Jim Comey Makes Bogus Claims about Privacy Impact of Electronic Communications Transaction Record Requests

[Image: Section 215 tracker]

On November 30, Nicholas Merrill was permitted, for the first time, to unseal the NSL he received back in 2004. That request asked for:

the names, addresses, lengths of service and electronic communication transaction records [ECTR], to include existing transaction/activity logs and all e-mail header information (not to include message content and/or subject fields) for [the target]

The unsealing of the NSL confirmed what has been public since 2010: that the FBI used to (and may still) demand ECTRs from Internet companies using NSLs.

On December 1, the House Judiciary Committee held a hearing on a bill reforming ECPA that has over 300 co-sponsors in the House; on September 9, the Senate Judiciary Committee had held its own hearing, though some witnesses and members there generally supported expanded access to stored records rather than the new restrictions embraced by HJC.

Since then, a number of people have been arguing that the FBI should once again be able to access ECTRs with NSLs, as it did in 2004, with no court oversight. One of two changes in the version of Senator Tom Cotton’s surveillance bill introduced on December 2, as compared to the version introduced on November 17, was the addition of ECTRs to NSLs (the other was making the FAA permanent).

And yesterday, Chuck Grassley (who of course could shape any ECPA reform that went through SJC) invited Jim Comey to ask for ECTR authority to be added to NSLs.

Grassley: Are there any other tools that would help the FBI identify and monitor terrorists online? More specifically, can you explain what Electronic Communications Transactions Record [sic], or ECTR, I think that’s referred to, as acronym, are and how Congress accidentally limited the FBI’s ability to obtain them, with a, obtain them with a drafting error. Would fixing this problem be helpful for your counterterrorism investigations?

Comey: It’d be enormously helpful. There is essentially a typo in the law that was passed a number of years ago that requires us to get records, ordinary transaction records, that we can get in most contexts with a non-court order, because it doesn’t involve content of any kind, to go to the FISA Court to get a court order to get these records. Nobody intended that. Nobody that I’ve heard thinks that that’s necessary. It would save us a tremendous amount of work hours if we could fix that, without any compromise to anyone’s civil liberties or civil rights, everybody who has stared at this has said, “that’s actually a mistake, we should fix that.”

That’s actually an unmitigated load of bullshit on Comey’s part, and he should be ashamed to make these claims.

As a reminder, the “typo” at issue is not in fact a typo but a 2008 interpretation from DOJ’s Office of Legal Counsel, which held that the FBI could only get with NSLs what the statute said it could get. After that happened — as a DOJ IG Report laid out in detail last year — a number (but not all) of tech companies started refusing, beginning in 2009, to comply with NSLs requesting ECTRs.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

Even before that, in 2007, the FBI had developed a new definition of what it could get using NSLs. Then, in 2010, the Administration proposed adding ECTRs to NSLs. Contrary to Comey’s claim, plenty of people objected to that addition, as this 2010 Julian Sanchez column, which he could re-release today verbatim, makes clear.

They’re calling it a tweak — a “technical clarification” — but make no mistake: The Obama administration and the FBI’s demand that Congress approve a huge expansion of their authority to obtain the sensitive Internet records of American citizens without a judge’s approval is a brazen attack on civil liberties.

[snip]

Congress would be wise to specify in greater detail just what are the online equivalents of “toll billing records.” But a blanket power to demand “transactional information” without a court order would plainly expose a vast range of far more detailed and sensitive information than those old toll records ever provided.

Consider that the definition of “electronic communications service providers” doesn’t just include ISPs and phone companies like Verizon or Comcast. It covers a huge range of online services, from search engines and Webmail hosts like Google, to social-networking and dating sites like Facebook and Match.com to news and activism sites like RedState and Daily Kos to online vendors like Amazon and Ebay, and possibly even cafes like Starbucks that provide WiFi access to customers. And “transactional records” potentially covers a far broader range of data than logs of e-mail addresses or websites visited, arguably extending to highly granular records of the data packets sent and received by individual users.

