Mitch McConnell

1 2 3 5

Senate Narrowly Avoids Voting Themselves to Become “Typos”

The McCain (Cornyn) amendment to the Judiciary Appropriations bill that would let them get Electronic Communication Transaction Records with a National Security Letter just narrowly failed to get cloture, with Dan Sullivan flipping his vote to yes near the end but Mike Crapo, a likely no vote, not voting. The final vote was 59-37.

The floor debate leading up to the vote featured a few notable exchanges. Richard Burr was an absolutely douchebag, saying Ron “Wyden is consistently against providing LE the tools it needs to defend the American people.” He did so in a speech admitting that, “My colleague says this wouldn’t stop SB or Orlando. He’s 100% correct.”

Burr also insisted that we can’t let the Lone Wolf provision, which allegedly has never been used, expire. It was extended just last year and doesn’t expire until 2019.

More interesting though was the debate between Burr and Leahy over whether the FBI can’t obtain ECTRs because of a typo in the law as passed in 1993. Leahy basically described that Congress had affirmatively decided not to include ECTRs in NSLs (implicit in this, Congress also did not decide to include it in the 2001 expansion). Burr claimed that Congress meant to include it but didn’t in some kind of oversight.

Here’s how Mazie Hirono and Martin Heinrich described the debate in the report on the Intelligence Authorization, which has a version of the ECTR change.

The FBI has compared expanding these authorities to fixing a “typo” in the Electronic Communications Privacy Act (ECPA).

However, during consideration of ECPA reform legislation in 1993, the House Judiciary Committee said in its committee report that “Exempt from the judicial scrutiny normally
required for compulsory process, the national security letter is an extraordinary device. New applications are disfavored.”

The House Judiciary Committee report also makes clear that the bill’s changes to Section 2709(b) of ECPA were a “modification of the language originally proposed by the
FBI.”

This does not support claims that the removal of the ECTR language was a “typo.”

Burr effectively argued that because law enforcement wanted ECTRs to be included back in 1993, they were meant to be included, and Congress’ exclusion of them was just a typo.

In short, a member of the Senate just argued that if Congress affirmatively decides not to capitulate to every demand of law enforcement, it must be considered a “typo” and not legally binding law.

For the moment, the Senate voted down making itself a “typo,” but Mitch McConnell filed a motion to reconsider, meaning he can bring the vote back up as soon as he arm twists one more vote.

 

Key Details about the Mitch McConnell Bid to Expand FBI Surveillance

As I noted, one of the two poison pills that stalled (if not killed) ECPA reform in the Senate Judiciary Committee a few weeks back was a John Cornyn amendment that would give the FBI authority to obtain Electronic Communication Transaction Records — which have been billed as email records, but include far more, including URLs and IP records — with an NSL again.

In a move akin to what he did by attaching CISA to last year’s Omnibus bill, Mitch McConnell has moved to shove that amendment through, this time on the Judiciary Appropriation.

Here are some key details about that effort:

Generally, the amendment would not have prevented the Orlando shooting

Republicans are spinning (and therefore some reporters are reporting) the amendment as “an effort … to respond to last week’s mass shooting in an Orlando nightclub after a series of measures to restrict guns offered by both parties failed on Monday.”

The reason why the ECTR change would not have prevented the Orlando shooting — as I noted when John Cornyn made the same bogus claim — is that, at least according to FBI Director Jim Comey (then what would he know?) FBI already obtained Omar Mateen’s ECTRs. So it is false to say that this is a real response, except insofar as shifting the way FBI would have gotten ECTRs in this case would have had other implications.

The most obvious implication of obtaining ECTRs via a subpoena versus an NSL is the latter’s gag, which the executive would retain significant prerogative over keeping in place years after obtaining the records. NSL gags have been used to hide records collection from their targets — and given that these use a “related to” standard, probably hides the number of innocent people collected for their role in someone else’s suspicious behavior — but the record of the Nicholas Merrill NSL makes it clear the gag served even more prominently to hide the kinds of records the government obtained under a broad definition of ECTR.

FBI is doing this to bypass minimization the FISA Court fought for for years

For tactical reasons, privacy groups have been claiming that permitting FBI to obtain ECTRs with an NSL is an expansion of FBI authority. That’s not technically correct: whether it should have been or not, FBI obtained ECTRs with an NSL from 2001 to 2009, until the publication of an OLC memo gave some tech companies the ability to refuse NSLs asking for ECTRs. Indeed, there’s reason to believe some companies — notably including AT&T — still provide some records beyond those listed in the 2008 OLC memo with just an NSL.

But what happened next is critical for understanding why FBI wants this change now. When ECTR collection moved from NSLs to Section 215 orders starting in 2009, the number of 215 orders spiked from about 30 to about 200, and with that, court mandated minimization procedures spiked, and remained elevated, until FBI finally adopted minimization procedures mandated by the 2006 reauthorization of the authority after Edward Snowden’s leaks (which makes me wonder whether they were actually following FISC-ordered minimization in the interim). Given that we know the spike in 215 orders stemmed from ECTR requests, that has to mean that FISC believed this collection was sufficiently intrusive on innocent people that it needed to be minimized.

Side note: it’s possible that those 175 ECTR records a year were bulky records: more systematic collection on orders issued four times a year, just like the phone dragnet orders, in lieu of tens of thousands of orders obtained via an NSL prior to that. If that’s the case, it’s possible that USA Freedom Act’s limits on bulk have posed a problem for some, though not all, of this bulky collection. In most cases with a designated suspect, as with Mateen, the FBI could still get the records with a subpoena.

