How ABC Investigative Reports Turn into NSA Briefings to the SSCI

I’m still working through the NSA reports to the Intelligence Oversight Board posted right before Christmas. Here’s a detail (in the Q4 2008 report) I find interesting:

[Screenshot]

The Shadow Factory was published on October 14, 2008.

8 days before that, the NSA notified the Senate Intelligence Committee (just the SSCI at first?!?!) about an impending (it aired on October 9) Brian Ross interview on ABC with whistleblowers from James Bamford’s book.

The interview included a clip from Michael Hayden’s 2006 CIA Director confirmation hearing before SSCI in which he claimed Americans’ private conversations would never be intercepted.

In testimony before Congress, then-NSA director Gen. Michael Hayden, now director of the CIA, said private conversations of Americans are not intercepted.

“It’s not for the heck of it. We are narrowly focused and drilled on protecting the nation against al Qaeda and those organizations who are affiliated with it,” Gen. Hayden testified.

He was asked by Senator Orrin Hatch (R-UT), “Are you just doing this because you just want to pry into people’s lives?”

“No, sir,” General Hayden replied.

It also included flaccid responses from both then CIA Director Hayden and his spokesperson Mark Mansfield (who was actively involved in pre-emptive leaks to the press on torture) and Keith Alexander (who was Deputy Chief of Staff for Army Intelligence at the time of the violations).

In addition, the ABC report included a quote from then SSCI Chair Jello Jay Rockefeller (who, of course, would have found out about it from the agency days before the report).

The chairman of the Senate Intelligence Committee, Jay Rockefeller (D-WV), called the allegations “extremely disturbing” and said the committee has begun its own examination.

“We have requested all relevant information from the Bush Administration,” Rockefeller said Thursday. “The Committee will take whatever action is necessary.”

It also made clear that Orrin Hatch had been the one to pitch the softball to Hayden in 2006, about which — it is abundantly clear — he lied.

Finally, it includes an anonymous quote from a “US intelligence official” making it clear that all US government employees might be spied on, contrary to Hayden’s public claims during the confirmation process.

Asked for comment about the ABC News report and accounts of intimate and private phone calls of military officers being passed around, a US intelligence official said “all employees of the US government” should expect that their telephone conversations could be monitored as part of an effort to safeguard security and “information assurance.”

There appear to be several things going on with this.

First, this is ABC News, one of the outlets notorious for laundering intelligence claims; indeed, it is possible this is a limited hangout, an attempt to preempt one of the most alarming revelations in Bamford’s book. While the report doesn’t say it explicitly, it implies the claims of whistleblowers Kinne and Faulk prove Hayden to have lied in his CIA Director confirmation hearing, in response to the softball thrown by Hatch. In any case, the briefing about this disclosure appears to have gone exclusively to SSCI (with follow-up briefings to both intelligence oversight committees afterwards), the committee that got the apparently false testimony (and not for the last time, from Michael Hayden!). But by briefing the Committee, it also gave Jello Jay an opportunity — and probably, explicit permission — to sound all stern about a practice the Committee likely knew about.

In the IOB Report, this is portrayed as a model of oversight. But from what we know about the parties involved, it is just as likely to have been an effort at press management.

Update: The 3Q 2009 report describes the outcome of the report. It found “no targeting of US persons.”

Stellar Wind and the Intelligence Oversight Board Reports

As I noted, the NSA released its quarterly reports to the Intelligence Oversight Board as a FOIA-coal-for-Christmas present. In them, we see how the NSA executed a bit of legal chicanery with respect to Stellar Wind which had previously been revealed in the 2009 Draft IG Report on Stellar Wind.

The report claims that NSA’s Inspector General did not get read into the program until August 2002. The IG Report claims to be mystified as to why NSA operated an illegal program for 9 months before reading in the IG; it offers the suggestion that President Bush didn’t want to read in the IG until NSA had a named IG, rather than an Acting one — but that doesn’t explain why they waited 4 months after Joel Brenner came in in April 2002.

(TS//SI//NF) We could not determine exact reasons for why the NSA IG was not cleared for the PSP until August 2002. According to the NSA General Counsel, the President would not allow the IG to be briefed sooner. General Hayden did not specifically recall why the IG was not brought in earlier, but thought that it had not been appropriate to do so when it was uncertain how long the Program would last and before operations had stabilized. The NSA IG pointed out that he did not take the IG position until April 2002, so NSA leadership or the White House may have been resistant to clearing either a new or an acting IG.