As the Electronic Frontier Foundation has argued, such broad authority would not only raise enormous privacy concerns but have profound implications for First Amendment speech and association interests. Consider, for instance, the implications of a request for logs revealing every visitor to a political site such as Indymedia. The constitutionally protected right to anonymous speech would be gutted for all but the most technically savvy users if chat-forum participants and blog authors could be identified at the discretion of the FBI, without the involvement of a judge.

That legislative effort didn’t go anywhere, so instead (as the IG report explained) the FBI started to use Section 215 orders to obtain that data. Such requests constituted a majority of 215 orders in 2010 and 2011 (and probably have since, creating the spike in numbers since that year noted in the table above).

Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

But the other reason Comey’s claim that getting this from NSLs would not pose “any compromise to anyone’s civil liberties or civil rights” is bullshit is that the migration of ECTR requests to Section 215 orders also appears to have led the FISA Court to finally force the FBI to do what the 2006 reauthorization of the PATRIOT Act required it to do: minimize the data it obtains under 215 orders to protect Americans’ privacy.

By all appearances, the rubber-stamp FISC believed these ECTR requests represented a very significant compromise to people’s civil liberties and civil rights and so finally forced FBI to follow the law requiring them to minimize the data.

Which is probably what this apparently redoubled effort to let the FBI obtain the online lives of Americans (remember, these must be US persons; otherwise the FBI could use PRISM to obtain the data) using secret requests that get no oversight really is: an attempt to bypass whatever minimization procedures — and the oversight that comes with them — the FISC imposed.

And remember: with the passage of the USA Freedom Act, the FBI doesn’t have to wait to get these records (though they are probably prospective, just as the old phone dragnet was); it can obtain an emergency order and then fill out the paperwork after the fact.

For some reason — either the disclosure in Merrill’s suit that the FBI believed it could do this (which has been public since 2010 or earlier), or the prospect that ECPA will finally get reformed — the Intelligence Community is again asserting the bogus claims it tried to make in 2010. Yet there’s even more evidence now than there was then that the FBI wants to conduct intrusive spying without real oversight.

DOJ Still Gets a Failing Grade on Strong Authentication

In DOJ’s Inspector General’s annual report on challenges facing the department, Michael Horowitz revealed how well DOJ is complying with the Office of Management and Budget’s directive in the wake of the OPM hack that agencies improve their own cybersecurity, including by adopting strong authentication for both privileged and unprivileged users.

DOJ is still getting a failing grade on that front — just 64% of users are in compliance with the requirement that they use strong authentication.

Following OMB’s directive, the White House reported that federal civilian agencies increased their use of strong authentication (such as smartcards) for privileged and unprivileged users from 42 percent to 72 percent. The Justice Department, however, had among the worst overall compliance records for the percentage of employees using smartcards during the third quarter of FY 2015 – though it has since made significant improvements, increasing to 64 percent of privileged and unprivileged users in compliance by the fourth quarter. Given both the very sensitive nature of the information that it controls, and its role at the forefront of the effort to combat cyber threats, the Department must continue to make progress to be a leader in these critical areas.

Ho hum. These are only the databases protecting FBI’s investigations into mobs, terrorists, and hackers. No reason to keep those safe.

In any case, it may be too late, as the Crackas with Attitude already broke into the portal for some of those databases.

Ah well, we’ll just dump more information into those databases under CISA and see if that prevents hackers.

FBI’s 5-Year Effort to Avoid Inspector General Scrutiny of Its Phone Dragnet Use

As part of today’s Senate Judiciary hearing on DOJ OLC’s decision to make DOJ’s Inspector General ask nicely before it gets certain kinds of materials it needs to conduct its work, John Cornyn asked what changed in 2010 to make the FBI start pushing back against sharing information freely with the IG.

Inspector General Michael Horowitz responded,

I was not the Inspector General at that time, but my understanding is that the memos and decisions from the legal counsel at the FBI followed several OIG reviews of the handling of National Security Letters, Exigent Letters, and other hard-hitting OIG reviews, because there was no other change in the law, no policy change, no regulatory change…

Horowitz is suggesting that because his predecessor, Glenn Fine, released reports showing FBI abuse of national security programs, the FBI started pushing back against sharing information. The claim is particularly interesting given that the Exigent Letters report, released in January 2010, significantly implicated the FBI General Counsel’s office, including then-General Counsel and now lifetime-appointed judge (with Cornyn’s backing) Valerie Caproni.

