Posts

The ISP/ECTR Workaround: The New Broadband Rules May Be Not So Much What They’ll Sell, But What They Give Away

Senator Ed Markey and seven of his colleagues (Franken, Blumenthal, Warren, Sanders, Wyden, Leahy, and Van Hollen) just sent letters to major ISP providers (AT&T, Comcast, Charter, Verizon, Sprint, T-Mobile, and CenturyLink, the latter of which I find most interesting for the purposes of this post) regarding what practices they’ll follow in the wake of Congressional Review Act overturning President Obama’s broadband privacy rules.

The letters focus on a lot of consumer right issues — such as whether customers will learn of any changes in a provider’s privacy policy, the ability to opt in or out, forced arbitration, data breach provisions, and de-identification. That’s all great stuff and I look forward to the answers Markey gets; the information will be as useful as the information he has obtained from wireless providers about information they keep.

But towards the end, the letters include what I’ll call “Wyden questions,” not because I know they came from him, but because they address issues about which he has long been obsessed. There’s one on location, reflecting a concern that providers might presume consent from customers, resulting in the sharing of their location data with third parties.

Under Section 222 of the Communications Act, carriers may not disclose subscriber location information without the “express prior authorization of the customer”.  Over each of the last three years, how many times did your company disclose to third parties individually identifiable customer location data or other Customer Proprietary Network Information with a customer’s express prior authorization?  Does your company obtain the consent from the subscriber directly?  If not, and the third party obtains the consent (or claims they do), do you request or retain a copy of documentation showing that the customer provided such consent?

More interesting still is the question asking whether providers would retain and provide — in response to a National Security Letter — “netflow” records.

Many ISPs retain so called “netflow” records, related to their customers’ internet usage. Do you retain netflow records for your customers’ web browsing activity? If so, for how long do you retain them? Will you disclose netflow records pursuant to a National Security Letter, or only court orders?

Remember, on several occasions last year, Republicans tried to change the rules of National Security Letters so as to permit the FBI to demand providers to turn over “electronic communications transactional records” (ECTRs) with just a National Security Letter. The FBI always asks for ECTRs on NSLs, but a number of providers started refusing to turn them over in the wake of a 2008 OLC decision stating they weren’t included under the law. And Republicans have been trying to force through language that would permit FBI to always obtain such things.

While the discussion about ECTRs started by focusing on email and then moved to URLs, the possibility that FBI had been and wanted to obtain netflow data had been made apparent by — among other things — Nick Merrill’s efforts to declassify the NSL he received in 2004. As he described in a 2015 declaration,

Electronic communication service providers can also record internet “NetFlow” data. This data consists of a set of packets that travel between two points. Routers can be set to automatically record a list of all the NetFlows that they see, or all the NetFlows to or from a specific IP ,address. This NetFlow data can essentially provide a complete history of each electronic communications service used by a particular Internet user.

So in effect, this question (whether or not it comes from Wyden) would reflect a concern that that would become available if these providers were willing to respond to FBI’s requests for ECTRs, and may remain widely available because of the change in the broadband rules. It also reminds me of Wyden’s neverending quest to liberate an OLC memo John Yoo wrote as part of Stellar Wind, but which purportedly pertains to cybersecurity.

In wake of the broadband rule change, AT&T, Verizon, and Comcast (but not, for example, CenturyLink) have assured customers they won’t change their practices and won’t be selling individual customers’ data.

But I’m not seeing any of the providers making assurances about what they’ll be giving away to the government.

Working Thread: NSL IG Report

I give up. I’m going to have to do a working thread on the IG Report on FBI’s use of NSLs. Here goes. References are to page numbers, not PDF numbers (PDF numbers are page+15).

ix: The report noted that NSL numbers dropped off what they had been 2007 to 2009. It speculates that may have been because of heightened scrutiny. I wonder it wasn’t because they were misusing the phone and Internet dragnet programs and getting the information that way. In 2009, after which the NSL numbers grew again, Reggie Walton shut that option down.

x: About half of NSLs during this period were used to investigate USPs.

x: “certain Internet providers refused to provide electronic communication transactional records in response to ECPA NSLs.”

xii: They’re hiding the current status of permitting the use of NSLs to get journo contacts. Which would seem to confirm they are doing so.

xiii: They’re also hiding the status of the OLC memo they used to say they could get phone records voluntarily (see this post for why). They don’t hide things very well.

