Jim Comey Makes Bogus Claims about Privacy Impact of Electronic Communications Transaction Record Requests

215 tracker

On November 30, Nicholas Merrill was permitted, for the first time, to unseal the NSL he received back in 2004. That request asked for:

the names, addresses, lengths of service and electronic communication transaction records [ECTR], to include existing transaction/activity logs and all e-mail header information (not to include message content and/or subject fields) for [the target]

The unsealing of the NSL confirmed what has been public since 2010: that the FBI used to (and may still) demand ECTRs from Internet companies using NSLs.

On December 1, House Judiciary Committee held a hearing on a bill reforming ECPA that has over 300 co-sponsors in the House; on September 9, Senate Judiciary Committee had its own hearing, though some witnesses and members at it generally supported expanded access to stored records, as opposed to the new restrictions embraced by HJC.

Since then, a number of people are arguing FBI should be able to access ECTRs again, as they did in 2004, with no oversight. One of two changes to the version of Senator Tom Cotton’s surveillance bill introduced on December 2 over the version introduced on November 17 was the addition of ECTRs to NSLs (the other was making FAA permanent).

And yesterday, Chuck Grassley (who of course could shape any ECPA reform that went through SJC) invited Jim Comey to ask for ECTR authority to be added to NSLs.

Grassley: Are there any other tools that would help the FBI identify and monitor terrorists online? More specifically, can you explain what Electronic Communications Transactions Record [sic], or ECTR, I think that’s referred to, as acronym, are and how Congress accidentally limited the FBI’s ability to obtain them, with a, obtain them with a drafting error. Would fixing this problem be helpful for your counterterrorism investigations?

Comey: It’d be enormously helpful. There is essentially a typo in the law that was passed a number of years ago that requires us to get records, ordinary transaction records, that we can get in most contexts with a non-court order, because it doesn’t involve content of any kind, to go to the FISA Court to get a court order to get these records. Nobody intended that. Nobody that I’ve heard thinks that that’s necessary. It would save us a tremendous amount of work hours if we could fix that, without any compromise to anyone’s civil liberties or civil rights, everybody who has stared at this has said, “that’s actually a mistake, we should fix that.”

That’s actually an unmitigated load of bullshit on Comey’s part, and he should be ashamed to make these claims.

As a reminder, the “typo” at issue is not in fact a typo, but a 2008 interpretation from DOJ’s Office of Legal Counsel, which judged that FBI could only get what the law said it could get with NSLs. After that happened — as a DOJ IG Report laid out in detail last year — a number of (but not all) tech companies started refusing to comply with NSLs requesting ECTRs, starting in 2009.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

Even before that, in 2007, FBI had developed a new definition of what it could get using NSLs. Then, in 2010, the Administration proposed adding ECTRs to NSLs. Contrary to Comey’s claim, plenty of people objected to such an addition, as this 2010 Julian Sanchez column, which he could re-release today verbatim, makes clear.

They’re calling it a tweak — a “technical clarification” — but make no mistake: The Obama administration and the FBI’s demand that Congress approve a huge expansion of their authority to obtain the sensitive Internet records of American citizens without a judge’s approval is a brazen attack on civil liberties.

[snip]

Congress would be wise to specify in greater detail just what are the online equivalents of “toll billing records.” But a blanket power to demand “transactional information” without a court order would plainly expose a vast range of far more detailed and sensitive information than those old toll records ever provided.

Consider that the definition of “electronic communications service providers” doesn’t just include ISPs and phone companies like Verizon or Comcast. It covers a huge range of online services, from search engines and Webmail hosts like Google, to social-networking and dating sites like Facebook and Match.com to news and activism sites like RedState and Daily Kos to online vendors like Amazon and Ebay, and possibly even cafes like Starbucks that provide WiFi access to customers. And “transactional records” potentially covers a far broader range of data than logs of e-mail addresses or websites visited, arguably extending to highly granular records of the data packets sent and received by individual users.

As the Electronic Frontier Foundation has argued, such broad authority would not only raise enormous privacy concerns but have profound implications for First Amendment speech and association interests. Consider, for instance, the implications of a request for logs revealing every visitor to a political site such as Indymedia. The constitutionally protected right to anonymous speech would be gutted for all but the most technically savvy users if chat-forum participants and blog authors could be identified at the discretion of the FBI, without the involvement of a judge.

That legislative effort didn’t go anywhere, so instead (the IG report explained) FBI started to use Section 215 orders to obtain that data. That constituted a majority of 215 orders in 2010 and 2011 (and probably has since, creating the spike in numbers since that year, as noted in the table above).

Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

But the other reason Comey’s claim that getting this from NSLs would not pose “any compromise to anyone’s civil liberties or civil rights” is bullshit is because the migration of ECTR requests to Section 215 orders also appears to have led the FISA Court to finally force FBI to do what the 2006 reauthorization of the PATRIOT Act required it to do: minimize the data it obtains under 215 orders to protect Americans’ privacy.

