Posts

DOJ’s Clear Threat to Go After Apple’s Source Code

Oops: My post URLs crossed. Here’s where If Trump’s Protestors Didn’t Exist He Would Have to Invent Them is.

In a rather unfortunate section heading the government used in their brief responding to Apple last week, DOJ asserted “There Is No Due Process Right Not to Develop Source Code.” The heading seemed designed to make Lavabit’s point about such requests being involuntary servitude.

I’d like to elaborate on this post to look at what DOJ has to say about source code — because I think the filing was meant to be an explicit threat that DOJ can — and may well, even if Apple were to capitulate here — demand Apple’s source code.

The government’s filing mentions “source code” nine ten different times [see update]. The bulk of those mentions appear in DOJ’s rebuttal to Apple’s assertion of a First Amendment claim about having to write code that violates its own beliefs, as in these three passages (there is one more purportedly addressing First Amendment issues I discuss below).

Incidentally Requiring a Corporation to Add Functional Source Code to a Commercial Product Does Not Violate the First Amendment

Apple asserts that functional source code in a corporation’s commercial product is core protected speech, such that asking it to modify that software on one device—to permit the execution of a lawful warrant—is compelled speech in violation of the First Amendment.

[snip]
There is reason to doubt that functional programming is even entitled to traditional speech protections. See, e.g., Universal City Studios, Inc. v. Corley, 273 F.3d 429, 454 (2d Cir. 2001) (recognizing that source code’s “functional capability is not speech within the meaning of the First Amendment”).

[snip]

To the extent Apple’s software includes expressive elements—such as variable names and comments—the Order permits Apple to express whatever it wants, so long as the software functions. Cf. Karn v. United States Department of State, 925 F. Supp. 1, 9- 10 (D.D.C. 1996) (assuming, without deciding, that source code was speech because it had English comments interspersed).

Most people aside from EFF think Apple’s First Amendment claim is the weakest part of its argument. I’m not so sure that, in the hands of the guy who argued Citizens United before SCOTUS, it will end up that weak. Nevertheless, DOJ focused closely on it, especially as compared to its treatment of Apple’s Fifth Amendment argument, which is where that dumb heading came in. This is the entirety of DOJ’s response to that part of Apple’s argument.

There Is No Due Process Right Not to Develop Source Code

Apple lastly asserts that the Order violates its Fifth Amendment right to due process. Apple is currently availing itself of the considerable process our legal system provides, and it is ludicrous to describe the government’s actions here as “arbitrary.” (Opp. 34); see County of Sacramento v. Lewis, 523 U.S. 833, 846-49 (1998). If Apple is asking for a Lochner-style holding that businesses have a substantive due process right against interference with its marketing strategy or against being asked to develop source code, that claim finds no support in any precedent, let alone “in the traditions and conscience of our people,” “the concept of ordered liberty,” or “this Nation’s history.” Washington v. Glucksberg, 521 U.S. 702, 721 (1997).

Though admittedly, that’s about how much Apple included in its brief.

The Fifth Amendment’s Due Process Clause Prohibits The Government From Compelling Apple To Create The Request [sic] Code

In addition to violating the First Amendment, the government’s requested order, by conscripting a private party with an extraordinarily attenuated connection to the crime to do the government’s bidding in a way that is statutorily unauthorized, highly burdensome, and contrary to the party’s core principles, violates Apple’s substantive due process right to be free from “‘arbitrary deprivation of [its] liberty by government.’” Costanich v. Dep’t of Soc. & Health Servs., 627 F.3d 1101, 1110 (9th Cir. 2010) (citation omitted); see also, e.g., Cnty. of Sacramento v. Lewis, 523 U.S. 833, 845-46 (1998) (“We have emphasized time and again that ‘[t]he touchstone of due process is protection of the individual against arbitrary action of government,’ . . . [including] the exercise of power without any reasonable justification in the service of a legitimate governmental objective.” (citations omitted)); cf. id. at 850 (“Rules of due process are not . . . subject to mechanical application in unfamiliar territory.”).

In other words, both Apple and DOJ appear to have a placeholder for discussions about takings (one that Lavabit argued from a Thirteenth Amendment perspective).

Those constitutional arguments, however, all seem to pertain the contested order requiring Apple to create source code that doesn’t currently exist. Or do they?

As I noted in my earlier Lavabit post, the DOJ argument doesn’t focus entirely on writing code that doesn’t already exists. As part of its argument for necessity, DOJ pretends to take Apple at its word that the US government could not disable the features (as if that’s what they would do if they had source code!) themselves.

Without Apple’s assistance, the government cannot carry out the search of Farook’s iPhone authorized by the search warrant. Apple has ensured that its assistance is necessary by requiring its electronic signature to run any program on the iPhone. Even if the Court ordered Apple to provide the government with Apple’s cryptographic keys and source code, Apple itself has implied that the government could not disable the requisite features because it “would have insufficient knowledge of Apple’s software and design protocols to be effective.”  (Neuenschwander Decl. ¶ 23.)

Note DOJ claims to source that claim to Apple Manager of User Privacy Erik Neuenschwander’s declaration (which is included with their motion). But he wasn’t addressing whether the government would be able to reverse-engineer Apple’s source code at all. Instead, that language came from a passage where he explained why experienced engineers would have to be involved in writing the new source code.

New employees could not be hired to perform these tasks, as they would have insufficient knowledge of Apple’s software and design protocols to be effective in designing and coding the software without significant training.

So the discussion of what the government could do with if it had Apple’s source code is just as off point as the passage invoking the Lavabit case (which involved an SSL key, but not source code). Here’s that full passage:

The government has always been willing to work with Apple to attempt to reduce any burden of providing access to the evidence on Farook’s iPhone. See Mountain Bell, 616 F.2d at 1124 (noting parties’ collaboration to reduce perceived burdens). Before seeking the Order, the government requested voluntary technical assistance from Apple, and provided the details of its proposal. (Supp. Pluhar Decl. ¶ 12.) Apple refused to discuss the proposal’s feasibility and instead directed the FBI to methods of access that the FBI had already tried without success. (Compare Neuenschwander Decl. ¶¶ 54-61, with Supp. Pluhar Decl. ¶ 12.) The government turned to the Court only as a last resort and sought relief on narrow grounds meant to reduce possible burdens on Apple. The Order allows Apple flexibility in how to assist the FBI. (Order ¶ 4.) The government remains willing to seek a modification of the Order, if Apple can propose a less burdensome or more agreeable way for the FBI to access Farook’s iPhone.9

9 For the reasons discussed above, the FBI cannot itself modify the software on Farook’s iPhone without access to the source code and Apple’s private electronic signature. The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers. See In re Under Seal, 749 F.3d 276, 281-83 (4th Cir. 2014) (affirming contempt sanctions imposed for failure to comply with order requiring the company to assist law enforcement with effecting a pen register on encrypted e-mail content which included producing private SSL encryption key).

Effectively, having invented a discussion about whether the government would be able to use Apple’s source code out of thin air, DOJ returns to that possibility here, implying that that would be the least burdensome way of getting what it wanted and then reminding that it has succeeded in the past in demanding that a provider expose all of its users to government snooping, even at the cost of shutting down the business, even after Ladar Levison (after some complaining) had offered to provide decrypted information himself.

