Mike Rogers’ Senior NSA Retiree Working For Foreign Government Cooling Off

I’m still working through the Intelligence Authorization and proposed amendments, which have been posted but which may or may not get a vote.

I’m particularly puzzled by an Amendment Mike Rogers submitted at the last minute, after having proposed it in committee but withdrawn it. The description of what he proposed reads,

Chairman Rogers offered an amendment to the amendment in the nature of a substitute to require a “cooling off” period before former Intelligence Community senior employees could work for a foreign government or a company controlled by a foreign government. The amendment would also establish notification and reporting requirements for former IC senior employees. He subsequently withdrew the amendment.

After having withdrawn that he submitted this amendment, but did not list it as a Manager’s Amendment (see below for the text).

Effectively, the Amendment seems to do two things. First, it requires high ranking intelligence community personnel (and this includes Congress, presumably up to and including Rogers himself) to tell their Agency when they start negotiating a new job with a company with foreign ties.

It would also prohibit those high ranking people from working for a company with foreign ties for a year — or two, if it pertains to something they worked on. It also requires former employees to disclose any payment they get from a foreign country or foreign owned company.

Now, this Amendment seems like a total no-brainer (indeed, the reporting requirements should be in place for all employers). It’s a measure to prevent top IC officials from going to work for foreign governments.

So why didn’t this pass through committee? And why is Rogers submitting it now? What former high ranking official went to work for a foreign entity, raising the need for such a no-brainer law?

One more question: I wonder whether Israel will be included among the covered countries. Sure, it’s a close ally — precisely the kind that might hire away top IC talent. But it’s also an aggressive spy targeting the US. Precisely the kind of country that would make this kind of amendment even remotely controversial.

Update: Via Matt Stoller and billmon, this is presumably what this is about:

A longtime adviser to the U.S. Director of National Intelligence has resigned after the government learned he has worked since 2010 as a paid consultant for Huawei Technologies Ltd., the Chinese technology company the U.S. has condemned as an espionage threat, The Associated Press has learned.

Theodore H. Moran, a respected expert on China’s international investment and professor at Georgetown University, had served since 2007 as adviser to the intelligence director’s advisory panel on foreign investment in the United States. Moran also was an adviser to the National Intelligence Council, a group of 18 senior analysts and policy experts who provide U.S. spy agencies with judgments on important international issues.

Though I’m not convinced Moran would be covered under this law. Plus, he disclosed his tie to Huawei.

Why USA Freedumber Doesn’t End (What You and I Think of as) Bulk Collection

I fear, reading this Kevin Drum post, that my explanations of why USA Freedumber will not end what you and I think of as bulk collection have not been clear enough. So I’m going to try again.

It is now, with the bill in current form, a 4-part argument:

  • The bill uses the intelligence community definition of bulk collection in its claim to end bulk collection, not the plain English language meaning of it
  • The bill retains the “relevant to” language that got us into this problem
  • The “selection terms” it uses to prevent bulk collection would permit the collection of vast swaths of innocent people’s records
  • Such a reading would probably not rely on any new FISA Court opinion; existing opinions probably already authorize such collection

The intelligence versus the plain English definition of bulk collection

This entire bill is based on the intelligence community definition of bulk collection, not the common English definition of it. As defined by President Obama’s Presidential Policy Directive on SIGINT, bulk collection means,

the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).

Bulk collection, as defined by the intelligence community, only means collection that obtains all of a particular type of record: all phone records, all Internet metadata, all credit card records. Anything that stops short of that — all 202 Area Code phone records, all credit card records buying pressure cookers, all Internet metadata for email sent to Yemen — would not count as bulk collection under this definition.

A more commonsense meaning of bulk collection would be the collection of large volumes of data, sweeping up the data of totally innocent people, on which to do further (sometimes technically intrusive) searches to find the data of interest. What we call “Big Data,” for example, would very often not qualify as bulk collection as the intelligence community defines it (perhaps it starts with the health data of everyone born after 1946, for example, or the purchase records from just one online store) but would qualify as bulk collection as you and I would define it.

As I explained in this post, the means USA Freedumber uses to ensure that it does not permit bulk collection is to require that the collection start from a “selection term.” Thus, by definition, it cannot be bulk collection, because the technical (but not commonsense) definition of bulk collection is collection that does not use a selection term.

And because they defined it that way, it means that every time some well-intentioned Congressman (it was all men, pushing this bill) boasted that this bill “ends bulk collection” they were only laying a legislative record that would prohibit the intelligence community definition of bulk collection, not the commonsense meaning.

The bill retains the “relevant to” language that gave us bulk collection in the first place

Man, Jim Sensenbrenner must have complained about the way the FISA Court reinterpreted the plain meaning of “relevant to” from the 2006 reauthorization of the PATRIOT Act three or four times in the post-passage press conference. He’s still angry, you see, that a court, in secret, defined the term “relevant to” to mean “any data that could possibly include.”

But this bill does nothing to change that erroneous meaning of the term.

Worse, it relies on it!

For most authorities — the Pen Register (PRTT) authority, the non-call record Section 215 authority, and all National Security Letter authorities — USA Freedumber leaves that language intact. It now requires the use of a selection term, but unlike the new call record language, those authorities don’t require that the selection term be “associated with a foreign power or an agent of a foreign power.” (You can compare the language for traditional Section 215 and the new call records Section 215 at b2B and b2C in this post.) They don’t even require that the selection term itself be relevant to the investigation!

Thus, so long as there is a selection term — some term to ensure the NSA isn’t grabbing all of a certain kind of record — they’re going to still be able to get that data so long as they can argue that sorting through whatever data they get will yield useful information.

“Specific selection term” is too broad

Now, all that wouldn’t matter if the bill required specific selection terms to be tied to the individual or entity under investigation. Even the USA Freedumb bill didn’t require that.

But the language in USA Freedumber that got passed today makes things worse.

SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a discrete term, such as a term specifically identifying a person, entity, account, address, or device, used by the Government to limit the scope of the information or tangible things sought pursuant to the statute authorizing the provision of such information or tangible things to the Government.’

Again, note that the selection term only needs to limit the scope of production, not have a tie to the target of the investigation.

And while I actually take some comfort from some of these terms (I’d be happy if the financial NSLs could only search on a specific account and the toll record NSL could only get phone records of a specific device, though FBI does use NSLs to get two degrees of separation, so this would return more than just that device’s records), as I’ve said in the past, “entity” is far too broad. It could include al Qaeda — allowing the NSA to obtain all data that might have al Qaeda data within it — or VISA — allowing the NSA to obtain all of that credit card entity’s data.

USA Freedumber Appears to Strengthen RuppRoge’s Affirmative Endorsement of an Internet Dragnet

Working on a detailed comparison of the difference between the USA Freedumb and USA Freedumber bills, one of the most alarming changes is the gutting of Pen Register minimization procedures. They took language that not only added minimization procedures to Pen Register orders,

(b) APPLICATION.—Section 402(c) (50 U.S.C. 1842(c)), as amended by section 201 of this Act, is further amended by adding at the end the following new paragraph:

(4) a statement of proposed minimization procedures.

(c) ORDER.—Section 402(d) (50 U.S.C. 1842(d)) is amended—

(1) in paragraph (1), by inserting ‘‘and that the proposed minimization procedures meet the definition of minimization procedures under this title’’

but also permitted the court to review whether the government met those minimization procedures.

(h) At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the minimization procedures by reviewing the circumstances under which information concerning United States persons was retained or disseminated.’

They even specified the government had to follow those minimization procedures!

USA Freedumber changed that by letting the Attorney General review what are now called “privacy procedures.”

(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard non-publicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include protections for the collection, retention, and use of information concerning United States persons.

They limit the extent of these “privacy procedures” “to the extent practicable … with the need to protect national security.” That is, they don’t have to follow these “privacy procedures” if it’ll harm national security, and the change seems to show legislative intent to deprive the FISC of any review.

That’s alarming for a number of reasons:

  • From the very beginning of the Internet dragnet, the government claimed FISC had almost no authority over the approval process (much less compliance) on Pen Registers
  • This language comes right out of — but makes worse — the section of Mike Rogers’ RuppRoge bill that affirmatively approves the (re)creation of an Internet dragnet
  • There’s a curious entry in the NSA classification guide showing FBI conducting a PRTT program after the time NSA’s program got shut down

NSA versus FISC

According to a footnote in the 2010 John Bates opinion on the Internet dragnet, when the government first applied to Colleen Kollar-Kotelly for a FISC order to authorize the dragnet, they claimed she had no authority to do anything but rubber stamp the application.

[Screenshot: 2010 Bates opinion footnote]

We know that, having made that argument, the government got caught in violating the rules Kollar-Kotelly placed on the collection, but then continued to violate the rules for at least 5 more years, until 2009, when it got shut down for a while.

It would seem that the original language in USA Freedom Act would have clarified this issue, and made clear the FISC could exercise real oversight over any PRTT collection.

Adopting RuppRoge’s Internet Dragnet language

This language adopts the nomenclature from the HPSCI’s RuppRoge bill. (See page 18.)

But these “privacy procedures” seem qualitatively worse than the RuppRoge bill in several ways. RuppRoge provides loosey goosey judicial review of the privacy procedures. And it did not include the “extent practicable” language.

Given the background — given the fact that the government has already told the FISC it shouldn’t have real oversight over PRTT — this language seems to lay clear legislative intent that FISC should have no role whatsoever, especially not with minimization procedures (which, after all, is what they fought with the FISC over for at least  years).

The secrecy behind the FBI’s PRTT orders on behalf of NSA

[Screenshot: PRTT1]

Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.

These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.

But that the FBI PR/TT program — which seems different than these individual orders — was considered TS/SI/NOFORN.

[Screenshot: PRTT2]

If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level) — is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.

This is considered one of the most sensitive secrets in the whole FISA package.

[Screenshot: PRTT3]

Even minimized PRTT data is considered TS/SCI.

[Screenshot: PRTT4]

Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.

So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.

Except there’s the date.

This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)

That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.

If FBI had a PRTT program active in 2012 that was separate from the NSA PRTT program (I’m not sure that’s the case; it could be they just didn’t update this part of the classification guide), then is it still active? Has the Internet dragnet just moved to FBI?

If so, it’s no wonder why the Intelligence Community would want to guarantee that FISC had no review of it.

Update: Note, too, that the bill removes reporting requirements related to PRTT.


The “Consult with Congress” Stage of USA Freedumb

Remember how, in the days after President Obama announced his principles for reforming the dragnet, his Senior Administration Official pretended that any efforts to make the scope of the program worse would come from Congress?

First and very importantly, the conference call left unclear (and most subsequent reporting often didn’t directly address) whether Obama’s plan would apply just to counterterrorism purposes (as the current phone dragnet does) or more broadly (as the House Intelligence Committee RuppRoge proposal does). But SAO is clear: Obama’s plan focuses on specific terrorist groups.

The existing program only allows for queries of numbers associated with specified terrorist groups. Our operational focus is to make sure we preserve that counterterrorism authority in any new legislation. We will continue consulting with Congress on these issues.

This, then, is another way in which the President’s plan is significantly better than the RuppRoge plan — that it sets out to only cover CT, whereas RuppRoge sets out to cover foreign intelligence purposes broadly. Though that “consult with Congress” bit seems to allow the possibility that the White House will move towards broader use for the query system.

Well, it looks like the Administration isn’t so passive after all. They’re working with House leadership to gut the bill.

TROUBLE FOR USA FREEDOM? – House leadership and Obama administration officials met with committee members Sunday to negotiate changes to key NSA reform legislation, parting late in the evening without reaching a final resolution, said a congressional staffer close to the process. Still, it seems clear that the USA FREEDOM Act, approved by the House Judiciary and Intelligence committees little more than a week ago, will not reach the House floor intact. Some passages have been watered down already, the staffer acknowledged, declining to go into specifics. The bill is set for “possible consideration” this week, according to the schedule circulated by House Majority Leader Eric Cantor’s office.

Word of the talks caused some of the bill’s most ardent privacy and civil liberties backers to cry foul and say they could withdraw support. Areas of concern to watchdogs include possible removal of transparency language allowing companies to tell their customers about the broad numbers of lawful intercept requests they receive; and a debate on whether the search terms used by the NSA to search communications records should be narrowly defined in statute.

“The version we fear could now be negotiated in secret and introduced on the House floor may not move us forward on NSA reform,” said human rights organization Access. “I am gravely disappointed if the House leadership and the administration chose to disrupt the hard-fought compromise that so many of us were pleased to support just two weeks ago,” said Kevin Bankston, policy director of the New America Foundation’s Open Technology Institute.

And while it’s not clear these secret changes would broaden the scope outside of counterterrorism (though I think that’s possible already), it does seem clear the Administration is pushing for these changes because the already weak bill is too strong for them.

It’s really hard to conclude this bill was ever an attempt to do anything but outsource one aspect of the dragnet to the telecoms, so as to “legally” access geolocation data, and the rest is an attempt to broaden the dragnet.

The Civ Lib Community Gets Cold Feet

Civil liberties groups are — according to the Hill — getting cold feet on the USA Freedom (aka Freedumb) bill. The claim is that the Administration and “members of the House” are working to gut the bill.

“Last stage negotiations” between members of the House and the Obama administration could significantly weaken provisions in the NSA bill, people familiar with the discussions say.

“Behind the scenes, there’s some nervousness,” one House aide said.

But this makes limited sense: a bill, virtually identical in wording, was passed by two committees, the House Judiciary and House Intelligence Committee. So in principle, the bill should come to the floor with that same identical wording.

Except, as I noted, Mike Rogers said he had some “technical changes” to put into place. And unlike the technical changes Zoe Lofgren tried to put into place at HJC (to make clear that Section 215 can’t be used to collect content), Rogers got a vote of the committee to support making those technical changes without further review of the committee. So Mike Rogers has carte blanche to change this bill. No wonder Jan Schakowsky is worried.

As I suggested, there are two things I think Rogers might want to fix: tweaking the definition of “specific selection term” (or eliminating it altogether) or changing the language on bulk collection to protect some programs that are bulk but thus far unknown.

Which is another way of saying that HJC got screwed in this deal. (Told them!)

We shall see: I’m of the opinion that if Rogers fucks with this the bill must be killed, otherwise Rogers will ruin it in conference.

The “Automated Query” at the Telecoms Will Include “Correlations”

In addition to Mike Rogers’ confirmation that HPSCI does not intend HR 3361 to change any of the voluminous collection programs the intelligence community does aside from the phone dragnet, his report on the bill also drew my attention to this previously public detail I had overlooked.

3 The Committee understands that ‘‘[t]he first ‘hop’ from a seed returns results including all identifiers (and their associated metadata) with a contact and/or connection with the seed. The second ‘‘hop’’ returns results that include all identifiers (and their associated metadata) with a contact and/or connection with an identifier revealed by the first ‘hop.’’ ’ In re Application of the FBI for an Order Requiring the Production of Tangible Things, BR 14–01, at 1–2 n.1 (FISC Feb. 5, 2014). [my emphasis]

This is a description of the currently desired “hop” system (though not, I don’t think, what is fully in place) connecting people through their phone — and likely, other communications — habits.

Before I get into what it says, let’s look at where it points. The language here is from a footnote on page 14 of the bill report, suggesting it’s something Mike Rogers wanted to make sure got in the Legislative Record. It cites back to the February 5, 2014 order amending the January 3 order to include the Administration’s request to have FISC review all the query terms.

I don’t believe (but could be wrong — the new FISC docket is far less usable) that we ever got the revised order. But in the order to amend the order also dated February 5, that language appears in footnote 3. The footnote itself cites to the original application for the order dated January 3. But the reference footnoted cites the January 3 order, page 11-12. The footnoted discussion is a part (or summary) of the entirely redacted description of the automated query starting on page 11 and taking up all of page 12 of the order.

That is, this language on hops provides an unclassified version of the classified description of the automated query process (the one they haven’t gotten running yet).

So this is (part of) what the government has been trying — but failing, since November 2012 — to get up and running.

Which is reportedly one of the reasons the Intelligence Community has decided it may be in their best interest to outsource this to the telecoms.

In other words this language provides clues about why the IC was willing to outsource the dragnet.

The description of the hops reveals two things that got added to the 3- or 2-hop process the government once described.

First, they’re including “associated metadata” among the things that can be further chained. Even assuming we’re only talking voice telecom information, this would include cell site location on top of the other metadata (and, in the era of smart phones, potentially far, far more).

But in addition, they’re including “connections,” in addition to contacts, with the seed.

That is, you don’t have to ever call a target to be sucked up in the phone dragnet. You can be simply “connected” to that target. The kinds of connections in question surely include dropped burner phones (that is, a matching of phones that call the same pattern of phones as an inactive phone, and therefore are really targeting the same person). They may include common geolocation. But — again, given the advent of smart phones — they could include far, far more.

So what this little footnote calls to my attention (thanks, Mike Rogers!) is that they’ve gotten approval for different kinds of chaining, beyond actual phone contacts (remember, this could include Internet contacts over a smart phone). And they’ve included metadata generally, not just phone call records, surely including geolocation, among the things they might chain on.
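To make the difference between “contacts” and “connections” concrete, here is an added example (mine, not from the post or from the FISC order it quotes) that runs a two-hop query over constructed call records, first treating only calls as links, then also linking callers who used the same cell site, which is one way the footnote’s “connection” and “associated metadata” language can be read. All identifiers and sites are made-up placeholders.

```python
"""Two-hop contact chaining over constructed call-detail records.

Added example, not from the original post or the FISC order it quotes.
Compares how many identifiers a two-hop query returns when a link means
a call ("contact") versus when shared cell-site metadata also counts as
a link ("connection"). Every record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    caller: str
    callee: str
    cell_site: str  # associated metadata: tower the caller used


# Constructed records. The seed calls B and C; C calls D; D calls F.
# E never calls anyone in the seed's circle but used the same tower
# as the seed. H and I are unrelated to everyone else.
RECORDS = [
    CallRecord("SEED", "B", "site-1"),
    CallRecord("SEED", "C", "site-1"),
    CallRecord("C", "D", "site-2"),
    CallRecord("D", "F", "site-3"),
    CallRecord("E", "G", "site-1"),
    CallRecord("H", "I", "site-4"),
]


def contact_graph(records):
    """Undirected adjacency where a link is a call in either direction."""
    adj = defaultdict(set)
    for r in records:
        adj[r.caller].add(r.callee)
        adj[r.callee].add(r.caller)
    return adj


def connection_graph(records):
    """Contacts plus 'connections': two callers who used the same cell
    site are linked even though they never called each other. This
    models chaining on associated metadata rather than on calls."""
    adj = contact_graph(records)
    callers_by_site = defaultdict(set)
    for r in records:
        callers_by_site[r.cell_site].add(r.caller)
    for members in callers_by_site.values():
        for ident in members:
            adj[ident] |= members - {ident}
    return adj


def hop_query(adj, seed, hops=2):
    """Identifiers reachable within `hops` links of the seed (seed excluded)."""
    frontier = {seed}
    seen = {seed}
    for _ in range(hops):
        reached = set()
        for ident in frontier:
            reached |= adj[ident]
        reached -= seen
        seen |= reached
        frontier = reached
    return seen - {seed}


def records_swept(records, identifiers):
    """Every record touching any identifier in the query result."""
    return [r for r in records if r.caller in identifiers or r.callee in identifiers]


if __name__ == "__main__":
    for label, graph in (("contacts only", contact_graph(RECORDS)),
                         ("contacts + connections", connection_graph(RECORDS))):
        result = hop_query(graph, "SEED")
        print(f"{label}: {sorted(result)} -> {len(records_swept(RECORDS, result))} records")
```

With calls as the only link the two-hop set is {B, C, D}; once same-tower use counts as a connection, E enters at the first hop and G at the second, even though neither ever called the seed or anyone the seed called.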

Which explains one incentive for outsourcing this. They can’t use geolocation for chaining in government hands. They can in private hands. There’s likely far more information for which that is true when you consider smart phones.

They can’t access that information now. They will be able to once HR 3361 outsources everything to the telecoms.

But really, this is about reform.

Update: This post was tweaked on 5/18 for clarity.

Mike Rogers: Still Working on His Technical Changes

According to the HPSCI Report on HR 3361 — which reformers refer to as the USA Freedom Act — Mike Rogers is still changing the fine print.

Members of the Committee will continue to work to make a number of important technical changes to ensure the preservation of operational equities before the full House considers the bill. These technical changes will ensure that the bill does not inadvertently disrupt important intelligence operations.

[snip]

Chairman Rogers offered an amendment to revise the emergency authority of Section 102, add Section 604, and make other technical changes. The amendment was agreed to by a voice vote.

Given Rogers’ assurances that the bill before us changes no other programs, I’m going to guess that there are actually a few other bulk collection programs that would, under the plain meaning of the bill, be prohibited (bulk collection, even as the Intelligence Community defines it, which means there are no discriminators). Given that Rogers was trying to remove the definition of selection term, I suspect that’s the rub: they think they can still do these bulk collections under the law, but need to tweak the definition of specific selection term (remember, the HPSCI bill originally used “specific identifiers or selection terms”). 

Ah well, I’m sure we should all trust Mike Rogers. What could go wrong?

Mike Rogers: USA Freedom Act Only Changes Phone Dragnet

In my analysis of HR 3361 — hailed by reformers as the USA Freedom Act — I have posited the possibility that the claim to forbid “bulk collection” across a number of authorities actually changes almost nothing. I based that on a two-part argument.

First, the bill only promises to eliminate bulk collection as the intelligence community defines it — that is, it only eliminates collection that has no discriminator, and therefore collects all of a certain kind of record (so, all phone records). It does not promise to eliminate what you and I might consider bulk collection — the collection of very untargeted information (say, all phone records in the 202 Area Code).

Then I noted that we know of no other program that operates without discriminators. All NSL programs — save perhaps the financial records one and the subscriber records one — build in discriminators (and the financial records one is based on “entities,” which is what the bill’s definition of a discriminator uses anyway). And we don’t know enough about the other Section 215 programs to know if they use discriminators or not.

If this logic is correct, then the bill changes very little, in spite of the broad promises.

In his report on the bill, Mike Rogers confirms that I am right. (h/t Katherine Hawkins)

It notes that the prohibition on “bulk” collection only applies to indiscriminate collection, but not to the collection of “a large number of communications records or other tangible things.”

This bill first bans the bulk collection of tangible things under Section 215 of the USA PATRIOT Act. This ban is intended to stop the use of Section 215 to acquire bulk call detail records and to prohibit any future attempt to acquire bulk electronic communications records. The Committee recognizes that ‘‘bulk’’ collection means indiscriminate acquisition. It does not mean the acquisition of a large number of communications records or other tangible things—it would be nonsensical and dangerous for our intelligence agencies’ collection authorities to contract as the number of our adversaries expands.

The report then implicitly reveals (or at least claims as part of the legislative record) that no other collection program operates without discriminators, because the bill will not end any other current program.

The Committee’s decision to end the bulk collection of telephone metadata does not extend to any other intelligence programs currently conducted under FISA, including access to business records through Section 215 for foreign intelligence, counterterrorism, and counterintelligence purposes, and the targeting of persons outside the United States under Section 702.

The report also makes clear that any ban on bulk NSL collection is not meant to affect any ongoing NSL program.

Second, this bill contains amendments to other collection authorities, including Section 402 of FISA and National Security Letter authorities. These amendments respond to concerns that those existing authorities could somehow contain a ‘‘loophole’’ that would permit the reconstitution of a bulk telephone records program. The Committee does not intend these prophylactic amendments to affect any programs currently authorized by Section 402 or the use of National Security Letters.

So: no changes to any existing Section 215 collection programs, and no changes to any existing NSL programs (though the report also makes clear that the government should not try to use NSLs to replicate the existing phone dragnet).

One more thing: Rogers’ report makes it clear that the government can still use Section 215 to collect as much historical phone data as it wants.

The government can continue to obtain specified historical call detail records through the existing Section 215 authority.

This means the government has the ability to obtain far more than 5 years of call data on selected targets, and can do so by obtaining any records that transit AT&T backbones, because AT&T keeps records for years and years. While there is a 5 year age-off requirement in the bill, that only applies to data that is not relevant to an investigation, and as we’ve learned, everything can be deemed relevant to an investigation.

So don’t take my word for it, take Mike Rogers’ (which will serve as the legislative record in any case). This bill only changes the phone dragnet’s prospective collection.

Update: Note that Rogers is still working on some “technical changes” to preserve operational equities, which may mean there are some programs that would be affected but he’s going to massage the bill to exempt them.

“Specific Selection Term:” Still Not Convinced

While I was squawking about how Jim Sensenbrenner issued a manager’s amendment (aka USA Freedumb) purporting to end bulk collection by tying everything to a “specific selection term” without defining what “specific selection term” meant, the House Judiciary Committee released an updated version of the bill defining the term.

(2) SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a term used to uniquely describe a person, entity, or account.’

All the relevant invocations of the term now refer back to this definition.

The language not only doesn’t convince me this bill works, I think it validates my concern about the bill.

That’s because the word “entity” is already too loosely defined. Is this like the definition of the entity that struck us on 9/11 that Presidents have expanded anachronistically? Al Qaeda = AQAP = al-Nusra?

And in just about every case imaginable — an entity’s phone numbers, its bank accounts, its email addresses (though perhaps not domain name and IP) — there is a necessary translation process between the entity and the selector(s) that would be used for a search.

That this translation happens shows up in some of the invocations of “specific selection term” where they say the “specific selection term” will be used as a “basis” for selecting what to actually search on, as with the Pen Register section.

(3) a specific selection term to be used as the basis for selecting the telephone line or other facility to which the pen register or trap and trace device is to be attached or applied; and

Al Qaeda is not the name of the telephone line (or facility, which itself has been an invention used to conduct bulk collection in the name of a specific selector).

This “basis for” language shows up even with the NSL language.

COUNTERINTELLIGENCE ACCESS TO TELEPHONE TOLL AND TRANSACTIONAL RECORDS.—Section 2709(b) of title 18, United States Code, is amended in the matter preceding paragraph (1) by striking ‘‘may’’ and inserting ‘‘may, using a specific selection term as the basis for a request’’.

If the bill just required account identifiers or eliminated that “as a basis for” language, it might work. But as it is, that “as a basis for” involves analysis that also involves the possibility of using far different — and far broader — terms for the actual queries. (And it’s not clear — at least not to me — where and whether judges would get to approve this translation process.)

But you don’t have to take my word for it. You can look at a program that relied on “specific selection terms” “as a basis for” unbelievably vast collection.

The phone dragnet program.

In every single phone dragnet order, there’s a section that says records may only be searched if they’ve been associated with particular entities. Here’s the first one:

[Screenshot: the relevant section of the first phone dragnet order (image not reproduced)]


USA Freedumb Act and RuppRoge Both Adopt Intelligence Community Definition of “Bulk Collection”

Update: An updated version of the Manager’s Amendment does define the term:

(2) SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a term used to uniquely describe a person, entity, or account.

This is far better than nothing. Though I have concerns about “entity” and I suspect there will be some pushback here, since not even phone numbers “uniquely describe a person,” much less IPs. (Update: see my post on my concerns about the definition.)

As I noted in this post, USA Freedumb Act (what I’ve renamed the compromised USA Freedom Act) purports to limit bulk collection by tying all collection to specific selection terms. It does this for Section 215.

No order issued under this subsection may authorize the collection of tangible things without the use of a specific selection term that meets the requirements of subsection (b)(2).

It does it for Pen Register/Trap and Trace.

(3) a specific selection term to be used as the basis for selecting the telephone line or other facility to which the pen register or trap and trace device is to be attached or applied;

And it does so for all four NSL types, as here with call records under ECPA.

COUNTERINTELLIGENCE ACCESS TO TELEPHONE TOLL AND TRANSACTIONAL RECORDS.—Section 2709(b) of title 18, United States Code, is amended in the matter preceding paragraph (1) by striking ‘‘may’’ and inserting ‘‘may, using a specific selection term as the basis for a request’’.

In fact, that’s the same mechanism RuppRoge (the House Intelligence Committee’s bill) uses to prevent bulk collection — though it limits bulk collection for fewer categories of things.

It does so for electronic communications records.

Notwithstanding any other provision of law, the Federal Government may not acquire under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) records of any electronic communications without the use of specific identifiers or selection terms.

And it does so for sensitive business records.

Notwithstanding any other provision of law, the Federal Government may not acquire under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) library circulation records, library patron lists, book sales records, book customer lists, firearm sales records, tax return records, education records, or medical records containing information that would identify a person without the use of specific identifiers or selection terms.

And this limitation, both bills proclaim, will prevent bulk collection.

Neither bill defines what they mean by selection term or specific identifier.

Before I consider whether these bills will, in fact, prevent what you and I might consider bulk collection, note what has happened: both of these bills — the crappy Intelligence Committee wish list bill and the allegedly less crappy “reform” bill — have adopted the definition of “bulk collection” used by the notoriously Orwellian Intelligence Community.

This is perhaps best explained in Obama’s President’s Policy Directive on surveillance.

References to signals intelligence collected in “bulk” mean the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).

Now, we’re at a huge disadvantage in assessing whether this definition of bulk collection bears any resemblance to what ordinary humans might understand bulk collection to mean, because the government is being very disingenuous about what it claims the definition to mean.

The government often publicly claims selectors are things “like telephone numbers or email addresses,” as they did repeatedly at the last PCLOB hearing.

I can assure you, however, that when they refer to “selectors like email or telephone,” they’re downplaying their use of things like other IDs (phone handset and SIM card IDs, credit card numbers, Internet IDs or even passwords, IP addresses, and site cookies). And nothing in the definition says selection terms have to have anything to do with actual people (as the evidence that they use malware code as a selector would indicate). Plus, I could envision many things — such as “Area Code 202” or “Western Union transfers over $100” — that would seem to qualify as selection terms.
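As an added illustration (not from the post, and not any agency’s code), here is a small Python “selector breadth audit” that makes concrete both the entity-to-selector translation step discussed in the “Specific Selection Term” post above and the point just made that a term like “Area Code 202” can qualify as a selection term. The call records, the entity-to-selector table, and the `areacode:` selector kind are all constructed for the example; the 50% “bulk-like” threshold is an arbitrary illustrative cutoff, not a legal standard.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    """One call-detail record: calling and called number."""
    caller: str
    callee: str


# Constructed sample call-detail records (fictional numbers, for illustration only).
RECORDS: List[Record] = [
    Record("+12025550101", "+12025550102"),
    Record("+12025550103", "+14155550104"),
    Record("+12025550105", "+12025550106"),
    Record("+13125550107", "+12025550101"),
    Record("+14155550108", "+14155550109"),
    Record("+13125550110", "+13125550111"),
    Record("+12025550112", "+14155550113"),
    Record("+14155550114", "+13125550115"),
]

# Hypothetical 'entity -> selectors' table. This models the translation step the post
# describes between a selection term naming an entity and the concrete selectors that
# actually get queried; its contents are constructed and can be widened without the
# selection term itself ever changing.
ENTITY_SELECTORS: Dict[str, List[str]] = {
    "entity:example-group": ["+12025550101", "+14155550109"],
}


def expand_term(term: str) -> List[str]:
    """Translate a selection term into the concrete selectors to query.

    Exact account identifiers pass through unchanged; 'entity:' terms fan out through
    the table; 'areacode:NNN' is kept as a pattern selector (constructed kind)."""
    if term.startswith("entity:"):
        return ENTITY_SELECTORS.get(term, [])
    return [term]


def selector_matches(selector: str, number: str) -> bool:
    """True when a concrete selector matches one phone number."""
    if selector.startswith("areacode:"):
        area = selector.split(":", 1)[1]
        return number.startswith("+1" + area)
    return number == selector


def query(records: List[Record], term: str) -> List[Record]:
    """Return every record touched by any selector the term expands to."""
    selectors = expand_term(term)
    return [
        r for r in records
        if any(selector_matches(s, r.caller) or selector_matches(s, r.callee)
               for s in selectors)
    ]


def breadth_report(records: List[Record], terms: List[str],
                   bulk_threshold: float = 0.5) -> Dict[str, Tuple[int, float, bool]]:
    """For each term: (records matched, fraction of corpus, flagged as bulk-like).

    The threshold is illustrative; the point is that breadth is a property of the
    selectors after translation, not of whether the term sounds 'specific'."""
    total = len(records)
    report: Dict[str, Tuple[int, float, bool]] = {}
    for term in terms:
        hits = len(query(records, term))
        fraction = hits / total if total else 0.0
        report[term] = (hits, round(fraction, 3), fraction >= bulk_threshold)
    return report


if __name__ == "__main__":
    terms = ["+12025550101", "entity:example-group", "areacode:202"]
    for term, (hits, fraction, bulk_like) in breadth_report(RECORDS, terms).items():
        print(f"{term:22s} matched {hits}/{len(RECORDS)} ({fraction:.1%})"
              f"{'  <- bulk-like' if bulk_like else ''}")
```

Run as a script, the exact number reaches two records, the entity term reaches three because of the translation table, and the area-code term reaches five of eight and trips the flag, even though all three are “specific selection terms” under the quoted definition.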

But we can measure whether limits to selectors or search terms prohibit bulk collection via another means — by looking at the program about which we’ve gotten the most details on selector searches: upstream 702 collection.

While we can’t assess how many “innocent” Americans get sucked up in this purportedly non-bulk collection (and I doubt NSA can either!), we do have an idea how many American communications get sucked up that shouldn’t be, according to the one-end foreign rule on the collection.

Up to 56,000 American communications a year, according to FISC Judge John Bates’ estimate (because the NSA refused to provide him the real numbers).

56,000 American communications that should not, under the law, have been targeted, sucked up using “identifiers” and “selection terms.”

And the government doesn’t consider that bulk collection at all.

That, my friends, is the standard two different Committees in Congress have adopted as well, doing the intelligence community’s bidding, claiming they’ve solved the bulk collection problem.