Posts

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Did NSA Start Using Section 702 to Collect from VPNs in 2014?

I’ve finally finished reading the set of 702 documents I Con the Record dumped a few weeks back. I did two posts on the dump and a related document Charlie Savage liberated. Both pertain, generally, to whether a 702 “selector” gets defined in a way that permits US person data to be sucked up as well. The first post reveals that, in 2010, the government tried to define a specific target under 702 (both AQAP and WikiLeaks might make sense given the timing) as including US persons. John Bates asked for legal justification for that, and the government withdrew its request.

The second reveals that, in 2011, as Bates was working through the mess of upstream surveillance, he asked whether the definition of “active user,” as it applies for a multiple communication transaction, referred to the individual user. The question is important because if a facility is defined to be used by a group — say, Al Qaeda or Wikileaks — it’s possible a user of that facility might be an unknown US person user, the communications of which would only be segregated under the new minimization procedures if the individual user’s communication were reviewed (not that it mattered in the end; NSA doesn’t appear to have implemented the segregation regime in meaningful fashion). Bates never got a public answer to that question, which is one of a number of reasons why Rosemary Collyer’s April 26 702 opinion may not solve the problem of upstream collection, especially not with back door searches permitted.

As it happens, some of the most important documents released in the dump may pertain to a closely related issue: whether the government can collect on selectors it knows may be used by US persons, only to weed out the US persons after the fact.

In 2014, a provider challenged orders (individual “Directives” listing account identifiers NSA wanted to collect) that it said would amount to conducting surveillance “on the servers of a U.S.-based provider” in which “the communications of U.S. persons will be collected as part of such surveillance.” The provider was prohibited from reading the opinions that set the precedent permitting this kind of collection. Unsurprisingly, the provider lost its challenge, so we should assume that some 702 collection collects US person communications, using the post-tasking process rather than pre-targeting intelligence to protect American privacy.

The documents

The documents that lay out the failed challenge are:

2014, redacted date: ACLU Document 420: The government response to the provider’s filing supporting its demand that FISC mandate compliance.

2014, redacted date: EFF Document 13: The provider(s) challenging the Directives asked for access to two opinions the government relied on in their argument. Rosemary Collyer refused to provide them, though they have since been released.

2014, redacted date: EFF Document 6 (ACLU 510): Unsurprisingly, Collyer also rejected the challenge to the individual Directives, finding that post-tasking analysis could adequately protect Americans.

The two opinions the providers requested, but were refused, are:

September 4, 2008 opinion: This opinion, by Mary McLaughlin, was the first approval of FAA certifications after passage of the law. It lays out many of the initial standards that would be used with FAA (which changed slightly from PAA). As part of that, McLaughin adopted standards regarding what kinds of US person collection would be subject to the minimization procedures.

August 26, 2014 opinion: This opinion, by Thomas Hogan, approved the certificates under which the providers had received Directives (which means the challenge took place between August and the end of 2014). But the government also probably relied on this opinion for a change Hogan had just approved, permitting NSA to remain tasked on a selector even if US persons also used the selector.

The argument also relies on the October 3, 2011 John Bates FAA opinion and the August 22, 2008 FISCR opinion denying Yahoo’s challenge to Protect America Act. The latter was released in a second, less redacted form on September 11, 2014, which means the challenge likely post-dated that release.

The government’s response

The government’s response consists of a filing by Stuart Evans (who has become DOJ’s go-to 702 hawk) as well as a declaration submitted by someone in NSA that had already reviewed some of the taskings done under the 2014 certificates (which again suggests this challenge must date to September at the earliest). There appear to be four sections to Evans’ response. Of those sections, the only one left substantially unredacted — as well as the bulk of the SIGINT declaration — pertains to the Targeting Procedures. So while targeting isn’t the only thing the provider challenged (another appears to be certification of foreign intelligence value), it appears to be the primary thing.