This would push through the more expansive of two ECTR efforts

There are actually two efforts to let the FBI obtain ECTRs via NSL. This amendment, which is largely similar to Cornyn’s amendment to ECPA reform, and language already approved in the Intelligence Authorization (see section 803 at pp 64-65) for next year. The Intel Authorization version basically just adds “ECTRs” to the records available under 18 USC 2709.

request the name, address, length of service, local and long distance toll billing records, and electronic communication transactional records of a person or entity, but not the contents of an electronic communication,

The amendment that will get a vote tomorrow, however, lays out what can be obtained in much greater detail with this list:

(A) Name, physical address, e-mail address, telephone number, instrument number, and other similar account identifying information.

(B) Account number, login history, length of service (including start date), types of service, and means and sources of payment for service (including any card or bank account information).

(C) Local and long distance toll billing records.

(D) Internet Protocol (commonly known as ‘IP’) address or other network address, including any temporarily assigned IP or network address, communication addressing, routing, or transmission information, including any network address translation information (but excluding cell tower information), and session times and durations for an electronic communication.

There are three big differences in the Cornyn version. The Cornyn amendment affirmatively permits FBI to obtain payment information. The Cornyn amendment affirmatively permits a lot more information, in addition to that financial information, that is used to correlate identities (things like all types of service used, all possible types of “address” or instrument number, and IP generally; see this post for more on correlations). Finally, Cornyn lays out that ECTRs include IP address information.

Nicholas Merrill described the significance of IP address information in a declaration he submitted, with the explanation, “I believe that the public would be alarmed if they knew what kinds of records the FBI apparently believes constitute ECTR,” in his bid to unseal the NSL he received.

Electronic communication service providers can maintain records of the IP addresses assigned to particular individuals and of the electronic communications involving that IP address. These records can identify, among other things, the identity of an otherwise anonymous individual communicating on the Internet, the identities of individuals in communication with one another, and the web sites (or other Internet content) that an individual has accessed.

Electronic communication service providers can also monitor and store information regarding web transactions by their users. These transaction logs can be very detailed, including the name of every web page accessed, information about the page’s content, the names of accounts accessed, and sometimes username and password combinations. This monitoring can occur by routing all of a user’s traffic through a proxy server or by using a network monitoring system.

Electronic communication service providers can also record internet “NetFlow” data. This data consists of a set of packets that travel between two points. Routers can be set to automatically record a list of all the NetFlows that they see, or all the NetFlows to or from a specific IP address. This NetFlow data can essentially provide a complete history of each electronic communications service used by a particular Internet user.

[snip]

Web servers also often maintain logs of every request that they receive and every web page that is served. This could include a complete list of all web pages seen by an individual, all search terms, names of email accounts, passwords, purchases made, names of other individuals with whom the user has communicated, and so on.

Content Delivery Networks, such as Akamai and Limelight Networks, are availability networks that popular websites use to increase the speed at which their content is delivered to users. For example, many of the country’s top media, entertainment, and electronic commerce companies use Akamai’s services to store images and other rich content so that users can download their pages more quickly. These Content Delivery Networks record every image, webpage, video clip, or other “object” downloaded by every user of their client websites. Content Delivery Networks can therefore serve as independent sources of a user’s web browsing history through the records that they store.

In 2004, when Merrill got his NSL, the FBI included Cell Site Location Information in its definition of ECTR. That is excluded here, but there are ways FBI can obtain general location information from IP address and other data included in ECTRs.

FBI likely would (and will, if and when the Intel Authorization passes) argue that ECTRs include the items identified by Merrill even if passed without the specifying language that appears in the Cornyn amendment. But with the language specifying login history and IP metadata, Cornyn’s gets much closer to admitting that this kind of information is what FBI is really after.

And, as noted, we should assume the reason FBI wants the gags associated with NSLs is to hide what they’re getting even more than from whom they’re getting it.

Long live the allegedly never used Lone Wolf

I said above that the amendment that will get a vote tomorrow is almost the same as the Cornyn amendment was. With regards to the NSL language, they’re virtually identical. But tomorrow’s amendment extends the Lone Wolf provision of the PATRIOT Act — which FBI keeps telling Congress they have never ever used — forever.

I suspect FBI is being disingenuous when they say the Lone Wolf has never been used. I suspect that it, like the roaming wiretap provision, was used by the FISA Court as a concept to justify approving something else. For example, a number of Americans have had FISA warrants deeming them agents of a foreign power even without ever speaking to a member of an actual terrorist group. I suspect — and this is just a wildarsed guess — that FISC will treat a foreign extremist and/or a non-Al Qaeda/ISIS jihadist forum as a lone wolf in concept (the law itself only applies here in the US), thereby finding the ties between the American and that non-formal Islamic extremist entity to reach the bar of agent of a foreign power via foreign-located lone wolf.

If I’m right, the lone wolf provision exists not so much because it has proven necessary as Congress understands it, but as a gimmick to get more Americans treated as foreign agents by FISC. Again, if I’m right, someday this will be disclosed in court (or understood by enough trial judges that it starts being a problem). But if this amendment passes, there will not be an easy time to review the use of lone wolf.

Why didn’t the GOP push this on USA Freedom Act?

