Posts

The Secrets that Remain about Journalist NSLs

Someone has liberated to the Intercept a copy of the FBI’s guidelines for using NSLs to obtain the call records of journalists. The entire appendix is For Official Use Only save one paragraph noting that foreigners serving as spooks or working for news outlets that are agents of a foreign power don’t get any protection. Otherwise, this is only being protected under a claim of privilege, not classification. That’s particularly troubling given that the US Attorney Guidelines on subpoenaing the press includes equivalent language about agents of a foreign power not getting the special treatment (though here it is more focused on terrorists).

The protections of the policy do not extend to any individual or entity where there are reasonable grounds to believe that the individual or entity is a foreign power or an agent of a foreign power; a member or an affiliate of a foreign terrorist organization; designated a specially designated global terrorist; a specially designated terrorist; a terrorist organization; committing or attempting to commit a crime of terrorism; committing or attempting to commit the crime of providing material support or resources to a terrorist organization; or aiding, abetting, or conspiring in illegal activity with such individuals or entities. 28 C.F.R. 50.10(b)(1)(ii).

The liberated passage (like the USA guidelines) does not, however, define who counts as a member of the news media.

For those so lucky as to be considered a member of the news media, when DOJ is obtaining their records to learn a confidential source, they need to get the Executive Assistant Director of National Security Branch (who must consult with the AAG for National Security) and General Counsel’s approval to obtain an NSL. Note, the Public Affairs Director is not involved in this process, as he or she is supposed to be in the subpoena process (though even there, the policy states that DOJ’s Policy and Statutory Enforcement Unit will make the call on who is or is not entitled to be a journalist). Which would say NSLs, on top of being secret and offering the journalist no opportunity to fight the subpoena, also receive only a national security review, not a press review.

Which brings me back to the other point about NSLs I keep harping on. The 2014 NSL IG report showed that the FBI was not reporting at least 6.8% of their NSLs, even to Congress, much less to the Inspector General. When asked about that, FBI said an accurate number was really not worth trying to do, even while it admitted that the uncounted NSLs were “sensitive” cases — a category that includes journalists (and politicians and faith leaders).

That means there’s at least a decent possibility that some of the NSLs the FBI chooses not to report to either Congress or the Inspector General — in spite of the clear legal obligation to do so — are of journalists.

Given that they’ve been hiding this unclassified NSL policy under a dubious claim of privilege, that decent possibility seems all the more likely.

Friday Morning: Some Place Warm

Warm, like the Philippines, the home of the Manila sound. It’s Friday once again and today’s jazz genre is the precursor to Pinoy rock (like Freddie Aguilar’s Anak) and Pinoy hip hop (like Andrew E’s Binibirocha).

The Manila sound emerged under Ferdinand Marcos’ regime; wish I knew more about this body of work to identify songs which pushed the envelope politically. You can still hear the ghost-like impact of more than 300 years of Spanish colonialism in some riffs, shaped by other Asian and American influences.

Think I’ll try a mix mix cocktail later today with a little more contemporary Filipino jazz.

Coincidentally, “mix mix” is an apt description for this morning’s post. A lot of smallish, unrelated items in my inbox today…

The canary that didn’t chirp
Reddit may have received a National Security Letter, based on the disappearance of a notice in transparency reporting which up to now indicated no NSLs had been received. Was an NSL sent to Reddit in response to an online discussion last year with Edward Snowden, Laura Poitras, and Glenn Greenwald? Or did some other content trigger a possible NSL?

Department of Homeland Security’s Cyber Security Division wants to fix open source software
“Hello, we’re from the government. We’re here to help you.” Uh-huh. Color me skeptical about this initiative intended to reduce vulnerabilities in open source software. When the government finds a way to insert itself into technology, it’s an opportunity for co-option and compromise. Can you say ‘backdoor’?

