Michael Horowitz Archives - Page 11 of 14

Posts

DOJ IG Report Confirms Government Flouted Statutory Requirements of Section 215 for 7 Years

May 21, 2015/6 Comments/in FISA /by emptywheel

For over a year, Congress has been working on a “reform” to Section 215 that it claims will rein in abusive government spying.

Also for about a year, DOJ’s Inspector General has been trying to release a Report on Section 215 use up to 2009. That investigation first began 1,800 days ago.

DOJ has finally managed to release the report.

It confirms a number of things I have been reporting for years: that the government uses the provision to collect records that have nothing to do with phone records in bulk, the majority of which are now Internet records, definitely including URLs and probably including subject lines.

But the takeaway report is something else I’ve been reporting on for some time.

The government completely blew off a requirement imposed with the 2006 PATRIOT Act Reauthorization that the FBI (which is the only agency that’s supposed to use Section 215) adopt minimization procedures specifically for Section 215. Even after FBI missed its September 2006 deadline by claiming it had Interim Procedures, FISC kept approving Section 215 orders, even including paragraphs that appear in every phone dragnet order claiming the government has met that statutory requirement. A year after DOJ’s Inspector General pointed out FBI was violating the statute, FISC started imposing its own minimization procedures and reporting requirements (though not — as a court operating with more transparency might have done — denying orders). Finally, in March 2013, DOJ adopted minimization procedures (though it did not start actually complying with them until more than four months after Edward Snowden’s leaks focused more attention on bulk 215 orders).

In other words, Congress imposed a mandate designed to protect innocent Americans’ privacy in 2006. And DOJ blew that statutory mandate off for years. And FISC let it do so for years, approving order after order requiring FBI to have fulfilled that mandate. And only after 7 years (and some unexpected transparency) did DOJ start following the law.

These are the people Congress is rushing headlong to provide new authorities (including an Emergency provision that is designed to invite abuse): government agencies who simply refuse to follow Congressional mandates.

The Loss of PRTT Minimization Review in USA F-ReDux

April 30, 2015/in FISA /by emptywheel

As I noted earlier, the House Judiciary Committee just released a new version of USA Freedom Act, which I’ve dubbed USA F-ReDux. I’ll have a lot more to say about it, but I want to make two minor point about things that got taken out of Leahy’s bill from last year.

Section 215 Minimization

First, last year’s bill had minimization procedures tied to bulky Section 215 collection effectively requiring the government to destroy the data that had not been determined to be two hops from a target within a period of time.

(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—

(i) a subject of an authorized investigation;

(ii) a foreign power or a suspected agent of a foreign power;

(iii) reasonably likely to have information about the activities of—

(I) a subject of an authorized 21 investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation;

(iv) in contact with or known to—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation,

Those minimization procedures resemble what we’ve seen from the minimization procedures FISC imposed on the phone dragnet, which probably means they also resemble what FISC was imposing in other cases. In the previous year (2013), FISC had imposed minimization procedures on almost 80% of all orders.

In other words, the clause basically required the government to do what the FISC was probably already forcing it to do in the majority of orders (which, in any case, permitted the government to keep, indefinitely, the records associated with people two hops out of someone whom the government had a traffic stop suspicion had ties to terror or spying).

Last year, however, the FISC modified fewer than 3% of orders, and at least one of those was probably a phone dragnet one. Perhaps the change means the government finally started complying with the requirement laid out in 2006 that it adopt minimization procedures (the impending Section 215 IG Report likely created an incentive to do that, as following the law on minimization was one of the recommendations Glenn Fine had made in 2008, so Michael Horowitz surely followed up on that recommendation; plus, the generally law-abiding James Baker assumed FBI’s General Counsel role in this period). Perhaps it means the government stopped making bulky collections (though that is unlikely). But for some reason, the number of orders on which the FISC imposed minimization procedures and a report back fell off a cliff.

And now the requirement that the government adopt minimization procedures for bulky collection is gone from the bill.

I might be alarmed by that, but this year’s bill does add a Rule of Construction clarifying that the FISA Court can impose additional minimization procedures on top of what the bill requires the government to adopt for Section 215. So it may be that if the FBI returns to its recidivist ways on minimization procedures, we’ll see the number of modified orders spike again.