Significantly, the government obtained a warrant for Lavabit’s keys as a way of avoiding the question of whether the “technical assistance” language in the Pen/Trap statute extended to sharing keys, but Levison was ultimately held in contempt for all the orders served on him, including the Pen/Trap order and its language about technical assistance. The Fourth Circuit avoided ruling on whether that assistance language in Pen/Trap orders extended to encryption keys by finding that Levison had not raised it prior to appeal and that the District Court had not clearly erred, which effectively delayed consideration of the same kinds of issues at issue (though under a different set of laws) in the Apple encryption cases.

In making his statement against turning over the encryption keys to the Government, Levison offered only a one-sentence remark: “I have only ever objected to turning over the SSL keys because that would compromise all of the secure communications in and out of my network, including my own administrative traffic.” (J.A. 42.) This statement — which we recite here verbatim — constituted the sum total of the only objection that Lavabit ever raised to the turnover of the keys under the Pen/Trap Order. We cannot refashion this vague statement of personal preference into anything remotely close to the argument that Lavabit now raises on appeal: a statutory-text-based challenge to the district court’s fundamental authority under the Pen/Trap Statute. Levison’s statement to the district court simply reflected his personal angst over complying with the Pen/Trap Order, not his present appellate argument that questions whether the district court possessed the authority to act at all.

[snip]

The Government, however, never stopped contending that the Pen/Trap Order, in and of itself, also required Lavabit to turn over the encryption keys. For example, the Government specifically invoked the Pen/Trap Order in its written response to Lavabit’s motion to quash by noting that “four separate legal obligations” required Lavabit to provide its encryption keys, including the Pen/Trap Order and the June 28 Order.

[snip]

In view of Lavabit’s waiver of its appellate arguments by failing to raise them in the district court, and its failure to raise the issue of fundamental or plain error review, there is no cognizable basis upon which to challenge the Pen/Trap Order. The district court did not err, then, in finding Lavabit and Levison in contempt once they admittedly violated that order.

In other words, the Lavabit reference, like the invention of an Apple discussion about what the government could do with its source code (any such discussion would have been interesting in and of itself, because I’d bet Apple would be more confident FBI couldn’t do much with its source code than that NSA couldn’t), was off point. But in introducing both references, DOJ laid the groundwork for a demand for source code to be the fallback, least burdensome position.

And, as I noted, in the Lavabit case, the government justified demanding a key based on the presumption that Edward Snowden would have a more complicated password than Syed Rizwan Farook’s 4-digit numerical passcode. That is, in that case, the government tied a more intrusive demand to the difficulty of accessing a target’s communications, not to the law itself, which suggests they’d be happy to do so in the future if they were faced with an Apple phone with a passcode too complex to brute force in 26 minutes, as FBI claims it could do here.

All of which brings me to one more citation of source code in DOJ’s extended First Amendment discussion: a reference to a civil case where Apple was able to obtain the source code of a competitor.

This form of “compelled speech” runs throughout both the criminal and civil justice systems, from grand jury and trial subpoenas to interrogatories and depositions. See, e.g., Apple Inc.’s Motion to Compel in Apple Inc. v. Samsung Electronics, Docket No. 467 in Case No. 11–cv–1846–LHK, at 11 (N.D. Cal. Dec. 8, 2011) (Apple’s seeking court order compelling Samsung to produce source code to facilitate its compelled deposition of witnesses about that source code).

Note, this is not a case about Apple (or Samsung, in this case) being compelled to write new code at all. Rather, it is a case about handing over the source code a company already had. In another off point passage, then, DOJ pointed to a time when Apple itself successfully argued the provision of source code could be compelled, even in a civil case.

Through a variety of means, DOJ went well out of its way to introduce the specter of a demand for Apple’s source code into its response. They are clearly suggesting that if Apple refuses to write code that doesn’t exist, the government will happily take code that does.

Loretta Lynch claimed, under oath last week, that the government doesn’t want a back door into Apple products. That’s not what her lawyers have suggested in this brief. Not at all.

Update: Here’s how Apple treated this in its Reply:

The government also implicitly threatens that if Apple does not acquiesce, the government will seek to compel Apple to turn over its source code and private electronic signature. Opp. 22 n.9. The catastrophic security implications of that threat only highlight the government’s fundamental misunderstanding or reckless disregard of the technology at issue and the security risks implicated by its suggestion.

Also, in writing this post, I realized there’s one more reference to source code in the government’s Response, one that admits Apple’s source code is “the keys to the kingdom.”

For example, Apple currently protects (1) the source code to iOS and other core Apple software and (2) Apple’s electronic signature, which as described above allows software to be run on Apple hardware. (Hanna Decl. Ex. DD at 62-64 (code and signature are “the most confidential trade secrets [Apple] has”).) Those —which the government has not requested—are the keys to the kingdom. If Apple can guard them, it can guard this.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The Play on the Scalia Replacement: Remember the Lame Duck

Within minutes after the public announcement of Antonin Scalia’s death, Senator Mike Lee’s flack Conn Carroll started predicting Obama would have zero chance of successfully naming a successor. After Carroll, one after another actual Senator followed that sentiment, including Chuck Grassley and Mitch McConnell, both of whom would have the ability to stall any Obama nominee. From that point, the GOP was pretty much committed, they said, to preventing any Obama nominee from being confirmed.

That led to a bunch of bad comparisons — between judges like Robert Bork who was rejected and Miguel Estrada who never got a vote — and simply going a year without acting on a President’s nominee. Even the comparison with Anthony Kennedy (who was nominated in November after two other nominees, including Bork, failed) is inapt, as he was nominated earlier than any Obama pick would be (though in a sense that fetishizes the year that would pass without a nominee).

I, like bmaz, believe Obama will pick someone fairly centrist, probably someone who has been recently confirmed by big margins.  I agree the most likely nominee will be Sri Srinivasan, who in 2013 was confirmed to the DC Circuit with a 97-0 vote — though I’m also mindful of the wisdom (given the GOP unanimity about obstructing this nominee) of picking someone who drive Democratic turnout — an African-American woman, for example. Though I highly doubt Obama will nominate Loretta Lynch, as some have suggested, not least because the fight over releasing data on HSBC’s continued money laundering will draw more attention as it moves toward appeal, which might focus attention on her role in administering the wrist slap in the face of egregious drug cartel and terrorist supporting money laundering.

After some reflection, some conservatives have suggested that the GOP would have been better served if they had simply not managed to pass Obama’s nominee, rather than making such a big stink about it.

I think that ignores how much both parties look forward to using this nominee to drive turnout — and regardless of who the respective nominees are, the GOP have a much bigger challenge in getting enough voters to turn out to elect a GOP president in November, so I’m sure they’re quite happy to have an issue that (they presumably hope) might flip some conservative Latino votes — though one likely outcome of an extended 8-member court is that the Fifth Circuit’s ruling staying Obama’s immigration orders will be upheld after a 4-4 tie on the court, which might have the opposite effect.