Much of what is unredacted reviews the public details of NSA’s targeting procedure. Analysts have to use the totality of circumstances to figure out whether someone is a non US person located overseas likely to have foreign intelligence value, relying on things like other SIGINT, HUMINT, and (though the opinion redacts this) geolocation information and/or filters to weed out known US IPs. After a facility has been targeted, the analyst is required to do post-task analysis, both to make sure that the selector is the one intended, but also to make sure that no new information identifies the selector as being used by a US person, as well as making sure that the target hasn’t “roamed” into the US. Post-task analysis also ensures that the selector really is providing foreign intelligence information (though in practice, per PCLOB and other sources, this is not closely reviewed).

Of particular importance, Evans dismisses concerns about what happens when a selector gets incorrectly tasked as a foreigner. “That such a determination may later prove to be incorrect because of changes in circumstances or information of which the government was unaware does not render unreasonable either the initial targeting determination or the procedures used to reach it.”

Evans also dismisses the concern that minimization procedures don’t protect the providers’ customers (presumably because they provide four ways US person content may be retained with DIRNSA approval). Relying on the 2008 opinion that states in part…

The government argues that, by its terms, Section 1806(i) applies only to a communication that is unintentionally acquired,” not to a communication that is intentionally acquired under a mistaken belief about the location or non-U.S. person status of the target or the location of the parties to the communication. See Government’s filing of August 28, 2008. The Court finds this analysis of Section 1806(i) persuasive, and on this basis concludes that Section 1806(i) does not require the destruction of the types of communications that are addressed by the special retention provisions.”

Evans then quotes McClaughlin judging that minimization procedures “constitute a safeguard against improper use of information about U.S. persons that is inadvertently or incidentally acquired.” In other words, he cites an opinion that permits the government to treat stuff that is initially targeted, even if it is later discovered to be an American’s communication, differently than it does other US person information as proof the minimization procedures are adequate.

The missing 2014 opinion references

As noted above, the provider challenging these Directives asked for both the 2008 opinion (cited liberally throughout the unredacted discussion in the government’s reply) and the 2014 one, which barely appears at all beyond the initial citation.  Given that Collyer reviewed substantial language from both opinions in denying the provider’s request to obtain them, the discussion must go beyond simply noting that the 2014 opinion governs the Directives in question. There must be something in the 2014 opinion, probably the targeting procedures, that gets cited in the vast swaths of redactions.

That’s especially true given that on the first page of Evans’ response claims the Directives address “a critical, ongoing foreign intelligence gap.” So it makes sense that the government would get some new practice approved in that year’s certification process, then serve Directives ostensibly authorized by the new certificate, only to have a provider challenge a new type of request and/or a new kind of provider challenge their first Directives.

One thing stands out in the 2014 opinion that might indicate the closing of a foreign intelligence gap.

Prior to 2014, the NSA could say an entity — say, Al Qaeda — used a facility, meaning they’d suck up any people that used that facility (think how useful it would be to declare a chat room a facility, for example). But (again, prior to 2014) as soon as a US person started “using” that facility — the word use here is squishy as someone talking to the target would not count as “using” it, but as incidental collection — then NSA would have to detask.

The 2014 certifications for the first time changed that.

The first revision to the NSA Targeting Procedures concerns who will be regarded as a “target” of acquisition or a “user” of a tasked facility for purposes of those procedures. As a general rule, and without exception under the NSA targeting procedures now in effect, any user of a tasked facility is regarded as a person targeted for acquisition. This approach has sometimes resulted in NSA’ s becoming obligated to detask a selector when it learns that [redacted]

The relevant revision would permit continued acquisition for such a facility.

[snip]

For purposes of electronic surveillance conducted under 50 U.S.C. §§ 1804-1805, the “target” of the surveillance ‘”is the individual or entity … about whom or from whom information is sought.”‘ In re Sealed Case, 310 F.3d 717, 740 (FISA Ct. Rev. 2002) (quoting H.R. Rep. 95-1283, at 73 (1978)). As the FISC has previously observed, “[t]here is no reason to think that a different meaning should apply” under Section 702. September 4, 2008 Memorandum Opinion at 18 n.16. It is evident that the Section 702 collection on a particular facility does not seek information from or about [redacted].

In other words, for the first time in 2014, the FISC bought off on letting the NSA target “facilities” that were used by a target as well as possibly innocent Americans, based on the assumption that the NSA would weed out the Americans in the post-tasking process, and anyway, Hogan figured, the NSA was unlikely to read that US person data because that’s not what they were interested in anyway.