The suggestion is also interesting given that Fine resigned in 2010 after starting an investigation into the use of Section 215 and PRTT. It took years before DOJ had a working Inspector General again, resulting in a long delay before Congress got another report on how the government was using the phone dragnet.

All of which is all the more troubling, given that Horowitz revealed that,

Just yesterday, I’m told, in our review of the FBI’s use of the bulk telephony statute, a review that this committee has very much been interested in our doing, we got records with redactions, not for grand jury, Title III, or fair credit information, because those have been dealt with, but for other areas that the FBI has identified legal concerns about.

This is particularly troubling given that just weeks ago the USA Freedom Act mandated certain IG reviews of phone dragnet activities.

But the FBI is still obstructing such efforts.

The Inspectors General Bring Out the Space Heroes to Defend Full Access

[Image: John Glenn]

A few weeks back, I noted that the Office of Legal Counsel had finally released its opinion on whether DOJ had to share everything its Inspector General requested, or could hold things (and investigations) up until the Deputy Attorney General decided such disclosure would be in the interest of DOJ.

OLC ruled against the Inspector General, finding that rules limiting dissemination of wiretap, grand jury, and financial data required DOJ’s preferred arrangement, even given Congress’ recent appropriations instructions to give Inspectors General what they need.

Senators Chuck Grassley and Ron Johnson and Congressmen Bob Goodlatte and John Conyers expressed concern about the opinion when it was released. Grassley now has a hearing — titled “‘All’ Means All: The Justice Department’s Failure to Comply with Its Legal Obligation to Ensure Inspector General Access to All Records Needed for Independent Oversight” — tomorrow to address the issue.

In anticipation of that hearing, the Inspectors General have brought out the big guns.

First, retired Senator and space hero John Glenn wrote a letter reminding Congress that when he and others passed the Inspector General Act in 1978, they intended IGs to get access to everything.

The success of the IG Act is rooted in the principles on which the Act is grounded–independence, direct reporting to Congress, dedicated staff and resources, unrestricted access to agency records, subpoena power, special protections for agency employees who cooperate with the IG, and the ability to refer criminal matters to the Department of Justice without clearing such referrals through the agency. We considered these safeguards to be vital when we developed the Act and they remain essential today.

In addition, yesterday the Council of the Inspectors General on Integrity and Efficiency sent a letter to Ron Johnson, Tom Carper, Jason Chaffetz, and Elijah Cummings asking for immediate legislation to fix the problem created by the OLC memo. In addition to expressing concern about the impact of the memo on DOJ’s Inspector General (that IG, Michael Horowitz, is Chair of CIGIE, so that is in part him reiterating his own concerns), the other agency IGs worried that the memo might affect their ability to conduct their own work as well.

The OLC opinion’s restrictive reading of the IG Act represents a potentially serious challenge to the authority of every Inspector General and our collective ability to conduct our work thoroughly, independently, and in a timely manner. Our concern is that, as a result of the OLC opinion, agencies other than DOJ may likewise withhold crucial records from their Inspectors General, adversely impacting their work. Even absent this opinion, agencies such as the Peace Corps and the U.S. Chemical Safety and Hazard Investigation Board (CSB) have restricted or denied their OIGs access to agency records on claims of common law privileges or assertions that other laws prohibit access.

[snip]

Uncertainty about the legal authority of Inspectors General to access all information in an agency’s possession could also negatively affect interactions between the staffs of the Offices of Inspector General and the agencies they oversee. Prior to this opinion, agency personnel could be confident, given the clear language of Section 6(a) of the IG Act, that they were required to and should share information openly with Inspector General staff, and typically they did so without reservation or delay. This led to increased candor during interviews, greater efficiency of investigations and other reviews, and earlier and more effective detection and resolution of waste, fraud, and abuse within Federal agencies. We are concerned that witnesses and other agency personnel, faced with uncertainty regarding the applicability of the OLC opinion to other records and situations, may now be less forthcoming and fearful of being accused of improperly divulging information. Such a shift in mindset also could deter whistleblowers from directly providing information about waste, fraud, abuse, or mismanagement to Inspectors General because of concern that the agency may later claim that the disclosure was improper and use that decision to retaliate against the whistleblower.