There’s one more point I find notable about this. The USA Freedom Act affected both NSL and Section 215 orders last year, both of which are central to the question of how FBI obtains ECTRs. It also extended the Lone Wolf provision to December 15, 2019. In other words, Congress just legislated on precisely these issues, and USA Freedom Act would have been the appropriate time to make changes that might be necessary.

So why didn’t FBI and Comey do that last year?

Update: With respect to this last question, I’ve been informed that there was a behind the scenes effort to add ECTRs to USAF, though not one that ever made a public draft of the bill.

The Play on the Scalia Replacement: Remember the Lame Duck

Within minutes after the public announcement of Antonin Scalia’s death, Senator Mike Lee’s flack Conn Carroll started predicting Obama would have zero chance of successfully naming a successor. After Carroll, one after another actual Senator followed that sentiment, including Chuck Grassley and Mitch McConnell, both of whom would have the ability to stall any Obama nominee. From that point, the GOP was pretty much committed, they said, to preventing any Obama nominee from being confirmed.

That led to a bunch of bad comparisons — between judges like Robert Bork who was rejected and Miguel Estrada who never got a vote — and simply going a year without acting on a President’s nominee. Even the comparison with Anthony Kennedy (who was nominated in November after two other nominees, including Bork, failed) is inapt, as he was nominated earlier than any Obama pick would be (though in a sense that fetishizes the year that would pass without a nominee).

I, like bmaz, believe Obama will pick someone fairly centrist, probably someone who has been recently confirmed by big margins.  I agree the most likely nominee will be Sri Srinivasan, who in 2013 was confirmed to the DC Circuit with a 97-0 vote — though I’m also mindful of the wisdom (given the GOP unanimity about obstructing this nominee) of picking someone who drive Democratic turnout — an African-American woman, for example. Though I highly doubt Obama will nominate Loretta Lynch, as some have suggested, not least because the fight over releasing data on HSBC’s continued money laundering will draw more attention as it moves toward appeal, which might focus attention on her role in administering the wrist slap in the face of egregious drug cartel and terrorist supporting money laundering.

After some reflection, some conservatives have suggested that the GOP would have been better served if they had simply not managed to pass Obama’s nominee, rather than making such a big stink about it.

I think that ignores how much both parties look forward to using this nominee to drive turnout — and regardless of who the respective nominees are, the GOP have a much bigger challenge in getting enough voters to turn out to elect a GOP president in November, so I’m sure they’re quite happy to have an issue that (they presumably hope) might flip some conservative Latino votes — though one likely outcome of an extended 8-member court is that the Fifth Circuit’s ruling staying Obama’s immigration orders will be upheld after a 4-4 tie on the court, which might have the opposite effect.

Furthermore, I think it ignores one other factor. Srinivasan has been predicted to be Obama’s most likely SCOTUS appointment for almost 3 years (few people consider how such predictions might have influenced Ruth Bader Ginsburg’s decision not to retire). The Republicans probably presume he’s the most likely candidate as well.

The presumption Srinivasan — or someone similar — would be the nominee easily justifies the GOP’s immediate promise they won’t confirm a nominee. That’s because they need to explain why someone they just overwhelmingly confirmed, someone who faced more opposition from the left than the right, suddenly became unacceptable.

More importantly, I presume the GOP wants to keep open the possibility of confirming Srinivasan or whatever centrist Obama appoints during the Lame Duck. Here’s why:

Barring any replay of Bush v. Gore, both sides will know on November 9 who would get to pick Scalia’s replacement if Obama’s pick failed. Both sides will also know the makeup of the Senate. Because of the demographic issues I mentioned earlier, the likely Democratic nominee, Hillary Clinton, is most likely to win. That’s not to say I think she’s necessarily the strongest candidate — even ignoring the potential the email scandal will taint close advisors like Huma Abedin or Jake Sullivan, I think it likely the economy will be crashing by November in a way that would favor Trump if he were the GOP nominee facing Hillary. But I think electoral demographics suggest the GOP will have a harder time winning this year, particularly after a year of Trump branding the GOP with bigotry.

Plus (ignoring my suspicion the economy will be crashing by November), we’re likely to have a more Democratic Senate after November. Harry Reid is the only retiring Democrat where the replacement race is currently perceived to be toss-up, whereas Marco Rubio, Mark Kirk, Kelly Ayotte, and Ron Johnson are all deemed to be likely toss-ups, if not Dem-favorable. It’s still most likely the GOP will have a slight majority, but a smaller one, in the Senate, one where people like Susan Collins could make more of a difference. But it is likely to be more Democratic.

If Hillary wins (the most likely outcome) and Democrats win the Senate (unlikely, but feasible), then the Republicans will have good reason to want to confirm an Obama nominee perceived to be centrist. Whereas Srinivasan looks far worse than Scalia to the Republicans, he would all of a sudden look far preferable to a Hillary choice with the time to wait out the Senate. The GOP would have time between November 9 and the Christmas break to confirm whatever Obama nominee has been languishing.

In other words, I think the GOP have provided a way to stall someone (like Srinivasan) they have recently confirmed, while leaving the possibility of confirming that person if November makes it likely the next nominee will be more liberal.