Fixing a problem with business iPhones may create a new one
A key reason the USDOJ went after Apple to crack the passcode on the San Bernardino shooter’s iPhone: poor or missing mobile device management software. Had the iPhone’s owner and issuer San Bernardino County installed an MDM app that could override the assigned user’s passcode, the FBI would have had immediate access to the iPhone’s contents. Employers are likely moving toward more and better MDM to prevent a future costly #AppleVsFBI situation. However, the new SideStepper malware is spreading and taking advantage of MDM’s ability to push software to enterprise-owned iPhones without the users’ approval.

FCC’s very busy Thursday

  • FCC approved a $9.25 monthly subsidy for Lifeline-eligible low-income folks to use on high-speed internet service. Now if only high-speed internet was less than $10/month, or available across the U.S. to all low-income citizens…there are still wide swaths of the U.S. where high-speed internet is simply a pipe dream, let alone adequate competition to keep prices within reach of the subsidy.
  • The subsidy’s approval came amid a lot of political scrambling and maneuvering due to conservatives’ resistance on spending (what a surprise, right?), though the investment should increase the number of users able to access state and federal programs online, reducing costs to operate them over the long run.
  • The FCC also voted to proceed with rulemaking on the handling of users’ personal information over ISPs. Privacy is currently regulated on telecommunications by the FCC, but not on ISPs. Implementing rules on ISPs substantially similar to telecoms may protect consumers’ privacy, which is otherwise wide open. It would also force more equitable competition between ISPs and telecoms on consumer communications services. Perhaps this makes it easier to understand why NBC and MSNBC — both owned by cable ISP company Comcast — have been completely in the tank for Donald Trump? (Might even explain why Trump was such an ass to Univision’s Jorge Ramos, as Comcast owns competitor Telemundo.)

Today in literacy

  • Participating in a book club could land you in prison in Angola (QZ) — There’s either more to this story, or Angola is incredibly repressive and ripe for trouble.
  • Fairy tales, now with more firearms (NPR) — The idiots at NRA think there’s not enough violence in fairy tales, so they’ve rewritten them with weapons added. Distorting the Constitution isn’t enough; why not distort children’s fiction, too?
  • Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet (Northwestern Journal of Technology and Intellectual Property) — Not a book, but a worthwhile read for infosec literacy.

Public Service Announcement: Backup/Alternate Site
You may have noticed the site’s connectivity going up and down; there’s some tinkering going on under the hood. If the site should go down for long, you can find our more recent content at this alternate site (bookmark for emergency use). If the site needs to stay down for longer periods of time for repairs or redesign, we’ll redirect traffic there. Comments left at the other site will not be ported back to this page, however, and the alternate location is not intended to replace this one though you may find you like the alternate site’s mobile version better.

That’s a wrap, I’m off to find some calamondins, or an approximation for a mix mix cocktail. Have a good weekend!

Michael Horowitz’ Monthly Complaint about FBI and DEA Stonewalling

The House Oversight Committee is having a hearing on the problems law enforcement agencies have with sexual harassment and misconduct, as reported by DOJ’s Inspector General. DEA Administrator Michele Leonhart will be offering amusing testimony about how the DEA has given its Agents clear instructions that they’re really the best evah™ but they need to stop breaking the law.

But because I’m an IG nerd, I’m as interested in what has become a monthly event during DOJ Inspector General Michael Horowitz’ tenure, when he provides details of FBI and DEA’s latest stonewalling of oversight. Here’s today’s version:

Further, we cannot be completely confident that the FBI and the DEA provided us with all information relevant to this review. When the OIG finally received from the FBI and DEA the requested information without extensive redactions, we found that it still was incomplete. For example, we determined that the FBI removed a substantial number of cases from the result of their search and provided additional cases to the OIG only after we identified some discrepancies. These cases were within the scope of our review and should have been provided as requested. Likewise, the DEA also provided us additional cases only after we identified some discrepancies. In addition, after we completed our review and a draft of the report, we learned that the DEA used only a small fraction of the terms we had provided to search its database for the information needed for our review. Rather than delay our report further, we decided to proceed with releasing it given the significance of our findings.