One of the things Brenner instituted — the report claims it started almost a year after he came in and more than 6 months after he got read into the program — was to make the IOB reports technically correct by stating that there might be incidents not noticed to IOB but instead noticed to the President.

(C) Second, in March 2003, the IG advised General Hayden that he should report violations of the Authorization to the President. In February of 2003, the OIG learned of PSP incidents or violations that had not been reported to overseers as required, because none had the clearance to see the report.

(TS//SI//OC/NF) Before March 2003, NSA quarterly reports on intelligence activities sent to the President’s Intelligence Oversight Board (through the Assistant to the Secretary of Defense for Intelligence Oversight) stated that the Director was not aware of any unlawful surveillance activities by NSA other than that described in the report. Beginning in March 2003, at the IG’s direction, NSA quarterly reports stated that except as disclosed to the President, the Director was not aware of any unlawful surveillance activities by NSA. Also beginning in March 2003, PSP violations, including those not previously reported to the Intelligence Oversight Board, were reported in “Presidential Notifications.”

But that’s actually not correct. The change appears in the December 4, 2002 report.

[Screenshot]

If the remaining chronology is correct — that Brenner had not yet convinced Hayden to tell the President about violations and that there were some February 2003 violations that did not get reported — then the December 2002 report was inaccurate, because the President would not have been noticed.

What I find interesting about it is how signatures were handled before that. In the June 2002 report — at a time when Brenner was not read into the program — he signed the report himself. In the August 27, 2002 report (which was presumably submitted just after Brenner got read into Stellar Wind), Brian McAndrew, who had been Acting IG before Brenner took over, signed for him.

[Screenshot]

And, in perhaps related metadata, there’s this, from the December 2001 report (that is, the first one after the initiation of Stellar Wind).

[Screenshot]

I think, though am not certain, this note comes from Michael Hayden (with an “H” in the circle), to whom the memo is addressed. He appears to have asked Robert Deitz to discuss the implications of this notice further before he signed it. And someone amended the notice, to include violations known to affiliated (agency?) directors but not to Hayden.

That is, it seems possible that even Michael Hayden hesitated to say this report included all violations of law without Robert Deitz (who has written some robust defenses of NSA since the Snowden leaks) holding his hand somewhat.

Update: Note that the coversheet with Hayden’s note was initially dated December 7, 2001. But the date on the letter he signed was January 4, 2002. That suggests they could have actually changed the content of the letter in response to Hayden’s concerns, though such a delay appears normal given the other reports. 

Of course, this entire structure is premised on the caveat that the President can instruct agency heads not to include violations he doesn’t want them to. And the gaming of some signatures to avoid making false declarations is child’s play compared to what Obama did at the beginning of his Administration, which was basically to let the entire board lapse by not appointing anyone.

Still, the games they were playing with their declarations suggest these men — who’ve made broad comments about how well NSA follows the law — know they were fibbing.

Maybe the Spooks Don’t Want FTC to Know NSA’s Tricks?

In awesome news, the Federal Trade Commission has hired Ashkan Soltani — the tech expert who helped Bart Gellman on many of his most important Snowden scoops — as its new Chief Technology Officer.

The news has elicited wails from NSA’s mail mouthpieces, Stewart Baker and Michael Hayden.

“I’m not trying to demonize this fella, but he’s been working through criminally exposed documents and making decisions about making those documents public,” said Michael Hayden, a former NSA director who also served as CIA director from 2006 to 2009. In a telephone interview with FedScoop, Hayden said he wasn’t surprised by the lack of concern about Soltani’s participation in the Post’s Snowden stories. “I have no good answer for that.”

[snip]

Stewart Baker, a former NSA general counsel, said, while he’s not familiar with the role Soltani would play at the FTC, there are still problems with his appointment. “I don’t think anyone who justified or exploited Snowden’s breach of confidentiality obligations should be trusted to serve in government,” Baker said.

I find Hayden’s wails especially disgusting, given the way — it is now clear — the government spent so much effort covering up how he extended the illegal wiretap program in March 2004. I mean, I’m not trying to demonize the fella, but he’s a criminal, and yet he’s complaining about the press reporting on abuses?

That said, I’m curious whether this isn’t the real reason there seems to be organized pushback against Soltani’s hire.