One more thing: Commentary on this process has presumed that McConnell and Grassley (and Obama) learned of Scalia’s death when we all did. I would hope that Obama, at least, got word well before that, particularly given the involvement of at least the US Marshals and according to some reports the FBI. But I also wouldn’t leave out the possibility that one of the 39 other still unidentified guests at the ranch this weekend gave the Republican leadership a heads up as soon as a hearse showed up. So it’s possible that what looked like quick knee-jerk response on the part of Republican leadership was instead more considered, along the lines I’ve just laid out.

Marco Rubio Explains the Dragnet

SIGINT and 215A penny dropped for me, earlier this week, when Marco Rubio revealed that authorities are asking “a large number of companies” for “phone records.” Then, yesterday, he made it clear that these companies don’t fall under FCC’s definition of “phone” companies, because they’re not subject to that regulator’s 18 month retention requirement.

His comments clear up a few things that have been uncertain since February 2014, when some credulous reporters started reporting that the Section 215 phone dragnet — though they didn’t know enough to call it that — got only 20 to 30% of “all US calls.”

The claim came not long after Judge Richard Leon had declared the 215 phone dragnet to be unconstitutional. It also came just as the President’s Review Group (scoped to include all of the government’s surveillance) and PCLOB (scoped to include only the 215 phone dragnet) were recommending the government come up with a better approach to the phone dragnet.

The report clearly did several things. First, it provided a way for the government to try to undermine the standing claim of other plaintiffs challenging the phone dragnet, by leaving the possibility their records were among the claimed 70% that was not collected. It gave a public excuse the Intelligence Community could use to explain why PRG and PCLOB showed the dragnet to be mostly useless. And it laid the ground work to use “reform” to fix the problems that had, at least since 2009, made the phone dragnet largely useless.

It did not, however, admit the truth about what the 215 phone dragnet really was: just a small part of the far vaster dragnet. The dragnet as a whole aspires to capture a complete record of communications and other metadata indicating relationships (with a focus on locales of concern) that would, in turn, offer the ability to visualize the networks of the world, and not just for terrorism. At first, when the Bush Administration moved the Internet (in 2004) and phone (in 2006) dragnets under FISC authority, NSA ignored FISC’s more stringent rules and instead treated all the data with much more lax EO 12333 rules(see this post for some historical background). When FISC forced the NSA to start following the rules in 2009, however, it meant NSA could no longer do as much with the data collected in the US. So from that point forward, it became even more of a gap-filler than it had been, offering a thinner network map of the US, one the NSA could not subject to as many kinds of analysis. As part of the reforms imposed in 2009, NSA had to start tracking where it got any piece of data and what authority’s rules it had to follow; in response, NSA trained analysts to try to use EO 12333 collected data for their queries, so as to apply the more permissive rules.

That, by itself, makes it clear that EO 12333 and Section 215 (and PRTT) data was significantly redundant. For every international phone call (or at least those to countries of terrorism interest, as the PATRIOT authorities were supposed to be restricted to terrorism and Iran), there might be two or more copies of any given phone call, one collected from a provider domestically, and one collected via a range of means overseas (in fact, the phone dragnet orders make it clear the same providers were also providing international collection not subject to 215).  If you don’t believe me on this point, Mike Lee spelled it out last week. Not only might NSA get additional data with the international call — such as location data — but it could subject that data to more interesting analysis, such as co-location. Thus, once the distinction between EO 12333 and PATRIOT data became formalized in 2009 (years after it should have been) the PATRIOT data served primarily to get a thinner network map of the data they could only collect domestically.

Because the government didn’t want to admit they had a dragnet, they never tried to legislate fixes for it such that it would be more comprehensive in terms of reach or more permissive in terms of analysis.

So that’s a big part of why four beat journalists got that leak in February 2014, at virtually the same time President Obama decided to replace the 215 phone dragnet with something else.

The problem was, the government never admitted the extent of what they wanted to do with the dragnet. It wasn’t just telephony-carried voice calls they wanted to map, it was all communications a person might make from their phone, which increasingly means a smart phone. It wasn’t just call-chaining they wanted to do, it was connection chaining, linking identities, potentially using far more intrusive technological analysis.

Some of that was clear with the initial IC effort at “reform.” Significantly, it didn’t ask for Call Detail Records, understood to include either phone or Internet or both, but instead “records created as a result of communications of an individual or facility.” That language would have permitted the government to get backbone providers to collect all addressing records, regardless if it counted as content. The bill also permitted the use of such tools for all purposes, not just counterterrorism. In effect, this bill would have completed the dragnet, permitting the IC to conduct EO 12333 collection and analysis on records collected in the US, for any “intelligence” purpose.

But there was enough support for real reform, demonstrated most vividly in the votes on Amash-Conyers in July 2013, that whatever got passed had to look like real reform, so that effort was killed.

So we got the USA F-ReDux model, swapping more targeted collection (of communications, but not other kinds of records, which can still be collected in bulk) for the ability to require providers to hand over the data in usable form. This meant the government could get what it wanted, but it might have to work really hard to do so, as the communications provider market is so fragmented.

The GOP recognized, at least in the weeks before the passage of the bill, that this would be the case. I believe that Richard Burr’s claimed “mistake” in claiming there was an Internet dragnet was instead an effort to create legislative intent supporting an Internet dragnet. After that failed, Burr introduced a last minute bill using John Bates’ Dialing, Routing, Addressing, and Signaling language, meaning it would enable the government to bulk collect packet communications off switches again, along with EO 12333 minimization rules. That failed (in part because of Mitch McConnell’s parliamentary screw ups).