PRTT “Privacy Procedures”

I’m more concerned about what happened on the Pen Register side.

Last year, the PRTT section added new “privacy” (not “minimization”) procedures.

IN GENERAL.—The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include privacy protections that apply to the collection, retention, and use of information concerning United States persons.

Compare how squishy those privacy procedures are to the required Section 215 minimization procedures FBI blew off for years.

A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 1801 (e)(1) of this title, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and

Rather than requiring the procedures minimize the retention and dissemination, the bill required only that privacy protections be applied. And there was no requirement limiting dissemination of non-foreign intelligence data.

But at least there were privacy procedures, right? Baby steps?

Last year’s bill had, and this year’s bill retains, a Rule of Construction (like that added to Section 215) that notes nothing limits FISC’s power to impose additional minimization procedures.

(2) RULE OF CONSTRUCTION.—Nothing in this subsection limits the authority of the court established under section 103(a) or of the Attorney General to impose additional privacy or minimization procedures with regard to the installation or use of a pen register or trap and trace device.

Which is all well and good, but FISC’s authority to do so with PRTT has no statutory basis, unlike Section 215. And during both the 2004 initial application for the Internet dragnet and John Bates’ 2010 reauthorization of it, the government made some fairly aggressive claims about FISC’s impotence to do anything but rubber stamp applications. So this Rule of Construction may not have the same weight as that in Section 215.

Which is why I worry that this section was removed from the bill.

(3) COMPLIANCE ASSESSMENT.—At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the privacy procedures required by this subsection by reviewing the circumstances under which information concerning United States persons was collected, retained, or disseminated.

As the documents on the phone dragnet violations showed, unless FISC has and exercises the authority to ensure compliance with minimization procedures, the government will cheat (or, more charitably, not find systematic years-long violations staring them in the face). FISC seemed to recognize this when it imposed compliance reports on its minimization of Section 215 orders in recent years. But it won’t have statutory authority to review assessment with these already-squishy “privacy procedures.”

Michael Horowitz’ Monthly Complaint about FBI and DEA Stonewalling

April 14, 2015/2 Comments/in Intelligence /by emptywheel

The House Oversight Committee is having a hearing on the problems law enforcement agencies have with sexual harassment and misconduct, as reported by DOJ’s Inspector General. DEA Administrator Michele Leonhart will be offering amusing testimony about how the DEA has given its Agents clear instructions that they’re really the best evah™ but they need to stop breaking the law.

But because I’m an IG nerd, I’m as interested in what has become a monthly event during DOJ Inspector General Michael Horowitz’ tenure, when he provides details of FBI and DEA’s latest stonewalling of oversight. Here’s today’s version:

Further, we cannot be completely confident that the FBI and the DEA provided us with all information relevant to this review. When the OIG finally received from the FBI and DEA the requested information without extensive redactions, we found that it still was incomplete. For example, we determined that the FBI removed a substantial number of cases from the result of their search and provided additional cases to the OIG only after we identified some discrepancies. These cases were within the scope of our review and should have been provided as requested. Likewise, the DEA also provided us additional cases only after we identified some discrepancies. In addition, after we completed our review and a draft of the report, we learned that the DEA used only a small fraction of the terms we had provided to search its database for the information needed for our review. Rather than delay our report further, we decided to proceed with releasing it given the significance of our findings.

We also determined that the DEA initially withheld from us relevant information regarding an open case involving overseas prostitution. During a round of initial interviews, only one interviewee provided us information on this case. We later learned that several interviewees were directly involved in the investigation and adjudication of this matter, and in follow-up interviews they each told us that they were given the impression by the DEA that they were not to talk to the OIG about this case while the case was still open. In order to ensure the thoroughness of our work, the OIG is entitled to receive all information in the agency’s possession regardless of the status of any particular case.

As I have testified on multiple occasions, in order to conduct effective oversight, an Inspector General must have timely and complete access to documents and materials needed for its audits, reviews, and investigations. This review starkly demonstrates the dangers inherent in allowing the Department and its components to decide on their own what documents they will share with the OIG, and even whether the Inspector General Act requires them to provide us with requested information. The delays experienced in this review impeded our work, delayed our ability to discover the significant issues we ultimately identified, wasted Department and OIG resources during the pendency of the dispute, and affected our confidence in the completeness of our review.