Mind you, in his opinion approving the practice, Hogan included a bunch of mostly redacted language pretending to narrow the application of this language.

This amended provision might be read literally to apply where [redacted]

But those circumstances fall outside the accepted rationale for this amendment. The provision should be understood to apply only where [redacted]

But Hogan appears to be policing this limiting language by relying on the “rationale” of the approval, not any legal distinction.

The description of this change to tasking also appears in a 3.5 page discussion as the first item in the tasking discussion in the government’s 2014 application, which Collyer would attach to her opinion.

Collyer’s opinion

Collyer’s opinion includes more of the provider’s arguments than the Reply did. It describes the Directives as involving “surveillance conducted on the servers of a U.S.-based provider” in which “the communications of U.S. person will be collected as part of such surveillance.” (29) It says [in Collyer’s words] that the provider “believes that the government will unreasonably intrude on the privacy interests of United States persons and persons in the United States [redacted] because the government will regularly acquire, store, and use their private communications and related information without a foreign intelligence or law enforcement justification.” (32-3) It notes that the provider argued there would be “a heightened risk of error” in tasking its customers. (12) The provider argued something about the targeting and minimization procedures “render[ed] the directives invalid as applied to its service.” (16) The provider also raised concerns that because the NSA “minimization procedures [] do not require the government to immediately delete such information[, they] do not adequately protect United States person.” (26)

All of which suggests the provider believed that significant US person data would be collected off their servers without any requirement the US person data get deleted right away. And something about this provider’s customers put them at heightened risk of such collection, beyond (for example) regular upstream surveillance, which was already public by the time of this challenge.

Collyer, too, says a few interesting things about the proposed surveillance. For example, she refers to a selector as an “electronic communications account” as distinct from an email — a rare public admission from the FISC that 702 targets things beyond just emails. And she treats these Directives as an “expansion of 702 acquisitions” to some new provider or technology. Finally, Collyer explains that “the 2014 Directives are identical, except for each directive referencing the particular certification under which the directive is issued.” This means that the provider received more than one Directive, and they fall under more than one certificate, which means that the collection is being used for more than one kind of use (counterterrorism, counterproliferation, and foreign government plus cyber). So the provider is used by some combination of terrorists, proliferators, spies, or hackers.

Ultimately, though, Collyer rejected the challenge, finding the targeting and minimization procedures to be adequate protection of the US person data collected via this new approach.

Now, it is not certain that all this relied on the new targeting procedure. Little in Collyer’s language reflects passing familiarity with that new provision. Indeed, at one point she described the risk to US persons to involve “the government may mistakenly task the wrong account,” which suggests a more individualized impact.

Except that after her almost five pages entirely redacted of discussion of the provider’s claim that the targeting procedures are insufficient, Collyer argues that such issues don’t arise that frequently, and even if they do, they’d be dealt with in post-targeting analysis.

The Court is not convinced that [redacted] under any of the above-described circumstances occurs frequently, or even on a regular basis. Assuming arguendo that such scenarios will nonetheless occur with regard to selectors tasked under the 2014 Directives, the targeting procedures address each of the scenarios by requiring NSA to conduct post-targeting analysis [redacted]

Similarly, Collyer dismissed the likelihood that Americans’ data would be tasked that often.

[O]ne would not expect a large number of communications acquired under such circumstances to involve United States person [citation to a redacted footnote omitted]. Moreover, a substantial proportion of the United States person communications acquired under such circumstances are likely to be of foreign intelligence value.

As she did in her recent shitty opinion, Collyer appears to have made these determinations without requiring NSA to provide real numbers on past frequency or likely future frequency.

However often such collection had happened in the past (which she didn’t ask the NSA to explain) or would happen as this new provider started responding to Directives, this language does sound like it might implicate the new case of a selector that might be used both by legitimate foreign intelligence targets and by innocent Americans.

Does the government use 702 collection to obtain VPN traffic?