But now the IC is left with a law that does what it said it wanted (plus some, as it definitely gets non-telephony “phone” “calls”), rather than one that does what it wanted, which was to re-establish the full dragnet it had in the US at various times in the past.

I would expect they won’t stop trying for the latter, though.

Indeed, I suspect that’s the real reason Marco Rubio has been permitted to keep complaining about the dragnet’s shortcomings.

NYT Buries the Ineffective CyberSecurity Lede

The NYT has a story today headlined,

Senate Rejects Measure to Strengthen Cybersecurity

On Carrots, Sticks, and Rand Paul

Now that USA F-ReDux has become USA FreeDone, I wanted to look at Steve Vladeck’s two bizarre posts attacking Rand Paul’s opposition to USA F-ReDux as a way of doing a post-mortem on the process.

I say bizarre because Vladeck complains that Paul “seize[d] the national spotlight in order to focus everyone’s attention on a hyper-specific question” — that of the Section 215 dragnet — when Vladeck has, at this late date, joined those of us who have long been pushing a focus on broader issues, specifically EO 12333 and Section 702. To support his claim that Paul is singularly focused on Section 215, Vladeck links to a second-hand report of a sentence in Paul’s campaign announcement, rather than to the announcement itself which (while more muddled than in other statements where Paul has named EO 12333 directly) invokes surveillance authorized by Executive Order, not the PATRIOT Act.

The president created this vast dragnet by executive order. And as president on day one, I will immediately end this unconstitutional surveillance.

Contrary to Vladeck’s miscitation, in this and other comments, Paul seized the national spotlight, in significant part, to talk about the broader issues, specifically EO 12333 and Section 702, that those pushing USA F-ReDux had set aside for future fights. Indeed, big parts of Paul’s filibuster speech — including his 10 and Ron Wyden’s 2 references to EO 12333 and his 18 and Wyden’s 3 references to 702 — sounds a lot like Vladeck’s series of posts worrying that this will be the only shot at reform and therefore regretting that we didn’t talk about the bigger issues as part of it.

Another deficiency of the USA FREEDOM Act is that it does not address bulk collection under Executive Order 12333. The bill also fails to address bulk collection under section 702 of the FISA Amendments Act.

One could say: What are you complaining about? You are getting some improvement. You still have problems, but you are getting some improvement.

I guess my point is that we are having this debate, and we don’t have it very often. We are having the debate every 3 years, and some people have tried to make this permanent, where we would never have any debate. Even though we are only having it every3 years, it is still uncertain whether I will be granted any amendments to this bill.

So, yes, I would like to address everything while we can. I think we ought to address section 702. I think we ought to–for goodness’ sake, why won’t we have some hearings on Executive Order 12333? I think they may be having them in secret, but I go back to what Senator Wyden said earlier. I think the principles of the law could be discussed in public. We don’t have to reveal how we do stuff. Do we think anybody in the world thinks we are not looking at their stuff? Why don’t we
explore the legality and the law of how we are doing it as opposed to leaving it unsaid and unknown in secret?

In other words, unlike the drone filibuster Vladeck points to as proof of “libertarian hijacking” — where Paul definitely defined his terms narrowly (but in a later iteration did succeed in getting more response from Jim Comey than Ron Wyden making demands) — Paul was arguing for precisely what Vladeck said we should be arguing about. He just has cooties, I guess is the substance of Vladeck’s argument, so Vladeck doesn’t want him as an ally.

Equally bizarre is Vladeck’s claim that, “it was the very same Senator Paul who all-but-singlehandedly torpedoed the Leahy bill back in November, helping to force the entirely unnecessary political and legal brinkmanship of the past week.” That’s bizarre because, as a matter of fact, Paul did not “singlehandedly” torpedo the bill; Bill Nelson played an equal role (and that’s even assuming the bill had enough votes to pass, which given that I know of 1 pro-cloture vote who was a no vote on passage and a significant number who weren’t committed to vote for it without improving amendment, was never a foregone conclusion). It’s easy to blame Paul because it absolves whoever it was that whipped a bill but didn’t even count all the Democratic votes on it, but Paul was in no way singlehandedly responsible.

But the view all the more bizarre, coming from Vladeck, because if Paul singlehandedly torpedoed the bill (he didn’t) he also singlehandedly made the 2nd Circuit ruling for ACLU possible (he didn’t, but that is Vladeck’s logic). And unlike most USA F-ReDux champions, Vladeck has been very attentive– if, at times, arguably mistaken in his understanding of it — to the interaction of USA F-ReDux legislation and the courts. While USA F-ReDux is — important additional Congressional reporting requirements on PRTT and bulky 215 collection notwithstanding — definitely a worse bill than its predecessor, that’s not the measure. So long as the 2nd Circuit decision ruling against “relevant to” and finding a Fourth Amendment interest at the moment of collection rather than review stands (the government still has a few weeks to challenge it), the measure is USA F-ReDux plusthe 2nd Circuit decision as compared to USAF without the additional leverage of an appellate court ruling. There are very important things the 2nd Circuit decision may add to USA F-ReDux. Every commenter is entitled to weigh that measure themselves, but if you’re going to hold Paul responsible for torpedoing the legislation last fall you also have to credit him with buying time so the 2nd Circuit could weigh in.

Which brings me to leverage.