This was not an isolated incident. Rather, we have faced repeated instances over the past several years in which our timely access to records has been impeded, and we have highlighted these issues in our reports on very significant matters such as the Boston Marathon Bombing, the Department’s use of the Material Witness Statute, the FBI’s use of National Security Letters, and ATF’s Operation Fast and Furious.

The Congress recognized the significance of this impairment to the OIG’s independence and ability to conduct effect oversight, and included a provision in the Fiscal Year 2015 Appropriations Act — Section 218 — which prohibits the Justice Department from using appropriated funds to deny, prevent, or impede the OIG’s timely access to records, documents, and other materials in the Department’s possession, unless it is in accordance with an express limitation of Section 6(a) of the IG Act. Despite the Congress’s clear statement of intent, the Department and the FBI continue to proceed exactly as they did before Section 218 was adopted – spending appropriated funds to review records to determine if they should be withheld from the OIG. The effect is as if Section 218 was never adopted. The OIG has sent four letters to Congress to report that the FBI has failed to comply with Section 218 by refusing to provide the OIG, for reasons unrelated to any express limitation in Section 6(a) of the IG Act, with timely access to certain records.

We are approaching the one year anniversary of the Deputy Attorney General’s request in May 2014 to the Office of Legal Counsel for an opinion on these matters, yet that opinion remains outstanding and the OIG has been given no timeline for the issuance of the completed opinion. Although the OIG has been told on occasion over the past year that the opinion is a priority for the Department, the length of time that has now passed suggests otherwise. Instead, the status quo continues, with the FBI repeatedly ignoring the mandate of Section 218 and the Department failing to issue an opinion that would resolve the matter. The result is that the OIG continues to be prevented from getting complete and timely access to records in the Department’s possession. The American public deserves and expects an OIG that is able to conduct rigorous oversight of the Department’s activities. Unfortunately, our ability to conduct that oversight is being undercut every day that goes by without a resolution of this dispute.

At some point, Congress is going to have to decide whether it will use the power of the purse — as they have authorized by statute — to force DEA and FBI to meet the same standards of disclosure that mere citizens would be required if DEA and FBI were investigating them.

Until then, we should just assume FBI and DEA are breaking the law.

DEA Likely Has More than One Dragnet

April 8, 2015/9 Comments/in Drug War, Financial Fraud /by emptywheel

As yesterday’s USAT story on the DEA dragnet reported, DOJ’s Inspector General is investigating DEA’s dragnet. I first reported that in April 2014.

As I also reported in February, FBI is obstructing that investigation — so much so, that DOJ’s Inspector General Michael Horowitz encouraged Congress to start using appropriations to force it to stop.

The unfulfilled information request that causes the OIG to make this report was sent to the FBI on November 20,2014. Since that time, the FBI has made a partial production in this matter, and there have been multiple discussions between the OIG and the FBI about this request, resulting in the OIG setting a final deadline for production of all material of February 13,2015.

On February 12, 2015, the FBI informed the OIG that it would not be able to produce the remaining records by the deadline. The FBI gave an estimate of 1-2 weeks to complete the production but did not commit to do so by a date certain. The reason for the FBI’s inability to meet the prior deadline set by the OIG for production is the FBI’s desire to continue its review of emails requested by the OIG to determine whether they contain any information which the FBI maintains the OIG is not legally entitled to access, such as grand jury, Title III electronic surveillance, and Fair Credit Reporting Act information.

DOJ IG’s comments about this investigation are worth reconsideration for two reasons.

First, FBI’s obstruction of the investigation emphasize what we already knew from the Shantia Hassanshahi case (via which we first learned about this database). The FBI is (was) also using this database, and for purposes that far exceed counter-narcotics (Hassanshahi was busted for sanctions violations). And, as the Homeland Security investigator’s dramatically changing stories about how he first identified Hassanshahi suggest, for each of those usages, there’s likely some kind of parallel construction going on.

How many cases have been based off this giant dragnet?

But also look at how DOJ’s IG has described this investigation.