Neither FBI Director Jim Comey nor Deputy Attorney General Sally Yates are appearing at tomorrow’s hearing. FBI Associate Deputy Director Kevin Perkins and Associate Deputy Attorney General Carlos Uriarte have pulled the unpleasant duty of appearing on a panel with Horowitz. But I imagine Grassley intends tomorrow’s hearing to be rather aggressive.

How CISA Might Hurt FBI’s Ability to Fight Cyberattacks

DOJ’s Inspector General just released a report on how well FBI’s cybersecurity initiative has been going. In general, it finds that the FBI has improved its ability to investigate cyberattacks.

But among the most significant challenges facing the FBI is two-way information sharing with the private sector.

You might think that the Cybersecurity Information Sharing Act — which, after all, aims to increase information sharing between the private sector and those in government who will investigate attacks — would help with that.

On one count it would: private sector entities interviewed by the IG were reluctant to cooperate with the FBI because of FOIA concerns.

During our interviews with private sector individuals, we found that private sector entities are reluctant to share information, such as PII or sensitive or proprietary information, with the government because of concerns about how that information could be used or the possibility that it could be publicly released under the Freedom of Information Act (FOIA). One private sector professional told us that he had declined to be interviewed by the OIG due to FOIA concerns.

CISA would include a blanket exception from FOIA — which is not necessarily a good thing, but should placate those who have these concerns.

But other private sector entities expressed concerns about the multiple uses to which shared data would be put. They cited Snowden disclosures showing data might be used for other purposes.

In addition, several private sector individuals discussed with us the challenges in collaborating with the FBI in a “post-Snowden” era. One private sector individual emphasized that Snowden has redefined how the private sector shares information with the United States government. We were told by private industry representatives and the FBI that, following the Snowden disclosures, private sector entities have become more reluctant to share information with the United States government because they are uncertain as to how the information they provide will be used and are concerned about balancing national security and individual privacy interests.

The recent reports on the use of cyber signatures for upstream Section 702 collection show that the NSA and FBI might be able to use signatures to search all traffic (though I suspect FISC has put more limitations on this practice than is currently known).

Just as troubling, however, are the broad permissions under CISA to use the data turned over under the law for prosecutions on a range of crimes. Right now, ECPA has provided tech companies — at least the ones that pushed back on NSLs demanding Internet data — a way to protect their customers from fishing expeditions. CISA is voluntary (though I can imagine many ways pressure would be brought to participate), but it does undermine that system of protections for customers.

When commenting on this, Jim Comey apparently added proprietary information to the concerns of providers, along with the explicitly described “guard[ing] customer data.”

The FBI Director has acknowledged private sector concerns related to proprietary information and the need to guard customer data and stated the FBI will do what it can to protect private sector privacy.

Given NSA’s voracious use of any information it gets its hands on, and the broad permissions for information sharing in the bill, the protections for trade secrets may not be enough for the private sector, since it’s now clear the government, not just competitors, is exploiting trade secrets.

The IG ends this section urging the FBI to provide “appropriate assurances” about its handling of Personally Identifiable Information.

More generally, efforts to detect, prevent, and mitigate threats are hampered because neither the public nor private sector can see the whole picture.

The FBI Director further explained government lacks visibility into the many private networks maintained by companies in the United States, and the FBI “has information it cannot always share [with the private sector].” Consequently, each can see distinct types of cyber threats, but the information is not always visible to the other. We believe that the FBI should strengthen its outreach efforts to provide appropriate assurances regarding its handling of PII and proprietary information received from the private sector and work to reduce classification, where appropriate, of information in its possession in order to improve sharing and collaboration in both directions consistent with appropriate privacy and other limitations.

It is just my opinion, but I suspect CISA, as written, would further exacerbate concerns.

Finally, Inspector General Michael Horowitz’s statement releasing this report includes something not developed in the report itself, perhaps because it is a more recent concern: the security of data shared with the federal government.

And, the FBI continues to face challenges relating to information sharing with private sector entities, in part because of concerns in the private sector about privacy and the security of sensitive information it shares with the government.