We also determined that the DEA initially withheld from us relevant information regarding an open case involving overseas prostitution. During a round of initial interviews, only one interviewee provided us information on this case. We later learned that several interviewees were directly involved in the investigation and adjudication of this matter, and in follow-up interviews they each told us that they were given the impression by the DEA that they were not to talk to the OIG about this case while the case was still open. In order to ensure the thoroughness of our work, the OIG is entitled to receive all information in the agency’s possession regardless of the status of any particular case.

As I have testified on multiple occasions, in order to conduct effective oversight, an Inspector General must have timely and complete access to documents and materials needed for its audits, reviews, and investigations. This review starkly demonstrates the dangers inherent in allowing the Department and its components to decide on their own what documents they will share with the OIG, and even whether the Inspector General Act requires them to provide us with requested information. The delays experienced in this review impeded our work, delayed our ability to discover the significant issues we ultimately identified, wasted Department and OIG resources during the pendency of the dispute, and affected our confidence in the completeness of our review.

This was not an isolated incident. Rather, we have faced repeated instances over the past several years in which our timely access to records has been impeded, and we have highlighted these issues in our reports on very significant matters such as the Boston Marathon Bombing, the Department’s use of the Material Witness Statute, the FBI’s use of National Security Letters, and ATF’s Operation Fast and Furious.

The Congress recognized the significance of this impairment to the OIG’s independence and ability to conduct effective oversight, and included a provision in the Fiscal Year 2015 Appropriations Act — Section 218 — which prohibits the Justice Department from using appropriated funds to deny, prevent, or impede the OIG’s timely access to records, documents, and other materials in the Department’s possession, unless it is in accordance with an express limitation of Section 6(a) of the IG Act. Despite the Congress’s clear statement of intent, the Department and the FBI continue to proceed exactly as they did before Section 218 was adopted – spending appropriated funds to review records to determine if they should be withheld from the OIG. The effect is as if Section 218 was never adopted. The OIG has sent four letters to Congress to report that the FBI has failed to comply with Section 218 by refusing to provide the OIG, for reasons unrelated to any express limitation in Section 6(a) of the IG Act, with timely access to certain records.

We are approaching the one year anniversary of the Deputy Attorney General’s request in May 2014 to the Office of Legal Counsel for an opinion on these matters, yet that opinion remains outstanding and the OIG has been given no timeline for the issuance of the completed opinion. Although the OIG has been told on occasion over the past year that the opinion is a priority for the Department, the length of time that has now passed suggests otherwise. Instead, the status quo continues, with the FBI repeatedly ignoring the mandate of Section 218 and the Department failing to issue an opinion that would resolve the matter. The result is that the OIG continues to be prevented from getting complete and timely access to records in the Department’s possession. The American public deserves and expects an OIG that is able to conduct rigorous oversight of the Department’s activities. Unfortunately, our ability to conduct that oversight is being undercut every day that goes by without a resolution of this dispute.

At some point, Congress is going to have to decide whether it will use the power of the purse — as they have authorized by statute — to force DEA and FBI to meet the same standards of disclosure that mere citizens would be required to meet if DEA and FBI were investigating them.

Until then, we should just assume FBI and DEA are breaking the law.

Jim Comey Lied When He Claimed FBI Needs a Judge to Read Your Email

I believe that Americans should be deeply skeptical of government power. You cannot trust people in power. The founders knew that. That’s why they divided power among three branches, to set interest against interest. — FBI Director Jim Comey

As part of a piece on James Risen’s stories, 60 Minutes did an interview with Jim Comey. It rehearsed his role in running up hospital steps in 2004 to prevent Andy Card from getting an ill John Ashcroft to rubber stamp illegal surveillance — without mentioning that Comey and the other hospital heroes promptly got the same program authorized by bullying the FISA Court. Trevor Timm called out this aspect of 60 Minutes’ report here.

CBS also permitted Comey to engage in Apple encryption fear-mongering without challenge. CNN, to its credit, called Comey on his misrepresentations here.

But perhaps Comey’s biggest stretcher came when Scott Pelley asked him whether FBI engages in surveillance without a court order.

Scott Pelley: There is no surveillance without court order?