I was not a fan of any version of USAF because all left every key provision save the CDR function (and even some of that was left dangerously open to interpretation until HJC wrote its final bill report) subject to the whim of the Executive and/or the FISC, and the bill itself jettisoned necessary leverage over the Executive (Vladeck has written about the gutting of the FISC advocate, and a parallel gutting has happened on transparency provisions from the start). That is, rather than exercise some kind of authority over the Executive, Congress basically wrote down what the Executive wanted and passed it in a way that the Executive still had a lot of leeway to decide what it wanted to do.

I get why that happened and I don’t mean to diminish the work of those who pushed for more: the votes and leadership buy-in simply isn’t there yet to actually start limiting what Article II will do in secret.

But that means none of the other things Vladeck wants will be possible until we get more leverage. And while the outcome of the bill may be the same and/or worse, what is different about the passage of USA F-ReDux is that leadership in both house of Congress barely kept it together.

And Rand Paul, whether he has cooties or not, was key to that process.

That’s true, in large part, because Mitch McConnell was aiming to set up an urgent crisis as a way to scare people into making the bill worse. He succeeded in doing so by delaying consideration of the bill until the last minute, but when Paul — and Ron Wyden and Martin Heinrich — prevented him from getting a short-term extension to do so without lapsing the dragnet, that changed the calculus of the crisis. It meant those who had bought into the idea you need a dragnet to keep the country safe could be pressured to vote against McConnell’s efforts to weaken USA F-ReDux. (Note, there are some who have claimed that Paul objected to immediately considering USA F-ReDux Sunday night, giving McConnell his opportunity to amend the bill, but the congressional record doesn’t support that; McConnell didn’t call for immediate consideration of the bill itself until he had already filled the tree with amendments.)

And while I don’t want to minimize the utterly crucial efforts of Mike Lee to actually whip the vote, that effort was made easier by the very real threat that if the bill had to go back to the House it would die, resulting in a more permanent lapse to Section 215 and the other expired authorities. Leahy and others used that threat repeatedly, in fact, to argue that surveillance hawks needed to support an amended bill. And the threat was heightened because John Boehner had real worries that if he tried something funny, his own leadership would be at risk.

Last year, the privacy community was mostly fighting with carrots against an Executive branch that was dictating what it was willing to give up. Now, it’s fighting with carrots and sticks. We haven’t gotten the Executive branch to give up anything it didn’t already want to give up yet. But having dealt McConnell a big defeat and having the threat to do so with Boehner might make that possible going forward.

Having someone like Rand Paul, who is not afraid to be accused of having cooties, to make that possible is a critical part of that process. That doesn’t negate the efforts of anyone else (again, I’m really encouraged by Mike Lee’s role in all this). But it does mean people holding carrots but demanding things that will only be obtained with some sticks, too, ought not to dismiss the efforts to make the threat of a stick real.

 

The FISC Purportedly Continues to Have Problems with “Relevant” and “All”

Amid posts bewailing Rand Paul because the Senator’s substantial discussions of the problems with EO 12333 and Section 702 spying aren’t the substantial discussions he wants (I’ll return to these once more pressing matters have passed), Steve Vladeck has returned to the USA F-ReDux topic on which he doesn’t keep contradicting himself: the amicus.

As he notes (and I noted here), Mitch McConnell is (as we speak) attempting to water down the already flimsy FISC amicus via amendment. And Vladeck — as he has before — exposed the false claims that the objections to the amicus comes from the judiciary, this time as represented in the letter from Director of the Administrative Offices of US Courts James Duff.

Why is such a radical amendment to a provision in the House bill that was negotiated very carefully so necessary? According to the memo, “Amendment 1451 is responsive to the judiciary’s continual opposition to the amicus structure of the USA Freedom Act,” as manifested in “a letter to Congress from the director of the Administrative Office of the U.S. Courts.”

[snip]

I don’t mean to belabor the point. If anything, as I suggested yesterday, section 401 of the House-passed USA FREEDOM Act is a terribly weak version of what should have been a very good (and unobjectionable) idea–allowing a security-cleared outside lawyer to participate in the tiny percentage of cases before the FISC that involve applications for anything besides individualized warrants (you know, the cases in which adversarial participation is already authorized).Part of why section 401 is so weak is because members of Congress have consistently allowed themselves to be snookered by (or have found it convenient to hide behind) the objections of the “judiciary.”

On the merits, though, these objections are patently unavailing. And they certainly aren’t the objections of the “judiciary.”

I’ve also tracked how others, like James Clapper, have been using these purported judiciary concerns to undercut the “advocate” that President Obama used to pretend to want.

What’s particularly interesting, however, is one of the recurrent problems the “judges” seem to keep having. Duff emphasizes that one problem with amici is the Executive would lie to the FISC if telling the truth might risk revealing useful information to an amici. And as one part of that, he focuses on USA F-ReDux’s intent to get

Designated amici are required to have access to “all relevant” legal precedent, as well as certain other materials “the court determines are relevant.

[snip]

We are concerned that a lack of parallel construction in proposed clause (6)(A)(i) (apparently differentiating between access to legal precedent as opposed to access to other materials) could lead to confusion in its application.

This is what Clapper seemed to be going after last September.

Clapper signals he will make the amicus curiae something different. First, he emphasized this amicus will not interfere with ex parte communications between the court and the government. That may violate this passage of Leahy’s bill, which guarantees the special advocate have access to anything that is “relevant” to her duties.

(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—

[snip]

(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;

Given that in other parts of 50 USC 1861, “relevant” has come to mean “all,” it’s pretty amazing that Clapper says the advocate won’t have access to all communication between the government and the court.