I’d be very interested in whether this stems just from trade secret concerns or from the concern that several of the agencies that would automatically get data shared with the government have their own cybersecurity challenges.


OLC Undermines DOJ Inspector General Independence

For over a year, DOJ’s Inspector General has been trying to ensure it got ready access to things like grand jury materials (this has been pertinent in the Fast and Furious investigation and how DEA and FBI use the latter’s dragnet, among other things). As part of this effort, the IG asked OLC to weigh in on whether it should be able to access this information, or whether it needed to ask nicely, as it has been forced to do.

Here’s the opinion. Here’s the key passage:

In particular, Title III permits Department officials to disclose to OIG the contents of intercepted communications when doing so could aid the disclosing official or OIG in the performance of their duties related to law enforcement, including duties related to Department leadership’s supervision of law enforcement activities on a programmatic or policy basis. Rule 6(e) permits disclosure of grand jury materials to OIG if a qualifying attorney determines that such disclosure could assist her in the performance of her criminal law enforcement duties, including any supervisory law enforcement duties she may have. And FCRA permits the FBI to disclose to OIG consumer information obtained pursuant to section 626 if such disclosure could assist in the approval or conduct of foreign counterintelligence investigations, including in the supervision of such investigations on a programmatic or policy basis. In our view, however, Title III and Rule 6(e) forbid disclosures that have either an attenuated or no connection with the conduct of the Department’s criminal law enforcement programs or operations, and section 626 of FCRA forbids disclosures that have either an attenuated or no connection with the approval or conduct of foreign counterintelligence investigations.

And here’s OIG’s response.

Today’s opinion by the OLC undermines the OIG’s independence, which is a hallmark of the Inspector General system and is essential to carrying out the OIG’s oversight responsibilities under the Inspector General Act. The OLC’s opinion restricts the OIG’s ability to independently access all records in the Justice Department’s possession that are necessary for our audits, reviews, and investigations, and is contrary to the principles and express language set forth in the Inspector General Act.

The opinion also finds that, in adopting Section 218 of the Department of Justice’s FY 2015 Appropriations Act, Congress’ intent was not sufficiently clear to support independent OIG access to all records in the Department’s possession. The OLC’s opinion reaches this conclusion even though Congress passed Section 218 “to improve OIG access to Department documents and information” following the Department’s failure to independently and timely provide all responsive records to the OIG, and Section 218 explicitly provides that the Department may not use appropriated funds to withhold records from the OIG for reasons other than as expressly provided in the Inspector General Act.

As a result of the OLC’s opinion, the OIG will now need to obtain Justice Department permission in order to get access to important information in the Department’s files – putting the agency over which the OIG conducts oversight in the position of deciding whether to give the OIG access to the information necessary to conduct that oversight. The conflict with the principles enshrined in the Inspector General Act could not be clearer and, as a result, the OIG’s work will be adversely impacted.

The OIG will immediately ask Congress to pass legislation ensuring that the OIG has independent access to the information it needs for its work. The Attorney General and the Deputy Attorney General have each expressed their commitment to join the OIG in this effort.

Inspector General Michael E. Horowitz stated:

“I strongly disagree with the OLC opinion. Congress meant what it said when it authorized Inspectors General to independently access ‘all’ documents necessary to conduct effective oversight. Without such access, our Office’s ability to conduct its work will be significantly impaired, and it will be more difficult for us to detect and deter waste, fraud, and abuse, and to protect taxpayer dollars. We look forward to working with the Congress and the Justice Department to promptly remedy this serious situation.”

[This post has been updated to add the opinion.]

DOJ IG: FBI’s Secret Applications of PRTT Are Even More Secret than Its Secret Applications of Section 215

DOJ’s Inspector General just released its unclassified summary of its classified report on FBI’s use of Pen Register/Trap and Trace authority.

It is rather thin, just 5 pages long. It explains what is in the secret report.

We described the different types of pen registers that were used and the variety of information that was collected, as well as some of the technological and legal issues the Department and FBI faced with particular uses of pen register authority. We also describe the investigative circumstances under which the authority is generally used and trends in its use. The FBI and the Intelligence Community determined that much of this information is classified or “for official use only,” and therefore we cannot include it in this Executive Summary.