James Comey: By the FBI? No. We don’t do electronic surveillance without a court order.

Scott Pelley: You know that some people are going to roll their eyes when they hear that?

James Comey: Yeah, but we cannot read your emails or listen to your calls without going to a federal judge, making a showing of probable cause that you are a terrorist, an agent of a foreign power, or a serious criminal of some sort, and get permission for a limited period of time to intercept those communications. It is an extremely burdensome process. And I like it that way.

Comey was admittedly careful to caveat his answer, stating that FBI does not engage in “electronic surveillance” without a court order. That probably excludes FBI’s use of National Security Letters. Though as DOJ’s Inspector General has made clear, FBI uses NSLs for a number of things — including communities of interest, obtaining one or possibly two degree collection of phone records, as well as a bunch of other things that remain redacted — that the NSL law didn’t envision. Indeed, FBI’s NSL requests have gotten so exotic that some Internet companies started to refuse — successfully — in 2009 to comply with the requests, forcing FBI to use Section 215 orders instead.

But the second part of that exchange — Comey’s claim that “we cannot read your emails without going to a federal judge” — is egregiously false.

As both ODNI and PCLOB have made clear, FBI can and does query incidentally collected data obtained under Section 702 (PRISM) — that is, it accesses email content — without a warrant. Alarmingly, it does so at the assessment level, before FBI even has any real evidence of wrong-doing.

Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts.

That’s not conducting electronic surveillance — because FBI gets the email after the electronic surveillance has already occurred. But that does entail warrantless access of US person content, and does so without any review by a judge. Indeed, with Section 702 collection, a judge never even reviews the foreign targets, much less the US incidental collection accessed by the FBI.

Now I get that Jim Comey is a terrifically charismatic guy, with great PR instincts. But still, 60 Minutes is supposed to be a journalism show. Why, when Comey was telling 60 Minutes straight out they should not trust the government, did they let him make so many bogus claims?

The FBI Has Significant Problems Counting Its National Security Letters

Today’s Inspector General Report on FBI’s use of National Security Letters has set off a bunch of alarm bells in my head.

At issue are two unexplained problems.

First, the Inspector General identified a huge drop in NSL use for the years covering this report: FBI obtained 49,425 NSLs in 2006, the year before this report. It obtained 54,935 afterwards. The years in-between — the 3 years covered by this report — NSLs dropped off a relative cliff, with 20% fewer in 2007 and even fewer in 2009.

The IG wasn’t able to offer any explanation for this, besides the possibility that increased scrutiny on NSL use led people to use other methods to get this information.

However, two supervisors and a division counsel told us that they believe agents use NSLs less often now than they did five years ago. These individuals told us that because of increased scrutiny on NSL use agents employ alternative investigative tools when possible.

In testimony last year, Jim Comey said FBI agents would just use grand jury subpoenas rather than NSLs if the NSLs became too onerous, so that may be where the activity disappeared to.

Hey, if 20% of FBI NSLs could be grand jury subpoenas without any problem, let’s make them do that!

It’s FBI’s other counting problems — and its non-answers — that have me even more worried.

According to the IG, the FBI is not reporting as much as 7.3% [update, 10/16: I think the correct number is 6.8%] of its NSL use to Congress. For example, when the IG tried to pull NSLs by NSL type (that is, toll billing, financial records, electronic transaction records), it found a significant discrepancy between what had been reported to Congress and what FBI’s internal spreadsheets showed.

[T]he NSL data in the itemized spreadsheets does not exactly match the NSL data reported to Congress in 2008 and 2009. The total number of requests reported for each year [by transaction type] is more than the total number of NSL requests reported to Congress by 2,894 and 2,231 requests, respectively. (63)

So for 2009, where FBI requested just 30,442 NSLs, FBI did not report 7.3% of the NSLs it requested.

(I can’t double check my math here because FBI redacted some of these tables, but I guess that’s one of the hazards of overclassifying things.)

That’s troubling enough, as is FBI’s lackadaisical attitude towards correcting the disparity.