By all appearances, the rubber-stamp FISC believed these ECTR requests represented a very significant compromise to people’s civil liberties and civil rights and so finally forced FBI to follow the law requiring them to minimize the data.

Which is probably what this apparently redoubled effort to let FBI obtain the online lives of Americans (remember, this must be US persons, otherwise the FBI could use PRISM to obtain the data) using secret requests that get no oversight is about: an attempt to bypass whatever minimization procedures — and the oversight that comes with them — the FISC imposed.

And remember: with the passage of USA Freedom Act, the FBI doesn’t have to wait to get these records (though they are probably prospective, just like the old phone dragnet was), they can obtain an emergency order and then fill out the paperwork after the fact.

For some reason — either the disclosure in Merrill’s suit that FBI believed they could do this (which has been public since 2010 or earlier), or the reality that ECPA will finally get reformed — the Intelligence Community is asserting the bogus claims they tried to make in 2010 again. Yet there’s even more evidence than there was then that FBI wants to conduct intrusive spying without real oversight.

FBI Redacted Passages Showing Judge Mocking Its Stupid Claims

As I noted earlier, today Nicholas Merrill was finally able to reveal the things he was requested to turn over to the FBI in response to a National Security Letter he received 11 years ago.

The expiration of his gag order also allowed him to publish an unredacted copy of the ruling ending the gag, which was released in redacted form in September. Comparing the two lets us see what the government believed had to be redacted in September. Not only does it show how ridiculous FBI’s claims of secrecy were, but it also makes clear that FBI used such claims to hide the fact that the judge in the case, Victor Marrero, was mocking the stupidity of its claims.

The most important new disclosure is that the FBI no longer uses NSLs to get location information and that it considered location information to be included among log files. (In all passages, I have underlined what the government originally redacted.)

Additionally, the Government seeks to keep some information redacted despite publicly conceding that those types of records (i.e., “radius log” information, which is cell-tower based phone tracking information) are no longer sought through NSLs. Yet the Government still argues that this information should remain redacted because it would reveal techniques that might be used at some undetermined time under a hypothetical policy promulgated by a future administration.

More stunning is that the government wanted to hide that it can obtain daytime and evening phone numbers with one NSL.

For example, the Government seeks to prevent Merrill from disclosing that the Attachment requested “Subscriber day/evening telephone numbers” even though the Government now concedes that the phrase “telephone number” can be disclosed. The Court is not persuaded that there is a “good reason” to believe that disclosure of the fact that the Government can use NSLs to seek both day and evening telephone numbers could result in an enumerated harm, especially if it is already publicly known that the Government can use NSLs to obtain a telephone number, more generally.

By golly if the terrorists realize the FBI knows some people have separate work numbers, they’re sure to win!

Demands like this clearly tanked the government’s credibility with Judge Marrero, because he kicked their ass about the absurdity of some claims, such as their attempt to redact the “s” indicating that the FBI would ask for telephone numbers, plural.

As another example of the extreme and overly broad character of these redactions, the Government apparently believes that while the public can know that it seeks records of an “address” and a “telephone number,” there is a “good reason” to prevent disclosure of the fact that the Government can seek “addresses” and “telephone numbers.” (See Gov’t Mem. Attach.) In any event, based on the Government’s redactions alone, a potential target of an investigation, even a dim-witted one, would almost certainly be able to determine, simply by running through the alphabet, that “telephone numberll” could only be “telephone numbers.” Redactions that defy common sense such as concealing a single letter at the end of a word diminish the force of the Government’s claim to “good reason” to keep information under seal, and undermine its argument that disclosure of the currently-redacted information in the Attachment can be linked to a substantial risk of an enumerated harm.

Marrero then reminded the FBI that they had claimed they were chasing “sophisticated foreign adversaries,” not dim-witted terrorists.

Therefore, it strains credulity that future targets of other investigations would change their behavior in light of the currently-redacted information, when those targets (which, according to the Government, include “sophisticated foreign adversaries,” see Perdue Decl. ¶ 56) have access to much of this same information from other government divisions and agencies.

And he revealed that their declarant was demanding things they had already disclosed be kept secret.

10 Also interestingly, the Perdue Declaration argues that the category of “[a]ny other information which [the recipient] consider[s] to be an electronic communication transactional record” should not be disclosed. (See Perdue Decl. ¶ 70.) However, this category was not redacted by the Government in its submissions or even in the Perdue Declaration.

Here’s the thing though: the last two of these redactions were not hiding secret information at all. Instead, they (plus the phone number comments, though technically those included top secret information about the FBI obtaining telephone numbers, plural) served to hide the fact that Marrero was making fun of the FBI’s batshit claims.

Opinions may vary about whether the FBI’s 11-year fight to hide the fact it knows some people have work phone numbers was an appropriate use of secrecy. But hiding that a judge is mocking your stupid claims doesn’t fit under any legal use of classification. It’s abuse, pure and simple.