2: It just makes me nuts we’re only now reviewing NSL use from 2009. Know what has happened in the interim, for example? A key player in this stuff, Valerie Caproni, has become a lifetime appointed judge.

11: Report  notes that FBI tends to always use “overproduction” whether or not it was unauthorized or simply too broad.

17: Footnote 35 seems to suggest they have exceptions to the mandatory reporting requirements. What could go wrong?

39: So as recently as 2009, the tracking system did not alert OGC of manual NSLs in some percentage of the cases.

57 The numbers reported to Congress are off from the numbers shown to IG by as much as 2,800.

58: Love footnote 73, which aims to explain why the NSL numbers reported to Congress are significantly lower than those reported to OIG.

After reviewing the draft of this report, the FBI told the OIG for the first time that the NSL data provided to Congress would almost never match the NSL data provided to the OIG because the NSL data provided to Congress includes NSLs issued from case files marked “sensitive,” whereas the NSL data provided to the OIG does not. According to the FBI, the unit that provided NSL data to the OIG does not have access to the case files marked “sensitive” and was therefore unable to provide complete NSL data to the OIG. The assertion that the FBI provided more NSL data to Congress than to the OIG does not explain the disparities we found in this review, however, because the disparities we found reflected that the FBI reported fewer NSL requests to Congress than the aggregate totals.

The FBI just gives up on 100% accuracy in its NSL numbers.

After reviewing the draft of this report, the FBI told the OIG that while 100 percent accuracy can be a helpful goal, attempting to obtain 100 percent accuracy in the NSL subsystem would create an undue burden without providing corresponding benefits. The FBI also stated that it has taken steps to minimize error to the greatest extent possible.

59: On the discrepancies, OIG points out the obvious:

[T]he total number of manually generated NSLs that the FBI inspectors identified is relatively small compared to the total number of 30,442 NSL requests issued by the FBI that year. What remains unknown, however is, whether the FBI inspectors identified all the manually identified generally NSLs issued by the FBI or whether a significant number remains unaccounted for and unreported.

61: The database tracking 2007 requests — a year where there were discrepancies for 215 orders too — “is retired and unavailable.”

62: The report doesn’t have subscriber only data, which I suspect is obtained in bulk.

63: There is a significant change in the make-up of what FBI is getting in 2009, from subscriber records and toll and financial records in 2008 to toll records, then subscriber and electronic communication records in 2009. I strongly suspect that says some of the 214 and 215 collection moved to NSLs.

71: Apparently it was the release of an earlier OLC memo that led at least 2 Internet companies to refuse NSLs.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electornic communication transactional records because that term does not appear in subsection (b).

Read more

Where Does the Bulk Collection Under NSLs Happen?

Back in January, I noted that both the President’s Review Group and those behind the Leahy-Sensenbrenner USA Freedom Act seemed very concerned that the government is using NSLs to conduct bulk collection (which is the term I used, based off the fact that both made parallel changes to Section 215 and NSL collection). Both required (recommended, in the case of PRG) that the government fix that by requiring that NSL’s including language asserting that the particular information sought has a tie to the investigation in question, and some limits on the amount of information collected.

Here’s how the PRG phrased it.

Recommendation 2 We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that:

(1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and

(2) like a subpoena, the order is reasonable in focus, scope, and breadth.

The thing is, because NSLs haven’t shown up in any troves of leaked documents, we don’t know why USA Freedom original backers and PRG are so concerned NSLs today collect data beyond reasonable breadth (though IG reports done years ago raised big concerns, many of them about whether FBI was meeting the legal standards required).

We don’t know what kind of bulk collection they’re engaging in.

Because FBI — not NSA — primarily uses NSLs, we don’t know what the problem is.

