
Why USA Freedumber Doesn’t End (What You and I Think of as) Bulk Collection

I fear, reading this Kevin Drum post, that my explanations of why USA Freedumber will not end what you and I think of as bulk collection have not been clear enough. So I’m going to try again.

It is now, with the bill in current form, a 4-part argument:

  • The bill uses the intelligence community definition of bulk collection in its claim to end bulk collection, not the plain English language meaning of it
  • The bill retains the “relevant to” language that got us into this problem
  • The “selection terms” it uses to prevent bulk collection would permit the collection of vast swaths of innocent people’s records
  • Such a reading would probably not rely on any new FISA Court opinion; existing opinions probably already authorize such collection

The intelligence versus the plain English definition of bulk collection

This entire bill is based on the intelligence community definition of bulk collection, not the common English definition of it. As defined by President Obama’s Presidential Policy Directive on SIGINT, bulk collection means,

the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).

Bulk collection, as defined by the intelligence community, only means collection that obtains all of a particular type of record: all phone records, all Internet metadata, all credit card records. Anything that stops short of that — all 202 Area Code phone records, all credit card records buying pressure cookers, all Internet metadata for email sent to Yemen — would not count as bulk collection under this definition.

A more commonsense meaning of bulk collection would be the collection of large volumes of data, sweeping up the data of totally innocent people, on which to do further (sometimes technically intrusive) searches to find the data of interest. What we call “Big Data,” for example, would very often not qualify as bulk collection as the intelligence community defines it (perhaps it starts with the health data of everyone born after 1946, for example, or the purchase records from just one online store) but would qualify as bulk collection as you and I would define it.

As I explained in this post, the means USA Freedumber uses to ensure that it does not permit bulk collection is to require the collection start from a “selection term.” Thus, by definition, it cannot be bulk collection because the technical (but not commonsense) definition of bulk collection is collection that does not use a selection term.

And because they defined it that way, it means that every time some well-intentioned Congressman (it was all men, pushing this bill) boasted that this bill “ends bulk collection” they were only laying a legislative record that would prohibit the intelligence community definition of bulk collection, not the commonsense meaning.

The bill retains the “relevant to” language that gave us bulk collection in the first place

Man, Jim Sensenbrenner must have complained about the way the FISA Court reinterpreted the plain meaning of “relevant to” from the 2006 reauthorization of the PATRIOT Act three or four times in the post-passage press conference. He’s still angry, you see, that a court, in secret, defined the term “relevant to” to mean “any data that could possibly include.”

But this bill does nothing to change that erroneous meaning of the term.

Worse, it relies on it!

For most authorities — the Pen Register (PRTT) authority, the non-call record Section 215 authority, and all National Security Letter authorities — USA Freedumber leaves that language intact. It now requires the use of a selection term, but unlike the new call record language, those authorities don’t require that the selection term be “associated with a foreign power or an agent of a foreign power.” (You can compare the language for traditional Section 215 and the new call records Section 215 at b2B and b2C in this post.) They don’t even require that the selection term itself be relevant to the investigation!

Thus, so long as there is a selection term — some term to ensure the NSA isn’t grabbing all of a certain kind of record — they’re going to still be able to get that data so long as they can argue that sorting through whatever data they get will yield useful information.

“Specific selection term” is too broad

Now, all that wouldn’t matter if the bill required specific selection terms to be tied to the individual or entity under investigation. Even the USA Freedumb bill didn’t require that.

But the language in USA Freedumber that got passed today makes things worse.

SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a discrete term, such as a term specifically identifying a person, entity, account, address, or device, used by the Government to limit the scope of the information or tangible things sought pursuant to the statute authorizing the provision of such information or tangible things to the Government.’

Again, note that the selection term only needs to limit the scope of production, not have a tie to the target of the investigation.

I actually find comfort in some of these terms: I’d be happy if the financial NSLs could only search on a specific account and the toll record NSL could only get phone records of a specific device (though FBI does use NSLs to get 2 degree separation, so this would return more than just that device’s records). But as I’ve said in the past, “entity” is far too broad. It could include al Qaeda — allowing the NSA to obtain all data that might have al Qaeda data within it — or VISA — allowing the NSA to obtain all of that credit card entity’s data.


USA Freedumber Appears to Strengthen RuppRoge’s Affirmative Endorsement of an Internet Dragnet

As I work on a detailed comparison of the USA Freedumb and USA Freedumber bills, one of the most alarming changes I see is the gutting of Pen Register minimization procedures. They took language not only adding minimization procedures to Pen Register orders,

(b) APPLICATION.—Section 402(c) (50 U.S.C. 1842(c)), as amended by section 201 of this Act, is further amended by adding at the end the following new paragraph:

(4) a statement of proposed minimization procedures.

(c) ORDER.—Section 402(d) (50 U.S.C. 1842(d)) is amended—

(1) in paragraph (1), by inserting ‘‘and that the proposed minimization procedures meet the definition of minimization procedures under this title’’

But permitting the court to review whether the government met those minimization procedures.

(h) At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the minimization procedures by reviewing the circumstances under which information concerning United States persons was retained or disseminated.’

They even specified the government had to follow those minimization procedures!

USA Freedumber changed that by letting the Attorney General review what are now called “privacy procedures.”

(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard non-publicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include protections for the collection, retention, and use of information concerning United States persons.

They limit the extent of these “privacy procedures” “to the extent practicable … with the need to protect national security.” That is, they don’t have to follow these “privacy procedures” if it’ll harm national security, and the change seems to show legislative intent to deprive the FISC of any review.

That’s alarming for a number of reasons:

  • From the very beginning of the Internet dragnet, the government claimed FISC had almost no authority over the approval process (much less compliance) on Pen Registers
  • This language comes right out of — but makes worse — the section of Mike Rogers’ RuppRoge bill that affirmatively approves the (re)creation of an Internet dragnet
  • There’s a curious entry in the NSA classification guide showing FBI conducting a PRTT program after the time NSA’s program got shut down

NSA versus FISC

According to a footnote in the 2010 John Bates opinion on the Internet dragnet, when the government first applied to Colleen Kollar-Kotelly for a FISC order to authorize the dragnet, they claimed she had no authority to do anything but rubber stamp the application.

[Image: 2010 Bates Opinion footnote]

We know that, having made that argument, the government got caught in violating the rules Kollar-Kotelly placed on the collection, but then continued to violate the rules for at least 5 more years, until 2009, when it got shut down for a while.

It would seem that the original language in USA Freedom Act would have clarified this issue, and made clear the FISC could exercise real oversight over any PRTT collection.

Adopting RuppRoge’s Internet Dragnet language

This language adopts the nomenclature from the HPSCI’s RuppRoge bill. (See page 18.)

But these “privacy procedures” seem qualitatively worse than the RuppRoge bill in several ways. RuppRoge provides loosey goosey judicial review of the privacy procedures. And it did not include the “extent practicable” language.

Given the background — given the fact that the government has already told the FISC it shouldn’t have real oversight over PRTT — this language seems to lay clear legislative intent that FISC should have no role whatsoever, especially not with minimization procedures (which, after all, is what they fought with the FISC over for at least  years).

The secrecy behind the FBI’s PRTT orders on behalf of NSA

[Image: PRTT1]

Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.

These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.

But that the FBI PR/TT program — which seems different than these individual orders — was considered TS/SI/NOFORN.

[Image: PRTT2]

If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level) — is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.

This is considered one of the most sensitive secrets in the whole FISA package.

[Image: PRTT3]

Even minimized PRTT data is considered TS/SCI.

[Image: PRTT4]

Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.

So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.

Except there’s the date.

This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)

That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.

If FBI had a PRTT program active in 2012 that was separate from the NSA PRTT program (I’m not sure that’s the case; it could be they just didn’t update this part of the classification guide), then is it still active? Has the Internet dragnet just moved to FBI?

If so, it’s no wonder why the Intelligence Community would want to guarantee that FISC had no review of it.

Update: Note, too, that the bill removes reporting requirements related to PRTT.

 

The “Consult with Congress” Stage of USA Freedumb

Remember how, in the days after President Obama announced his principles for reforming the dragnet, his Senior Administration Official pretended that any efforts to make the scope of the program worse would come from Congress?

First and very importantly, the conference call left unclear (and most subsequent reporting often didn’t directly address) whether Obama’s plan would apply just to counterterrorism purposes (as the current phone dragnet does) or more broadly (as the House Intelligence Committee RuppRoge proposal does). But SAO is clear: Obama’s plan focuses on specific terrorist groups.

The existing program only allows for queries of numbers associated with specified terrorist groups. Our operational focus is to make sure we preserve that counterterrorism authority in any new legislation. We will continue consulting with Congress on these issues.

This, then, is another way in which the President’s plan is significantly better than the RuppRoge plan — that it sets out to only cover CT, whereas RuppRoge sets out to cover foreign intelligence purposes broadly. Though that “consult with Congress” bit seems to allow the possibility that the White House will move towards broader use for the query system.

Well, it looks like the Administration isn’t so passive after all. They’re working with House leadership to gut the bill.

TROUBLE FOR USA FREEDOM? – House leadership and Obama administration officials met with committee members Sunday to negotiate changes to key NSA reform legislation, parting late in the evening without reaching a final resolution, said a congressional staffer close to the process. Still, it seems clear that the USA FREEDOM Act, approved by the House Judiciary and Intelligence committees little more than a week ago, will not reach the House floor intact. Some passages have been watered down already, the staffer acknowledged, declining to go into specifics. The bill is set for “possible consideration” this week, according to the schedule circulated by House Majority Leader Eric Cantor’s office.

Word of the talks caused some of the bill’s most ardent privacy and civil liberties backers to cry foul and say they could withdraw support. Areas of concern to watchdogs include possible removal of transparency language allowing companies to tell their customers about the broad numbers of lawful intercept requests they receive; and a debate on whether the search terms used by the NSA to search communications records should be narrowly defined in statute.

“The version we fear could now be negotiated in secret and introduced on the House floor may not move us forward on NSA reform,” said human rights organization Access. “I am gravely disappointed if the House leadership and the administration chose to disrupt the hard-fought compromise that so many of us were pleased to support just two weeks ago,” said Kevin Bankston, policy director of the New America Foundation’s Open Technology Institute.

And while it’s not clear these secret changes would broaden the scope outside of counterterrorism (though I think that’s possible already), it does seem clear the Administration is pushing for these changes because the already weak bill is too strong for them.

It’s really hard to conclude this bill was ever an attempt to do anything but outsource one aspect of the dragnet to the telecoms, so as to “legally” access geolocation data, and the rest is an attempt to broaden the dragnet.

The Civ Lib Community Gets Cold Feet

Civil liberties groups are — according to the Hill — getting cold feet on the USA Freedom (aka Freedumb) bill. The claim is that the Administration and “members of the House” are working to gut the bill.

“Last stage negotiations” between members of the House and the Obama administration could significantly weaken provisions in the NSA bill, people familiar with the discussions say.

“Behind the scenes, there’s some nervousness,” one House aide said.

But this makes limited sense: a bill, virtually identical in wording, was passed by two committees, the House Judiciary and House Intelligence Committee. So in principle, the bill should come to the floor with that same identical wording.

Except, as I noted, Mike Rogers said he had some “technical changes” to put into place. And unlike the technical changes Zoe Lofgren tried to put into place at HJC (to make clear that Section 215 can’t be used to collect content), Rogers got a vote of the committee to support making those technical changes without further review of the committee. So Mike Rogers has carte blanche to change this bill. No wonder Jan Schakowsky is worried.

As I suggested, there are two things I think Rogers might want to fix: tweaking the definition of “specific selection term” (or eliminating it altogether) or changing the language on bulk collection to protect some programs that are bulk but thus far unknown.

Which is another way of saying that HJC got screwed in this deal. (Told them!)

We shall see: I’m of the opinion that if Rogers fucks with this the bill must be killed, otherwise Rogers will ruin it in conference.

The “Automated Query” at the Telecoms Will Include “Correlations”

In addition to Mike Rogers’ confirmation that HPSCI does not intend HR 3361 to change any of the voluminous collection programs the intelligence community does aside from the phone dragnet, his report on the bill also drew my attention to this previously public detail I had overlooked.

3 The Committee understands that ‘‘[t]he first ‘hop’ from a seed returns results including all identifiers (and their associated metadata) with a contact and/or connection with the seed. The second ‘‘hop’’ returns results that include all identifiers (and their associated metadata) with a contact and/or connection with an identifier revealed by the first ‘hop.’’ ’ In re Application of the FBI for an Order Requiring the Production of Tangible Things, BR 14–01, at 1–2 n.1 (FISC Feb. 5, 2014). [my emphasis]

This is a description of the currently desired “hop” system (though not, I don’t think, what is fully in place) connecting people through their phone — and likely, other communications — habits.

Before I get into what it says, let’s look at where it points. The language here is from a footnote on page 14 of the bill report, suggesting it’s something Mike Rogers wanted to make sure got in the Legislative Record. It cites back to the February 5, 2014 order amending the January 3 order to include the Administration’s request to have FISC review all the query terms.

I don’t believe (but could be wrong — the new FISC docket is far less usable) that we ever got the revised order. But in the order to amend the order also dated February 5, that language appears in footnote 3. The footnote itself cites to the original application for the order dated January 3. But the reference footnoted cites the January 3 order, page 11-12. The footnoted discussion is a part (or summary) of the entirely redacted description of the automated query starting on page 11 and taking up all of page 12 of the order.

That is, this language on hops provides an unclassified version of the classified description of the automated query process (the one they haven’t gotten running yet).

So this is (part of) what the government has been trying — but failing, since November 2012 — to get up and running.

Which is reportedly one of the reasons the Intelligence Community has decided it may be in their best interest to outsource this to the telecoms.

In other words this language provides clues about why the IC was willing to outsource the dragnet.

The description of the hops reveals two things that got added to the 3- or 2-hop process the government once described.

First, they’re including “associated metadata” among the things that can be further chained. Even assuming we’re only talking voice telecom information, this would include cell site location on top of the other metadata (and, in the era of smart phones, potentially far, far more).

But in addition, they’re including “connections,” in addition to contacts, with the seed.

That is, you don’t have to ever call a target to be sucked up in the phone dragnet. You can be simply “connected” to that target. The kinds of connections in question surely include dropped burner phones (that is, a matching of phones that call the same pattern of phones as an inactive phone, and therefore are really targeting the same person). They may include common geolocation. But — again, given the advent of smart phones — they could include far, far more.

So what this little footnote calls to my attention (thanks, Mike Rogers!) is that they’ve gotten approval for different kinds of chaining, beyond actual phone contacts (remember, this could include Internet contacts over a smart phone). And they’ve included metadata generally, not just phone call records, surely including geolocation, among the things they might chain on.

Which explains one incentive for outsourcing this. They can’t use geolocation for chaining in government hands. They can in private hands. There’s likely far more information for which that is true when you consider smart phones.

They can’t access that information now. They will be able to once HR 3361 outsources everything to the telecoms.

But really, this is about reform.

Update: This post was tweaked on 5/18 for clarity.
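To make concrete what the footnote's “contact and/or connection” language does to hop chaining, here is an added example (not part of the original post, and not any agency's or telecom's code). It runs two hops over constructed records and models a “connection” as two callers sharing a cell site, which is an assumption; the footnote does not define the term.

```python
from collections import defaultdict
from itertools import combinations

# Constructed call records: (caller, callee, caller's cell site). Not real data.
RECORDS = [
    ("seed", "A", "tower1"),
    ("A", "B", "tower2"),
    ("A", "pizza", "tower2"),
    ("C", "pizza", "tower3"),
    ("D", "E", "tower1"),   # D never calls the seed, but uses the same tower
    ("E", "F", "tower4"),
]


def build_links(records, include_connections=False):
    """Build an undirected graph of identifiers.

    Contacts: an edge for every call between two identifiers.
    Connections (assumed model): an edge between any two callers whose
    records carry the same cell site, even if they never called each other.
    """
    links = defaultdict(set)
    by_site = defaultdict(set)
    for caller, callee, site in records:
        links[caller].add(callee)
        links[callee].add(caller)
        by_site[site].add(caller)
    if include_connections:
        for idents in by_site.values():
            for a, b in combinations(sorted(idents), 2):
                links[a].add(b)
                links[b].add(a)
    return links


def chain(links, seed, hops=2):
    """Return a list with one set per hop: the new identifiers reached."""
    seen = {seed}
    frontier = {seed}
    per_hop = []
    for _ in range(hops):
        reached = set()
        for ident in frontier:
            reached |= links.get(ident, set())
        reached -= seen          # only identifiers not already returned
        per_hop.append(reached)
        seen |= reached
        frontier = reached
    return per_hop


def swept_in(records, seed, hops=2, include_connections=False):
    """Every identifier returned within `hops` of the seed."""
    links = build_links(records, include_connections)
    return set().union(*chain(links, seed, hops))


if __name__ == "__main__":
    print("contacts only:       ", sorted(swept_in(RECORDS, "seed")))
    print("contacts+connections:", sorted(swept_in(RECORDS, "seed", 2, True)))
```

With contacts only, two hops return A, B and the pizza place. Adding the assumed location-based connection also returns D and E, neither of whom ever called the seed or anyone the seed called.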

Mike Rogers: Still Working on His Technical Changes

According to the HPSCI Report on HR 3361 — which reformers refer to as the USA Freedom Act — Mike Rogers is still changing the fine print.

Members of the Committee will continue to work to make a number of important technical changes to ensure the preservation of operational equities before the full House considers the bill. These technical changes will ensure that the bill does not inadvertently disrupt important intelligence operations.

[snip]

Chairman Rogers offered an amendment to revise the emergency authority of Section 102, add Section 604, and make other technical changes. The amendment was agreed to by a voice vote.

Given Rogers’ assurances that the bill before us changes no other programs, I’m going to guess that there are actually a few other bulk collection programs that would, under the plain meaning of the bill, be prohibited (bulk collection, even as the Intelligence Community defines it, which means there are no discriminators). Given that Rogers was trying to remove the definition of selection term, I suspect that’s the rub: they think they can still do these bulk collections under the law, but need to tweak the definition of specific selection term (remember, the HPSCI bill originally used “specific identifiers or selection terms”). 

Ah well, I’m sure we should all trust Mike Rogers. What could go wrong?

Mike Rogers: USA Freedom Act Only Changes Phone Dragnet

In my analysis of HR 3361 — hailed by reformers as the USA Freedom Act — I have posited the possibility that the claim to forbid “bulk collection” across a number of authorities actually changes almost nothing. I based that on a two-part argument.

First, the bill only promises to eliminate bulk collection as the intelligence committee defines it — that is, it only eliminates collection that has no discriminator, and therefore collects all of a certain kind of record (so, all phone records). It does not promise to eliminate what you and I might consider bulk collection — the collection of very untargeted information (say, all phone records in the 202 Area Code).

Then I noted that we know of no other program that operates without discriminators. All NSL programs — save perhaps the financial records one and the subscriber records one — build in discriminators (and the financial records one is based on “entities,” which is what the bill’s definition of a discriminator uses anyway). And we don’t know enough about the other Section 215 programs to know if they use discriminators or not.

If this logic is correct, then the bill changes very little, in spite of the broad promises.

In his report on the bill, Mike Rogers confirms that I am right. (h/t Katherine Hawkins)

It notes that the prohibition on “bulk” collection only applies to indiscriminate collection, but not to the collection of “a large number of communications records or other tangible things.”

This bill first bans the bulk collection of tangible things under Section 215 of the USA PATRIOT Act. This ban is intended to stop the use of Section 215 to acquire bulk call detail records and to prohibit any future attempt to acquire bulk electronic communications records. The Committee recognizes that ‘‘bulk’’ collection means indiscriminate acquisition. It does not mean the acquisition of a large number of communications records or other tangible things—it would be nonsensical and dangerous for our intelligence agencies’ collection authorities to contract as the number of our adversaries expands.

The report then implicitly reveals (or at least claims as part of the legislative record) that no other collection program operates without discriminators, because the bill will not end any other current program.

The Committee’s decision to end the bulk collection of telephone metadata does not extend to any other intelligence programs currently conducted under FISA, including access to business records through Section 215 for foreign intelligence, counterterrorism, and counterintelligence purposes, and the targeting of persons outside the United States under Section 702.

The report also makes clear that any ban on bulk NSL collection is not meant to affect any ongoing NSL program.

Second, this bill contains amendments to other collection authorities, including Section 402 of FISA and National Security Letter authorities. These amendments respond to concerns that those existing authorities could somehow contain a ‘‘loophole’’ that would permit the reconstitution of a bulk telephone records program. The Committee does not intend these prophylactic amendments to affect any programs currently authorized by Section 402 or the use of National Security Letters.

So: no changes to any existing Section 215 collection programs, and no changes to any existing NSL programs (though the report also makes clear that the government should not try to use NSLs to replicate the existing phone dragnet).

One more thing: Rogers’ report makes it clear that the government can still use Section 215 to collect as much historical phone data as it wants.

The government can continue to obtain specified historical call detail records through the existing Section 215 authority.

This means the government has the ability to obtain far more than 5 years of call data on selected targets, and can do so by obtaining any records that transit AT&T backbones, because AT&T keeps records for years and years. While there is a 5 year age off requirement in the bill, that only applies to data that is not relevant to an investigation, and as we’ve learned, everything can be deemed relevant to an investigation.

So don’t take my word for it, take Mike Rogers’ (which will serve as the legislative record in any case). This bill only changes the phone dragnet’s prospective collection.

Update: Note that Rogers is still working on some “technical changes” to preserve operational equities, which may mean there are some programs that would be affected but he’s going to massage the bill to exempt them.

“Specific Selection Term:” Still Not Convinced

While I was squawking about how Jim Sensenbrenner issued a manager’s amendment (aka USA Freedumb) purporting to end bulk collection by tying everything to a “specific selection term” without defining what “specific selection term” meant, the House Judiciary Committee released an updated version of the bill defining the term.

(2) SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a term used to uniquely describe a person, entity, or account.’

All the relevant invocations of the term now refer back to this definition.

The language not only doesn’t convince me this bill works, I think it validates my concern about the bill.

That’s because the word “entity” is already too loosely defined. Is this like the definition of the entity that struck us on 9/11 that Presidents have expanded anachronistically? Al Qaeda = AQAP = al-Nusra?

And in just about every case imaginable — an entity’s phone numbers, its bank accounts, its email addresses (though perhaps not domain name and IP) — there is a necessary translation process between the entity and the selector(s) that would be used for a search.

That this translation happens shows up in some of the invocations of “specific selection term” where they say the “specific selection term” will be used as a “basis” for selecting what to actually search on, as with the Pen Register section.

(3) a specific selection term to be used as the basis for selecting the telephone line or other facility to which the pen register or trap and trace device is to be attached or applied; and’

Al Qaeda is not the name of the telephone line (or facility, which itself has been an invention used to conduct bulk collection in the name of a specific selector).

This “basis for” language shows up even with the NSL language.

COUNTERINTELLIGENCE ACCESS TO TELEPHONE TOLL AND TRANSACTIONAL RECORDS.—Section 2709(b) of title 18, United States Code, is amended in the matter preceding paragraph (1) by striking ‘‘may’’ and inserting ‘‘may, using a specific selection term as the basis for a request’’.

If the bill just required account identifiers or eliminated that “as a basis for” language, it might work. But as it is, that “as a basis for” involves analysis that also involves the possibility of using far different — and far broader — terms for the actual queries. (And it’s not clear — at least not to me — where and whether judges would get to approve this translation process.)

But you don’t have to take my word for it. You can look at a program that relied on “specific selection terms” “as a basis for” unbelievably vast collection.

The phone dragnet program.

In every single phone dragnet order, there’s a section that says records may only be searched if they’ve been associated with particular entities. Here’s the first one:

[Image: Screen shot 2014-05-06 at 10.15.18 PM]


USA Freedumb Act and RuppRoge Both Adopt Intelligence Community Definition of “Bulk Collection”

Update: An updated version of the Managers Amendment does define the term:

(2) SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a term used to uniquely describe a person, entity, or account.

This is far better than nothing. Though I have concerns about “entity” and I suspect there will be some pushback here, since not even phone numbers “uniquely describe a person,” much less IPs. (Update: see my post on my concerns about the definition.)

As I noted in this post, USA Freedumb Act (what I’ve renamed the compromised USA Freedom Act) purports to limit bulk collection by tying all collection to specific selection terms. It does this for Section 215.

No order issued under this subsection may authorize the collection of tangible things without the use of a specific selection term that meets the requirements of subsection (b)(2).

It does it for Pen Register/Trap and Trace.

(3) a specific selection term to be used as the basis for selecting the telephone line or other facility to which the pen register or trap and trace device is to be attached or applied;

And it does so for all four NSL types, as here with call records under ECPA.

COUNTERINTELLIGENCE ACCESS TO TELEPHONE TOLL AND TRANSACTIONAL RECORDS.—Section 2709(b) of title 18, United States Code, is amended in the matter preceding paragraph (1) by striking ‘‘may’’ and inserting ‘‘may, using a specific selection term as the basis for a request’’.

In fact, that’s the same mechanism RuppRoge (the House Intelligence Committee’s bill) uses to prevent bulk collection — though it limits bulk collection for fewer categories of things.

It does so for electronic communications records.

Notwithstanding any other provision of law, the Federal Government may not acquire under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) records of any electronic communications without the use of specific identifiers or selection terms.

And it does so for sensitive business records.

Notwithstanding any other provision of law, the Federal Government may not acquire under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) library circulation records, library patron lists, book sales records, book customer lists, firearm sales records, tax return records, education records, or medical records containing information that would identify a person without the use of specific identifiers or selection terms.

And this limitation, both bills proclaim, will prevent bulk collection.

Neither bill defines what it means by selection term or specific identifier.

Before I consider whether these bills will, in fact, prevent what you and I might consider bulk collection, note what has happened: both of these bills — the crappy Intelligence Committee wish list bill and the allegedly less crappy “reform” bill — have adopted the definition of “bulk collection” used by the notoriously Orwellian Intelligence Community.

This is perhaps best explained in Obama’s Presidential Policy Directive on surveillance.

References to signals intelligence collected in “bulk” mean the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).

Now, we’re at a huge disadvantage to be able to assess whether this definition of bulk collection bears any resemblance to what ordinary humans might understand bulk collection to mean, because the government is being very disingenuous about what they claim it to mean.

The government often publicly claims selectors are things “like telephone numbers or email addresses,” as they did repeatedly at the last PCLOB hearing.

I can assure you, however, that when they refer to “selectors like email or telephone,” they’re downplaying their use of things like other IDs (phone handset and SIM card IDs, credit card numbers, Internet IDs or even passwords, IP addresses, and site cookies). And nothing in the definition says selection terms have to have anything to do with actual people (as the evidence they use malware code as a selector would indicate). Plus, I could envision many things — such as “Area Code 202” or “Western Union transfers over $100” — that would seem to qualify as selection terms.

But we can measure whether limits to selectors or search terms prohibit bulk collection via another means — by looking at the program about which we’ve gotten the most details on selector searches: upstream 702 collection.

While we can’t assess how many “innocent” Americans get sucked up in this purportedly non-bulk collection (and I doubt NSA can either!), we do have an idea how many American communications get sucked up that shouldn’t be, according to the one-end foreign rule on the collection.

Up to 56,000 American communications a year, according to FISC Judge John Bates’ estimate (because the NSA refused to provide him the real numbers).

56,000 American communications that should not, under the law, have been targeted, sucked up using “identifiers” and “selection terms.”

And the government doesn’t consider that bulk collection at all.

That, my friends, is the standard two different Committees in Congress have adopted as well, doing the intelligence community’s bidding, claiming they’ve solved the bulk collection problem.

USA Freedumb Act: The Timing

A number of people have expressed appreciation for this analysis: if you find this useful, please consider donating to support my work. 

I’m going to do a series of more finished posts on the “compromised” version of Jim Sensenbrenner’s USA Freedom Act, which I hereby dub the USA Freedumb Act (thanks to Fake John Schindler for the suggestion), because so many of the reforms have been gutted. Here’s the initially proposed bill. Here’s my working thread on USA Freedumb.

You will hear a great many respectable people making positive comments about this bill, comments they normally would not make. That’s because of the carefully crafted timing.

As you recall, Mike Rogers originally got the House Parliamentarian to rule that the bill could go through the House Intelligence Committee. And his bill, which I affectionately call “RuppRoge” after Rogers and Dutch Ruppersberger and Scooby Doo’s “Rut Roh” phrase, is genuinely shitty. Not only does it put the NSA onsite at providers and extend call records collection beyond terrorism applications, but it also extends such collection beyond call records generally. It is likely an attempt to get the US back into the Internet dragnet business. Shitty bill.

That said, in key ways RuppRoge is very similar to USA Freedumb. Both “limit” bulk collection by limiting collection to selectors (Freedumb does so across the board, including for NSLs, whereas RuppRoge does so for sensitive Business Records, call records, and Internet metadata). Both propose a similarly (IMO) flimsy FISC advocate. Both propose laughably weak FISC transparency measures. Both will include compensation and immunity for providers they don’t currently have.

Aside from three areas where RuppRoge is better — it forces agencies to update their EO 12333 proposals, doesn’t extend the PATRIOT Act, and provides a (not very useful) way to challenge certificates, all the way up to SCOTUS — and three where it is far worse — it develops more Insider Threat measures, it applies for uses beyond terrorism and beyond call records, and doesn’t include new (but now circumscribed) IG reporting — they’re not all that different. [Correction: USA Freedumb ALSO applies beyond terrorism.]

They’re differently shitty, but both are pretty shitty.

The reason why otherwise respectable people are welcoming the shitty Freedumb bill, however, is that it gives the House Judiciary Committee — with a number of real reformers on it — first pass on this bill. It’s a jurisdictional issue. It puts the jurisdiction for surveillance bills back where it belongs, at the Judiciary Committee.

Oh, by the way, one of the more extensive (in terms of text) real changes in Freedumb is it finally includes the House Judiciary Committee, along with the House and Senate Intelligence Committees and Senate Judiciary Committee, among the committees that get certain kinds of reporting. Jurisdiction. (No, I can’t explain to you why it wasn’t included in the first place in 2008, and no, I can’t explain why that detail is not better known.) It gives everyone on HJC a tiny reason to support the bill, because they’ll finally get the reporting they should have gotten in 2008.

The House Intelligence Committee will consider RuppRoge the day after HJC considers Freedumb, Thursday. Which has elicited hasty (overly hasty, IMO) statements of support for Freedumb, as a way to head off the shitty RuppRoge.

Effectively, the National Security State has managed to put two differently shitty bills before Congress and forced reformers to choose. Freedumb is the better (as in less horrible) bill, and it might get better in Committee. But it’s not a runaway call. And the haste has prevented anyone from really figuring out what a central change to both programs means: limiting collection to selectors, which could be defined in very broad terms (and about which — you’ll have to take my word for now — the NSA has lied in public comments).

One more timing issue that I suspect explains the sudden activity surrounding “reform.” The Privacy and Civil Liberties Oversight Board is due to release a report on Section 702 in the next month or so (its comment period for the report closed on April 11). Given the comments of David Medine, James Dempsey, and Patricia Wald at hearings, I strongly suspect PCLOB will recommend reforms — at least — to back door searches, and possibly to upstream collection. Both are items which were gutted as USA Freedom became Freedumb. (In addition, two aspects that would have expanded PCLOB’s authorities — giving it a role in picking the FISC advocate and giving it subpoena power — have been removed.) So in the same way that President Obama rushed to reaffirm NSA’s unified structure, in which the Information Assurance Division and Cybercommand functions are unified with the more general NSA spying function, before his handpicked Review Group recommended they be split, this seems to be a rush to pre-empt any recommendations PCLOB makes.

Ultimately, these two shitty bills are destined to be merged in conference anyway, and reformers seem to have given up 75% of the field before we get started.

Which means just about the only “reforms” we’ll get are actually tactical fixes to help the Security State deal with legal and technical issues they’ve been struggling with.

The USA Freedumb Act has become — with DiFi’s Fake FISA Fix and RuppRoge before it — the third fake reform since Edward Snowden’s leaks first got published. Wearing down the reformers seems to be working.