Our classified report also describes the FBI’s practices for storing and handling pen register information, most of which have remained substantially unchanged since our 2007 – 2009 review period, and it provides an overview of the compliance process and a summary of the compliance incidents involving the use of pen register authority that occurred from 2007 through 2009. Our classified report also includes several findings, only one of which we can describe in this unclassified Executive Summary.

The claim is rather interesting, given that documents EPIC obtained under FOIA make clear that the FBI has used PRTT orders to get location data (not at all surprising, given that it does so under criminal PRTTs as well), and that it has 7 exotic applications of Post Cut-Through Dialed Digits. Those EPIC documents also reveal that John Bates redefined the meaning of Dialing, Routing, Addressing, and Signaling information to include some content.

How is it EPIC could obtain those documents but DOJ’s IG can’t tell us what he found about these practices?

The one conclusion DOJ’s IG can share, sort of, is that FBI has problems weeding out data it shouldn’t have.

[W]e highlighted the challenges the Department faced, and still faces, in ensuring that the government collects or uses only that information that it is lawfully permitted to obtain.

[snip]

We found that the Department’s National Security Division and FBI do not conduct systematic compliance reviews of pen registers, and instead rely on personnel assigned to cases involving pen registers to report any compliance violations.

The report repeatedly notes that “the government is not authorized under FISA to obtain the contents of wire or electronic communications with a pen register order.” Which, of course, we know it has done, both under the NSA program and under PCTDD (indeed, discussions with the FISC over both the content collection under the NSA program and the PCTDD uses took place in 2009, within the scope of the report).

So I assume part of the problem — part of the reason why FBI treats its PRTT programs with greater secrecy than its Section 215 programs — is because it violates the law but doesn’t have the means in place to catch its own violations.

I mean, if the FBI wants to declassify proof that that isn’t true, by all means it should do so. But the available evidence suggests the FBI, and the government more generally, is probably still violating the terms of PRTT under FISA.

Did FBI Stall an IG Review of Innocent Americans Sucked Up in the Dragnet?

I mentioned earlier that the FBI withheld information on the Bureau’s use of phone dragnet tippers from DOJ’s Inspector General long enough to make any review unusable for Congress’ consideration before it passed USA F-ReDux.

That’s important because of this passage from the Stellar Wind IG Report.

Another consequence of the Stellar Wind program and the FBI’s approach to assigning leads was that many threat assessments were conducted on individuals located in the United States, including U.S. persons, who were determined not to have any nexus to terrorism or represent a threat to national security.402 These assessments also caused the FBI to collect and retain a significant amount of personal identification about the users of tipped telephone numbers and e-mail addresses. In addition to an individual’s name and home address, such information could include where the person worked, records of foreign travel, and the identity of family members. The results of these threat assessments and the information that was collected generally were reported in communications to FBI Headquarters and uploaded into FBI databases.

The FBI’s collection of U.S. person information in this manner is ongoing under the NSA’s FISA-authorized bulk metadata collection. To the extent leads derived from this program generate results similar to those under Stellar Wind, the FBI will continue to collect and retain a significant amount of information about individuals in the United States, including U.S. persons, that do not have a nexus to terrorism or represent a threat to national security.

We recommend that as part of the [redacted] project, the Justice Department’s National Security Division (NSD), working with the FBI, should collect addresses disseminated to FBI field offices that are assigned as Action leads and that require offices to conduct threat assessments. The information compiled should include whether individuals identified in threat assessments are U.S. or non-U.S. persons and whether the threat assessments led to the opening of preliminary or full national security investigations. With respect to threat assessments that conclude that users of tipped telephone numbers or e-mail addresses are not involved in terrorism and are not threats to national security, the Justice Department should take steps to track the quantity and nature of U.S. person information collected and how the FBI retains and utilizes this information. This will enable the Justice Department and entities with oversight responsibilities, including the OIG and congressional committees, to assess the impact this intelligence program has on the privacy interests of U.S. persons and to consider whether, and for how long, such information should be retained. (PDF 666-7/329-330)

After a preceding section discussing how many of the tippers sent to FBI (which, after all, may be two hops away from someone of interest) weren’t all that useful, DOJ’s IG at the time, Glenn Fine (the predecessor of the current IG, Michael Horowitz), noted how many Americans with no nexus to terrorism nevertheless have their names, home addresses, workplaces, travel records, and family members’ identities collected and stored in an FBI database, potentially for decades. And, we now know, those assessments would include a search for any previously collected content, which the FBI could read without a warrant.