Administrative Subpoenas

The OIG is examining the DEA’s use of administrative subpoenas to obtain broad collections of data or information. The review will address the legal authority for the acquisition or use of these data collections; the existence and effectiveness of any policies and procedural safeguards established with respect to the collection, use, and retention of the data; the creation, dissemination, and usefulness of any products generated from the data; and the use of “parallel construction” or other techniques to protect the confidentiality of these programs.

DOJ IG is investigation DEA’s use of subpoenas to obtain broad collections of data or information. Its review will address the legal authority underlying these data collections.

Collections, plural.

Admittedly, we already know of two DEA dragnets: the international dragnet described by the USAT, and the domestic one — Hemisphere — though that resides at least partially with the White House Drug Czar.

But the authority used in the USAT dragnet, 21 USC 876, is the drug equivalent of Section 215, permitting the agency to obtain “tangible things” relevant to (that phrase again) an investigation. We know FBI used equivalent language under Section 215 to collect financial and Internet records as well.

Hell, the DEA couldn’t very well track drug cartels without following the money, via whatever means. Plus, we know cartels have used things like travelers checks and gift cards to move money in recent years.

So I would be willing to bet more than a few quarters that DOJ IG’s use of the term “collections” suggests there’s more than just these telecom dragnets hiding somewhere.

FBI’s Cell Phone Investigative Kiosk Would Allow Fourth Amendment Violations

April 7, 2015/2 Comments/in Intelligence /by emptywheel

Jim Comey wants to sacrifice individual security to ensure the FBI can access cell phones easily.

But in an audit of a forensic lab in Philadelphia, DOJ’s Inspector General found that the FBI is not keeping adequate control of the kiosks that FBI uses to do initial reviews of data on cell phones.

As the report describes, cell phone kiosks serve as a “preview” tool of the contents of the data stored on a phone.

Cell Phone Investigative Kiosks (Kiosks) are available at select FBI field offices and RCFLs. A Kiosk is a preview tool that allows users to quickly and easily view data stored on a cell phone, extract the data to use as evidence, put it into a report, and copy the report to an electronic storage device such as a compact disk. Kiosks are not designed to take the place of full-scale cell phone examinations performed by certified Forensic Examiners; however, the evidence produced by a Kiosk is admissible in a court of law. Kiosk users are required to take a one-time hour-long training course and be familiar with computers. In addition, FBI policy requires Kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media.

The FBI only recently started tracking who had access to these kiosks. And when DOJ IG audited this office’s use of the kiosk, it found that 27% of the people who were accessing it hadn’t filled out the requisite paperwork to ensure only appropriate people used it.

We found that the PHRCFL did not have adequate controls over the access and use of its Kiosks. FBI policy requires Kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media. During our fieldwork, the FBI did not provide any information to show that PHRCFL Kiosk users were required to sign-in, identify the case related to the evidence being examined, or, as required by FBI policy, confirm that they possessed the proper legal authority to search for evidence on the cell phone. In addition, the FBI did not provide us with any information regarding controls in place at the PHRCFL to ensure that users do not use the Kiosks for non-law enforcement matters.

[snip]

we conducted limited testing of 25 visits during FYs 2012 through 2014 to verify compliance with the procedures in place. When the PHRCFL began using the Acknowledgment Form in May 2012, its visitor’s log contained a field for the purpose of each visitor’s visit. We selected names from the visitor’s log whose stated purpose for the visit was Kiosk usage and compared those names and dates to the corresponding Acknowledgment Forms. For the 17 visits we selected between May 2012 and January 2013, we found that approximately 24 percent of the PHRCFL Kiosk-related visitor log entries did not have corresponding Acknowledgment Forms.

[snip]

We believe that although the Kiosks are an efficient tool for law enforcement officers to use to examine digital evidence that may not require the extensive examination of a certified Forensic Examiner, Kiosks are vulnerable to potentially serious abuse. For example, without proper controls, it is possible that a Kiosk user could use this tool to view private cell phone information for non-law enforcement purposes. It also is possible for a user to use a Kiosk without proper legal authority, thereby engaging in a Fourth Amendment violation.

Later in the report, the IG noted that none of the centralized databases tracking other uses of the forensic office track use of the kiosk. That, combined with the paperwork failures, would sure permit FBI to do a whole lot of illegal cell phone searching that would not be tracked.