I raise this now because — in addition to having planned on writing this post since January — of questions about whether the HjC HJC and HPSCI “reform” bills will really end what you and I (as distinct from the Intelligence Community) would consider bulk collection.

And NSL reporting — unlike that for Section 215 — provides some hints on where the bulk collection might be.

Here’s what the most recent FISA report to Congress says about (most) NSLs issued last year.

Requests Made for Certain Information Concerning Different United States Persons Pursuant to National Security Letter Authorities During Calendar Year 2013 (USA PATRIOT Improvement and Reauthorization Act of 2005, Pub. L. No. 109-177 (2006))

Pursuant to Section 118 of the USA PATRIOT Improvement and Reauthorization Act, Pub. L. 109-177 (2006), the Department of Justice provides Congress with annual reports regarding requests made by the Federal Bureau of Investigation (FBI) pursuant to the National Security Letter (NSL) authorities provided in 12 U.S.C. § 3414, 15 U.S.C. § 1681u, 15 U.S.C. § 1681v, 18 U.S.C § 2709, and 50 U.S.C. § 436.

In 2013, the FBI made 14,219 requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 5,334 different United States persons.2

2 In the course of compiling its National Security Letter statistics, the FBI may over-report the number of United States persons about whom it obtained information using National Security Letters. For example, NSLs that are issued concerning the same U.S. person and that include different spellings of the U.S. person’s name would be counted as separate U.S. persons, and NSLs issued under two different types of NSL authorities concerning the same U.S. person would be counted as two U.S. persons.

The report would seem to say that the 14,219 requests were based off requests about 5,334 US persons. That’s not really bulk collection, at least on its face! So where is the bulk collection PRG and USAF seem worried about?

It’s possible this report hides some bulk collection in a different Agency. The law requiring this report only requires DOJ to report on the number of requests DOJ made in the previous year.

 In April of each year, the Attorney General shall submit to Congress an aggregate report setting forth with respect to the preceding year the total number of requests made by the Department of Justice for information concerning different United States persons under–

(A) section 2709 of title 18, United States Code (to access certain communication service provider records), excluding the number of requests for subscriber information;

[the law goes on to list the other NSL provisions]

While DOJ’s report should cover both FBI and DEA, I suppose it’s possible that some other entities — not just NSA but also Treasury, NCTC, and CIA — are submitting NSLs themselves, particularly in the case of financial records (though I think Treasury doesn’t have to use NSLs to do this).

The other obvious place the language of the report hides bulk collection is in subscriber records. The law exempts subscriber information requests from the reporting pertaining to US persons. The FBI could be applying for what amount to phone books of all the subscribers of all the phone companies and Internet service providers in the United States and it wouldn’t show up in this report, even though those requests might pertain to hundreds of millions of US persons.

I assume to some extent it is doing this, because there must be a reason subscriber records were excluded from this law. And this would count as bulk collection even according to the Intelligence Community definition of the term.

Via the PRG, we can get a sense of how many such subscriber requests there are. It says FBI issued 21,000 NSLs in FY 2012.

FBI issued 21,000 NSLs in Fiscal Year 2012, primarily for subscriber information.

While the reporting period is different, DOJ reported that FBI obtained 15,229 NSLs in 2012. Which means the balance — so around 5,500 NSLs — would be for subscriber data. Even if only a significant fraction of those are for all of companies’ subscribers, that’s still a fairly comprehensive list of subscriber information across a broad range of providers.

Those 5,500 requests could each be 50 US persons or 120 million US persons; we don’t know. That would be pretty significant bulk collection. But not the same kind of privacy risk PRG seems to have in mind (and if that were the only problem, why change all 4 NSL statutes, as USA Freedom Act did and to the extent it makes a difference still does)?

Still, we know that even the other NSLs — the ones for which we have real data about how many US persons the NSLs “pertained to” — affected far more US persons. That’s because the Exigent Letters IG Report made it clear that two providers (one of these is AT&T, which did it routinely; see page 75ff) provided community of interest information — multiple hops of call records — in response to NSLs. In discovering that, DOJ’s IG complained that FBI was routinely getting information — the derivative call records — that it had not done a relevancy determination for, but it didn’t object across the board.