After reviewing the draft of this report, the FBI told the OIG that while 100 percent accuracy can be a helpful goal, attempting to obtain 100 percent accuracy in the NSL subsystem would create an undue burden without providing corresponding benefits. The FBI also stated that it has taken steps to minimize error to the greatest extent possible.

Ho hum, we’re just the FBI, why expect us to be able to police ourselves?

But it gets weirder.

First, the one theory the IG came up with to explain the discrepancy is that FBI is not counting all the manual NSLs that bypass their automatic counting system implemented in response to the first IG Reports on NSLs.

In fact, they’re not: FBI’s Inspection Division found they’re not counting some significant (not single digit) percentage number of their manual NSLs (they redact how much they’re not counting on page 39).

But the IG seems to suspect there may be even more manual requests that are not being counted at all.

[T]he total number of manually generated NSLs that the FBI inspectors identified is relatively small compared to the total number of 30,442 NSL requests issued by the FBI that year. What remains unknown, however, is whether the FBI inspectors identified all the manually generated NSLs issued by the FBI or whether a significant number remains unaccounted for and unreported. (58)

If you guessed that FBI redacted under what circumstances FBI permits agents to bypass this automatic counting system, you’d be right. That discussion is in footnote 35 on page 17, and again on pages 113-115.

But I worry, given one observation from the IG, that they’re bypassing the automatic system in cases of “sensitive” investigations. Some apparent moron tried to explain why the IG found higher numbers for NSLs than Congress because the NSLs related to sensitive investigations were being reported to Congress but not the IG.

After reviewing the draft of this report, the FBI told the OIG for the first time that the NSL data provided to Congress would almost never match the NSL data provided to the OIG because the NSL data provided to Congress includes NSLs issued from case files marked “sensitive,” whereas the NSL data provided to the OIG does not. According to the FBI, the unit that provided NSL data to the OIG does not have access to the case files marked “sensitive” and was therefore unable to provide complete NSL data to the OIG. The assertion that the FBI provided more NSL data to Congress than to the OIG does not explain the disparities we found in this review, however, because the disparities we found reflected that the FBI reported fewer NSL requests to Congress than the aggregate totals. (58)

Aside from the revelation that FBI doesn’t understand how numbers work — that if Congressional reporting reflected a larger universe of NSLs than what the IG got to see, Congressional numbers should be higher, not lower — this also seems to mean that the IG is not being permitted to review the NSLs relating to sensitive investigations.

Now, it’s not entirely clear what FBI means by “sensitive” in this circumstance. But generally, “sensitive” investigations at FBI are those that investigate reporters, faith leaders, and politicians.

So it seems possible the FBI is not permitting the IG to review precisely the practices he should review.

Which brings me to another matter that is almost entirely redacted.

As I’ve reported repeatedly, one thing the last IG report on Exigent Letters showed is that a number of journalists have had their phone records collected by FBI. In addition, the 2011 DIOG made it acceptable to use NSLs to do so. Here’s the section of the executive summary of this report that describes whether FBI has resolved this issue.

[Image: Journalist NSLs]

From which I can only assume that FBI is continuing to use NSLs to collect journalist records (if FBI would like to declassify this language to prove me wrong, I welcome their transparency!).

So to sum up:

  • FBI can’t figure out why its NSL numbers dropped off a cliff for the years in question
  • FBI can’t figure out what happened to up to 7.3% of its NSLs
  • The IG thinks it is possible there are even more NSLs missing from those numbers
  • When asked, the FBI said maybe discrepancies come from files on sensitive investigations that the IG has no access to
  • The FBI does appear to be continuing its use of NSLs to hunt down journalists’ sources, which qualifies under the DIOG as a “sensitive” investigation, along with faith leaders and politicians

All that could be badly wrong — much of this information is redacted from both me, and in some cases, from Congress.

But doesn’t it raise some awfully big questions?

FBI Hides More and More of its National Security Letter Use

Recently I have started blogging occasionally over at Expose Facts — an entity serving whistleblowers and transparency. There’s even a SecureDrop, if you want to drop me secret documents to read!