But the really interesting thing — the reason McConnell’s as-we-speak attempt to gut the amicus further — is that the House already fixed some of this. In a manager’s amendment presented as technical clarifications (but which, on this issue, were not), Bob Goodlatte rewrote this passage:

(i) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials that the court determines are relevant to the duties of the amicus curiae;

To read like this, to directly address one of Huff’s stated concerns:

(i) shall have access to any relevant legal precedent, and application, certification, petition, motion, or such other materials that the court determines are relevant to the duties of the amicus curiae;

That is, Goodlatte already gave the court complete discretion over what the amicus could access, up to and including underlying legal precedents.

Of course, all that assumes the courts will get all the information they need, which they have a long history of not doing.

Here’s the real takeaway though. The President likes to claim he supports this reform. But he has already made it clear he didn’t really want an advocate at the FISC, but would instead like the FISC to remain a rubber stamp.

ACLU’s Poker Face

Thus far, I have not seen a statement from the ACLU on last night’s developments with respect to the PATRIOT Act — the passage of cloture, McConnell’s failure to even ask for an immediate vote, followed by McConnell filing several amendments that would weaken USA F-ReDux. [Correction: here is one. h/t EG]

Indeed, no one even seems to be interested what the ACLU thinks about all this, reporting the key players to include Mitch McConnell and Richard Burr, the White House and Intelligence Agencies, and the House, especially House leadership that would be forced to shepherd any changes to USA F-ReDux back through the House, but not the ACLU.

I’m interested.

Especially with Burr’s amendment to extend the transition period to the new phone records program to a full year. After all, ACLU’s lawsuit just got punted back to the District to see what happens now, but it was punted based on the presumption that Congress was going to fix the illegal dragnet “soon.”

A year is not “soon,” at least not in my book.

If ACLU agrees with me, they can asks the judges to provide some relief “sooner” than a year from now, either by ordering an earlier end to the dragnet or — at the very least — requiring the NSA to pull all of ACLU’s records from their dragnet. Indeed, given the number of active court challenges the ACLU has against the government, they’d be able to argue pretty compellingly they need quicker relief than a year.

In the past, NSA has suggested it would be too onerous to pull the records of one plaintiff from the dragnet. Who knows whether they were just bullshitting judges, but if it is too onerous, that would present other issues.

All of which is my way of saying the ACLU may have a few cards of interest in their hand that no one is much considering. I’m not going to ask them what they’re holding, mind you. I like that they may be deliberating in secret to thwart efforts to extend the dragnet.

I’m just noting that they do appear to still be holding some cards…

Mitch McConnell Just Made the Country Less Safe in Bid to Ensure FISC Continues to Be Rubber Stamp

I predicted back in April that Mitch McConnell would use the threat of straight reauthorization of a program that doesn’t do what the Intelligence Community wants to demand changes to USA F-ReDux.

And a data retention mandate — presented in the guise of a requirement that providers give notice if they plan not to retain data at least 18 months — is one the things McConnell will try to push through today.

(k) PROSPECTIVE CHANGES TO EXISTING PRACTICES RELATED TO CALL DETAIL RECORDS.—

(1) IN GENERAL.—Consistent with subsection (c)(2)(F), an electronic communication service provider that has been issued an order to produce call detail records pursuant to an order under subsection (c) shall notify the Attorney General if that service provider intends to retain its call detail records for a period less than 18 months.

(2) TIMING OF NOTICE.—A notification under paragraph (1) shall be made not less than 180 days prior to the date such electronic communications service provider intends to implement a policy to retain such records for a period less than 18 months.’’.

McConnell repeated his justification for a retention mandate last night by pointing to a provider that refused to agree to keep documents for a call record program, as he did last week. Why is Mitch worried about document retention for a call record program?

Remarkably, McConnell’s data mandate is for a shorter period of time than the 2 year data handshake the major telecoms have agreed to, according to Dianne Feinstein.

McConnell also submitted standalone amendments, the first requiring certification from James Clapper that the dragnet works before existing dragnet authorities expire, with the second one extending the expiration of the dragnet to a year.

McConnell submitted an amicus provision that simply codifies the status quo, which already permits a court to name an amicus. Significantly, McConnell’s amicus provision eliminates the reporting to Congress that Richard Burr’s bill at least had. But McConnell’s bill does include FISCR fast-track review, which I believe may actually be counterproductive. So McConnell’s amicus amendment permits the FISC to go on making shit up without any notice that’s what they’re doing.

Finally, there’s one other provision in one of two substitute bills Mitch put forward this month: an elimination of the reporting requirement of any significant FISC decisions (Section 402 is removed entirely).

Now, frankly, even in the existing USA F-ReDux, the reporting requirement permits the Executive too much discretion about what kind of details they’ll release. Even in FOIA suits, where a judge gets to weigh in, the government has been able to withhold even information that is almost certainly in the public record. Their summaries of important decisions would surely look like useless Vaughn Index summaries.

But that’s too much for Mitch McConnell — and the Intelligence Community folks whose demands he is serving. And, of course, elimination of this weak reporting requirement eliminates the only check against ongoing bulk or bulky collection, because the language surrounding Specific Selection Term includes big potential loopholes.

So consider what this means.