Which might explain why the numbers FBI shows for searching cell phones don’t actually match Director Comey’s stated concerns about iPhone encrypting its phone.

DOJ Pissed Away $2.1 Million on Drones that Don’t Work

March 25, 2015/8 Comments/in Drones /by emptywheel

DOJ’s IG just released a report on the Department’s drone use. Its overall recommendation is that FBI get more drones, so it has them in locations around the country for quick use if they’re needed (sigh). It also found that FBI doesn’t have good records of how it partners with other agencies (notably, Customs and Border Patrol) to use their drones, which seems like it might present discovery problems.

But I’m most struck by how much money DOJ is blowing on drones that don’t work.

The IG reports — but seems unconcerned — that half of the drones FBI has bought are not operational.

Our September 2013 interim report found that between 2004 and 2013, the FBI spent approximately $3 million to acquire small UAS it deployed to support its investigations. As of August 2014, the FBI had acquired 34 UAS vehicles and associated control stations, of which it considered 17 vehicles and a smaller number of control stations to be operational.

I find this more troubling given that FBI claims only to have used drones in 13 investigations between September 2006 and August 2014. So are they losing more than one drone every time they use one for an investigation?

The IG is far more concerned about ATF’s sunk drone costs.

Our September 2013 interim report found that ATF possessed UAS and planned to deploy them operationally. Specifically, between September 2011 and September 2012, ATF’s UAS program spent approximately $600,000 to purchase three different types of rotary-wing UAS with a total of six UAS vehicles.

[snip]

ATF officials reported that ATF never flew its UAS in support its operations because TOB testing and pilot training revealed a series of technological limitations with the UAS models it had acquired. In particular, ATF determined the real-time battery capability for one UAS model lasted for only about 20 minutes even though the manufacturer specified its flight time was 45 minutes. ATF determined that the other two models of UAS acquired also were unreliable or unsuitable for surveillance. One UAS program manager told us ATF found that one of its smaller UAS models, which cost nearly $90,000, was too difficult to use reliably in operations. Furthermore, the TOB discovered that a gas-powered UAS model, which cost approximately $315,000 and was specified to fly for up to 2 hours, was never operable due to multiple technical defects.

In June 2014, the Special Operations Division concluded that ATF’s UAS were unsuitable for operational use, suspended all ATF UAS-related activities, and reassigned all UAS staff until after DOJ issues and ATF reviews new UAS policy recommendations. In September 2014, the TOB transferred its six UAS vehicles and other related equipment purchased prior to June 2014 to the Naval Criminal Investigative Service at no cost.

Although the OIG did not specifically audit ATF’s UAS contracts, we are troubled that the process ATF used to purchase these UAS resulted in ATF spending approximately $600,000 on UAS models it ultimately determined to have significant mechanical and technical problems that rendered them unsuitable to deploy in support of ATF operations.

By my calculation, all of ATF’s investments in drones ($600,000) and half of FBI’s investments in drones (half of $3 million) have been lost to drones that either never did or no longer work. $2.1 million on drones that don’t fly.

Don’t get me wrong. I’m not crazy about DOJ buying up a fleet of small drones for investigative uses they’re keeping inadequate paperwork on in the first place.

But neither am I happy about DOJ pissing away all this money on drones that don’t work.

If Section 215 Lapsed, Would the Government Finally Accede to ECPA Reform?

March 19, 2015/1 Comment/in Cybersecurity, FISA /by emptywheel

Now that the Section 215 Sunset draws nearer, the debate over what reformers should do has shifted away from whether USA Freedom Act is adequate reform to whether it is wise to push for Section 215 to sunset.

That debate, repeatedly, has focused almost entirely on the phone dragnet that Section 215 authorizes. It seems most of the people engaging in this debate or reporting on it are unaware or uninterested in what the other roughly 175 Section 215 orders authorized last year did (just 5 orders authorized the phone dragnet).

But if Section 215 sunsets in June, those other 175 orders will be affected too (though thus far it looks like FISC is approving fewer 215 orders than they did last year). Yet the government won’t tell us what those 175 orders do.

We know — or suspect — some of what these other orders do. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year (and would have been unaffected and hidden in transparency reporting under USA Freedom Act).