Soltani is scheduled to give a presentation Nov. 19 at the Strata+Hadoop World conference in Barcelona, Spain, on “how commercial tracking enables government surveillance.” According to the conference website, Soltani’s presentation will explore how “the dropping costs of bulk surveillance is aiding government eavesdropping, with a primary driver being how the NSA leverages data collected by commercial providers to collect information about innocent users worldwide.”

At FTC, Soltani will be in a role where he can directly influence the kind of regulatory pressure placed on data collectors to protect user privacy. He understands — probably far more than we know from the WaPo stories — how NSA is capitalizing on already collected data. Which means he may be able to influence how much remains available to the spooks.

So maybe all this wailing is an effort to sustain the big commercial data’s unwitting support for big spooky data?

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

If the documents relating to Yahoo’s challenge of Protect America Act released last month are accurate reflections of the documents actually submitted to the FISC and FISCR, then the government submitted a misleading document on June 5, 2008 that was central to FISCR’s ultimate ruling.

As I laid out here in 2009, FISCR relied on the requirement in EO 12333 that the Attorney General determine there is probable cause a wiretapping technique used in the US is directed against a foreign power to judge the Protect America Act met probable cause requirements.

The procedures incorporated through section 2.5 of Executive Order 12333, made applicable to the surveillances through the certifications and directives, serve to allay the probable cause concern.

The Attorney General hereby is delegated the power to approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes, provided that such techniques shall not be undertaken unless the Attorney General has determined in each case that there is probable cause to believe that the technique is directed against a foreign power or an agent of a foreign power.

44 Fed. Reg. at 59,951 (emphasis supplied). Thus, in order for the government to act upon the certifications, the AG first had to make a determination that probable cause existed to believe that the targeted person is a foreign power or an agent of a foreign power. Moreover, this determination was not made in a vacuum. The AG’s decision was informed by the contents of an application made pursuant to Department of Defense (DOD) regulations. See DOD, Procedures Governing the Activities of DOD Intelligence Components that Affect United States Persons, DOD 5240.1-R, Proc. 5, Pt. 2.C.  (Dec. 1982).

Yahoo didn’t buy this argument. It had a number of problems with it, notably that nothing prevented the government from changing Executive Orders.

While Executive Order 12333 (if not repealed), provides some additional protections, it is still not enough.

[snip]

Thus, to the extent that it is even appropriate to examine the protections in the Executive Order that are not statutorily required, the scales of the reasonableness determination sway but do not tip towards reasonableness.

Yahoo made that argument on May 29, 2008.

Sadly, Yahoo appears not to have noticed the best argument that Courts shouldn’t rely on EO 12333 because the President could always change it: Sheldon Whitehouse’s revelation on December 7, 2007 (right in the middle of this litigation) that OLC had ruled the President could change it in secret and not note the change publicly. Whitehouse strongly suggested that the Executive in fact had changed EO 12333 without notice to accommodate its illegal wiretap program.

But the government appears to have intentionally withheld further evidence about how easily it could change EO 12333 — and in fact had, right in the middle of the litigation.

This is the copy of the Classified Annex to EO 12333 that (at least according to the ODNI release) the government submitted to FISCR in a classified appendix on June 5, 2008 (that is, after Yahoo had already argued that an EO, and the protections it affords, might change). It is a copy of the original Classified Appendix signed by Ed Meese in 1988.

As I have shown, Michael Hayden modified NSA/CSS Policy 1-23 on March 11, 2004, which includes and incorporates EO 12333, the day after the hospital confrontation. The content of the Classified Annex released in 2013 appears to be identical, in its unredacted bits, to the original as released in 1988 (see below for a list of the different things redacted in each version). So the actual content of what the government presented may (or may not) be a faithful representation of the Classified Appendix as it currently existed.

But the version of NSA/CSS Policy 1-23 released last year (starting at page 110) provides this modification history:

This Policy 1-23 supersedes Directive 10-30, dated 20 September 1990, and Change One thereto, dated June 1998. The Associate Director for Policy endorsed an administrative update, effective 27 December 2007 to make minor adjustments to this policy. This 29 May 2009 administrative update includes changes due to the FISA Amendments Act of 2008 and in core training requirements.

That is, Michael Hayden’s March 11, 2004 modification of the Policy changed to the Directive as it existed before 2 changes made under Clinton.

Just as importantly, the modification history reflects “an administrative update” making “minor adjustments to this policy” effective December 27, 2007 — a month and a half after this challenge started.