Furthermore, I think it ignores one other factor. Srinivasan has been predicted to be Obama’s most likely SCOTUS appointment for almost 3 years (few people consider how such predictions might have influenced Ruth Bader Ginsburg’s decision not to retire). The Republicans probably presume he’s the most likely candidate as well.

The presumption Srinivasan — or someone similar — would be the nominee easily justifies the GOP’s immediate promise they won’t confirm a nominee. That’s because they need to explain why someone they just overwhelmingly confirmed, someone who faced more opposition from the left than the right, suddenly became unacceptable.

More importantly, I presume the GOP wants to keep open the possibility of confirming Srinivasan or whatever centrist Obama appoints during the Lame Duck. Here’s why:

Barring any replay of Bush v. Gore, both sides will know on November 9 who would get to pick Scalia’s replacement if Obama’s pick failed. Both sides will also know the makeup of the Senate. Because of the demographic issues I mentioned earlier, the likely Democratic nominee, Hillary Clinton, is most likely to win. That’s not to say I think she’s necessarily the strongest candidate — even ignoring the potential the email scandal will taint close advisors like Huma Abedin or Jake Sullivan, I think it likely the economy will be crashing by November in a way that would favor Trump if he were the GOP nominee facing Hillary. But I think electoral demographics suggest the GOP will have a harder time winning this year, particularly after a year of Trump branding the GOP with bigotry.

Plus (ignoring my suspicion the economy will be crashing by November), we’re likely to have a more Democratic Senate after November. Harry Reid is the only retiring Democrat where the replacement race is currently perceived to be toss-up, whereas Marco Rubio, Mark Kirk, Kelly Ayotte, and Ron Johnson are all deemed to be likely toss-ups, if not Dem-favorable. It’s still most likely the GOP will have a slight majority, but a smaller one, in the Senate, one where people like Susan Collins could make more of a difference. But it is likely to be more Democratic.

If Hillary wins (the most likely outcome) and Democrats win the Senate (unlikely, but feasible), then the Republicans will have good reason to want to confirm an Obama nominee perceived to be centrist. Whereas Srinivasan looks far worse than Scalia to the Republicans, he would all of a sudden look far preferable to a Hillary choice with the time to wait out the Senate. The GOP would have time between November 9 and the Christmas break to confirm whatever Obama nominee has been languishing.

In other words, I think the GOP have provided a way to stall someone (like Srinivasan) they have recently confirmed, while leaving the possibility of confirming that person if November makes it likely the next nominee will be more liberal.

One more thing: Commentary on this process has presumed that McConnell and Grassley (and Obama) learned of Scalia’s death when we all did. I would hope that Obama, at least, got word well before that, particularly given the involvement of at least the US Marshals and according to some reports the FBI. But I also wouldn’t leave out the possibility that one of the 39 other still unidentified guests at the ranch this weekend gave the Republican leadership a heads up as soon as a hearse showed up. So it’s possible that what looked like quick knee-jerk response on the part of Republican leadership was instead more considered, along the lines I’ve just laid out.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

What We Know about the Section 215 Phone Dragnet and Location Data

Last month’s squabble between Marco Rubio and Ted Cruz about USA Freedom Act led a number of USAF boosters to belatedly understand what I’ve been writing for years: that USAF expanded the universe of people whose records would be collected under the program, and would therefore expose more completely innocent people, along with more potential suspects, to the full analytical tradecraft of the NSA, indefinitely.

In an attempt to explain why that might be so, Julian Sanchez wrote this post, focusing on the limits on location data collection that restricted cell phone collection. Sanchez ignores two other likely factors — the probable inclusion of Internet phone calls and the ability to do certain kinds of connection chaining — that mark key new functionalities in the program which would have posed difficulties prior to USAF. But he also misses a lot of the public facts about location collection and cell phones under the Section 215 dragnet.  This post will lay those out.

The short version is this: the FISC appears to have imposed some limits on prospective cell location collection under Section 215 even as the phone dragnet moved over to it, and it was not until August 2011 that NSA started collecting cell phone records — stripped of location — from AT&T under Section 215 collection rules. The NSA was clearly getting “domestic” records from cell phones prior to that point, though it’s possible they weren’t coming from Section 215 data. Indeed, the only known “successes” of the phone dragnet — Basaaly Moalin and Adis Medunjanin — identified cell phones. It’s not clear whether those came from EO 12333, secondary database information that didn’t include location, or something else.

Here’s the more detailed explanation, along with a timeline of key dates:

There is significant circumstantial evidence that by February 17, 2006 — two months before the FISA Court approved the use of Section 215 of the PATRIOT Act to aspire to collect all Americans’ phone records — the FISA Court required briefing on the use of “hybrid” requests to get real-time location data from targets using a FISA Pen Register together with a Section 215 order. The move appears to have been a reaction to a series of magistrates’ rulings against a parallel practice in criminal cases. The briefing order came in advance of the 2006 PATRIOT Act reauthorization going into effect, which newly limited Section 215 requests to things that could be obtained with a grand jury subpoena. Because some courts had required more than a subpoena to obtain location, it appears, FISC reviewed the practice in the FISC — and, given the BR/PR numbers reported in IG Reports, ended, sometime before the end of 2006 though not immediately.

The FISC taking notice of criminal rulings and restricting FISC-authorized collection accordingly would be consistent with information provided in response to a January 2014 Ron Wyden query about what standards the FBI uses for obtaining location data under FISA. To get historic data (at least according to the letter), FBI used a 215 order at that point. But because some district courts (this was written in 2014, before some states and circuits had weighed in on prospective location collection, not to mention the 11th circuit ruling on historical location data under US v. Davis) require a warrant, “the FBI elects to seek prospective CSLI pursuant to a full content FISA order, thus matching the higher standard imposed in some U.S. districts.” In other words, as soon as some criminal courts started requiring a warrant, FISC apparently adopted that standard. If FISC continued to adopt criminal precedents, then at least after the first US v. Davis ruling, it would have and might still require a warrant (that is, an individualized FISA order) even for historical cell location data (though Davis did not apply to Stingrays).

FISC doesn’t always adopt the criminal court standard; at least until 2009 and by all appearances still, for example, FISC permits the collection, then minimization, of Post Cut Through Dialed Digits collected using FISA Pen Registers, whereas in the criminal context FBI does not collect PCTDD. But the FISC does take notice of, and respond to — even imposing a higher national security standard than what exists at some district levels — criminal court decisions. So the developments affecting location collection in magistrate, district, and circuit courts would be one limit on the government’s ability to collect location under FISA.

That wouldn’t necessarily prevent NSA from collecting cell records using a Section 215 order, at least until the Davis decision. After all, does that count as historic (a daily collection of records each day) or prospective (the approval to collect data going forward in 90 day approvals)? Plus, given the PCTDD and some other later FISA decisions, it’s possible FISC would have permitted the government to collect but minimize location data. But the decisions in criminal courts likely gave FISC pause, especially considering the magnitude of the production.

Then there’s the chaos of the program up to 2009.