FBI Asks for at Least Eight Correlations with a Single NSL

After 11 years and a number of lawsuits, Nicholas Merrill is finally permitted to release the National Security Letter he received from the FBI in 2004. Here’s the list of things the FBI asked for about one of Merrill’s ISP customers.

  • DSL account information
  • Radius log
  • Subscriber name and related subscriber information
  • Account number
  • Date the account opened or closed
  • Addresses associated with the account
  • Subscriber day/evening telephone numbers
  • Screen names or other on-line names associated with the account
  • Order forms
  • Records relating to merchandise orders/shipping information for the last 180 days
  • All billing related to account
  • Internet service provider (ISP)
  • All e-mail addresses associated with account
  • Internet Protocol (IP) address assigned to the account
  • All website information registered to the account
  • Uniform resource locator (URL) address assigned to the account
  • Any other information which you consider to be an electronic communication transactional record

Perhaps the most alarming thing — though it is by no means a surprise — is that they asked for the radius log of IPs accessing the site, which would provide the traffic for a given website.

But because I’m interested in how the FBI and NSA correlate identifiers — match a person’s various IDs together, so as to be able to put together a complete picture of that person — I wanted to highlight the many different kinds of correlations they would get here: 1) subscriber name, 2) addresses, 3) telephone numbers, 4) screen names, 5) billing (which would include credit card or bank information), 6) email addresses, 7) IP addresses, 8) URL. That’s 8 different correlations (most of which can and in some cases would bring up multiple pieces of information) that one NSL obtains. And for most of those (plus the DSL and ISP), there’d be a similar set of identifiers available from another provider.

This is what the government means when it does “connection” chaining: gluing every fragment of your online life together to see it all.

Update: In a press conference on this release (and in the unredacted court opinion), Merrill revealed the FBI considered cell site location to be included in radius log. He explained that URL searches would be included in cached traffic under the electronic communication transactional record.

John Doe Ungagged: Nicholas Merrill Wins the Right to Reveal Contents of 11-Year Old National Security Letter

Nicholas Merrill, who first challenged a National Security Letter 11 years ago, has won the right to talk about what he was ordered to turn over to the FBI in 2004. A key holding from the decision is that private citizens — as distinct from government officials who have signed non-disclosure agreements — cannot be prevented from talking about stuff that the government, as a whole, has already released.

A private citizen should be able to disclose information that has already been publicly disclosed by any government agency — at least once the underlying investigation has concluded and there is no reason for the identities of the recipient and target to remain secret. Otherwise, it would lead to the result that citizens who have not received such an NSL request can speak about information that is publicly known (and acknowledged by other agencies), but the very individuals who have received such NSL requests and are thus best suited to inform public discussion on the topic could not. Such a result would lead to “unending secrecy of actions taken by government officials” if private citizens actually affected by publicly known law enforcement techniques could not discuss them.

The judge in the case, Victor Marrero, gave the government 90 days to appeal. If they don’t (?!?!), Merrill will finally be ungagged after 11 years of fighting.

As noted, the FBI served the NSL back in 2004, when Merrill ran a small Internet Service Provider. Merrill sued under the name John Doe. He twice won court rulings that the gag orders were unconstitutional. But it wasn’t until 2010 that he was allowed to ID himself as Doe, and it wasn’t until 2014 — a decade after receiving the NSL — that he was able to tell the person whose records the FBI wanted. Even then, even after Edward Snowden revealed the need for more transparency about these things, the government fought Merrill’s demand to disclose what he had been asked to turn over, which was included in an attachment to the NSL itself.

See this post and this post for background on Merrill’s renewed fight to disclose how much FBI has demanded under an NSL.

Marrero found that the government just didn’t have really good reasons to gag this information, especially given that substantially similar information had been given out by other government agencies, and especially since the government admits it is only trying to hide the information from future targets, not anyone tied to the investigation that precipitated the NSL over a decade ago.

For the reasons discussed below, the court finds that the Government has not satisfied its burden of demonstrating a “good reason” to expect that disclosure of the NSL Attachment in its entirety will risk an enumerated harm, pursuant to Sections 2709 and 3511.

[snip]

The Government argues that disclosure of the Attachment would reveal law enforcement techniques that the FBI has not acknowledged in the context of NSLs, would indicate the types of information the FBI deems important for investigative purposes, and could lead to potential targets of investigations changing their behavior to evade law enforcement detection. (See Gov’t Mem. at 6.) The Court agrees that such reasons could, in some circumstances, constitute “good” reasons for disclosure.

[snip]

The Government’s justifications might constitute “good” reasons if the information contained in the Attachment that is still redacted were not, at least in substance even if not in the precise form, already disclosed by government divisions and agencies, and thus known to the public. Here, publicly-available government documents provide substantially similar information as that set forth in the Attachment. For that reason, the Court is not persuaded that it matters that these other documents were not disclosed by the FBI itself rather than by other government agencies, and that they would hold significant weight for a potential target of a national security investigation in ascertaining whether the FBI would gather such information through an NSL. The documents referred to were prepared and published by various government divisions discussing the FBI’s authority to issue NSLs, the types of materials the FBI seeks, and how to draft NSL requests.