Things will remain the same over here; I just hope to broaden my readership and support an important cause. I post links here to the more interesting posts over there.

Today, I’ve got a second post on the DOJ IG Report on FBI’s use of National Security Letters. It examines the extent to which FBI and the President’s Intelligence Oversight Board, which reviews legal violations of intelligence agencies, have classified information about FBI’s use of NSLs, even information that had been public in prior DOJ IG reports.

That is, both in the unclassified and the classified reports, FBI and President Obama’s oversight board demanded Horowitz hide information that had been released in some form in the 3 earlier reports DOJ’s IG did on NSLs.

FBI or PIAB are hiding:

  • What kind of information FBI collects using NSLs
  • What kind of violations FBI reports (or doesn’t report) to its overseers
  • PIAB’s judgements about FBI’s compliance with NSL statute

This information is, of course, central to Congress and the public’s understanding of whether FBI continues to abuse the NSL statute, as it did for the first 5 years after 9/11 (this report only covers NSL use until 2009; FBI’s more current use remains unexamined).

FBI’s suppression of this information is all the more troublesome given that the USA Freedom Act currently being debated in the Senate addresses some of the FBI’s use of NSLs.

Go read the rest!

Company B (Verizon? Sprint?) Stopped Playing Nice with FBI in 2009

I’m reading this DOJ IG report on NSLs — about which I’ll have far more later.

But given everything we’ve learned about NSA’s dragnet, I’m rather interested in footnote 156:

Company A, Company B, and Company C are the three telephone carriers described in our Exigent Letters Report that provided telephone records to the TCAU in response to exigent letters and other informal requests between 2003 and 2006. As described in our Exigent Letters Report, the FBI entered into contracts with these carriers in 2003 and 2004, which required that the communication service providers place their employees in the TCAU’s office space and give these employees access to their companies’ databases so they could immediately service FBI requests for telephone records. Exigent Letters Report, 20. As described in the next chapter, TCAU no longer shares office space with the telephone providers. Companies A and C continue to serve FBI requests for telephone records and provide the records electronically to the TCAU. Company B did not renew its contract with the FBI in 2009 and is no longer providing telephone records directly to the TCAU. Company B continues to provide telephone records in response to NSL requests issued directly by the field without TCAU’s assistance.

I’m guessing Company B is Verizon, because it always comes second! Though it could also be Sprint.

Recall that Reggie Walton shut down Verizon production for part of 2009 (I’ll have posts reinforcing this claim sometime in the near future). Verizon may have started being a jerk about providing foreign call records at that point, which — at least technically — were provided voluntarily. So that’s why it might be Verizon.

At the same time, Sprint is a good candidate because, at the end of the year, it demanded legal process from the phone dragnet. Also, it has challenged DOJ’s reimbursements, which has gotten it sued.

Given ongoing discussions about whether NSA gets all the phone records it’d like under Section 215 — and the explanation they’re missing cell records — I’m particularly interested in this development.

Is Twitter EFF’s Second NSL Client?

In the past, I’ve tracked the efforts of a telecom — which WSJ convincingly argued was Credo — to challenge a 2011 National Security Letter. It has the support of EFF on that challenge. I also noted language in Credo’s Transparency Report (which was issued after DOJ permitted providers to give broad bands for NSLs, but before DOJ permitted them to give broad bands for other national security demands) saying it was prohibited from giving more information about NSLs and Section 215 orders.

It is important to note that it may not be possible for CREDO or any telecom carrier to release to the public a full transparency report, as the USA PATRIOT Act and other statutes give law enforcement the ability to prevent companies from disclosing whether or not they have received certain orders, such as National Security Letters (NSLs) and Section 215 orders seeking customer information. [my emphasis]

Today, EFF noted that it has filed what should be its response to the government’s appeal in that case.

Only, it makes clear it is representing not just the known telecom client, but also an Internet client.