As I noted, it seems likely, though not certain, that the new collection exploited the new permission to keep tasking a selector even if US persons were using it, in addition to the actual foreigners targeted. I’m still trying to puzzle this through, but I’m wondering if the provider was a VPN provider, being asked to hand over data as it passed through the VPN server. (I think the application approved in 2014 would implicate Tor traffic as well, but I can’t see how a Tor provider would challenge the Directives, unless it was Nick Merrill again; in any case, there’d be no discussion of an “account” with Tor in the way Collyer uses it).

What does this mean for upstream surveillance

In any case, whether my guesstimates about what this is are correct, the description of the 2014 change and the discussion about the challenge would seem to raise very important questions given Collyer’s recent decision to expand the searching of upstream collection. While the description of collection from a provider’s server is not upstream, it would seem to raise the same problems, the collection of a great deal of associated US person collection that could later be brought up in a search. There’s no hint in any of the public opinions that such problems were considered.

The Phone Metadata Program Metadata

ODNI released a bunch of the remaining phone dragnet primary orders (and amendments) here. I will have more to say about this later. Of particular note, though, they seem to be withholding the BR 09-15 primary order, which was right in the middle of PATRIOT reauthorization, when NSA kept disseminating results in violation of Reggie Walton’s orders.

  1. Howard, Malcolm BR 06-05 (5/24/06)
  2. Howard, Malcolm BR 06-08 (8/18/06)
  3. Scullin, Frederick, BR 06-12 (11/15/06)
  4. Broomfield, Robert, BR 07-04 (2/02/07)
  5. Gorton, Nathaniel, BR 07-10 (5/03/07)
  6. Gorton, Nathaniel, BR 07-14 (7/23/07)
  7. Vinson, Roger, BR 07-16 (10/18/07)
  8. Howard, Malcolm, BR 08-01 (1/?/08)
  9. Kollar-Kotelly, Colleen, BR 08-04 (4/3/08)
  10. Zagel, James, BR 08-07 (6/26/08)
  11. Zagel, James, BR 08-08 (8/19/08) [or 9/19/08]
  12. Walton, Reggie, BR 08-13 (12/12/08)
  13. Walton, Reggie, BR 09-01 (3/5/09)
  14. Walton, Reggie, BR 09-06 (5/29/09)
  15. Walton, Reggie (?) BR 09-09 (7/8/09) [see also]
  16. Walton, Reggie, BR 09-13 (9/3/09)
  17. Walton, Reggie (?) BR 09-15 (10/30/09) [See also]
  18. Walton, Reggie (?) BR 09-19 [see also]
  19. Walton, Reggie, BR 10-10 (2/26/10)
  20. Walton, Reggie, BR 10-17 (5/14/10)
  21. Walton, Reggie, BR 10-49 (8/04/10)
  22. Walton, Reggie, BR 10-70 (10/29/10)
  23. Bates, John, BR, 11-07 (1/20/11)
  24. Feldman, Martin, BR 11-57 (4/13/11)
  25. Bates, John, BR 11-107 (6/22/11)
  26. ~9/20/11?
  27. BR-11-191 [see also]
  28. ~1/29/12?
  29. ~4/29/12?
  30. ~7/28/12?
  31. ~10/26/12?
  32. ~1/25/13?
  33. Vinson, Roger, BR 13-80, (4/25/13)
  34. Eagan, Claire, BR 13-109, (7/18/13)
  35. McLaughlin, Mary, BR 13-158 (10/11/13)
  36. 1/3/14

1/19: Updated to add the 7/9/09 order and BR 09-19.

1/20: There is one more missing primary order. In an NSA declaration dated November 12, SID Director Theresa Shea said there had been 34 approvals. As shown above, the McLaughlin order is the 33rd of identified orders.

1/26: I think I’ve corrected all the date errors I originally hate (the date stamp is not all that accurate). For the 2011-2013 dates, I’ve worked backwards of the 4/25/13 order.

Robert Litt and Mike Rogers KNOW Congress Hasn’t Ratified the Phone Dragnet

WaPo has a biting profile of Robert Litt, ODNI’s General Counsel who made one more failed attempt to rationalize James Clapper’s lies to Congress last week.