At least between January 2008 and March 2009, and to some degree for the entire period preceding the 2009 clean-up of the phone and Internet dragnets, the NSA was applying EO 12333 standards to FISC-authorized metadata collection. In January 2008, NSA co-mingled 215 and EO 12333 data in either a repository or interface, and when the shit started hitting the fan the next year, analysts were instructed to distinguish the two authorities by date (which would have been useless to do). Not long after this data was co-mingled in 2008, FISC first approved IMEI and IMSI as identifiers for use in Section 215 chaining. In other words, any restrictions on cell collection in this period may have been meaningless, because NSA wasn’t heeding FISC’s restrictions on PATRIOT authorized collection, nor could it distinguish between the data it got under EO 12333 and Section 215.

Few people seem to get this point, but at least during 2008, and probably during the entire period leading up to 2009, there was no appreciable analytical border between where the EO 12333 phone dragnet ended and the Section 215 one began.

There’s no unredacted evidence (aside from the IMEI/IMSI permission) the NSA was collecting cell phone records under Section 215 before the 2009 process, though in 2009, both Sprint and Verizon (even AT&T, though to a much less significant level) had to separate out their entirely foreign collection from their domestic, meaning they were turning over data subject to EO 12333 and Section 215 together for years. That’s also roughly the point when NSA moved toward XML coding of data on intake, clearly identifying where and under what authority it obtained the data. Thus, it’s only from that point forward where (at least according to what we know) the data collected under Section 215 would clearly have adhered to any restrictions imposed on location.

In 2010, the NSA first started experimenting with smaller collections of records including location data at a time when Verizon Wireless was named on primary orders. And we have two separate documents describing what NSA considered its first collection of cell data under Section 215 on August 29, 2011. But it did so only after AT&T had stripped the location data from the records.

It appears Verizon never did the same (indeed, Verizon objected to any request to do so in testimony leading up to USAF’s passage). The telecoms used different methods of delivering call records under the program. In fact, in August 2, 2012, NSA’s IG described the orders as requiring telecoms to produce “certain call detail records (CDRs) or telephony metadata,” which may differentiate records that (which may just be AT&T) got processed before turning over. Also in 2009, part of Verizon ended its contract with the FBI to provide special compliance with NSLs. Both things may have affected Verizon’s ability or willingness to custom what it was delivering to NSA, as compared to AT&T.

All of which suggests that at least Verizon could not or chose not to do what AT&T did: strip location data from its call records. Section 215, before USAF, could only require providers to turn over records they kept, it could not require, as USAF may, provision of records under the form required by the government. Additionally, under Section 215, providers did not get compensated after the first two dragnet orders.

All that said, the dragnet has identified cell phones! In fact, the only known “successes” under Section 215 — the discovery of Basaaly Moalin’s T-Mobile cell phone and the discovery of Adis Medunjanin’s unknown, but believed to be Verizon, cell phone — did, and they are cell phones from companies that didn’t turn over records. In addition, there’s another case, cited in a 2009 Robert Mueller declaration preceding the Medunjanin discovery, that found a US-based cell phone.

There are several possible explanations for that. The first is that these phones were identified based off calls from landlines and/or off backbone records (so the phone number would be identified, but not the cell information). But note that, in the Moalin case, there are no known land lines involved in the presumed chain from Ayro to Moalin.

Another possibility — a very real possibility with some of these — is that the underlying records weren’t collected under Section 215 at all, but were instead collected under EO 12333 (though Moalin’s phone was identified before Michael Mukasey signed off on procedures permitting the chaining through US person records). That’s all the more likely given that all the known hits were collected before the point in 2009 when the FISC started requiring providers to separate out foreign (EO 12333) collection from domestic and international (Section 215) collection. In other words, the Section 215 phone dragnet may have been working swimmingly up until 2009 because NSA was breaking the rules, but as soon as it started abiding by the rules — and adhering to FISC’s increasingly strict limits on cell location data — it all of a sudden became virtually useless given the likelihood that potential terrorism targets would use exclusively cell and/or Internet calls just as they came to bypass telephony lines. Though as that happened, the permissions on tracking US persons via records collected under EO 12333, including doing location analysis, grew far more permissive.

In any case, at least in recent years, it’s clear that by giving notice and adjusting policy to match districts, the FISC and FBI made it very difficult to collect prospective location records under FISA, and therefore absent some means of forcing telecoms to strip their records before turning them over, to collect cell data.

Read more

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The Three Kinds of Dragnet Searches NSA Did When Only Doing Contact Chaining

This is going to be a weedy post in which I look at a key detail revealed by 2010 NSA Inspector General reviews of the Section 215 phone dragnet. The document was liberated by Charlie Savage last year.

At issue is the government’s description, in the period after the Snowden leaks, of what kind of searches it did on the Section 215 phone dragnet. The searches the government did on Section 215 dragnet data are critical to understanding a number of things: the reasons the parallel Internet dragnet probably got shut down in 2011, the squeals from people like Marco Rubio about things the government lost in shutting down the dragnet, and the likely scope of collection under USA Freedom Act.

Throughout the discussion of the phone dragnet, the administration claimed it was used for “contact chaining” — that is, exclusively to show who was within 3 (and starting in 2014, 2) degrees of separation, by phone calls [or texts, see update] made, from a suspected terrorist associate.

Here’s how the administration’s white paper on the program described it in 2013.

This telephony metadata is important to the Government because, by analyzing it, the Government can determine whether known or suspected terrorist operatives have been in contact with other persons who may be engaged in terrorist activities, including persons and activities within the United States. The program is carefully limited to this purpose: it is not lawful for anyone to query the bulk telephony metadata for any purpose other than counterterrorism, and Court-imposed rules strictly limit all such queries.

Though some claims to Congress and the press were even more definitive that this was just about contact chaining.

The documents on the 2009 violations released under FOIA made it clear that, historically at least, querying wasn’t limited to contact chaining. Almost every reference in these documents to the scope of the program includes a redaction after “contact chaining” in the description of the allowable queries. Here’s one of many from the government’s first response to Reggie Walton’s questions about the program.

Screen Shot 2016-01-05 at 10.48.44 AM

The redaction is probably something like “pattern analysis.”

Because the NSA was basically treating all Section 215 data according to the rules governing EO 12333 in 2009 (indeed, at the beginning of this period, analysts couldn’t distinguish the source of the two authorizations), it subjected the data to a number of processes that did not fit under the authorization in the FISC orders — things like counts of all contacts and automatic chaining on identifiers believed to be the same user as one deemed to have met the Reasonable Articulable Standard. The End to End report finished in summer 2009 described one after another of these processes being shut down (though making it clear it wanted to resume them once it obtained FISC authorization). But even in these discussions, that redaction after “contact chaining” remained.

Screen Shot 2016-01-05 at 11.00.33 AM

Even in spite of this persistent redaction, the public claims this was about contact chaining gave the impression that the pattern analysis not specifically authorized by the dragnet orders also got shut down.

The IG Reports that Savage liberated gives a better sense of precisely what the NSA was doing after it cleared up all its violations in 2009.

The Reports were ordered up by the FISC and covered an entire year of production (there was a counterpart of the Internet dragnet side, which was largely useless since so much of that dragnet got shut down around October 30, 2009 and remained shut down during this review period).