The FBI has previously confirmed that it used Section 215 to collect records of explosives precursors — things like large quantities of acetone, hydrogen peroxide, fertilizer, and (probably now) pressure cookers; given that the Presidential Review Group consulted with ATF on its review of Section 215, it’s likely these are programmatic collection. (If the government told us it was, we might then be able to ask why these materials couldn’t be handled the same way Sudafed is handled, too, which might force the government to tie it more closely to actual threats.) This too would have been unaffected by USAF.

The government also probably uses Section 215 to collect hotel records (which is what it was originally designed for, though not in the bulk it is probably accomplished). This use of Section 215 will likely be reinforced if and when SCOTUS affirms the collection of hotel records in Los Angeles v. Patel.

But the majority of those 175 Section 215 orders, we now know, are for some kind of Internet records that may or may not relate to cyber investigations, depending on whether you think FBI talks out of its arse when trying to keep authorities, but which they almost certainly collect in sufficient bulk that FISC imposed minimization procedures on FBI.

Which brings me to my argument that reauthorizing Section 215 will forestall any ECPA reform.

We know most Section 215 orders are for Internet records because someone reliable — DOJ’s Inspector General in last year’s report on National Security Letters — told us that a collection of Internet companies successfully challenged FBI’s use of NSLs to collect this stuff after DOJ published an opinion on ECPA in 2008.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

That report went on to explain that FBI considered fixing this problem by amending the definition for toll records in Section 2709, but then bagged that plan and just moved all this collection to Section 215, which takes longer.

In the absence of a legislative amendment to Section 2709, [2.5 lines redacted]. [Deputy General Counsel of FBI’s National Security Law Branch] Siegel told us that the process of generating and approving a Section 215 application is similar to the NSL process for the agents and supervisors in the field, but then the applications undergo a review process in NSLB and the Department’s National Security Division, which submits the application to the Foreign Intelligence Surveillance Court (FISA Court). According to Siegel, a request that at one time could be accomplished with an NSL in a matter of hours if necessary, now takes about 30-40 days to accomplish with a standard Section 215 application.

In addition to increasing the time it takes to obtain transactional records, Section 215 requests, unlike NSL requests, require the involvement of FBI Headquarters, NSD, and the FISA Court. Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

The government is, according to the report, going through all sorts of hoop-jumping on these records rather than working with Congress to pass ECPA reform.

Why?

That’s not all the Report told us. Even earlier than that problem, in 2007, the IG identified other uncertainties about what the FBI should be obtaining with an NSL, and FBI actually put together a proposal to Congress. The proposed definition included both financial information and what could be construed as location data in toll records. That bill has never been passed.

But while Internet companies have shown reluctance to let the FBI secretly expand the meaning of toll record, two telecoms have not (a third, which I suspect is Verizon, backed out of closer cooperation on NSLs in 2009, and presumably a fourth, which probably is T-Mobile, was never a part of it).

And here’s what happened to the kinds of records FBI has been obtaining (almost certainly from AT&T) in the interim:

FBI is collecting 7 kinds of things from (probably) AT&T that the Inspector General doesn’t think fits under ECPA.

Now, I’m not sure precisely why ECPA reform has gone nowhere in the last 8 years, but all this redaction suggests one reason is the government doesn’t want to be bound by a traditional definition of toll record, so much so it’s willing to put up with the aggravation of getting Section 215 orders for (what may be the same kind of) information from Internet companies in order to not be bound by limits on its telecom (or at least AT&T) NSLs.

Don’t get me wrong. I’d rather have the Internet stuff be under Section 215 orders, where it will be treated with some kind of minimization (the FBI is still completely ignoring the 2006 language in Section 215 requiring it to adopt minimization procedures for that section, but FISC has stepped into the void and imposed some itself).

But ultimately what’s going on — in addition to the adoption of a dragnet approach for phone records (that might have been deemed a violation of 18 USC 2302-3 if litigated with an adversary) and financial records (that might have been deemed a violation of 12 USC 3401-3422 if litigated with an adversary), is that the government is also, apparently, far exceeding the common understanding of NSLs without going back to Congress to get them to amend the law (and this goes well beyond communities of interest — two or maybe three hop collection under an NSL — which isn’t entirely redacted in this report).