Fine recommended that FBI begin to track what happens with the Americans sucked up in PATRIOT-authorized dragnets.

But we can be virtually certain FBI chose not to heed that recommendation, because it hasn’t heeded similar recommendations regarding NSLs, and because FBI refuses to track any of its other FISA-related activities.

And Horowitz has been very disciplined about following up on previous IG recommendations in reports on related topics, so that is likely one of the things he planned to investigate with his focus on the “receiving, processing, and disseminating [of] leads” from the phone dragnet.

The review will examine the FBI’s procedures for receiving, processing, and disseminating leads the NSA develops from the metadata, as well as any changes that have been made to these procedures over time. The review will also examine how FBI field offices respond to leads and the scope and type of information field offices collect as a result of any investigative activity that is initiated. In addition, the review will examine the role the leads have had in FBI counterterrorism efforts.

Frankly, because NSA had to curtail so much of what it was doing with the phone dragnet in 2009, there should be fewer Americans sucked up in the dragnet now than there were when Fine did his Stellar Wind review in 2008-09. Though if FBI continued to require an assessment of every new identifier, it would still result in a lot of innocent Americans having their lives unpacked and stored for 30 years by the FBI.

But those numbers will likely be higher, potentially significantly higher, under USA F-ReDux, because any given query will draw on more kinds of information. More importantly, FBI is exempted from counting the queries it runs on any database of call detail records obtained under the new CDR function.

(C) the number of search terms that included information concerning a United States person that were used to query any database of call detail records obtained through the use of such orders;

[snip]

(A) FEDERAL BUREAU OF INVESTIGATION.—Paragraphs (2)(A), (2)(B), and (5)(C) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

This strongly suggests the data will come in through the FBI, be handled under FBI’s minimization procedures (which are far more permissive than NSA’s), and be searched regularly. That likely means the privacy implications for innocent Americans sucked up into the dragnet will be far worse. And all that’s before any of the analysis NSA will do on these query results.

There was no public consideration of the privacy impact of the innocent Americans sucked in under the CDR function during the USA F-ReDux debate (though I wrote about it repeatedly).

But if DOJ’s IG intended to follow up on past recommendations in its review of what FBI does with the phone dragnet data, which would be entirely consistent with past practice, that is one of the things this review, the review FBI stalled past the point when it could be useful, would have focused on.

FBI Successfully Runs Out the Clock on DOJ’s Inspector General Review of Use of Phone Metadata

While everyone was focused on USA F-ReDux last week, DOJ’s Inspector General submitted its semiannual report. In it, Michael Horowitz reiterated his complaint that FBI was stonewalling on document production. He listed four requests, all made after Congress defunded such stonewalling, on which FBI was still refusing to produce records at the end of March.

The OIG has sent four letters to Congress to report that the FBI has failed to comply with Section 218 by refusing to provide the OIG, for reasons unrelated to any express limitation in Section 6(a) of the IG Act, with timely access to certain records in ongoing OIG reviews. Those reviews are:

  • Two FBI whistleblower retaliation investigations, letter dated February 3, 2015, which is available here;
  • The FBI documents related to review of the DEA’s use of administrative subpoenas, letter dated February 19, 2015, which is available here;
  • The FBI’s use of information derived from collection of telephony metadata under Section 215 of the Patriot Act, letter dated February 25, 2015, which is available here; and
  • The FBI’s security clearance adjudication process, letter dated March 4, 2015, which is available here.

As of March 31, 2015, the OIG document requests were outstanding in every one of the reviews and investigations that were the subject of the letters above. The OIG is approaching the 1 year anniversary of the Deputy Attorney General’s request in May 2014 to the Office of Legal Counsel for an opinion on these matters, yet that opinion remains outstanding and the OIG has been given no timeline for the issuance of the completed opinion. Although the OIG has been told the opinion is a priority for the Department, the length of time that has now passed suggests otherwise. Instead, the status quo continues, with the FBI repeatedly ignoring the mandate of Section 218 and the Department failing to issue an opinion that would resolve the matter. The result is that the OIG continues to be prevented from getting complete and timely access to records in the Department’s possession. The OIG’s ability to conduct effective and rigorous oversight is being undercut every day that goes by without a resolution of this dispute.