By presenting the original Classified Appendix — to which Hayden had apparently reverted in 2004 — rather than the up-to-date Policy, the government was presenting what they were currently using. But they hid the fact that they had made changes to it right in the middle of this litigation. A fact that would have made it clear that Courts can’t rely on Executive Orders to protect the rights of Americans, especially when they include Classified Annexes hidden within Procedures.

In its language relying on EO 12333, FISCR specifically pointed to DOD 5240.1-R. The Classified Annex to EO 12333 is required under compliance with part of that that complies with the August 27, 2007 PAA compliance.

That is, this Classified Annex is a part of the Russian dolls of interlocking directives and orders that implement EO 12333.

And they were changing, even as this litigation was moving forward.

Only, the government appears to have hidden that information from the FISCR.

Update: Clarified that NSA/CSS Policy 1-23 is what got changed.

Update: Hahaha. The copy of DOD 5240.1 R which the government submitted on December 11, 2007, still bears the cover sheet labeling it as an Annex to NSA/CSS Directive 10-30. Which of course had been superseded in 2004.

Note how they cut off the date to hide that it was 1990?

Missing from the EO 12333 Discussion: Its Classified Annex Michael Hayden Revised on March 11, 2004

[Image: NSA Authorities Timeline]

I recommend this ArsTechnica background piece on EO 12333. It describes how Ronnie Reagan issued EO 12333 to loosen the intelligence rules imposed by Jimmy Carter (with links to key historical documents). It includes interviews with the NSA whistleblowers describing how George Bush authorized the collection of telecom data from circuits focused on the US under the guise of EO 12333, calling the bulk of the US person data collected “incidental.” And it describes how Bush and Obama have continued using EO 12333 as a loophole to obtain US person data.

But there’s a key part of the story Ars misses, which I started to lay out here. As this graphic notes, the NSA is governed by a set of interlocking authorities and laws. The precedence of those authorities and laws is not terribly clear — and NSA’s own training programs don’t make them any more clear. Bush’s revision to EO 12333 played on that interlocking confusion.

Perhaps most alarming, however, the NSA continued to use a classified annex to EO 12333 written by Michael Hayden the day he reauthorized the illegal wiretap program at least until recent years — and possibly still. And that classified annex asserts an authority to wiretap Americans on the Attorney General’s authorization for periods of up to 90 days, and wiretap “about” collection based solely on NSA Director authority.

Among the documents released to ACLU and EFF via FOIA was an undated “Core Intelligence Oversight Training” program that consists of nothing more than printouts of the authorities governing NSA activities (as I noted in this post, with one exception, the NSA training programs we’ve seen are unbelievably horrible from a training efficacy standpoint). It includes, in part, EO 12333, DOD 5240.1-R, and NSA/CSS Policy 1-23 (that is, several of the authorities NSA considers among its signature authorities). As part of a 2009 issuance of the latter document (starting on page 110), the training documents also include the classified annex to EO 12333 (starting on page 118). And although both documents are part of that 2009 issuance (which incorporated language reflecting the FISA Amendments Act), they are dated March 11, 2004 — the day after the hospital confrontation, when the Bush Administration continued its illegal wiretap program without DOJ sanction — and signed by then DIRNSA Michael Hayden.

That is, as part of the FOIA response to ACLU and EFF, DOJ revealed how it was secretly applying EO 12333 at least as recently as 2009.

And that secret application of EO 12333 includes two provisions that illustrate how the government was abusing EO 12333, even in the face of revisions to FISA. They include provisions permitting the wiretapping of Americans for 90-day periods based on AG certification, and the wiretapping of “about” communications for apparently unlimited periods based on DIRNSA certification. (see page 123)

Working Thread, Internet Dragnet 4: Later 2009 Documents

The early focus on the dragnet violations was on the phone dragnet. At the end of March, however, DOJ started preparing to look more closely at the PRTT program in late April 2009, which may be why some of the following violations got disclosed to Reggie Walton in conjunction with a May reauthorization application. The CIA, FBI, and NCTC access to the PRTT seems to have been a bigger issue than the BR FISA data.

All that said, when the NSA completed its End-to-End report sometime in fall 2009, they didn’t report all that much beyond the violations noted in May (though they did note the NSA did not shut down some automatic process when it said it did), mostly by claiming they didn’t realize the original dragnet order meant what it said (in spite of the violation in the first dragnet order).