One of the most newsworthy bits is that WaPo published the name of Alfreda Frances Bikowsky, the analyst who got Khaled el-Masri kidnapped and tortured by mistake, for the first time.

A far more subtle but equally important detail comes in its description of why House Intelligence Chair Mike Rogers banned Litt from appearing before the Committee last summer.

Some lawmakers have found Litt’s manner off-putting at best. Rogers, the chairman of the House Intelligence Committee, made clear to the DNI’s office last summer that Litt was no longer welcome before his panel.

“The committee has not found Bob to be the most effective witness to explain complex legal and policy issues,” said a U.S. government official familiar with the falling-out. Rogers was also bothered that Litt faulted the committee for not doing more to share information about the surveillance programs with other members, unaware that doing so would have violated committee rules. [my emphasis]

For what it’s worth, I suspect Rogers is not worried as much about Litt’s honesty (Rogers hasn’t objected to James Clapper or Keith Alexander’s lies, for example, and has himself been a key participant in sustaining them), but rather, for his usual candor and abrasiveness, which the article also shows inspiring members of Congress to want to repeal the dragnet. Litt couches his answers in legalese, but unlike most IC witnesses, you can often parse it to discern where the outlines of truth are.

But I am acutely interested that Litt blames Rogers for not “doing more to share information about the surveillance programs with other members.”

That refers, of course, to Rogers’ failure to make the Administration’s notice on the phone dragnet available to members in 2011, before the PATRIOT Reauthorization. As a result of that, 65 Congressmen voted to reauthorize the PATRIOT Act without full notice (perhaps any formal notice) of the phone dragnet — a sufficiently large block to make the difference in the vote. In spite of that fact, the Administration and even FISA Judges have repeatedly pointed to Congress’ reauthorization of the phone dragnet to explain why it’s legal even though it so obviously exceeds the intent of the Section 215 as passed.

Apparently Litt blames Rogers for that. And doing so got him banished from the Committee.

Frankly, Litt is right in this dispute. Rogers’ excuse that committee rules prevented him from sharing the letter the Administration stated they wanted to be shared with the rest of Congress rings hollow, given that just one year earlier, Silvestre Reyes did make the previous letter available. If committee rules prevent such a thing, they are Rogers’ committee rules, and they were fairly new at the time. (Ironically, by imposing those rules, Rogers prevented members of his own party, elected with strong Tea Party backing, from learning about intelligence programs, though he may have just imposed the rules to increase the value of his own special access.)

So it is Rogers’ fault the Administration should not be able to claim Congress ratified the FISA Court’s expansive understanding of Section 215.

And Rogers and Litt’s spat about it make it clear they both know the significance of it: claims of legislative ratification fail because Congress did not, in fact, know what they were voting on, at least in 2011.

Unsurprisingly, that has not prevented the Administration from making that claim. Litt himself made a variety of it before PCLOB in November, months after he had this fight with Rogers.

[NSA General Counsel Raj] DE: So in other words, and some of this is obviously known to you all but just to make sure members of the public are aware, not only was this program approved by the Foreign Intelligence Surveillance Court every 90 days, it was twice, the particular provision was twice re-authorized by Congress with full information from the Executive Branch about the use of the provision.

[snip]

MR. LITT: I just want to add one very brief comment to Raj’s in terms of the extent to which Congress was kept informed. By statute we’re required to provide copies of significant opinion and decisions of the FISC to the Intelligence and Judiciary Committees of both Houses of Congress and they got the materials relating to this program, as we were required to by law.

Now, Litt’s intejection here is particularly interesting. He doesn’t correct De. He shifts the claim somewhat, to rely on Judiciary and Intelligence Committee notice. But even there, his claim fails, given that the Administration did not provide all relevant opinions to those Committees until after the first dragnet reauthorization in 2010. Litt probably thinks that’s okay because he didn’t qualify when Congress got the materials.

But it’s still a blatant lie, according to the public record.

More significantly, the Administration repeated that lie to both the FISC and, more significantly still, the 3 Article III Judges presiding over challenges to the dragnet generally.

