (that is, an individualized FISA order) even for historical cell location data (though Davis did not apply to Stingrays).

FISC doesn’t always adopt the criminal court standard; at least until 2009 and by all appearances still, for example, FISC permits the collection, then minimization, of Post Cut Through Dialed Digits collected using FISA Pen Registers, whereas in the criminal context FBI does not collect PCTDD. But the FISC does take notice of, and respond to — even imposing a higher national security standard than what exists at some district levels — criminal court decisions. So the developments affecting location collection in magistrate, district, and circuit courts would be one limit on the government’s ability to collect location under FISA.

That wouldn’t necessarily prevent NSA from collecting cell records using a Section 215 order, at least until the Davis decision. After all, does that count as historic (a daily collection of records each day) or prospective (the approval to collect data going forward in 90 day approvals)? Plus, given the PCTDD and some other later FISA decisions, it’s possible FISC would have permitted the government to collect but minimize location data. But the decisions in criminal courts likely gave FISC pause, especially considering the magnitude of the production.

Then there’s the chaos of the program up to 2009.

At least between January 2008 and March 2009, and to some degree for the entire period preceding the 2009 clean-up of the phone and Internet dragnets, the NSA was applying EO 12333 standards to FISC-authorized metadata collection. In January 2008, NSA co-mingled 215 and EO 12333 data in either a repository or interface, and when the shit started hitting the fan the next year, analysts were instructed to distinguish the two authorities by date (which would have been useless to do). Not long after this data was co-mingled in 2008, FISC first approved IMEI and IMSI as identifiers for use in Section 215 chaining. In other words, any restrictions on cell collection in this period may have been meaningless, because NSA wasn’t heeding FISC’s restrictions on PATRIOT authorized collection, nor could it distinguish between the data it got under EO 12333 and Section 215.

Few people seem to get this point, but at least during 2008, and probably during the entire period leading up to 2009, there was no appreciable analytical border between where the EO 12333 phone dragnet ended and the Section 215 one began.

There’s no unredacted evidence (aside from the IMEI/IMSI permission) the NSA was collecting cell phone records under Section 215 before the 2009 process, though in 2009, both Sprint and Verizon (even AT&T, though to a much less significant level) had to separate out their entirely foreign collection from their domestic, meaning they were turning over data subject to EO 12333 and Section 215 together for years. That’s also roughly the point when NSA moved toward XML coding of data on intake, clearly identifying where and under what authority it obtained the data. Thus, it’s only from that point forward where (at least according to what we know) the data collected under Section 215 would clearly have adhered to any restrictions imposed on location.

In 2010, the NSA first started experimenting with smaller collections of records including location data at a time when Verizon Wireless was named on primary orders. And we have two separate documents describing what NSA considered its first collection of cell data under Section 215 on August 29, 2011. But it did so only after AT&T had stripped the location data from the records.

It appears Verizon never did the same (indeed, Verizon objected to any request to do so in testimony leading up to USAF’s passage). The telecoms used different methods of delivering call records under the program. In fact, on August 2, 2012, NSA’s IG described the orders as requiring telecoms to produce “certain call detail records (CDRs) or telephony metadata,” which may differentiate records that (which may just be AT&T) got processed before turning over. Also in 2009, part of Verizon ended its contract with the FBI to provide special compliance with NSLs. Both things may have affected Verizon’s ability or willingness to customize what it was delivering to NSA, as compared to AT&T.

All of which suggests that at least Verizon could not or chose not to do what AT&T did: strip location data from its call records. Section 215, before USAF, could only require providers to turn over records they kept; it could not require, as USAF may, provision of records in the form required by the government. Additionally, under Section 215, providers did not get compensated after the first two dragnet orders.

All that said, the dragnet has identified cell phones! In fact, the only known “successes” under Section 215 — the discovery of Basaaly Moalin’s T-Mobile cell phone and the discovery of Adis Medunjanin’s unknown, but believed to be Verizon, cell phone — did, and they are cell phones from companies that didn’t turn over records. In addition, there’s another case, cited in a 2009 Robert Mueller declaration preceding the Medunjanin discovery, that found a US-based cell phone.