It was only after that that they noticed FISC NSA had been collecting content from the start of the program (see document O). Once they admitted that, NSA decided not to reapply for a Primary Order, and Reggie Walton issued a supplemental order (document E) ordering them not to collect any more, but also not to access the data they did have. Only after that did DOJ submit the End-to-End report, accompanied by DOJ and Keith Alexander reports that admitted the content violation.

See also Working Thread 1, Working Thread 2, Working Thread 3, and Internet Dragnet Timeline. No one else is doing this tedious work; if you find it useful, please support it.

Internet Dragnet Materials, Working Thread 1

I Con the Record just released some ridiculously overclassified Internet dragnet documents it claims show oversight but which actually show how they evaded oversight. I’ve added letters to ID each document (I’ll do a post rearranging them into a timeline tomorrow or soon thereafter).

For a timeline I did earlier of the Internet dragnet program see this post.

This will be the first of several working threads, starting with descriptions of what we’ve got.

8/12: Note I will be updating this as I can clarify dates and content.

So-called Judicial oversight

A. FISC Opinion and Order: This is the Kollar-Kotelly order that initially approved the dragnet on July 14, 2004. A searchable version is here.

B. FISC Primary Order: This is an Internet dragnet order signed by Reggie Walton, probably in 2008 or very early 2009. It shows that the Internet dragnet program, which was almost certainly illegal in any case, had less oversight than the phone dragnet program (though at this point also collected fewer records). It was turned over pursuant to FAA requirements on March 13, 2009.

C. FISC Primary Order: This is an Internet dragnet order probably from May 29, 2009 (as identified in document D), signed by Reggie Walton. It shows the beginning of his efforts to work through the Internet violations. It appears to have been provided to Congress on August 31, 2009.

D. FISC Order and Supplemental Order: This is a version of the joint June 22, 2009 order released on several occasions before. It shows Reggie Walton’s efforts to work through the Internet dragnet violations. Here’s one version.

E. FISC Supplemental Order: This appears to be the dragnet order shutting down dragnet production. It would date to fall 2009 (production was likely shut down in October 2009, though this might reflect the initial shut-down).

F. FISC Primary Order: I’m fairly sure this is an order from after Bates turned the Internet dragnet back on in 2010 (and is signed by him), though I will need to verify that. It does require reports on how the NSA will segregate previously violative records, which is consistent with it dating to 2011 sometime (as is the requirement that the data be XML tagged).

G. FISC Memorandum Opinion Granting in Part and Denying in Part Application to Reinitiate, in Expanded Form, Pen Register/Trap and Trace Authorization: This is the order, from sometime between July and October 2010, where John Bates turned back on and expanded the Internet dragnet. Here’s the earlier released version (though I think it is identical).

H. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This was a report Walton required in document C, above, and so would be in the May-June 2009 timeframe. Update: Likely date June 18, 2009.

I. Government’s Response to the FISC’s Supplemental Order: This is the government’s response to an order from Walton, probably in his May 29, 2009 opinion (see this order for background), or even earlier in May. Update: This response dates to June 18, 2009 or slightly before.

J. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This appears to be the declaration submitted in support of Response I and cited in several places. Update: likely date June 18, 2009.

K. Supplemental Declaration of Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This appears to be the declaration that led to document C above.

L. Government’s Response to the FISC’s Supplemental Order Requesting a Corrective Declaration: This is a declaration admitting dissemination outside the rules responding to 5/29 order.

M. Government’s Response to a FISC Order: This is the government’s notice that it was using automatic queries on Internet metadata, just as it also was with the phone dragnet. This notice was provided to Congress in March 2009.

N. Declaration of Lieutenant General Keith B. Alexander, U.S. Army, Director, NSA, Concerning NSA’s Compliance with a FISC Order: After Walton demanded declarations in response to the initial phone dragnet violation, he ordered NSA to tell him whether the Internet dragnet also had the same problems. This is Keith Alexander’s declaration describing the auto scan for that program too. It was provided to Congress in March 2009.

O. Preliminary Notice of Potential Compliance Incident: This is the first notice of the categorical violations that ultimately led to the temporary shutdown of the dragnet, in advance of order E.

P. Notice of Filing: This is notice of a filing in response to inquiry from Judge Walton. It could be from any time during David Kris’ 2009 to early 2011 tenure.