That concern about ensuring that records obtained via a national security request are “relevant” according to the plain meaning of the term sure seems quaint right now, doesn’t it?

But the potential that FBI is using NSLs to obtain derivative records off of the original selector would sure explain why PRG and Pat Leahy and others are concerned about NSLs (and what we would call — but IC wouldn’t — “bulk collection”).

I assume they can only do this with complicit providers (and I suspect this explains the rise of Section 215 orders with attached minimization requirements in recent years).

But if it happens in significant number at all, it would explain why Leahy and PRG consider it an equivalent problem to Section 215. Because it would mean FBI was using NSLs — not just with telecom and Internet records, but possibly with other things (though I don’t see how you could do this on credit reports) — to get data on associations several levels removed from the target of the NSL.

Here’s the immediate takeaway, though.

Aside from the phone book application (which is significant and I think would be curtailed given the HJC bill, unless FBI were to make requests of AT&T using “AT&T” as the selection term) and financial records (which I’m still thinking through), NSLs appear to include a great deal of “bulk” collection (that is, collection of innocent persons’ data based on association). But they appear to do so from specific identifiers.

And that will not be curtailed by the HJC bill, not at all. It is clear these requests for NSLs are already currently based off selectors — it shows in this reporting.

So at least for two uses of NSLs — credit reports and call details (but not subscriber records) — the House bill simply codifies the status quo.

Update: Here’s the financial records language on NSLs:

Financial institutions, and officers, employees, and agents thereof, shall comply with a request for a customer’s or entity’s financial records made pursuant to this subsection by the Federal Bureau of Investigation when the Director of the Federal Bureau of Investigation (or the Director’s designee in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director) certifies in writing to the financial institution that such records are sought for foreign counter intelligence  [2] purposes to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution of the United States.

It’s clearly intended to work for things that would be a selection term — “customer” or “entity” (which in this context would seem to be different from a customer!) — but I’m not sure it requires that the collection be based off the customer selection term.

When FBI Director Jim Comey Ate 20 Journalists for Lunch, NSL Edition

Yesterday, charismatic FBI Director Jim Comey had what was alternately described as a “lunchtime interview” and a “roundtable” with a bunch of journalists. (See NYT, ABC, AFP, NPR, McClatchy, HuffPo, LAT, WSJ, Politico, AP)

Where he proceeded to eat them for lunch.

While he addressed many topics, it appears one of his key goals was to lobby to keep National Security Letter authority as is rather than adopt the NSA Review Group’s recommended changes.

Here’s how Politico described it (I don’t mean to pick on Josh Gerstein; his was one of the most thorough reports of what Comey said, even in spite of writing one of the single bylined stories; the outlets above all published some version of this story.)

“The national security letter is not only among the most highly regulated things the FBI does, but a very important building block tool of our national security investigations,” Comey said. “What worries me about their suggestion that we impose a judicial procedure on NSLs, is that it would actually make it harder for us to do national security investigations than bank fraud investigations.”

Comey said applying to a judge for a letter to track down an internet user who made a post indicating an interest in carrying out a terrorist bombing would take days or perhaps weeks, even if more judges were added to the court.

“Being able to do it in a reasonably expeditious way is really important to our investigations. So one of my worries about the proposal in the review group is it would add or introduce a delay,” he said. The director did say he believed there was merit to the review panel’s suggestion that such national security letters not come with a permanent bar on the recipient discussing the order with anyone other than legal counsel.

“We ought to be able to work something out that adopts a nondisclosure regime that is more acceptable to a broader array of folks than the one we have now,” he said.

Comey acknowledged that the FBI process for issuing such letters was too lax several years ago, but insisted it has since been fixed and is now rigorous and heavily audited. “No doubt the process for NSLs was broken in some ways six years ago or longer. It is not broken today. And so I don’t know why we would make natioanls [sic] security investigations harder in that respect than criminal investigations,” he said. He also said doing so would likely encourage his agents to go through prosecutors to get a grand jury subpoena instead—a process that doesn’t require the same number of approvals. [my emphasis]

Here’s the problem with this (aside from the hilarious claims that a program with no external oversight is the most “highly regulated” thing the FBI does, as bolded).