There are several possible explanations for that. The first is that these phones were identified based off calls from landlines and/or off backbone records (so the phone number would be identified, but not the cell information). But note that, in the Moalin case, there are no known land lines involved in the presumed chain from Ayro to Moalin.

Another possibility — a very real possibility with some of these — is that the underlying records weren’t collected under Section 215 at all, but were instead collected under EO 12333 (though Moalin’s phone was identified before Michael Mukasey signed off on procedures permitting the chaining through US person records). That’s all the more likely given that all the known hits were collected before the point in 2009 when the FISC started requiring providers to separate out foreign (EO 12333) collection from domestic and international (Section 215) collection. In other words, the Section 215 phone dragnet may have been working swimmingly up until 2009 because NSA was breaking the rules, but as soon as it started abiding by the rules — and adhering to FISC’s increasingly strict limits on cell location data — it all of a sudden became virtually useless given the likelihood that potential terrorism targets would use exclusively cell and/or Internet calls just as they came to bypass telephony lines. Though as that happened, the permissions on tracking US persons via records collected under EO 12333, including doing location analysis, grew far more permissive.

In any case, at least in recent years, it’s clear that by giving notice and adjusting policy to match districts, the FISC and FBI made it very difficult to collect prospective location records under FISA, and therefore absent some means of forcing telecoms to strip their records before turning them over, to collect cell data.


The Three Kinds of Dragnet Searches NSA Did When Only Doing Contact Chaining

This is going to be a weedy post in which I look at a key detail revealed by 2010 NSA Inspector General reviews of the Section 215 phone dragnet. The document was liberated by Charlie Savage last year.

At issue is the government’s description, in the period after the Snowden leaks, of what kind of searches it did on the Section 215 phone dragnet. The searches the government did on Section 215 dragnet data are critical to understanding a number of things: the reasons the parallel Internet dragnet probably got shut down in 2011, the squeals from people like Marco Rubio about things the government lost in shutting down the dragnet, and the likely scope of collection under USA Freedom Act.

Throughout the discussion of the phone dragnet, the administration claimed it was used for “contact chaining” — that is, exclusively to show who was within 3 (and starting in 2014, 2) degrees of separation, by phone calls [or texts, see update] made, from a suspected terrorist associate.

Here’s how the administration’s white paper on the program described it in 2013.

This telephony metadata is important to the Government because, by analyzing it, the Government can determine whether known or suspected terrorist operatives have been in contact with other persons who may be engaged in terrorist activities, including persons and activities within the United States. The program is carefully limited to this purpose: it is not lawful for anyone to query the bulk telephony metadata for any purpose other than counterterrorism, and Court-imposed rules strictly limit all such queries.

Though some claims to Congress and the press were even more definitive that this was just about contact chaining.

The documents on the 2009 violations released under FOIA made it clear that, historically at least, querying wasn’t limited to contact chaining. Almost every reference in these documents to the scope of the program includes a redaction after “contact chaining” in the description of the allowable queries. Here’s one of many from the government’s first response to Reggie Walton’s questions about the program.

[Image: Screen Shot 2016-01-05 at 10.48.44 AM]

The redaction is probably something like “pattern analysis.”

Because the NSA was basically treating all Section 215 data according to the rules governing EO 12333 in 2009 (indeed, at the beginning of this period, analysts couldn’t distinguish the source of the two authorizations), it subjected the data to a number of processes that did not fit under the authorization in the FISC orders — things like counts of all contacts and automatic chaining on identifiers believed to be the same user as one deemed to have met the Reasonable Articulable Standard. The End to End report finished in summer 2009 described one after another of these processes being shut down (though making it clear it wanted to resume them once it obtained FISC authorization). But even in these discussions, that redaction after “contact chaining” remained.

[Image: Screen Shot 2016-01-05 at 11.00.33 AM]

Even in spite of this persistent redaction, the public claims this was about contact chaining gave the impression that the pattern analysis not specifically authorized by the dragnet orders also got shut down.

The IG Reports that Savage liberated give a better sense of precisely what the NSA was doing after it cleared up all its violations in 2009.

The Reports were ordered up by the FISC and covered an entire year of production (there was a counterpart of the Internet dragnet side, which was largely useless since so much of that dragnet got shut down around October 30, 2009 and remained shut down during this review period).