The show several things:

  • NSA continued to disseminate dragnet results informally, even after Reggie Walton had objected to such untrackable dissemination
  • Data integrity techs could — and did on one occasion, which was the most significant violation in the period — access data directly and in doing so bypass minimization procedures imposed on analysts (this would be particularly useful in bypassing subject matter restrictions)
  • Already by 2010, NSA did at least three different kinds of queries on the database data: in addition to contact chaining, “ident lookups,” and another query still considered Top Secret

It’s the last item of interest here.

The first thing to understand about the phone dragnet data is it could be queried two places: the analyst front-end (the name of which is always redacted), and a “Transaction Database” that got replaced with something else in 2011. (336)

Screen Shot 2015-08-29 at 7.08.12 PM

Basically, when the NSA did intake on data received from the telecoms, it would create a table of each and every record (which is I guess where the “transaction” name came from), while also making sure the telecoms didn’t send illegal data like credit card information.

Doing queries in the Transaction Database bypassed search restrictions. The March 2010 audit discovered a tech had done a query in the Transaction Database using a selector the RAS approval (meaning NSA had determined there was reasonable articulable suspicion that the selector had some tie to designated terrorist groups and/or Iran) of which had expired. The response to that violation, which NSA didn’t agree was a violation, was to move that tech function into a different department at NSA, away from the analyst function, which would do nothing to limit such restriction free queries, but would put a wall between analysts and techs, making it harder for analysts to ask techs to perform queries they would be unable to do.

Because the direct queries done for data integrity purposes were not subject to auditing under the phone dragnet orders, the monthly reports distinguished between those and analyst queries, the latter of which were audited to be sure they were RAS approved. But as the April 2010 report and subsequent audits showed, analysts also would do an “ident lookup.” (83)

Screen Shot 2015-08-29 at 2.16.18 PM

The report provided this classified/Five Eyes description of “ident lookups.”

Screen Shot 2015-08-29 at 2.19.12 PM

The Emphatic Access Restriction was a tool implemented in 2009 to ensure that analysts only did queries on RAS-approved selectors. What this detail reveals is that, rather than consulting a running list somewhere to see whether a selector was RAS approved, analysts would instead try to query, and if the query failed, that’s how they would learn the selector was not RAS approved.

We can’t be sure, but that suggests RAS approval went beyond simple one-to-one matching of identifiers. It’s possible an ident lookup needed to query the database to see if the data showed a given selector (say, a SIM card) matched another selector (say, a phone number) which had been RAS approved. It might go even further, given that NSA had automatically done searches on “correlated” numbers (that is, on a second phone number deemed to belong to the same person as the approved primary number that had been RAS approved). At least, that’s something NSA had done until 2009 and said it wanted to resume.

In other words, the fact that an ident lookup query queried the data and not just a list of approved selectors suggests it did more than just cross-check the RAS approval list: at some level it must tested the multiple selectors associated with one user to see if the underlying selectors were, by dint of the user himself being approved, themselves approved.

Indent lookups appear fairly often in these IG reports. Less frequent is an entirely redacted kind of query such as described but redacted in the September 2010 report. (166)

Screen Shot 2015-08-29 at 3.41.18 PM

The footnote description of that query is classified Top Secret NOFORN and entirely redacted.

Screen Shot 2015-08-29 at 3.49.14 PM

I have no idea what that query would be, but it’s clear it is done on the analyst facing interface, and only on RAS approved selectors.

The timing of this third query is interesting. Such queries appear in the September and October 2010 audits. That was a period when, in the wake of the July 2010 John Bates approval to resume the Internet dragnet, they were aligning the two programs again (or perhaps even more closely than they had been in 2009). It also appears after a new selector tracking tool got introduced in June 2010. That said, I’m unaware of anything in the phone dragnet orders that would have expanded the kinds of queries permitted on the phone dragnet data.

We know they had used the phone dragnet until 2009 to track burner phones (that is, matching calling patterns of selectors unknown to have a connection to determine which was a user’s new phone). We know that in November 2012, FISC approved an automated query process, though NSA never managed to implement it technically before Obama decided to shut down the dragnet. We also know that in 2014 they started admitting they were also doing “connection” chaining (which may be burner phone matching or may be matching of selectors). All are changes that might relate to more extensive non-chain querying.

We also don’t know whether this kind of query persisted from 2010 until last year, when the dragnet got shut down. I think it possible that the reasons they shut down the Internet dragnet in 2011 may have implicated the phone dragnet.

The point, though, is that at least by 2010, NSA was doing non-chain queries of the entire dragnet dataset that it considered to be approved under the phone dragnet orders. That suggests by that point, NSA was using the bulk set as a set already (or, more accurately, again, after the 2009 violations) by September 2010.

Last March James Clapper explained the need to retain records for a period of time, he justified it by saying you needed the historical data to discern patterns.

Q: And just to be clear, with the private providers maintaining that data, do you feel you’ve lost an important tool?

Clapper: Not necessarily. It will depend though, for one, retention period. I think, given the attitude today of the providers, they will probably do all they can to minimize the retention period. Which of course, from our standpoint, lessens the utility of the data, because you do need some — and we can prove this statistically — you do need some historical data in order to, if you’re gonna discern a pattern. And again, 215 to me, is much like my fire insurance policy. You know, my house has never burned down but every year I buy fire insurance just in case.

This would be consistent with the efforts to use the bulk dataset to find burner identities, at a minimum. It would also be consistent with Marco Rubio et al’s squeals about needing the historical data. And it would be consistent with the invocation of the National Academy of Sciences report on bulk data (though not on the phone dragnet), which NSA’s General Counsel raised in a Lawfare post today.

In other words, contrary to public suggestions, it appears NSA was using the phone dragnet to conduct pattern analysis that required the bulk dataset. That’s not surprising, though it is something the NSA suggested they weren’t doing.

They surely are still doing that on the larger EO 12333 dataset, along with a lot more complex kinds of analysis. But it seems some, like Rubio, either think we need to return to such bulk pattern analysis, or has used the San Bernardino attack to call to resume more intrusive spying.

Update: One of the other things the IG Reports make clear is that NSA was (unsurprisingly) collecting records of non-simultaneous telephone transactions. That became an issue when, in 2011, NSA started to age-off 5 year old data, because they would have some communication chains that reflected communications that were more than 5 years old but which were obtained less than 5 years before.

Screen Shot 2015-08-29 at 6.18.57 PM

My guess is this reflects texting chains that continued across days or weeks.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Richard Burr Just Told ISIS USAF Phone Program Gets Internet Phone Data

Richard Burr has apparently stated publicly that he’s looking into not Marco Rubio’s serial leaking of classified information, but Ted Cruz’s alleged disclosure of classified information at least night’s debate. That’s particularly curious given that Rubio has gotten privileged access to this information on the Senate Intelligence Committee, whereas Cruz has not.

I assume Burr is thinking of this passage, in which Cruz explained how the USA Freedom Act phone program adds to the tools the intelligence community gets.