[snip]

Now, unlike earlier iterations of this litigation, the asserted Government interest in keeping the Attachment confidential is based solely on protecting law enforcement sensitive information that is relevant to future or potential national security investigations.

[snip]

[I]t strains credulity that future targets of other investigations would change their behavior in light of the currently-redacted information, when those targets (which, according to the Government, [redacted] see Perdue Decl. ¶ 56) have access to much of this same information from other government divisions and agencies.

Effectively, Marrero is arguing that since the government has asserted potential national security targets are good at putting 2 plus 2 together, and 2 and 2 are already in the public domain, any targets can already access the information in the attachment.

Marrero’s quotations from already released documents and the redactions from the attachment make it clear the government is trying to hide they were getting activity logs…

And the various identities tied to an account (which we know the government matches to better be able to map activity across multiple identities).

I’ll lay more of this out shortly — effectively, Marrero has already done the mosaic work for targets, even without the attachment (though I suspect what the government is really trying to prevent is release of a document defendants can point to to support discovery requests).

Ultimately, Marrero points to the absurd — and dangerous, for a democracy — position that would result if the government were able to suppress this already public information.

If the Court were to find instead that the Government has met its burden of showing a good reason for nondisclosure here, could Merrill ever overcome such a showing? Under the Government’s reasoning, the Court sees only two such hypothetical circumstances in which Merrill could prevail: a world in which no threat of terrorism exists, or a world in which the FBI, acting on its own accord and its own time, decides to disclose the contents of the Attachment. Such a result implicates serious issues, both with respect to the First Amendment and accountability of the government to the people.

Especially at a time when the President claims to want to reverse the practice of forever gags on NSLs, Marrero finds such a stance untenable.

Let’s see whether the government doubles down on secrecy.

FBI Doesn’t Want You To Know It Uses NSLs to “Correlate” All the Identities You Use Online

Back in March, I parsed the declaration Nicholas Merrill submitted in his bid to reveal the contents of what he was asked to turn over via an NSL back in 2004. As a reminder, here’s what FBI permitted Merrill to reveal at the beginning of this suit.

And here’s Merrill’s description of what kind of records his ISP, Calyx, might have had on customers.

Calyx Internet Access, like most ISPs, collected a wide array of information about its clients. For a given client, we may have collected their [1] name, [2] address and [3] telephone number; [4] other addresses associated with the account; [5] email addresses associated with the account; [6] IP addresses associated with the account; [7] Uniform Resource Locator (URL) addresses assigned to the account; [8] activity logs for the account; [9] logs tracking visitors to the client’s website; [10] the content of a client’s electronic communications; [11] data files residing on Calyx’s server; [12] the client’s customer list; [13] the client’s bank account and [14] credit card numbers; [15] records relating to merchandise bought and sold; and the [16] date the account was opened or closed. [numbers 1 through 16 added]

FBI has submitted a counter-declaration (posted by Cryptome) that — even in its excessively redacted form — includes a number of interesting details.

FBI’s limited new admission

The FBI now concedes that it had publicly confirmed some aspects of what it asked for from Merrill. It specifically admits that “screen names or other online names associated with the account” and “all email addresses associated with the account” may be disclosed, as well as that the request involved an “account number” from an “Internet service provider” (though in the sections that must describe these requests, those phrases remain redacted).

In addition, this paragraph appears without redaction:

The NSA issued to [Merrill’s ISP] Calyx requested “the names, addresses, lengths of service and electronic communication transaction records, to include existing transaction/activity logs and all e-mail header information (not to include message content and/or subject fields)” for the email account [email protected].

FBI disses Merrill for interacting with his ISP client

Part of — potentially a big part of — the declaration seems to insinuate that Merrill’s lawsuit should be distrusted because he had a personal relationship with the target of the NSL. It describes,

Merrill stated that he previously “engaged in ongoing communications with [redacted] on a variety of issues,” including “topics related to politics and current events.”

Interestingly, the declaration makes clear the NSL — which was almost certainly authorized as a terrorism investigation — was authorized in Pittsburgh. I raise that because Pittsburgh’s FBI office was investigating a number of anti-war targets as terrorists in the 2004-timeframe. So I do wonder whether Merrill thought the investigation improper for that reason.

FBI mentions just one kind of Internet production as having moved to Section 215 orders

As I’ve noted, we know some production obtained until 2009 using NSLs has moved under Section 215. This paragraph seems to acknowledge that, even while saying the FBI may ignore what the Office of Legal Counsel has told it ECPA permits FBI to obtain using an NSL.

Merrill NSL to 215 paragraph

Curiously, this pertains only to the second bullet of the request (above), of 17 categories of information, suggesting just one kind of production moved to Section 215 orders.