The Administration keeps running around, telling everyone who is obligated to listen that Congress has ratified their expansive interpretation of the phone dragnet. It’s not true. And the fact that Litt and Rogers fought — way back in the summer — over who is responsible makes it clear they know it’s not true.

But they still keep saying it.

DiFi’s Circular Defense of the Phone Dragnet’s Legality Proves It Is Illegal

In the report on her own Fake FISA Fix, DiFi makes this case that the phone dragnet program is not illegal.

First, in reference to the call records program, some people will say that the FISA Improvements Act codifies an illegal program. It does not. This legislation does not provide any new legislative authority with which the government may acquire call records or any other information under Section 215—in fact, it narrows the existing authority for it. Section 2 of the FISA Improvements Act clearly prohibits the use of the Business Records authority to collect bulk communication records except through the supplemental procedures and restrictions required by this section, as are detailed in this report.

As part of this previously classified program, in 2006, the Department of Justice sought approval from the FISA Court to collect call records in large number under the Section 215 Business Records provision. The FISA Court approved that request, and has reviewed and renewed that authority every 90 days for the past seven years. These renewal applications have been approved by at least 15 different federal court judges selected by the Chief Justice of the United States to serve on this Court.

The Department of Justice’s legal analysis of the call records program has recently been publicly released, as have the two most recent opinions by the FISA Court as part of the reauthorization of the program every 90 days.

Critics of the program may dispute the legal reasoning, but there should be no disagreement that this program currently is authorized under law and has been determined to be legal and Constitutional by the Executive and Judicial branches. [my emphasis]

Her rebuttal that this doesn’t codify the program is pretty funny given that just 1 paragraph earlier she talks about “codifying existing privacy protections,” which is the equivalent claim.

I’m more interested in what she doesn’t address.

She lays out how DOJ applied for and got authorization to collect this data in 2006 (she doesn’t say what date).

She points to two FISC court opinions — the one that forgot to address Jones and the one that cleaned up that obvious error — and the Administration White Paper. And she claims that’s “the legal reasoning.”

But of course, it’s not. There was either legal reasoning dated February 24, 2006 that they’re hiding, or there was an absence of legal reasoning, which ought to be a major giveaway in either case.

Moreover, all three documents DiFi points to as “the legal reasoning” suffer from a critical flaw. They all point to Congress’ “fully informed” reauthorization of the law to justify the validity of the law today.

But that “fully informed” reauthorization didn’t happen.

Indeed, DiFi’s own comments on the Fake FISA Fix twice tacitly admit that, when she notes that every member of the Senate got a chance to read notice on the dragnet, while remaining silent about the House.

In addition, information concerning the bulk telephone metadata program has been made available to every member of the Senate prior to the reauthorization of Section 215, most recently in 2011.

[snip]

For example, the NSA telephone metadata program was approved by federal judges and overseen by Congress, where every member of the Senate had access to information concerning how the programs were conducted and an opportunity to voice objections and debate their efficacy.

The White Paper goes even further. It obliquely admits not just that Mike Rogers refused to allow the House to learn about the dragnet before they voted on it.

An updated version of the briefing paper, also recently released in redacted form to the public, was provided to the Senate and House Intelligence Committees again in February 2011 in connection with the reauthorization that occurred later that year. See Letter from Assistant Attorney General Ronald Weich to the Honorable Dianne Feinstein and the Honorable Saxby Chambliss, Chairman and Vice Chairman, Senate Select Committee on Intelligence (Feb. 2, 2011); Letter from Assistant Attorney General Ronald Weich to the Honorable Mike Rogers and the Honorable C.A. Dutch Ruppersberger, Chairman and Ranking Minority Member, House Permanent Select Committee on Intelligence (Feb. 2, 2011). The Senate Intelligence Committee made this updated paper available to all Senators later that month. See Letter from Sen. Diane Feinstein and Sen. Saxby Chambliss to Colleagues (Feb. 8, 2011). [my emphasis]

But it also, even more obliquely, admits that the Executive did not provide the legal reasoning in question until August 16, 2010, after PATRIOT was reauthorized the first time.