The Electronic Frontier Foundation (EFF) filed two briefs on Friday challenging secret government demands for information known as National Security Letters (NSLs) with the Ninth Circuit Court of Appeals.  The briefs—one filed on behalf of a telecom company and another for an Internet company—remain under seal because the government continues to insist that even identifying the companies involved might endanger national security.

While the facts surrounding the specific companies and the NSLs they are challenging cannot be disclosed, their legal positions are already public: the NSL statute is a violation of the First Amendment as well as the constitutional separation of powers.

Now, one obvious potential Internet client would be Google. It is known to have fought NSLs in Judge Susan Illston’s court and lost.

But I wonder whether it isn’t Twitter.

I say that, first of all, because of the cryptic language in Twitter’s own Updated Transparency Report, which was released after the DOJ settlement which should have permitted it to report NSLs. But instead of doing so, it pointed out that it can’t report its national security orders, if any, with enough particularity. It called out NSLs specifically. And it used a language of prohibition.

Last week, the U.S. Department of Justice and various communications providers reached an agreement allowing disclosure of national security requests in very large ranges. While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public, especially for entities that do not receive a significant number of – or any – national security requests.

As previously noted, we think it is essential for companies to be able to disclose numbers of national security requests of all kinds – including national security letters and different types of FISA court orders – separately from reporting on all other requests. For the disclosure of national security requests to be meaningful to our users, it must be within a range that provides sufficient precision to be meaningful. Allowing Twitter, or any other similarly situated company, to only disclose national security requests within an overly broad range seriously undermines the objective of transparency. In addition, we also want the freedom to disclose that we do not receive certain types of requests, if, in fact, we have not received any.

Unfortunately, we are currently prohibited from providing this level of transparency. We think the government’s restriction on our speech not only unfairly impacts our users’ privacy, but also violates our First Amendment right to free expression and open discussion of government affairs. We believe there are far less restrictive ways to permit discussion in this area while also respecting national security concerns. Therefore, we have pressed the U.S. Department of Justice to allow greater transparency, and proposed future disclosures concerning national security requests that would be more meaningful to Twitter’s users. We are also considering legal options we may have to seek to defend our First Amendment rights. [my emphasis]

It was a defiant Transparency Report, and it discussed prohibitions in a way that no one else — except Credo — had done.

Moreover, it would make sense that EFF would be permitted to represent Twitter in such a matter, because it already had a role in Twitter’s challenge of the Administrative subpoena for various WikiLeaks associates’ Twitter data.

Finally, EFF notes that this Internet client is fighting just 2 NSLs; Google is fighting 19.

The very same day that the district court issued that order striking down the statute, a second EFF client filed a similar petition asking the same court to declare the NSL statute to be unconstitutional and to set aside the two NSLs that it received.

Notwithstanding the fact that it had already struck down the NSL statute on constitutional grounds in EFF’s first NSL case, but indicating that it would be up to the Ninth Circuit to evaluate whether that evaluation was correct, the district court denied EFF’s client’s petition and ordered them to comply with the remaining NSL in the interim.

If Twitter is the client, it would present real First Amendment issues. It would suggest that, after Twitter took the rare step of not just challenging but giving notice in an Administrative subpoena, DOJ decided to use NSLs, which are basically Administrative subpoenas with additional gags, in response.

Update: in potentially related news, Verizon just updated its Transparency Report, claiming it can’t provide details on some bulk orders.

We note that while we now are able to provide more information about national security orders that directly relate to our customers, reporting on other matters, such as any orders we may have received related to the bulk collection of non-content information, remains prohibited.

DOJ Will Continue to Use NSLs to Get Journalist Contacts

For years, I have been harping on the language in FBI’s Domestic Investigations and Operations Guide that permits DOJ to get journalists’ contact information using NSLs because — given that they are not warrants — they need no Attorney General review.

A heavily-redacted section (PDF 166) suggests that in investigations with a national security nexus (so international terrorism or espionage, as many leak cases have been treated) DOJ need not comply with existing restrictions requiring Attorney General approval before getting the phone records of a journalist. The reason? Because NSLs aren’t subpoenas, and that restriction only applies to subpoenas.