FBI doesn’t want you to know how much of your activities it can correlate by going to your ISP

The FBI has a separate paragraph addressing why it cannot reveal the other 15 categories of information it requested from Merrill 11 years ago. The paragraphs are worth reading, because they’re each somewhat different. Some say not just counterterrorism and counterintelligence investigations might be affected with the release of the information, some claim greater use than others, some warn that potential criminals might avoid turning over certain kinds of information (perhaps an alternate email or phone number?) if they knew it could be obtained via an NSL.

All seem to pretend that a lot of this isn’t already available from exhibits submitted in other cases.

As I noted in this post, for example, here’s what the government obtains from Google subpoenaing a Google voice account and then the underlying Google account as a whole.

[T]he two reports Google provided in response to administrative subpoenas for information on Shantia Hassanshahi, the guy caught using the DEA phone dragnet (these were subpoenas almost certainly used to parallel construct data obtained from the DEA phone dragnet and PRISM targeted at the Iranian, “Sheikhi,” they found him through), included:

  • a primary gmail account
  • two secondary gmail accounts
  • a second name tied to one of those gmail accounts
  • a backup email (Yahoo) address
  • a backup phone (unknown provider) account
  • Google phone number
  • Google SMS number
  • a primary login IP
  • 4 other IP logins they were tracking
  • 3 credit card accounts
  • Respectively 40, 5, and 11 Google services tied to the primary and two secondary Google accounts, much of which would be treated as separate, correlated identifiers

There’s surely a significant overlap between this list and the things FBI says Merrill can’t reveal because if he did, it would tip off intelligence and criminal targets that the FBI can obtain them (though as Merrill made clear in his description of what Calyx had to turn over, they had more details about the websites run under an account).

Ultimately, though, the FBI seems to want to prevent anyone from realizing how much information your Internet providers have — and can be forced to turn over — that correlate all your multiple identities online.

FBI’s false transparency going forward

There’s one more really funny part of this declaration. It notes that Office of Director of National Intelligence released a report in February claiming that “the FBI will now presumptively terminate National Security Letter nondisclosure orders at the earlier of three years after the opening of a fully predicated investigation or the investigation’s close.”

But it says it won’t have to comply with that policy for this NSL because “the investigation at issue here was closed prior to the implementation of the policy.”

One would think that they would reveal all these categories of information going forward if they were really going to comply with ODNI’s order.

Unless the FBI has already started to change the way they write NSLs (or perhaps plan on leaving more to verbal communications with Agents or some other means of communicating the list without including these descriptions) so as to get all the information without stating that they’re demanding all that information.

Section 215’s Multiple Programs and Where They Might Hide after June 1

In a column explicitly limited to the phone dragnet, Conor Friedersdorf pointed to a post I wrote about Section 215 generally and suggested I thought the phone dragnet was about to get hidden under a new authority.

Marcy Wheeler is suspicious that the Obama Administration is planning to continue the dragnet under different authorities.

But my post was about more than just the phone dragnet. It was about two things: First, the way that, rather than go “cold turkey” after it ended the Internet dragnet in 2011 as the AP had claimed, NSA had instead already started doing the same kind of collection using other authorities that — while they didn’t collect all US traffic — had more permissive rules for the tracking they were doing. That’s an instructive narrative for the phone dragnet amid discussions it might lapse, because it’s quite possible that the Intelligence Community will move to doing far less controlled tracking, albeit on fewer Americans, under a new approach.

In addition, I noted that there are already signs that the IC is doing what Keith Alexander said he could live with a year ago: ending the phone dragnet in exchange for cybersecurity information sharing. I raised that in light of increasing evidence that the majority of Section 215 orders are used for things related to cybersecurity (though possibly obtained by FBI, not NSA). If that’s correct, Alexander’s comment would make sense, because it would reflect that it is working cybersecurity investigations under protections — most notably, FISC-supervised minimization — all involved would rather get rid of.

Those two strands are important, taken together, for the debate about Section 215 expiration, because Section 215 is far more than the dragnet. And the singular focus of everyone — from the press to activists and definitely fostered by NatSec types leaking — on the phone dragnet as Section 215 sunset approaches makes it more likely the government will pull off some kind of shell game, moving the surveillances they care most about (that is, not the phone dragnet) under some new shell while using other authorities to accomplish what they need to sustain some kind of phone contact and connection chaining.

So in an effort to bring more nuance to the debate about Section 215 sunset, here is my best guess — and it is a guess — about what they’re doing with Section 215 and what other authorities they might be able to use to do the same collection.

Here are the known numbers on how Section 215 orders break out based on annual reports and this timeline.

[Image: 215 Tracker]

The Phone Dragnet

Since its transfer under Section 215 in 2006, the phone dragnet has generally made up 4 or 5 orders a year (Reggie Walton imposed shorter renewal periods in 2009 as he was working through the problems in the program). 2009 is the one known year where many of the modified orders — which generally involve imposed minimization procedures — were phone dragnet orders.