They show several things:

  • NSA continued to disseminate dragnet results informally, even after Reggie Walton had objected to such untrackable dissemination
  • Data integrity techs could — and did on one occasion, which was the most significant violation in the period — access data directly and in doing so bypass minimization procedures imposed on analysts (this would be particularly useful in bypassing subject matter restrictions)
  • Already by 2010, NSA did at least three different kinds of queries on the database data: in addition to contact chaining, “ident lookups,” and another query still considered Top Secret

It’s the last item of interest here.

The first thing to understand about the phone dragnet data is it could be queried two places: the analyst front-end (the name of which is always redacted), and a “Transaction Database” that got replaced with something else in 2011. (336)

[Image: Screen Shot 2015-08-29 at 7.08.12 PM]

Basically, when the NSA did intake on data received from the telecoms, it would create a table of each and every record (which is I guess where the “transaction” name came from), while also making sure the telecoms didn’t send illegal data like credit card information.

Doing queries in the Transaction Database bypassed search restrictions. The March 2010 audit discovered a tech had done a query in the Transaction Database using a selector the RAS approval (meaning NSA had determined there was reasonable articulable suspicion that the selector had some tie to designated terrorist groups and/or Iran) of which had expired. The response to that violation, which NSA didn’t agree was a violation, was to move that tech function into a different department at NSA, away from the analyst function, which would do nothing to limit such restriction free queries, but would put a wall between analysts and techs, making it harder for analysts to ask techs to perform queries they would be unable to do.

Because the direct queries done for data integrity purposes were not subject to auditing under the phone dragnet orders, the monthly reports distinguished between those and analyst queries, the latter of which were audited to be sure they were RAS approved. But as the April 2010 report and subsequent audits showed, analysts also would do an “ident lookup.” (83)

The report provided this classified/Five Eyes description of “ident lookups.”

The Emphatic Access Restriction was a tool implemented in 2009 to ensure that analysts only did queries on RAS-approved selectors. What this detail reveals is that, rather than consulting a running list somewhere to see whether a selector was RAS approved, analysts would instead try to query, and if the query failed, that’s how they would learn the selector was not RAS approved.

We can’t be sure, but that suggests RAS approval went beyond simple one-to-one matching of identifiers. It’s possible an ident lookup needed to query the database to see if the data showed a given selector (say, a SIM card) matched another selector (say, a phone number) which had been RAS approved. It might go even further, given that NSA had automatically done searches on “correlated” numbers (that is, on a second phone number deemed to belong to the same person as the approved primary number that had been RAS approved). At least, that’s something NSA had done until 2009 and said it wanted to resume.

In other words, the fact that an ident lookup query queried the data and not just a list of approved selectors suggests it did more than just cross-check the RAS approval list: at some level it must have tested the multiple selectors associated with one user to see if the underlying selectors were, by dint of the user himself being approved, themselves approved.

Ident lookups appear fairly often in these IG reports. Less frequent is an entirely redacted kind of query, such as the one described but redacted in the September 2010 report. (166)

The footnote description of that query is classified Top Secret NOFORN and entirely redacted.

I have no idea what that query would be, but it’s clear it is done on the analyst facing interface, and only on RAS approved selectors.

The timing of this third query is interesting. Such queries appear in the September and October 2010 audits. That was a period when, in the wake of the July 2010 John Bates approval to resume the Internet dragnet, they were aligning the two programs again (or perhaps even more closely than they had been in 2009). It also appears after a new selector tracking tool got introduced in June 2010. That said, I’m unaware of anything in the phone dragnet orders that would have expanded the kinds of queries permitted on the phone dragnet data.

We know they had used the phone dragnet until 2009 to track burner phones (that is, matching calling patterns of selectors unknown to have a connection to determine which was a user’s new phone). We know that in November 2012, FISC approved an automated query process, though NSA never managed to implement it technically before Obama decided to shut down the dragnet. We also know that in 2014 they started admitting they were also doing “connection” chaining (which may be burner phone matching or may be matching of selectors). All are changes that might relate to more extensive non-chain querying.