The journalists all, without an exception I’ve found, permitted Comey to misrepresent the Review Group’s two recommendations pertaining to National Security Letters (though HuffPo did include additional reporting noting that two of the Review Group members were Comey’s law professors and he thinks their emphasis is on gag orders preventing recipients from discussing the orders).

I described what the Review Group’s NSL recommendations were here (Julian Sanchez also did a good post).

But to understand why this is important enough for me to be an asshole over, it helps to see Review Group Recommendation 1, affecting the Section 215 dragnet, next to Review Group Recommendation 2, affecting NSLs.

Recommendation 1

We recommend that section 215 should be amended to authorize the Foreign Intelligence Surveillance Court to issue a section 215 order compelling a third party to disclose otherwise private information about particular individuals only if [it  finds that

(1)] the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and

(2) like a subpoena, the order is reasonable in focus, scope, and breadth.

 

Recommendation 2

We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that:

(1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and

(2) like a subpoena, the order is reasonable in focus, scope, and breadth.

[punctuation and spacing altered in brackets]

That is, Recommendation 1 (affecting Section 215) and Recommendation 2 (affecting NSLs) are — in the clauses changing the standard of review to eliminate bulk collection — substantively exactly the same. And while the NSLs require judicial review to get to any enforceable of standard of review — which is definitely one huge proposed change to the NSLs — viewed together like this, it is clear that at least as significant a goal of the Review Group is to end bulk collection under any authority.

Particularly when you consider Recommendation 3, which recommends real minimization procedures for NSLs.

The Review Group recommended judicial review of NSLs, sure. But it also recommended either preventing or (given the likelihood this has been going on) eliminating  bulk collection.

And yet a room full of — in some cases — very good journalists allowed the FBI Director to criticize what they all reported as the Review Group’s recommendation that NSL’s undergo judicial review without even mentioning he misrepresented the recommendation, addressing only a fraction of what the Review Group recommended.

Read more

To Justify Dragnet, FBI Implies It Can’t File 300 More NSLs in a Year

So Mark Hosenball just reported this, uncritically.

The U.S. government only searched for detailed information on calls involving fewer than 300 specific phone numbers among the millions of raw phone records collected by the National Security Agency in 2012, according to a government paper obtained by Reuters on Saturday.

As Jim Sensenbrenner noted the other day, if the government is doing only what it says it is with the database — finding US persons who are in contact with suspected terrorists — the FBI could use a grand jury subpoena or a National Security Letter to do so. Collecting all the phone records of Americans would only be required if the FBI were doing so many checks such a process became onerous.

Except that the FBI routinely gets upwards of 10,000 NSLs a year. Adding these 300 would be a drop in the bucket.

So the difficulty of getting NSLs can’t be the problem.

Which suggests the 300 claim is implicit acknowledgment they’re doing something more with this data than they’re letting on.

Did the Government “Know Who Journalists Are Talking To” in the Kiriakou Investigation?

As I laid out in this post, the complaint in the Jon Kiriakou case shows that the Patrick Fitzgerald-led investigative team could have found Kiriakou as the ultimate source for some Gitmo detainee lawyers’ information on two people associated with the torture program without accessing journalists’ communications directly (though the FBI has the contents two of Kiriakou’s email accounts, which likely contain a great deal of communication with journalists).

The sole possible exceptions are two emails between Journalist A and the Gitmo detainee lawyers’ investigator:

At 11:31 a.m. on August 19, 2008, approximately two hours after KIRIAKOU disclosed Covert Officer A’s last name to Journalist A, Journalist A sent an email to the defense investigator referenced above that contained Covert Officer
A’s full name in the subject line. The email further stated: “His name is [first and last name of Covert Officer A].” At 1:35 p.m., Journalist A sent a final email to the defense investigator in which he stated: “my guy came through with his memory.” Neither Journalist A nor any other journalist to my knowledge has published the name of Covert Officer A.