We know that the government believes that if Section 215 were to sunset, it would still have authority to do the dragnet. Indeed, it not only has a still-active Jack Goldsmith memo from 2004 saying it can do the dragnet without any law, it sort of waved it around just before the USA Freedom Act debate last year as if to remind those paying attention that they didn’t necessarily think they needed USAF (in spite of comments from people like Bob Litt that they do need a new law to do what they’d like to do).

But that depends on telecoms being willing to turn over the dragnet data voluntarily. While we have every reason to believe AT&T does that, the government’s inability to obligate Verizon to turn over phone records in the form it wants them is probably part of the explanation for claims the current dragnet is not getting all the cell records of Americans.

A number of people — including, in part, Ron Wyden and other SSCI skeptics in a letter written last June — think the government could use FISA’s PRTT authority (which does not sunset) to replace Section 215. While it certainly could get phone records using it, if the government could use PRTT to get what it wants, it probably would have been doing so going back to 2006 (the difference in authority is that PRTT gets actual activity placed, whereas 215 can only get records maintained; Verizon isn’t maintaining the records the government would like it to, and PRTT could not get 2 hops).

For calls based off a foreign RAS, the government could use PRISM to obtain the data, with the added benefit that using PRISM would include all the smart phone data — things like address books, video messaging, and location — that the government surely increasingly relies on. Using PRISM to collect Internet metadata is one of two ways the government replaced the PRTT Internet dragnet. The government couldn’t get 2 hops and couldn’t chain off of Americans, however.

I also suspect that telecoms’ embrace of supercookies may provide other options to get the smart phone data they’re probably increasingly interested in.

For data collected offshore, the government could use SPCMA, the other authority the government appears to have replaced the PRTT Internet dragnet with. We know that at least one of the location data programs NSA has tested out works with SPCMA, so that would offer the benefit of including location data in the dragnet. If cell phone location data is what has prevented the government from doing what they want to do with the existing phone dragnet, SPCMA’s ability to incorporate location would be a real plus for NSA, to the extent that this data is available (and cell phone likely has more offshore availability than land line).

The government could obtain individualized data using NSLs — and it continues to get not just “community of interest” (that is, at least one hop) from AT&T, but also 7 other things that go beyond ECPA that FBI doesn’t want us to know about. But using NSLs may suffer from a similar problem to the current dragnet, that providers only have to provide as much as ECPA requires. Thus, there, too, other providers are probably unwilling to provide as much data as AT&T.

Telecoms might be willing to provide under CISA the data the government is currently getting under 215, and CISA collection won’t be tied in any way to ECPA definitions, though its application is to a different topic: cybersecurity (plus leaks and IP theft) rather than terrorism. So one question I have is whether, because of the immunity and extended secrecy provisions of CISA, telecoms would be willing to stretch that.

Other Dragnets

In addition to the phone dragnet, FBI and other IC agencies seem to operate other dragnets under Section 215. It’s probably a decent guess that the 8-13 other 215 orders prior to 2009 were for such things. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year. Other items discussed involve hotel dragnets and explosives precursor dragnets, the latter of which would have been expanded after the 2009 Najibullah Zazi investigation. In other words, there might be up to 5 dragnets, each representing 4-5 orders a year (assuming they work on the same 90-day renewal cycle), so a total of around 22 of the roughly 175 orders a year that aren’t the phone dragnet (the higher numbers for 2006 are known to be combination orders both obtaining subscription data for PRTT orders and location data with a PRTT order; those uses stopped in part with the passage of PATRIOT reauthorization in 2006 and in part with FISC’s response to magistrate rulings on location data from that year).

Some of these dragnets could be obtained, in more limited fashion, with NSLs (NSLs currently require reporting on how many US persons are targeted, so we will know if they move larger dragnets to NSLs). Alternately, the FBI may be willing to do these under grand jury subpoenas or other orders, given the way they admitted they had done a Macy’s Fagor Elite pressure cooker dragnet after the Boston Marathon attack. The three biggest restrictions on this usage would be timeliness (some NSLs might not be quick enough), the need to have a grand jury involved for some subpoenas, and data retention, but those are all probably manageable hurdles.

The Internet content

Finally, there is the Internet content — which we know makes up a majority of Section 215 orders — that moved to that production from NSLs starting in 2009. It’s probably a conservative bet that over 100 of current dragnet orders are for this kind of content. And we know the modification numbers for 2009 through 2011 — and therefore, probably still — are tied to minimization procedure requirements imposed by the FISC.

A recent court document from a Nicholas Merrill lawsuit suggests this production likely includes URL and data flow requests. And the FBI has recently claimed — for what that’s worth — that they rely on Section 215 for cybersecurity investigations.