We also don’t know whether this kind of query persisted from 2010 until last year, when the dragnet got shut down. I think it possible that the reasons they shut down the Internet dragnet in 2011 may have implicated the phone dragnet.

The point, though, is that at least by 2010, NSA was doing non-chain queries of the entire dragnet dataset that it considered to be approved under the phone dragnet orders. That suggests that by September 2010, NSA was already using the bulk set as a set (or, more accurately, using it as a set again, after the 2009 violations).

Last March, when James Clapper explained the need to retain records for a period of time, he justified it by saying you needed the historical data to discern patterns.

Q: And just to be clear, with the private providers maintaining that data, do you feel you’ve lost an important tool?

Clapper: Not necessarily. It will depend though, for one, retention period. I think, given the attitude today of the providers, they will probably do all they can to minimize the retention period. Which of course, from our standpoint, lessens the utility of the data, because you do need some — and we can prove this statistically — you do need some historical data in order to, if you’re gonna discern a pattern. And again, 215 to me, is much like my fire insurance policy. You know, my house has never burned down but every year I buy fire insurance just in case.

This would be consistent with the efforts to use the bulk dataset to find burner identities, at a minimum. It would also be consistent with Marco Rubio et al’s squeals about needing the historical data. And it would be consistent with the invocation of the National Academy of Sciences report on bulk data (though not on the phone dragnet), which NSA’s General Counsel raised in a Lawfare post today.

In other words, contrary to public suggestions, it appears NSA was using the phone dragnet to conduct pattern analysis that required the bulk dataset. That’s not surprising, though it is something the NSA suggested they weren’t doing.

They surely are still doing that on the larger EO 12333 dataset, along with a lot more complex kinds of analysis. But it seems some, like Rubio, either think we need to return to such bulk pattern analysis, or have used the San Bernardino attack to call to resume more intrusive spying.

Update: One of the other things the IG Reports make clear is that NSA was (unsurprisingly) collecting records of non-simultaneous telephone transactions. That became an issue when, in 2011, NSA started to age-off 5 year old data, because they would have some communication chains that reflected communications that were more than 5 years old but which were obtained less than 5 years before.

My guess is this reflects texting chains that continued across days or weeks.

Richard Burr Just Told ISIS USAF Phone Program Gets Internet Phone Data

Richard Burr has apparently stated publicly that he’s looking into not Marco Rubio’s serial leaking of classified information, but Ted Cruz’s alleged disclosure of classified information at last night’s debate. That’s particularly curious given that Rubio has gotten privileged access to this information on the Senate Intelligence Committee, whereas Cruz has not.

I assume Burr is thinking of this passage, in which Cruz explained how the USA Freedom Act phone program adds to the tools the intelligence community gets.

It strengthened the tools of national security and law enforcement to go after terrorists. It gave us greater tools and we are seeing those tools work right now in San Bernardino.

And in particular, what it did is the prior program only covered a relatively narrow slice of phone calls. When you had a terrorist, you could only search a relatively narrow slice of numbers, primarily land lines.

The USA Freedom Act expands that so now we have cell phones, now we have Internet phones, now we have the phones that terrorists are likely to use and the focus of law enforcement is on targeting the bad guys.

[snip]

And the reason is simple. What he knows is that the old program covered 20 percent to 30 percent of phone numbers to search for terrorists. The new program covers nearly 100 percent. That gives us greater ability to stop acts of terrorism, and he knows that that’s the case.

Shortly thereafter, Rubio said,

RUBIO: Let me be very careful when answering this, because I don’t think national television in front of 15 million people is the place to discuss classified information.

Of course, that means Burr — who has the most privileged access to this information — just confirmed for ISIS and anyone else who wants to know (like, say, American citizens) that the IC is targeting “Internet phones” as well as the more limited set of call records the Section 215 phone dragnet used to incorporate, and in doing so getting closer to 100% of “calls” (which includes texting and messaging) in the US.

I’m not sure why Burr would give OpSec tips to our adversaries, all to score political points against Cruz. Obviously, his tolerance for Rubio’s serial leaks, which effectively confirmed the very same information, shows this isn’t about protecting sources and methods.

Maybe it’s time to boot Burr, in addition to Rubio, from SSCI before he continues to leak classified information?