It strengthened the tools of national security and law enforcement to go after terrorists. It gave us greater tools and we are seeing those tools work right now in San Bernardino.

And in particular, what it did is the prior program only covered a relatively narrow slice of phone calls. When you had a terrorist, you could only search a relatively narrow slice of numbers, primarily land lines.

The USA Freedom Act expands that so now we have cell phones, now we have Internet phones, now we have the phones that terrorists are likely to use and the focus of law enforcement is on targeting the bad guys.

[snip]

And the reason is simple. What he knows is that the old program covered 20 percent to 30 percent of phone numbers to search for terrorists. The new program covers nearly 100 percent. That gives us greater ability to stop acts of terrorism, and he knows that that’s the case.

Shortly thereafter, Rubio said,

RUBIO: Let me be very careful when answering this, because I don’t think national television in front of 15 million people is the place to discuss classified information.

Of course, that means Burr — who has the most privileged access to this information — just confirmed for ISIS and anyone else who wants to know (like, say, American citizens) that the IC is targeting “Internet phones” as well as the the more limited set of call records the Section 215 phone dragnet used to incorporate, and in doing so getting closer to 100% of “calls” (which includes texting and messaging) in the US.

I’m not sure why Burr would give OpSec tips to our adversaries, all to score political points against Cruz. Obviously, his tolerance for Rubio’s serial leaks, which effectively confirmed the very same information, shows this isn’t about protecting sources and methods.

Maybe it’s time to boot Burr, in addition to Rubio, from SSCI before he continues to leak classified information?

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Marco Rubio Explains the Dragnet

SIGINT and 215A penny dropped for me, earlier this week, when Marco Rubio revealed that authorities are asking “a large number of companies” for “phone records.” Then, yesterday, he made it clear that these companies don’t fall under FCC’s definition of “phone” companies, because they’re not subject to that regulator’s 18 month retention requirement.

His comments clear up a few things that have been uncertain since February 2014, when some credulous reporters started reporting that the Section 215 phone dragnet — though they didn’t know enough to call it that — got only 20 to 30% of “all US calls.”

The claim came not long after Judge Richard Leon had declared the 215 phone dragnet to be unconstitutional. It also came just as the President’s Review Group (scoped to include all of the government’s surveillance) and PCLOB (scoped to include only the 215 phone dragnet) were recommending the government come up with a better approach to the phone dragnet.

The report clearly did several things. First, it provided a way for the government to try to undermine the standing claim of other plaintiffs challenging the phone dragnet, by leaving the possibility their records were among the claimed 70% that was not collected. It gave a public excuse the Intelligence Community could use to explain why PRG and PCLOB showed the dragnet to be mostly useless. And it laid the ground work to use “reform” to fix the problems that had, at least since 2009, made the phone dragnet largely useless.

It did not, however, admit the truth about what the 215 phone dragnet really was: just a small part of the far vaster dragnet. The dragnet as a whole aspires to capture a complete record of communications and other metadata indicating relationships (with a focus on locales of concern) that would, in turn, offer the ability to visualize the networks of the world, and not just for terrorism. At first, when the Bush Administration moved the Internet (in 2004) and phone (in 2006) dragnets under FISC authority, NSA ignored FISC’s more stringent rules and instead treated all the data with much more lax EO 12333 rules(see this post for some historical background). When FISC forced the NSA to start following the rules in 2009, however, it meant NSA could no longer do as much with the data collected in the US. So from that point forward, it became even more of a gap-filler than it had been, offering a thinner network map of the US, one the NSA could not subject to as many kinds of analysis. As part of the reforms imposed in 2009, NSA had to start tracking where it got any piece of data and what authority’s rules it had to follow; in response, NSA trained analysts to try to use EO 12333 collected data for their queries, so as to apply the more permissive rules.

That, by itself, makes it clear that EO 12333 and Section 215 (and PRTT) data was significantly redundant. For every international phone call (or at least those to countries of terrorism interest, as the PATRIOT authorities were supposed to be restricted to terrorism and Iran), there might be two or more copies of any given phone call, one collected from a provider domestically, and one collected via a range of means overseas (in fact, the phone dragnet orders make it clear the same providers were also providing international collection not subject to 215).  If you don’t believe me on this point, Mike Lee spelled it out last week. Not only might NSA get additional data with the international call — such as location data — but it could subject that data to more interesting analysis, such as co-location. Thus, once the distinction between EO 12333 and PATRIOT data became formalized in 2009 (years after it should have been) the PATRIOT data served primarily to get a thinner network map of the data they could only collect domestically.

Because the government didn’t want to admit they had a dragnet, they never tried to legislate fixes for it such that it would be more comprehensive in terms of reach or more permissive in terms of analysis.

So that’s a big part of why four beat journalists got that leak in February 2014, at virtually the same time President Obama decided to replace the 215 phone dragnet with something else.

The problem was, the government never admitted the extent of what they wanted to do with the dragnet. It wasn’t just telephony-carried voice calls they wanted to map, it was all communications a person might make from their phone, which increasingly means a smart phone. It wasn’t just call-chaining they wanted to do, it was connection chaining, linking identities, potentially using far more intrusive technological analysis.

Some of that was clear with the initial IC effort at “reform.” Significantly, it didn’t ask for Call Detail Records, understood to include either phone or Internet or both, but instead “records created as a result of communications of an individual or facility.” That language would have permitted the government to get backbone providers to collect all addressing records, regardless if it counted as content. The bill also permitted the use of such tools for all purposes, not just counterterrorism. In effect, this bill would have completed the dragnet, permitting the IC to conduct EO 12333 collection and analysis on records collected in the US, for any “intelligence” purpose.

But there was enough support for real reform, demonstrated most vividly in the votes on Amash-Conyers in July 2013, that whatever got passed had to look like real reform, so that effort was killed.

So we got the USA F-ReDux model, swapping more targeted collection (of communications, but not other kinds of records, which can still be collected in bulk) for the ability to require providers to hand over the data in usable form. This meant the government could get what it wanted, but it might have to work really hard to do so, as the communications provider market is so fragmented.

The GOP recognized, at least in the weeks before the passage of the bill, that this would be the case. I believe that Richard Burr’s claimed “mistake” in claiming there was an Internet dragnet was instead an effort to create legislative intent supporting an Internet dragnet. After that failed, Burr introduced a last minute bill using John Bates’ Dialing, Routing, Addressing, and Signaling language, meaning it would enable the government to bulk collect packet communications off switches again, along with EO 12333 minimization rules. That failed (in part because of Mitch McConnell’s parliamentary screw ups).

But now the IC is left with a law that does what it said it wanted (plus some, as it definitely gets non-telephony “phone” “calls”), rather than one that does what it wanted, which was to re-establish the full dragnet it had in the US at various times in the past.

I would expect they won’t stop trying for the latter, though.

Indeed, I suspect that’s the real reason Marco Rubio has been permitted to keep complaining about the dragnet’s shortcomings.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Marco Rubio Leaks Classified Information for Political Gain Again

Last week, Marco Rubio leaked the classified detail that the new metadata program authorized by USA Freedom Act obtains records from “a large number” of companies. Yesterday, he leaked more classified details about the program, revealing that some of the companies in question aren’t subject to FCC regulations on phone companies (which require companies hold records for 18 months).