Now, for some reason, the government has always declined to revise ECPA to restore their ability to use NSLs to obtain this collection, which I suspect is because they don’t want the public to know how extensive the collection is (which is why they’re still gagging Merrill, 11 years after he got an NSL).

But the data here strongly suggests that going from NSL production to Section 215 production has not only involved more cumbersome application processes, but also added a minimization requirement.

And I guarantee you, FBI or NSA or whoever is doing this must hate that new requirement. Under NSLs, they could just hoard data, as we know both love to do, the FBI even more so than the NSA. Under 215s, judges made them minimize it.

As I noted above, this is why I think Keith Alexander was willing to do a CISA for 215 swap. While CISA would require weak sauce Attorney General derived “privacy guidelines,” those would almost certainly be more lenient than what FISC orders, and wouldn’t come with a reporting requirement. Moreover, whereas at least for the phone dragnet, FISC has imposed very strict usage requirements (demanding that a counterterrorism dragnet be used only for counterterrorism purposes), CISA has unbelievably broad application once that data gets collected — not even requiring that terrorist usages be tied to international terrorism, which would seem to be a violation of the Keith Supreme Court precedent.

All of this is to suggest that for cybersecurity, IP theft, and leak investigations, CISA would offer FBI their ideal collection approach. It would certainly make sense that Alexander (or now, Admiral Mike Rogers and Jim Comey) would be willing to swap a phone dragnet whose paltry results they could largely achieve using other authorities if in exchange they got to access cybersecurity data in a far, far more permissive way. That’d be a no-brainer.

There’s just one limitation on this formula, potentially a big one. CISA does not include any obligation. Providers may share data, but there is nothing in the bill to obligate them to do so. And to the extent that providers no longer provide this data under NSLs, it suggests they may have fought such permissive obligation in the past. It would seem that those same providers would be unwilling to share it willingly.

But my thoughts on CISA’s voluntary nature are for another post.

One final thought. If the government is contemplating some or all of this, then it represents an effort — one we saw in all versions of dragnet reform to greater (RuppRoge) or lesser degrees (USAF) — to bypass FISC. The government and its overseers clearly seem to think FISC-ordered minimization procedures are too restrictive, and so are increasingly (and have been, since 2009) attempting to replace the role played by an utterly dysfunctional secret court with one entirely within the Executive.

This is the reason why Section 215 sunset can’t be treated in a vacuum: because, to the extent that the government could do this in other authorities, it would largely involve bypassing what few restrictions exist on this spying. Sunsetting Section 215 would be great, but only if we could at the same time prevent the government from doing similar work with even fewer controls.

The NSL to 215 Collection: Data Flows AND URLs

Since last summer, I have been noting that the majority of Section 215 production now consists of Internet data the government used to collect using National Security Letters but which — after the Internet companies successfully refused further compliance under NSLs in light of an Office of Legal Counsel ruling limiting what could be obtained under NSLs — the government started using Section 215 to obtain.

We know most Section 215 orders are for Internet records because someone reliable — DOJ’s Inspector General in last year’s report on National Security Letters — told us that a collection of Internet companies successfully challenged FBI’s use of NSLs to collect this stuff after DOJ published an opinion on ECPA in 2008.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

That report went on to explain that FBI considered fixing this problem by amending the definition for toll records in Section 2709, but then bagged that plan and just moved all this collection to Section 215, which takes longer.

In the absence of a legislative amendment to Section 2709, [2.5 lines redacted]. [Deputy General Counsel of FBI’s National Security Law Branch] Siegel told us that the process of generating and approving a Section 215 application is similar to the NSL process for the agents and supervisors in the field, but then the applications undergo a review process in NSLB and the Department’s National Security Division, which submits the application to the Foreign Intelligence Surveillance Court (FISA Court). According to Siegel, a request that at one time could be accomplished with an NSL in a matter of hours if necessary, now takes about 30-40 days to accomplish with a standard Section 215 application.

In addition to increasing the time it takes to obtain transactional records, Section 215 requests, unlike NSL requests, require the involvement of FBI Headquarters, NSD, and the FISA Court. Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

The government is, according to the report, going through all sorts of hoop-jumping on these records rather than working with Congress to pass ECPA reform.

Why?

The FISA Court imposed minimization procedures on this production, meaning it was fairly bulky. That led me to speculate — particularly given Claire McCaskill questions confirming Section 215 might be used for the purpose — the collection obtained URL search information. More recently, particularly when the FBI claimed (which, sadly, coming from the FBI can never be assumed to be true) it used Section 215 for cyber investigations, I became convinced it involved data flow records.

Meanwhile, in January 2014, Nicholas Merrill, the first person to fight an NSL order when he received one in 2004, started fighting to overturn the gag order that had been imposed on him a decade earlier (this came at the same time as President Obama claimed he would move FBI to end its forever gags on NSLs). And while the FBI agreed to let Merrill tell the target of the NSL about it, it ordered him to keep most of what he had been ordered to turn over secret. He is currently permitted to reveal the following:

[Image: Screen Shot 2015-03-29 at 8.36.05 AM]

In other words, while FBI is okay with Merrill telling the target of a decade-old investigation he or she was targeted, he can’t tell us what — as far back as 2004 — FBI claimed was included under ECPA’s definition of electronic communication transactional records.