[snip]

For example, in an email dated April 10, 2008, Journalist A provided the defense investigator with Officer B’s home phone number.

The implication in the complaint is that the FBI got these emails from the investigator. But unlike Kiriakou’s emails, which it explains were, “recovered from search warrants served on two email accounts associated” with Kiriakou, the complaint doesn’t explain how and from whom the FBI obtained the emails between Journalist A and the defense team investigator.

Nevertheless, the complaint provides fairly innocuous possible explanations for how the FBI got a whole lot of emails involving journalists for this investigation. So maybe we have nothing to worry about.

Or maybe we do. It is also possible the government collected all communications within two degrees of separation from the defense investigator–thereby exposing a wide range of journalists’ sources–and we’d never know it.

That’s true for two reasons.

First, because this investigation is the first known leak investigation that has extended into the period–post October 15, 2011–during which the new Domestic Investigation and Operations Guide was in effect. The new DIOG made it a lot easier to use National Security Letters to get the contact information of journalists in investigations, like this one, with a national security nexus.

[T]he new DIOG seems to make it a lot easier to get news media contact records in national security investigations. A heavily-redacted section (PDF 166) suggests that in investigations with a national security nexus (so international terrorism or espionage, as many leak cases have been treated) DOJ need not comply with existing restrictionsrequiring Attorney General approval before getting the phone records of a journalist. The reason? Because NSLs aren’t subpoenas, and that restriction only applies to subpoenas.

Department of Justice policy with regard to the issuances of subpoenas for telephone toll records of members of the news media is found at 28 C.F.R. § 50.10. The regulation concerns only grand jury subpoenas, not National Security Letters (NSLs) or administrative subpoenas. (The regulation requires Attorney General approval prior to the issuance of a grand jury subpoena for telephone toll records of a member of the news media, and when such a subpoena is issued, notice must be given to the news media either before or soon after such records are obtained.) The following approval requirements and specific procedures apply for the issuance of an NSL for telephone toll records of members of the news media or news organizations. [my emphasis]

So DOJ can use NSLs–with no court oversight–to get journalists’ call (and email) records rather than actually getting a subpoena.

Read more

Throwing our PATRIOT at Assange

Last week, U.S. Attorney General Eric Holder admitted what bmaz laid out yesterday — the problems with prosecuting WikiLeaks’ Julian Assange under the Espionage Act. But at the same time, he said, the Espionage Act may play a role in a possible Assange indictment.

“I don’t want to get into specifics here, but people would have a misimpression if the only statute you think that we are looking at is the Espionage Act,” Mr. Holder said Monday at a news conference. “That is certainly something that might play a role, but there are other statutes, other tools that we have at our disposal.”

So even with all the problems in applying the Espionage Act to Assange, Holder is still invoking the provision in his discussion of the “tools that we have at our disposal” to combat Assange.

Legally, the stance could have import beyond the question of whether or not they can indict him.

Consider, for example, this language on the National Security Letter provision of the PATRIOT Act, which allows the FBI, with no court oversight, to require financial service and telecommunications providers to  turn over data pertaining to any investigation the Department of Justice asserts is an espionage investigation:

A wire or electronic communication service provider shall comply with a request for subscriber information and toll billing records information, or electronic communication transactional records in its custody or possession made by the Director of the Federal Bureau of Investigation under subsection (b) of this section.

The Director of the Federal Bureau of Investigation, or his designee in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director, may—

request the name, address, length of service, and local and long distance toll billing records of a person or entity if the Director (or his designee) certifies in writing to the wire or electronic communication service provider to which the request is made that the name, address, length of service, and toll billing records sought are relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States; [my emphasis]

Or this language from Section 215 of the PATRIOT Act, which allows the FBI, with FISA Court approval, to require private businesses to secretly turn over a broad range of business records or tangible items pertaining to any investigation DOJ asserts is an espionage investigation.