Moreover, in early 2007, the Department of Justice began providing all significant FISC pleadings and orders related to this [Section 215] program to the Senate and House Intelligence and Judiciary committees. By December 2008, all four committees had received the initial application and primary order authorizing the telephony metadata collection. Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees. [my emphasis]

So to sum up DiFi’s legal defense of the dragnet:

  1. Three documents say it is legal
  2. All 3 documents say it is legal largely because Congress has reauthorized a previously legally suspect program
  3. One of those 3 documents that says it is legal because Congress reauthorized a legally suspect program admits (obliquely) that Congress was not fully informed either time it reauthorized that suspect program
  4. DiFi’s document pointing to these 3 documents claiming it is legal because Congress reauthorized a legally suspect program also admits Congress was not fully informed when it reauthorized that suspect program

I’m convinced! DiFi has made the case! The program does not, because of the ample notice problems in the past, fulfill the standards which the 3 documents require it would need to meet to be legal.

But it might be if her Fake FISA Fix becomes law.

Docket Inflation at the FISA Court?

Screen shot 2013-10-18 at 3.17.36 PMAs I noted in my last post, I’m a bit alarmed by the docket numbers we’re seeing out of the FISC court. The order released today appears to be the 158th docket for the year.

Compare that to the docket numbers from 2009, as revealed in the orders Reggie Walton issued while trying to clean up NSA’s act. His November 5, 2009 order appears to be just the 15th docket for the year, as compared to Mary McLaughlin’s October order being the 158th.

We’re running at 10 times the pace we were 4 years ago.

The thing is, while the comparison does make this year seem especially bad, it actually seems to be part of a longer trend. Here’s the numbers of NSLs and Section 215 orders the FISC has issued since 2005.

Screen shot 2013-10-18 at 4.17.42 PM

 

 

Before we knew how extensive the phone dragnet was, these numbers suggested some of the NSL production got moved into the secret interpretations of Section 215 after 2010 (which is about the same time Ron Wyden and Mark Udall got especially shrill about it).

While that may or may not explain the big jump between 2009 — when the Walton numbers are perfectly consistent — and 2011, it’s not the phone dragnet driving the numbers. That has only been responsible for something like 6 dockets in any given year, and more often just 4 (for example, even in 2009, the multiple iterations were just additional entries to the docket tied to that quarter’s order).

I thought, too, the Boston Marathon attack might explain higher numbers for this year. But we might even come in slightly lower than we did last year.

Which is another way of noting how deceitful these numbers are. Any single NSL could include more than one American. We know at least some of the Section 215 orders include every American.

So how many records might these entail of each one could represent every American?

Mary McLaughlin Repeats Claire Eagan’s Error

FISC just released the opinion accompanying the most recent Section 215 phone dragnet order.

(Note: does it concern anyone besides me that FISC is now up to 158 dockets for Business Records production this year??)

In it, Judge Mary McLaughlin repeats the very same error Claire Eagan made.

Although the definition of relevance set forth in Judge Egan’s decision is broad, the Court is persuaded that that definition is supported by the statutory analysis set out in the August 29 Opinion. That analysis is reinforced by Congress’ s re-enactment of Section 215 after receiving information about the government’s and the FISA Court’s interpretation of the statute.

As I’ve noted over and over and over, the public record shows that the notice on Section 215 did not actually meet the terms of Eagan’s opinion.

Eagan says,

The ratification presumption applies here where each Member was presented with an opportunity to learn about a highly-sensitive classified program important to national security in preparation for upcoming legislative action. [my emphasis]

Not only did the vast majority of Members have to go out of their way to learn about this program, 19% in fact had no way of learning everything they needed to know about it. Therefore, the ratification presumption fails, and that legal basis crumbles.

Each member was not presented with such an opportunity — certainly not one identified as such.

Now, perhaps FISC’s clerks are incompetent and haven’t even scanned the Google alerts on the issues before them (McLaughlin did finally address US v. Jones, so maybe it’s just a very slow Google alert?).

But this points to the problem with FISC’s lack of an adversary. Because anyone coming before the court would presumably help out FISC’s clerks by pointing them to the many many many reports of how inadequate this notice really was.

Instead, they keep repeating the same mistake over and over — and proving the claims about being a rubber stamp.