In December, Merrill sued to be able to tell us that. And on March 20, a redacted version of his declaration in that suit was released. While the government redacted what they had asked of him (and bizarrely, redacted language in his lawyer’s declaration that appeared unredacted in documents they included as exhibits; see this Cryptome document for the full packet), Merrill provided a pretty good sense of what might have been included in those 15 (of 16!) redacted or partly redacted orders from a decade ago. First, he described all the records he had:

Calyx Internet Access, like most ISPs, collected a wide array of information about its clients. For a given client, we may have collected their [1] name, [2] address and [3] telephone number; [4] other addresses associated with the account; [5] email addresses associated with the account; [6] IP addresses associated with the account; [7] Uniform Resource Locator (URL) addresses assigned to the account; [8] activity logs for the account; [9] logs tracking visitors to the client’s website; [10] the content of a client’s electronic communications; [11] data files residing on Calyx’s server; [12] the client’s customer list; [13] the client’s bank account and [14] credit card numbers; [15] records relating to merchandise bought and sold; and the [16] date the account was opened or closed. [numbers 1 through 16 added]

Of all those 16 things, the only thing that should have been impossible to be included among the 16 requests the FBI made in its NSL demand on Merrill 11 years ago is the actual content of the client’s communication, item 10 (though see my caveat below, explaining that they may well have demanded that too).

In addition to describing the kinds of things he had — which therefore might be among the 16 things FBI demanded of him — Merrill described the kinds of things ISPs might have that the FBI might want. He includes URL searches and IP-based identifiers.

Electronic communication service providers can maintain records of the IP addresses assigned to particular individuals and of the electronic communications involving that IP address. These records can identify, among other things, the identity of an otherwise anonymous individual communicating on the Internet, the identities of individuals in communication with one another, and the web sites (or other Internet content) that an individual has accessed.

Electronic communication service providers can also monitor and store information regarding web transactions by their users. These transaction logs can be very detailed, including the name of every web page accessed, information about the page’s content, the names of accounts accessed, and sometimes username and password combinations. This monitoring can occur by routing all of a user’s traffic through a proxy server or by using a network monitoring system.

[snip]

Web servers also often maintain logs of every request that they receive and every web page that is served. This could include a complete list of all web pages seen by an individual, all search terms, names of email accounts, passwords, purchases made, names of other individuals with whom the user has communicated, and so on.

And he described flow data — the kinds of things FBI might use in a hacking investigation.

Electronic communication service providers can also record internet “NetFlow” data. This data consists of a set of packets that travel between two points. Routers can be set to automatically record a list of all the NetFlows that they see, or all the NetFlows to or from a specific IP address. This NetFlow data can essentially provide a complete history of each electronic communications service used by a particular Internet user.

In short, Merrill is strongly hinting that he was asked for both URL information and NetFlow information. Merrill is hinting that the FBI was using NSLs to obtain detailed descriptions of all of the Internet activities for targets of NSLs.

Merrill also suggests that email subject lines — now considered content — might be demanded. That’s interesting because he got served his NSL before the hospital confrontation in 2004, and the government (specifically Michael Hayden) has claimed that subject lines were metadata, not content. So he may be indicating that back in 2004, the FBI was treating subject lines as an electronic communication transactional record (and given that FBI did not withdraw the substance of his NSL until 2006, perhaps continued to do so).

So back in 2004, at least, the FBI was making vast demands for records of all of a target’s Internet activity.

There’s good reason to believe that this is precisely the kind of production (at least some) Internet companies successfully moved to Section 215 orders in 2009. That’s true, in part, because in the NSL IG Report describing all the crazy requests FBI had been making under ECPA, the most substantive ongoing crazy requests appeared to be connected to AT&T production. Seven types of records from a provider that is almost certainly AT&T were redacted in that IG Report. So while it’s likely the FISC now reviews and minimizes that same kind of request to ISPs as part of Section 215 orders, it probably doesn’t for telecoms.

That said, all that might change if the Cybersecurity Information Sharing Act passes. That bill would pre-empt existing laws, including ECPA, for sharing of cybersecurity, leak, or IP theft investigations (and can be used to investigate a broad array of serious crimes). So CISA would provide the legal cover for ISPs to share such information, at least for any ISPs who would “voluntarily” share such data. For that reason, we should look much more closely at the terms of that “voluntary” production.

That’s the subject of another post, however.

For now, take Merrill’s declaration as pretty strong confirmation that the FBI at least was obtaining both URL search information and data flow information using nothing more than an NSL. Its desire to get such expansive data again is likely at least as pressing an issue behind current surveillance legislation debates as its desire to continue a dragnet of all our phone records.