CHUCK TODD:

Your campaign has been pretty critical of one of your rivals, Senator Ted Cruz, for his vote on the U.S.A. Freedom Act. And Senator Mike Lee of Utah, somebody that you have a tax plan with, you guys are certainly allies on a lot of things, he has said that your rhetoric has been not based in fact and that it is not true, what you’ve been saying, that somehow federal officials can’t use the U.S.A. Freedom Act, use the courts to track the phone numbers that are necessary.

MARCO RUBIO:

Well on this issue, not only is he wrong, but others that argue that are wrong. We had a program that allowed us to collect the phone records, basically the phone bill. Not the content of your conversations or your emails or anything like that. Just your phone bill of every American. And it was stored.

Only 16 people in the U.S. government could look at that. And they could only look at it if they got a court order from a privacy court, from a FISA court to go in and look at those phone records. And they retained them for a significant period of time. Under this new law, we are trusting the phone companies to hold those records.

And all of these phone companies have different periods of time that they hold it. Some will hold it for 18 months. Some will hold it for six months. This is a valuable tool. If in fact you have identified someone as a potential terrorist or if in fact someone carries out a terrorist activity, the ability to look at who they’ve been calling and who they’ve been talking to is part of a larger puzzle that you can put together to see what network they’ve been working with, who they’ve been communicating with.

We have now lost that capacity in many cases.

For a guy who’s trying to out-hawk his presidential rivals, Marco Rubio sure leaks classified information frequently. And make no mistake. He’s leaking this classified information for political gain, after having been read into that classified information while serving on the Senate Intelligence Committee.

I don’t know why Rubio thinks revealing the details of this program that the Administration deliberately misled the public about qualifies him to be President.

I just want to know when he’s going to be kicked off the Intel Committee.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Marco Rubio Leaks that the Phone Dragnet Has Expanded to “A Large Number of Companies”

Last night, Marco Rubio went on Fox News to try to fear-monger over the phone dragnet again.

He repeated the claim that the AP also idiotically parroted uncritically — that the government can only get three years of records for the culprits in the San Bernardino attack.

In the case of these individuals that conducted this attack, we cannot see any phone records for the first three years in which — you can only see them up to three years. You’ll not be able to see the full five-year picture.

Again, he’s ignoring the AT&T backbone records that cover virtually all of Syed Rizwan Farook’s 28-year life that are available, that 215 phone dragnet could never have covered Tashfeen Malik’s time in Pakistan and Saudi Arabia, and that EO 12333 collection not only would cover Malik’s time before she came to the US, but would also include Farook’s international calls going back well over 5 years.

So he’s either an idiot or he’s lying on that point.

I’m more interested in what he said before that, because he appears to have leaked a classified detail about the ongoing USA Freedom dragnet: that they’ve been issuing orders to a “large and significant number of companies” under the new dragnet.

There are large and significant number of companies that either said, we are not going to collect records at all, we’re not going to have any records if you come asking for them, or we’re only going to keep them on average of 18 months. When the intelligence community or law enforcement comes knocking and subpoenas those records, in many cases there won’t be any records because some of these companies already said they’re not going to hold these records. And the result is that we will not be able in many cases to put together the full puzzle, the full picture of some of these individuals.

Let me clear: I’m certain this fact, that the IC has been asking for records from “a large number of companies,” is classified. For a guy trying to run for President as an uber-hawk, leaking such details (especially in appearance where he calls cleared people who leak like Edward Snowden “traitors”) ought to be entirely disqualifying.

But that detail is not news to emptywheel readers. As I noted in my analysis of the Intelligence Authorization the House just passed, James Clapper would be required to do a report 30 days after the authorization passes telling Congress which “telecoms” aren’t holding your call records for 18 months.

Section 307: Requires DNI to report if telecoms aren’t hoarding your call records

This adds language doing what some versions of USA Freedom tried to requiring DNI to report on which “electronic communications service providers” aren’t hoarding your call records for at least 18 months. He will have to do a report after 30 days listing all that don’t (bizarrely, the bill doesn’t specify what size company this covers, which given the extent of ECSPs in this country could be daunting), and also report to Congress within 15 days if any of them stop hoarding your records.

That there would be so many companies included Clapper would need a list surprised me, a bit. When I analyzed the House Report on the bill, I predicted USAF would pull in anything that might be described as a “call.”

We have every reason to believe the CDR function covers all “calls,” whether telephony or Internet, unlike the existing dragnet. Thus, for better and worse, far more people will be exposed to chaining than under the existing dragnet. It will catch more potential terrorists, but also more innocent people. As a result, far more people will be sucked into the NSA’s maw, indefinitely, for exploitation under all its analytical functions. This raises the chances that an innocent person will get targeted as a false positive.

At the same time, I thought that the report’s usage of “phone company” might limit collection to the providers that had been included — AT&T, Verizon, and Sprint — plus whatever providers cell companies aren’t already using their backbone, as well as the big tech companies that by dint of being handset manufacturers, that is, “phone” companies, could be obligated to turn over messaging records — things like iMessage and Skype metadata.

Nope. According to uber-hawk who believes leakers are traitors Marco Rubio, a “large number” of companies are getting requests.

From that I assume that the IC is sending requests to the entire universe of providers laid out by Verizon Associate General Counsel Michael Woods in his testimony to SSCI in 2014:

Screen Shot 2015-12-08 at 1.17.27 AM

Woods describes Skype (as the application that carried 34% of international minutes in 2012), as well as applications like iMessage and smaller outlets of particular interest like Signal as well as conferencing apps.

So it appears the intelligence committees, because they’re morons who don’t understand technology (and ignored Woods) got themselves in a pickle, because they didn’t realize that if you want full coverage from all “phone” communication, you’re going to have to go well beyond even AT&T, Verizon, Sprint, Apple, Microsoft, and Google (all of which have compliance departments and the infrastructure to keep such records). They are going to try to obtain all the call records, from every little provider, whether or not they actually have the means with which to keep and comply with such requests. Some — Signal might be among them — simply aren’t going to keep records, which is what Rubio is complaining about.

That’s a daunting task — and I can see why Rubio, if he believes that’s what needs to happen, is flustered by it. But, of course, it has nothing to do with the end of the old gap-filled dragnet. Indeed, that daunting problem arises because the new program aspires to be more comprehensive.

In any case, I’m grateful Rubio has done us the favor of laying out precisely what gaps the IC is currently trying to fill, but hawks like Rubio will likely call him a traitor for doing so.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Only Remaining Senator Personally Targeted by Terrorist Attack Still Believes in Constitution

The Senate just voted down cloture on the USA Freedom Act, 58-42. Even while we disagreed on the bill, I extend sincere condolences to civil liberties allies who worked hard to pass this in good faith. I know you all have worked hard in good faith to pass something viable.