Q: Government’s Application for Use of Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes: This appears to be the application following Order E, above. I don’t think it’s the 2010 application that led to the reauthorization of the dragnet, because it refers to facilities whereas the 2010 order authorized even broader collection. (Remember Bates’ 2010 order said the government applied, but then withdrew, an application.) Update and correction: this application must post-date December 2009, because that’s when NSA changed retention dates from 4.5 years to 5. Also note reference to change in program and request to access illegally collected data from before 10/09.

R. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes: This appears to be the memorandum of law accompanying application Q.

S. Declaration of General Keith B. Alexander, U.S. Army, Director, NSA, in Support of Pen Register/Trap and Trace Application: This is Alexander’s declaration accompanying Q.

T. Exhibit D in Support of Pen Register/Trap and Trace Application: This is a cover letter. I’m not sure whether it references prior communications or new ones.

U. First Letter in Response to FISC Questions Concerning NSA bulk Metadata Collection Using Pen Register/Trap and Trace Devices: This is the first of several letters in support of reinitiation of the program. The tone has changed dramatically here. For that reason, and because so much of it is redacted, I think this was part of the lead-up to the 2010 reauthorization.

V. Second Letter in Response to FISC Questions concerning NSA bulk Metadata Collection Using Pen Register/Trap and Trace Devices: This second letter is entirely redacted except for the sucking up to Bates stuff.

W. Third Letter in Response to FISC Questions Concerning NSA Bulk Metadata Collection Using Pen Register/Trap and Trace Devices: More sucking up. Some language about trying to keep access to the existing illegally collected data. 

X. Application for Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes: This is the first application for the Internet dragnet, from 2004. Very interesting. Note it wasn’t turned over until July 2009, after Congress was already learning of the new problems with it.

Y. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes: The memorandum of law accompanying X. Also turned over to Congress in 2009.

Z. Declaration of General Michael V. Hayden, U.S. Air Force, Director, NSA, in Support of Pen Register/Trap and Trace Application: This goes with the initial application. NSA has left stuff unredacted that suggests they were accessing less bandwidth than they, in the end, were. Also remember NSA violated this from the very beginning.

AA. Application for Use of Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes: This appears to be the application for the second PRTT order. I’ll return to this tomorrow, but I don’t think it reflects the violation notice it should.

BB. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate: This is NSA’s declaration in conjunction with the first reapplication for the dragnet. This should have declared violations. It was turned over to Congress in March 2009. [update: these appear to be early 2009 application]

CC. Declaration Lieutenant General Keith B. Alexander, U.S. Army, Director, NSA, Concerning NSA’s Implementation of Authority to Collect Certain Metadata: This is Alexander’s declaration accompanying the End-to-End report, from sometime in fall 2009.

DD: NSA’s Pen Register Trap and Trace FISA Review Report: The end-to-end report itself. It was provided to Congress in January 2010.

EE: DOJ Report to the FISC NSA’s Program to Collect Metadata: DOJ’s accompaniment to the end-to-end report.

FF: Government’s First Letter to Judge Bates to Confirm Understanding of Issues Relating to the FISC’s Authorization to Collect Metadata: After Bates reauthorized the Internet dragnet, DOJ realized they might not be on the same page as him. Not sure if this was in the 2009 attempt or the 2010 reauthorization.

GG: Government’s Second Letter to Judge Bates to Confirm Understanding of Issues Relating to the FISC’s Authorization to Collect Metadata: A follow-up to FF.

HH: Tab 1 Declaration of NSA Chief, Special Oversight and Processing, Oversight and Compliance, Signals Intelligence: This appears to be the 90-day report referenced in document C. Update: Actually it is referenced in Document A: note the paragraphs describing the chaining that were discontinued before the dragnet approval.

II: Verified Memorandum of Law in Response to FISC Supplemental Order: This is one of the most fascinating documents of all. It’s a 2009-2011 (I think August 17, 2009, though the date stamp is unclear) document pertaining to 3 PRTT targets, relying on criminal PRTT law and a 2006 memo that might be NSA’s RAS memo (though the order itself is FBI, which makes me wonder whether it seeds the FBI program). It may have been what they used to claim that Internet content counted as metadata.

JJ: Memorandum of Law in Response to FISC Order: A September 25, 2006 response to questions from the FISC, apparently regarding whether rules from criminal pen registers apply to PATRIOT PRTT. While I think this addresses the application to Internet, I also think this language may be being used for location.