Of particular note, as of March 31, FBI was still stonewalling an October 10, 2014 request (with a January 2015 deadline) connected with DOJ IG’s review of how FBI has been using metadata from the phone dragnet.

The OIG requested these records in connection with its pending review of the FBI’s use of information derived from the National Security Agency’s collection of telephony metadata obtained from certain telecommunications service providers under Section 215 of the Patriot Act. The timeliness of production is particularly important given that Section 215 of the Patriot Act is set to expire in June of this year.

FBI was also still stonewalling records of how it used DEA’s dragnet, but in the case of phone metadata, Horowitz specifically tied the investigation to the upcoming sunset of Section 215 authority.

DOJ’s IG wanted to review what was happening with the two-hop dragnet data turned over to FBI before Congress reauthorized Section 215. And FBI successfully stalled that effort until after Congress passed a bill that will almost certainly result in far more phone metadata being turned over to FBI, under far more permissive rules than before.

I’ll explain why that was probably important in a follow-up post. But for the moment, as pundits declare winners and losers on yesterday’s passage of USA F-ReDux (I’ll do my own version of that too, shortly!), it’s worth noting that FBI successfully ran out the clock on its own IG, preventing us from learning about the privacy impact of one little-considered aspect of the dragnet.

DOJ IG Issues Yet Another Classified Report that Should Be Public Before Congress Votes on PATRIOT Act

DOJ’s Inspector General just announced that it completed a draft of its report on the FBI’s use of Pen Register/Trap and Trace authority from 2007 through 2009 fifteen months ago, but that the Intelligence Community only finished its classification review last month. It has now issued a classified version of that report to the Judiciary and Intelligence Committees.

Department of Justice Inspector General Michael E. Horowitz today issued a classified report entitled, The Federal Bureau of Investigation’s Use of Pen Register and Trap and Trace Devices under the Foreign Intelligence Surveillance Act in 2007 through 2009. The Department of Justice (DOJ) Office of the Inspector General (OIG) completed a draft of this report in February 2014. At that time, we provided the draft report to DOJ, the Federal Bureau of Investigation (FBI), and the Intelligence Community to conduct factual accuracy and classification reviews. In May 2014, we circulated an updated draft report that reflected minor revisions made in response to the factual accuracy comments we received. We did not receive the final results of the classification reviews until April 30, 2015.

We are providing today’s classified report to the relevant Congressional oversight and intelligence committees, as well as to DOJ leadership offices. We recently submitted a short unclassified Executive Summary of the report to DOJ, the FBI, and the Intelligence Community for review. We will publicly release the Executive Summary as soon as that review is completed.

This is another report that should have been released long before the current debate on the PATRIOT Act. While PRTT is not among the authorities that sunset on Sunday, the issues surrounding the shutdown of the bulk Internet program in (around) October 2009 are central to the debate about the dragnet going forward, because “call” records are increasingly Internet records.

Moreover, USA F-ReDux calls for “privacy guidelines” that I believe are still inadequate to protect US persons’ privacy given the ways the IC is likely using PRTT today. Plus, PRTT is likely used for applications, such as tower dumps and Stingrays, that affect the privacy of many people not otherwise targeted. Congress should have details about that before it legislates.

In addition, Richard Burr’s bill adopts a definition of “content” that excludes Dialing, Routing, Addressing, and Signaling data, a definition that responds directly to the issues behind the Internet dragnet shutdown in 2009.

Last week, thanks to the delayed release of DOJ IG’s report on Section 215, much of DC discovered for the first time what I had been reporting for months: that the bulk of Section 215 orders actually collect bulky Internet data. That report also disclosed that, at least as used through 2009 (that is, as FBI was just starting to use 215 for that Internet collection), Section 215 wasn’t all that useful.

It is highly likely that the 15-month-old PRTT report DOJ’s IG just issued contains information equally important to this debate.

But the public is not going to have access to it.