The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution. [my emphasis]

Between these two provisions, the government can collect a wide range of information on US persons — things like donations via credit card and server data — simply by claiming the investigation involves spying. They don’t have to even claim there’s a connection between those US persons making those donations or accessing the particular server and the alleged spy. They don’t have to prove that the case involves spying or that they have the ability to indict under the Espionage Act. They only have to claim they are pursuing an authorized — ultimately, the AG does the authorizing — investigation to protect against spying.

Which is what the Attorney General is suggesting here, that they are investigating Assange and the Espionage Act might play a role.

Mind you, they’d also have to claim (to themselves, in the case of the NSL, to FISC in the case of Section 215) that they were collecting data on a US person for reasons above and beyond that person’s First Amendment right to read stuff on the InterToobz or donate to people the government is loosely alleging may be sort of like a spy. Mind you, if the government did collect — say — the names of Americans donating to WikiLeaks via MasterCard or Visa or Paypal, or the names of Americans accessing the WikiLeaks site for the day Amazon hosted it, those people might have a great lawsuit claiming they had been targeted for First Amendment protected activities.

If they ever found out they were targeted.

But of course, we don’t have any way of knowing whether the government decided to use the PATRIOT Act provisions allowing them to collect data on Americans so long as they assert a connection to an Espionage investigation. Because that all remains secret.

Now, I have no idea whether the government is doing this (though I could imagine that if financial service providers like MasterCard and Visa got a really onerous request from DOJ, they might choose to end their relationship with Assange rather than provide ongoing compliance with the DOJ request).

But it seems these PATRIOT provisions are just the tip of the iceberg of potential investigative techniques they could have access to (FISA wiretaps are another) based on the stance that DOJ is investigating Assange for spying, whether or not they ever intend to charge him with spying.

China Google Attack and the Terrorist Surveillance Program

thumb.phpAs you may know, there was quite a lot of buzz this week about Google potentially leaving China over the hacking of Google’s system. From MSNBC/Reuters:

Google, the world’s top search engine, said on Tuesday it might shut down its Chinese site, Google.cn, after an attack on its infrastructure it believed was primarily aimed at accessing the Google mail accounts of Chinese human rights activists.

Unlike ordinary viruses that are released into cyberspace and quickly spread from computer to computer, the type of attack launched against Google and at least 20 other companies were likely handcrafted uniquely for each targeted organization.

It appears to be a problem that is quite deep according to an in depth article in MacWorld:

Google, by implying that Beijing had sponsored the attack, has placed itself in the center of an international controversy, exposing what appears to be a state-sponsored corporate espionage campaign that compromised more than 30 technology, financial and media companies, most of them global Fortune 500 enterprises.

The U.S. government is taking the attack seriously. Late Tuesday, U.S. Secretary of State Hillary Clinton released a statement asking the Chinese government to explain itself, saying that Google’s allegations “raise very serious concerns and questions.”

But the Macworld article goes on to explain why the United States government may be taking this much more seriously than they let on:

“First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses – including the Internet, finance, technology, media and chemical sectors – have been similarly targeted,” wrote Google Chief Legal Officer David Drummond in a Tuesday blog posting.

“Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.”

Drummond said that the hackers never got into Gmail accounts via the Google hack, but they did manage to get some “account information (such as the date the account was created) and subject line.”

That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press.

“Right before Christmas, it was, ‘Holy s***, this malware is accessing the internal intercept [systems],'” he said.

Uh, “account information”, “subject line”, “search warrants” and “intercept systems”. That ring a bell? This appears to indicate that the state-sponsored Chinese hackers have hacked into the portion of the Google infrastructure that deals with government warrants, intercepts, national security letters and other modalities pertinent to the Terrorist Surveillance Program. That, if true, could be very problematic, one would think.

Now, this is based upon information and belief, but it is my understanding that Google doesn’t store any gmail data in China, which means that this search warrant/intercept machine was located in the US, likely in Mountain View California

That is, if Google’s Mountain View HQ search warrant search interface/computer was hacked, we are probably talking about the same computer used by the Google Legal Department to perform queries in response to DOJ warrants, subpoenas, national security letters, and FISA orders.

Yeah, if that is the case it could be a problem.