It may be moot anyway. I actually wonder whether Internet companies will use the immunity of CISA, if and when it passes, to turn whatever they’re turning over without a Section 215 order.

And it’s not like Pat Leahy and Mike Lee have been successful in their efforts to get ECPA reform that protects electronic communications passed. ECPA isn’t happening anyway.

But maybe it might, if Section 215 were to lapse and the government were forced to stop kluging all the programs that have never really been approved by Congress in the first place into Section 215.

FBI Now Holding Up Michael Horowitz’ Investigation into the DEA

February 24, 2015/7 Comments/in Drug War /by emptywheel

Man, at some point Congress is going to have to declare the FBI legally contemptuous and throw them in jail.

They continue to refuse to cooperate with DOJ’s Inspector General, as they have been for basically 5 years. But in Michael Horowitz’ latest complaint to Congress, he adds a new spin: FBI is not only obstructing his investigation of the FBI’s management impaired surveillance, now FBI is obstructing his investigation of DEA’s management impaired surveillance.

I first reported on DOJ IG’s investigation into DEA’s dragnet databases last April. At that point, the only dragnet we knew about was Hemisphere, which DEA uses to obtain years of phone records as well as location data and other details, before it them parallel constructs that data out of a defendant’s reach.

But since then, we’ve learned of what the government claims to be another database — that used to identify Shantia Hassanshahi in an Iranian sanctions case. After some delay, the government revealed that this was another dragnet, including just international calls. It claims that this database was suspended in September 2013 (around the time Hemisphere became public) and that it is no longer obtaining bulk records for it.

According to the latest installment of Michael Horowitz’ complaints about FBI obstruction, he tried to obtain records on the DEA databases on November 20, 2014 (of note, during the period when the government was still refusing to tell even Judge Rudolph Contreras what the database implicating Hassanshahi was). FBI slow-walked production, but promised to provide everything to Horowitz by February 13, 2015. FBI has decided it has to keep reviewing the emails in question to see if there is grand jury, Title III electronic surveillance, and Fair Credit Reporting Act materials, which are the same categories of stuff FBI has refused in the past. So Horowitz is pointing to the language tied to DOJ’s appropriations for FY 2015 which (basically) defunded FBI obstruction.

Only FBI continues to obstruct.

There’s one more question about this. As noted, this investigation is supposed to be about DEA’s databases. We’ve already seen that FBI uses Hemisphere (when I asked FBI for comment in advance of this February 4, 2014 article on FBI obstinance, Hemisphere was the one thing they refused all comment on). And obviously, FBI access another DEA database to go after Hassanshahi.

So that may be the only reason why Horowitz needs the FBI’s cooperation to investigate the DEA’s dragnets.

Plus, assuming FBI is parallel constructing these dragnets just like DEA is, I can understand why they’d want to withhold grand jury information, which would make that clear.

Still, I can’t help but wonder — as I have in the past — whether these dragnets are all connected, a constantly moving shell game.

That might explain why FBI is so intent on obstructing Horowitz again.

Does the FBI STILL Have an Identity Crisis?

February 23, 2015/2 Comments/in FISA /by emptywheel

I’ve finished up my working threads on the NSA, CIA, and FBI Section 702 minimization procedures. And they suggest that FBI has an identity crisis. Or rather, an inability to describe what it means by “identification of a US person” in unclassified form.

Both the NSA and CIA minimization procedures have some form of this definitional paragraph (this one is NSA’s):

Identification of a United States person means (1) the name, unique title, or address of a United States person; or (2) other personal identifiers of a United States person when appearing in the context of activities conducted by that person or activities conducted by others that are related to that person. A reference to a product by brand name, or manufacturer’s name or the use of a name in a descriptive sense, e.g., “Monroe Doctrine,” is not an identification of a United States person.

Even though the FBI minimization procedures have a (briefer than NSA and CIA’s) definitional section and gets into when someone counts as US person from a geographical standpoint, it doesn’t have the equivalent paragraph on what they consider US person identifying information, which is central to minimization procedures.

Now, I might assume that this is just an oversight, something FBI forgot to incorporate as it was writing its own 702 minimization procedures incorporating what NSA has done.