So-called Congressional oversight

KK: Government’s Motion to Unseal FISC Documents in Order to Brief Congressional Intelligence and Judiciary Committees: This is a request to unseal an order — I suspect document E — so it could be briefed to Congress.

LL:  Order Granting the Government’s Motion to Unseal FISC Documents in Order to Brief Congressional Intelligence and Judiciary Committees: Walton’s order to unseal KK for briefing purposes. 

MM: April 27, 2005 Testimony of the Attorney General and Director, FBI Before the Senate Select Committee on Intelligence: This is the 2005 testimony in which — I pointed out before — Alberto Gonzales did not brief Congress about the Internet dragnet.

So-called Internal oversight

NN: NSA IG Memo Announcing its Audit of NSA’s Controls to Comply with the FISA Court’s Order Regarding Pen Register/Trap and Trace Devices: This lays out an audit with PRTT compliance, noting that the audit also pertains to BR FISA (phone dragnet). It admits the audit was shut down when the order was not renewed. It’s unclear whether this was the 2009 or the 2011 shutdown, but the implication is it got shut down because it would not pass audit. 

OO: NSA IG Memo Suspending its Audit of NSA after the NSA’s PRTT Metadata Program Expired: the formal announcement they were shutting down the IG report. Again, it’s not clear whether this was the 2009 or the 2011 shutdown.

Say, Why Should Mikey Hayden Get a Say on Torture that Purportedly Preceded Him?

My favorite call for John Brennan’s head thus far comes from Fred Fleitz, who helped John Bolton sex up WMD claims leading into the Iraq War.  He says John Brennan has to resign not just to shore up CIA’s relations with Congress, but also NSA’s.

I believe CIA director John Brennan and agency officials involved in the monitoring of computers used by the SSCI staff must resign to help mend the CIA’s relationship with Congress. Such resignations would go a long way toward restoring the confidence of the SSCI in the CIA and, it is to be hoped, would win the agency and the National Security Agency some crucial allies in both houses of Congress to fend off several ill-advised intelligence-reform proposals currently under discussion there.

But that’s not my favorite part. Nor is where this “intelligence” professional says a report voted out with support from John McCain (in the first vote) and Susan Collins (in the second) is a Democratic vote. Nor is the bit where Fleitz claims the program was properly briefed, which it wasn’t.

My favorite part is Fleitz’ conflicting claims about Michael Hayden.

The main focus of the SSCI probe reportedly is to prove Democratic claims that the effectiveness of the enhanced-interrogation program has been exaggerated. Former CIA director Michael Hayden and other former senior CIA officials involved in the enhanced-interrogation program dispute this. According to Hayden, as late as 2006 fully half of the government’s knowledge about the structure and activities of al-Qaeda came from harsh interrogations.

Despite their firsthand knowledge of the enhanced-interrogation program, there is no input in the SSCI report from Hayden, former CIA general counsel John Rizzo, or other CIA officials, since the report is based solely on an examination of documents.

Assertion 1) Michael Hayden claims half of the government’s knowledge about al Qaeda came from torture, meaning no more than half came from the illegal torture he was conducting at the time over at NSA (and also meaning that relatively more intelligence has come in from SIGINT since Hayden left).

Assertion 2) Michael Hayden, whose entire CIA tenure post-dated the Detainee Treatment Act that made the torture program illegal, should have some say in a torture report.

Maybe Hayden was spying on the CIA while he was in charge of NSA. Or maybe (ok, in fact) Hayden continued torture after such time as Congress made it doubly illegal.

But in the same way that Cofer Black should not need to have a say in torture if the CIA’s false narrative were not false, Michael Hayden shouldn’t either.

Man, as much as this report is demonstrating how much CIA lies and how useless their torture program was, it also demonstrates the misnomer of the whole “intelligence” label.

Snowden: “A Classified Executive Order”

NSA Authorities Timeline

Yesterday, I noted that the subject of Edward Snowden’s emailed question to NSA’s Office of General Counsel pertained to one of the under-reported themes of his leaks, the way NSA uses EO 12333 to collect data on Americans that either clearly was or might have been covered by stricter laws passed by Congress. I also noted how unbelievably shitty the NSA training programs released to ACLU and EFF are, particularly the way seemingly outdated documents that remain in effect appear to allow spying on Americans prohibited by statute.

I’d like to return to the precise language Snowden used to refer to this email exchange (and a thus-far unreleased exchange he claims to have had with NSA’s Compliance folks).

Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. 