Several things about the vote were predictable (in fact, I predicted them in June). Just as one example, I noted to allies that if Jeff Flake — who had a great record on civil liberties while he was still in the House — did not support the effort, it would fail. Four Senators — cosponsors Mike Lee, Ted Cruz, and Dean Heller, plus Lisa Murkowski voted for cloture; Rand Paul did not. Bill Nelson voted against cloture as well (there are reports he is claiming it was a mistake, but given how closely this bill was whipped that would be … telling).

Equally predictable was the fear-mongering. GOP Senator after GOP Senator got up and insisted if the phone dragnet ended, ISIL would attack the country. None noted, of course, that the phone dragnet had never succeeded in preventing a terrorist attack. Pat Leahy made that point but it’s one opponents of the dragnet need to make in more concerted fashion.

Then there was a piece of news that neither side — supporter or opponent — seemed to want to mention. Dianne Feinstein revealed that at first 2 of 4 providers (presumably the fourth is T-Mobile though it could even be Microsoft, given that Skype is a more important phone carrier for international traffic) had refused to keep phone records, but that they had voluntarily agreed to do so for a full two years (this is at least a 6 month extension for Verizon, though may be significantly longer for cell calls).

The most dramatic part of the debate came after everyone left, when a frustrated Pat Leahy made the case for defending the Constitution. He recalled the anthrax letter addressed to him, on September 18, 2001, that killed a postal worker who processed it (another letter killed a Tom Daschle aide see Meryl Nass’ correction). “13 years ago this week, a letter was sent to me, addressed to me. It was so deadly, with the antrax in it that one person who touched the envelope–addressed to me, that I was supposed to open–They died!” Leahy reminded that the FBI had still not caught all the culprits for the attack. (That he believes that was first reported here in 2008; I believe FBI has, in fact, caught none of the culprits.) That attack targeting him personally, Leahy noted, did not convince him he had to abrogate the Constitution. “This nation should not let our liberties to be set aside by passing fears.” Leahy said. “If we do not protect our Constitution we do not deserve to be in this body.”

Senators like Marco Rubio got up and screamed about terrorists. But unless I’m mistaken, Pat Leahy is the only one remaining in the Senate who was personally targeted by a terrorist.

Maybe we ought to highlight that point?

Updated w/additions from Leahy’s comments.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The Intelligence Committee’s “Secret” Briefings on the Boston Attack

There are 15 members of the Senate Intelligence Committee. By my count, at least 5 of them revealed some part of what they got briefed on the Boston attack yesterday afternoon to the press.

Saxby Chambliss says an agency may not have shared one piece of evidence.

“There now appears that may have been some evidence that was obtained by one of the law enforcement agencies that did not get shared in a way that it could have been. If that turns out to be the case, then we have to determine whether or not that would have made a difference,” Chambliss said.

Though Chambliss would not get into specifics on  the information or whether or not the bombing could have been prevented, he told Channel 2 Action News that they will find out if someone dropped the ball.

“Information sharing between agencies is critical. And we created the Department of Homeland Security to supervise that. We created the National Counter Terrorism Center to be the collection point for all of this information, and we’re going to get to the bottom of whether or not somebody along the way dropped the ball on some information and did not share it in a way that it should have been shared.”

Chambliss also suggested that some of the walls that had been eliminated after 9/11 may have been unintentionally recreated.

“Post-911 we thought we had created a systems that would allow for the free flow of information between agencies,” said Senator Saxby Chambliss, a Republican from Georgia and member of the intelligence panel. “And I think there have been some stone walls .. .that have been re-created that were probably unintentional.”

Richard Burr revealed that FSB had contacted the government more than the single, January 2011 time that has been reported; it contacted us (he didn’t say what agency) at least once since October 2011.

Russian authorities alerted the US government not once but “multiple’’ times over their concerns about Tamerlan Tsarnaev — including a second time nearly a year after he was first interviewed by FBI agents in Boston — raising new questions about whether the FBI should have focused more attention on the suspected Boston Marathon bomber, according to US senators briefed on the probe Tuesday.

[snip]

In a closed briefing on Tuesday, members of the Senate Intelligence Committee learned that Russia alerted the United States about Tsarnaev in “multiple contacts’’ — including “at least once since October 2011,’’ said Richard Burr, a Republican of North Carolina, speaking with reporters afterward.

Susan Collins revealed that one agency even had problems sharing information within its own agency and repeated that magic word, “stovepipe.”

“But I’m very concerned that there still seem to be serious problems with the sharing of information, including critical investigative information,’’ she said after emerging from the closed-door committee briefing. “That is troubling to me, this many years after the attacks on our country in 2001, that we still seem to have stovepipes that prevent information from being shared effectively, not only among agencies but also with the same agency in one case.”

Russian authorities alerted the US government not once but “multiple’’ times over their concerns about Tamerlan Tsarnaev — including a second time nearly a year after he was first interviewed by FBI agents in Boston — raising new questions about whether the FBI should have focused more attention on the suspected Boston Marathon bomber, according to US senators briefed on the probe Tuesday.

The FBI has previously said it interviewed Tsarnaev in early 2011 after it was initially contacted by the Russians. After that review, the FBI has said, it determined he did not pose a threat.

In a closed briefing on Tuesday, members of the Senate Intelligence Committee learned that Russia alerted the United States about Tsarnaev in “multiple contacts’’ — including “at least once since October 2011,’’ said Richard Burr, a Republican of North Carolina, speaking with reporters afterward.

Marco Rubio shared details echoing those reported elsewhere, that the brothers had gotten both their beliefs and bomb instructions online. Dianne Feinstein — the only Democrat I found blabbing to the press — said to hold off on making judgments.

Now, none of these details are that informative. I’m interested in the multiple follow-up complaints from Russia, particularly given that other reports say FBI asked for follow-up information from Russia three different times and got nothing (was FSB sharing it with the CIA?). I’m interested in the agency that couldn’t share information within its own agency.

Other than that, I get the impression this is more of what plagues our counterterrorism efforts in the first place: a flood of information with an imperfect ability to sort it (not to mention the very distinct possibility that there were no definitive pieces of intelligence that would have alerted authorities to the brothers’ violent intent).

But I wonder, given that no one seems to take the “closed” part of “closed hearings” very seriously. Why can’t we just brief this stuff publicly, so taxpayers and citizens can learn whether the billions we’ve spent on counterterrorism have done anything more than create even more bureaucracies.

Update: This story confirms that the second request was to CIA, which referred it back to the FBI.

Meanwhile, a review of Russia’s contacts with the U.S. authorities, shows that six months after the Russians asked the FBI to review the activities of Tsarnaev’s brother, Tamerlan, Russian authorities made an identical request to the CIA.

The official, who is not authorized to comment publicly, said the CIA was aware of the FBI’s prior review—which turned up nothing improper—and referred the Russian request back to the FBI.

The CIA is prohibited from conducting intelligence operations on U.S. soil.

The FBI, which had closed its review on Tsarnaev in June 2011 after sharing its results with Russian officials, again contacted their Russian counterparts, asking if they had developed additional information on the Cambridge, Mass., man.

But the official said Russian authorities never responded.

This story notes that FSB has been accompanying the FBI as it questions the Tsarnaev parents and provides background on all the ways US-Russian relations are strained right now.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.