Over the last two weeks, Mitch McConnell has pursued policies that have led to a lapse in the phone (and CIA money transfer) dragnets. He didn’t even try to bring USA F-ReDux for an immediate vote last night; he only tried to bring up Lone Wolf and Roving Wiretap.

And his goal, for letting the dragnet expire, is to ensure the FISA Court continues to be dysfunctional.

Mitch McConnell has — according to his claims, not mine — made the country less safe with this lapse in the dragnet. All in a bid to ensure the FISC continues to operate as a rubber stamp.

Devin Nunes Will Let Dragnet Lapse So Mitch McConnell Can Save Face?!?!

NYT has a remarkable article describing how a number of hawks are willing to risk letting PATRIOT Act authorities lapse so Mitch McConnell can save face.

Senior lawmakers are scrambling this week in rare recess negotiations to agree on a face-saving change to legislation that would rein in the National Security Agency’s dragnet of phone records, with time running out on some of the government’s domestic surveillance authority.

[snip]

If negotiators accept minor changes to the House bill, it will mark a significant retreat for Senator Mitch McConnell of Kentucky, the majority leader, and Senator Richard M. Burr of North Carolina, the chairman of the Senate Intelligence Committee.

Sadly, the NYT continues the typically credulous mainstream reporting on this topic. For example, Mitch McConnell never really wanted a straight reauthorization.

Mr. McConnell and Mr. Burr wanted a straight extension of the existing surveillance authority, although an appeals court judge ruled this month that such authority was illegal.

False. Burr revealed what they want Friday night. They want to move bulky Internet production back to NSLs. They want to expand the current dragnet to include Internet calls and even straight IP (and, oddly, documents!), and they want to expand it well beyond its counterterrorism focus to include all foreign intelligence. They want to criminalize whistleblowing about this law in particular. They want to eliminate all special privacy protections — over the standard NSA ones — for US persons.

And very importantly, they want to use the claim to need a 2-year transition period to finally obtain the authorities for NSA to conduct the bulk collection they actually want to do, in which place they’ll be well positioned to claim having the government retain the data is most efficient.

I could go on. But after Friday night no journalists with any self-respect should propagate Mitch’s “straight reauthorization” canard, which — it was clear over a month ago — was only ever a negotiating tactic.

NYT also falsely claims Burr wants just Lone Wolf and Roving Wiretap made permanent.

Mr. Burr wants the so-called lone wolf and roving authorities to be made permanent to avoid cliffhangers like the one Congress finds itself in now. The House bill would extend them to December 2019.

The title to that section of Burr’s bill reads,

PERMANENT AUTHORITY FOR ACCESS TO BUSINESS RECORDS, ROVING SURVEILLANCE, AND INDIVIDUAL TERRORISTS AS AGENTS OF FOREIGN POWERS UNDER THE FOREIGN INTELLIGENCE SURVEILLANCE ACT OF 1978 [my emphasis]

And the language of it repeals both parts of both laws that include a sunset.

But the really absurd part of this story — and to be fair, NYT has to report these arguments as if they’re serious, and I should be grateful they have been recorded in all their absurdity — is that Burr and Nunes are now claiming that the largest phone companies in the US don’t know how to 1) store data, or 2) “search stored phone data after a warrant [actually, a Reasonable Articulable Suspicion order, not a warrant] is issued, then communicate the results to the government.”

The two men have said phone companies, which would collect the data instead of the N.S.A. under the USA Freedom Act, are not equipped to handle the task.

[snip]

Leaders of the House Intelligence and Judiciary Committees from both parties, along with supporters in the Senate, said they could assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in.

Mr. Burr said he would like that period to be two years, a proposal not very likely to be accepted by the House.

“The question is whether the technology can be developed in time, over a six-month window,” Mr. Nunes said in an interview. “I think it can be. I was at N.S.A. reviewing this 10 days ago.”

He added: “We believe six months works, but it wouldn’t be bad to have a little longer.”

But even that change has irked lawmakers, who worked for months on the compromise that passed the House. Representative Adam B. Schiff of California, the ranking Democrat on the House Intelligence Committee, said the technology in question — the ability to search stored phone data after a warrant is issued, then communicate the results to the government — was “a pretty minor deal” that could easily meet a certification deadline.

The men overseeing our intelligence community claim to not understand that phone companies store this information — and respond to lawful government requests for it — every day.

In truth, this is likely another ploy to expand the role of providers down the road (as happened under PRISM), after we’ve all become less vigilant — beyond simply providing phone records (as these silly Congressmen claim) to doing far more analysis.

After all, the only way these claims make sense, is if the government expects to get real pushback from providers going forward — and that’s not going to happen if all they want is call records delivered to the government, which telecoms have been doing forever.

So that’s the likely play: to set up some mechanism whereby the hawks can claim — in 6 months time — that telecoms are unwilling or unable (the same standard they use for drones killing!) to do what the government will ask. At which point we’ll be fighting to get the government out of an expanded dragnet business.

One more thing.

The Republicans also claim that the telecoms have been harassed by privacy advocates.

Republicans have also expressed a desire to protect the phone companies against harassment from privacy activists over their participation in a new surveillance program.

This is likely a bid to do something to shroud the dragnets (it won’t be just telecom going forward) in secrecy from here on out. Probably not the act-specific Espionage Act, like Burr wants, but probably some other means to ensure that no one ever gets standing to challenge what will still be an unconstitutional program going forward.

I guess they hope we won’t notice because we’re laughing at their other batty excuses so hard?

1 2 3 5