I suggested yesterday that this was likely a conflict over whether EO 12333 superseded laws passed by Congress, including but not limited to FISA.

But note: Snowden says he asked about a “classified” EO.

EO 12333 is unclassified.

So there are two possibilities. First, that there’s a classified EO — one that remains classified  — that we don’t know about, one Congress may not even be fully cognizant of (on the premise that this EO supersedes the law).

That’s possible. But EO 12333 is the only EO referenced in USSID 18’s list of references.

USSID 18 References

The other possibility is far more interesting.

As I noted, the documents laying out the core regulations governing NSA conflict badly, largely because many of the documents are very dated, and have been (or should have been) superseded by recent laws (like the FISA Amendments Act) and court decisions (like John Bates’ 2011 ruling on upstream collection).

Of particular interest is NSA/CSS Policy 1-23 (starting at PDF 110). That policy is interesting, first of all, because it was first issued on March 11, 2004 by Michael Hayden. That is, this policy dates to the very day when Michael Hayden agreed to continue the illegal wiretap program even as half of DOJ threatened to quit.

The policy was updated twice, once to make what were considered minor adjustments in policy in 2007, and once in 2009 to incorporate FISA Amendments Act changes. Thus, the policy at least purports to fully incorporate FAA. The 2009 reissue — and its classified annex — is considered among the signature authorizing milestones according to a timeline leaked by Snowden, above, and the only one that mentions a classified annex.

But — as I noted yesterday — the policy still relies on (and incorporates) a classified annex to EO 12333 that was written in 1988 (though the document itself bears the March 11, 2004 date).

NSA Collection: Show Me the $$

As part of its superb piece on NSA spying on Tuesday, Frontline included interviews with key sources. In my opinion, the most enlightening was that with former HPSCI staffer Diane Roark, so you should read that entire interview (especially her comments on NSA at 9/11).

Both she and Tom Drake mention a part of the illegal NSA program that has been largely forgotten: the financial records. Here’s Roark’s non-denial.

And from what you knew at that point, what type of information was taken, and how pervasive was the collection?

It is now quite obvious, since the Snowden revelations, that the program grew progressively over time. Initially, I knew that it involved a lot of broad domestic surveillance, bulk collection, domestically. And I knew that it involved emails, landlines, regular house phones, cell phones. I also knew that they had branched out into non-communications data.

Which is what, bank records? 

I’m not really — they have not acknowledged that. All I can tell you is that when I met the second time with Gen. Hayden in July, I said to him that it appeared the program was expanding, not only in number of servers, but also that two new data categories had recently been added, and he nodded to confirm that. I knew that one of those data programs was not communications data. …

And other commentators have made allusions to other personal data that may be collected. Of course, we all know that transportation data, airline data is connected. We know that international banking data is collected; that has been acknowledged. But there have been allusions to other items, too, by people hypothetically, such as credit, medical, banking and so on.

And here’s Drake’s more explicit mention of it.

You watched the president [George W. Bush] come out and say this is a valuable program; one side of the communications has to be outside; we’re following terrorists; this has prevented attacks on our country. The vice president [Dick Cheney] attacks the Times for publishing. You’re watching this, and you know what’s going on inside. What are you thinking?

This actually was part of the triggering event for me in which increasingly I knew I was going to have to touch the third rail, back to your earlier question. I realized that they were lying, that they were desperate to protect the domestic surveillance program. And so they could use the excuse, although it was still in violation of FISA, that as long as one link somehow was tied to a suspected terrorist, that justified collecting or targeting the link that was in the United States proper.

That was just the tip of the iceberg. The far larger program was the dragnet surveillance, the vast bulk copy of millions and millions of phone records, email records, Internet usage and financial transactional and credit card information.

Since the Snowden leaks started we’ve heard almost nothing about this. There have been the two stories about the CIA collecting Western Union records with at least one end foreign. There is the 2010 Section 215 order tied to an allegedly specific investigation, which must long post-date the CIA-related orders.

What happened to this collection? Is it the April 2, 2004 modification we have never learned about? Is it the second secret Section 215 appendix included in Glenn Fine’s 2008 report? Have they been accomplishing this via NSLs, or perhaps only recently moved it to Section 215? I have suggested in the past that for domestic records, FBI would be the likely lead … is that right?

The financial records collection has, outside of Shane Harris’ book (on TIA), completely disappeared.

But it must be under a new shell somewhere.