Department of Justice policy with regard to the issuances of subpoenas for telephone toll records of members of the news media is found at 28 C.F.R. § 50.10. The regulation concerns only grand jury subpoenas, not National Security Letters (NSLs) or administrative subpoenas. (The regulation requires Attorney General approval prior to the issuance of a grand jury subpoena for telephone toll records of a member of the news media, and when such a subpoena is issued, notice must be given to the news media either before or soon after such records are obtained.) The following approval requirements and specific procedures apply for the issuance of an NSL for telephone toll records of members of the news media or news organizations. [my emphasis]

So DOJ can use NSLs–with no court oversight–to get journalists’ call (and email) records rather than actually getting a subpoena.

The section includes four different approval requirement scenarios for issuing such NSLs, almost all of which are redacted. Though one only partly redacted passage makes it clear there are some circumstances where the approval process is the same as for anyone else DOJ wants to get an NSL on:

If the NSL is seeking telephone toll records of an individual who is a member of the news media or news organization [2 lines redacted] there are no additional approval requirements other than those set out in DIOG Section 18.6.6.1.3 [half line redacted]

And the section on NSL use (see PDF 100) makes it clear that a long list of people can approve such NSLs:

  • Deputy Director
  • Executive Assistant Director
  • Associate EAD for the National Security Branch
  • Assistant Directors and all DADs for CT/CD/Cyber
  • General Counsel
  • Deputy General Counsel for the National Security Law Branch
  • Assistant Directors in Charge in NY, Washington Field Office, and LA
  • All Special Agents in Charge

In other words, while DOJ does seem to offer members of the news media–which is itself a somewhat limited group–some protection from subpoena, it also seems to include loopholes for precisely the kinds of cases, like leaks, where source protection is so important.

See also this post, where I tried to write it really plainly.

Then, last year, after it got caught obtaining the call records of some Pulitzer Prize winners, DOJ pretended to roll out new protections for journalists.

Charlie Savage reports that DOJ has just rolled out the final version of those great new protections.

Here’s the last paragraph of his report on the “new guidelines.”

The rules cover grand jury subpoenas used in criminal investigations. They exempt wiretap and search warrants obtained under the Foreign Intelligence Surveillance Act and “national security letters,” a kind of administrative subpoena used to obtain records about communications in terrorism and counterespionage investigations.

Which makes these “new guidelines” worth approximately shit in any leak — that is, counterintelligence — investigation.

The Section 215 Phone Dragnet Is Just a Fraction of the Dragnet

I’ve been harping on the Review Group’s (and Leahy-Sensenbrenner’s) recommendation to end bulk collection with National Security Letters. I’ve also noted the Review Group’s nod to EO 12333 in its use of the phrase “or under any other authority” when recommending limits to Section 702.

So I wanted to draw attention to this language from Tuesday’s Senate Judiciary Committee hearing with the Review Group, in which Chris Coons asks Richard Clarke what other authorities the Review Group had considered. Clarke notes that the phone dragnet provides a small fraction of the data collected.

COONS: The review, if I might, Mr. Clarke, my last question, it looks at two authorities, Section 702 and Section 215. And these are both sections about which there’s been a lot of public debate and discussion.

But the review group also recommends greater government disclosure about these and other surveillance authorities it possesses. But the report, appropriately and understandably, does not itself disclose any additional programs.

What review, if any, did the group make of undisclosed programs or could you at least comment about whether lessons learned from such review is, in fact, reflected in the report?

CLARKE: Well, there was a great deal of metadata collected by the national security letter program. And we do speak to that in the recommendations.

There was also a great deal of communications-related information collected under the executive order 12333.

Public attention is focused on 215, but 215 produces a small percentage of the overall data that’s collected.

That’s consistent with what this post shows — that the US-based metadata collection is just a small fraction of a large collection of metadata, and the 12333 collected data is at least partly duplicative of (but not subject to the same protections as) the Section 215 dragnet (and NSLs are subject to even less protection).

But I’m glad to see someone like Clarke echoing the warnings I’ve been giving.