Except that we know the FBI has suffered from this same kind of identity crisis in the past, in an analogous situation. As Glenn Fine described in the 2008 Inspector General Report on Section 215 (the one the successor for which has been stalled for declassification review for over 6 months), the FBI never got around to (and almost certainly still hasn’t gotten around to, except under modifications from the FISA Court) complying with Section 215’s requirement that it adopt minimization procedures specific to Section 215.

One holdup was disagreement over what constituted US person identifying information.

Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.

(Note, there’s very good reason to believe FBI is still having all these problems, not least because several of them showed up in Michael Horowitz’ NSL IG Report last year.)

One problem Fine pointed out is that the AG Guidelines adopted in lieu of real minimization procedures don’t provide any guidance on when US identifying information is necessary to share.

When we asked how an agent would determine, for example, whether the disclosure of U.S. person identifying information is necessary to understand foreign intelligence or assess its importance, the FBI General Counsel stated that the determination must be made on a case-by-case basis.

While NSA’s 702 SMPs do lay out cases when FBI can and cannot share US person identifying information (those are, in some ways, less permissive than CIA’s sharing guidelines, if you ignore the entire criminal application and FBI’s passive voice when it comes to handling “sensitive” collections), if the guidelines for what counts as PII are not clear — or if they’re expansive enough to exempt (for example) Internet handles such as “emptywheel” that would clearly count as PII under NSA and CIA’s SMPs, then it would mean far more information on Americans can be shared in unminimized form.

And remember, FBI’s sharing rules are already far more lenient than NSA’s, especially with regards to sharing with state, local, and other law enforcement partners.

Call me crazy. But given the FBI’s past problems defining precisely this thing, I suspect they’re still refusing to do so.

DOJ IG Michael Horowitz Points Out How Premature 215 Reauthorization Would Be. Again.

February 10, 2015/in FISA /by emptywheel

Back in November, I pointed out how batshit crazy it was to rush to pass USA Freedom Act — legislation purporting to provide new transparency requirements and requiring new IG Reports — when a report that was pending for 1,616 days was being held up in declassification review.

Today, in a report on the most significant challenges faced by the government, the IG explains what happened to the review: it is caught up in declassification review.

Ongoing OIG work, such as our reviews of the Department’s requests for and use of business records under Section 215 of the USA PATRIOT Reauthorization Act and the Department’s use of pen register and trap-and-trace devices under the Foreign Intelligence Surveillance Act (FISA), also address privacy concerns implicated by the use of national security authorities to collect data. Although the OIG completed both of these reviews months ago, and we have provided classified briefings to Congress regarding them, we have been unable to release the classified reports to Congress or non-classified reports to the public because the classification review being conducted by the intelligence community, which includes the FBI, is still ongoing.

This is craziness! Congress is actively legislating on this topic … tomorrow! There’s also the matter of the secret FBI PRTT program, that I strongly suspect is a location dragnet, which this report likely covers.

But the IC is suppressing a report that has been in the works for over 4 years with a slow declassification review?

My common sense observation that we should not pass new legislation on Section 215 without benefitting from an independent review of what really happened back in 2009 (and to a lesser degree, what was going on now, and what has been going on with PRTT) was met with a remarkable din of crickets.

Today, DOJ Inspector General Michael Horowitz made the same point again.

Department of Justice Inspector General Michael E. Horowitz today issued a classified report entitled, The Federal Bureau of Investigation’s Use of Section 215 Orders: Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 through 2009. The Department of Justice (DOJ) Office of the Inspector General (OIG) provided a final draft of the report to the Intelligence Community in June 2014 for a classification review, but the OIG has not been informed of when that review will be completed. We have therefore provided today’s classified report, with certain information redacted, to the relevant Congressional oversight and intelligence committees, as well as to DOJ leadership offices. We will issue a public, unclassified version of the report, with any necessary redactions, at the conclusion of a separate and final classification review currently being conducted by the FBI.

If anyone is counting (well, I am) that review has now been pending for 1,701 days.

Um, hello??? How can the IC be considered a good faith partner in passing dragnet reform, including requirements for IG review, if by stalling for over 6 months on declassification it can make such IG review useless?