June 20, 2019 / by 

 

The CIA (&etc) Money Orders

NSL v 215Both the NYT (Charlie Savage and Mark Mazzetti) and WSJ (Siobhan Gorman, Devlin Barrett, and Jennifer Valentine-Devries) tell the same story today: the CIA is collecting bulk data on international money transfers. Given that someone has decided to deal this story to two papers at the same time, and given the number of times the Administration has pre-leaked stories to Gorman of late to increasingly spectacular effect (even making most national security journalists forget the very existence of GCHQ’s notoriously voracious taps at cable landings just off Europe) I assume this may be some kind of limited hangout.

It’s not that I doubt in the least that CIA gets and uses financial data. I don’t even doubt the government uses PATRIOT authorities to do so (as both stories assert).

But it would be unlikely that this data comes in through an FBI order and does not also get shared with Treasury and National Counterterrorism Center (if not NSA), both of which would have better infrastructure for analyzing it, and both of which we know to use such data for their known intelligence products. Indeed, in response to a question from both papers about this practice Western Union points to Treasury programs.

 A spokeswoman for one large company that handles money transfers abroad, Western Union, did not directly address a question about whether it had been ordered to turn over records in bulk, but said that the company complies with legal requirements to provide information.

“We collect consumer information to comply with the Bank Secrecy Act and other laws,” said the spokeswoman, Luella Chavez D’Angelo. “In doing so, we also protect our consumers’ privacy.”

And at WSJ a consultant to the industry points even more firmly towards Treasury.

Money-transfer companies are “highly, highly aware of their obligations under the Patriot Act,” said Robert Pargac, a director in global investigations and compliance at Navigant Consulting Inc. who has worked at several such companies. Western Union said last month it would be spending about 4% of its revenue in 2014 on compliance with rules under the Patriot Act, the Treasury Department’s Office of Foreign Assets Control and other anti-money-laundering and terrorist-financing requirements.

We know that, at least until 2008, the FBI maintained that it could share materials that came in through Section 215 with any agency so long as that agency asserted it had a need for the information, and there’s little reason to believe the FBI has changed that policy. So I would assume at least Treasury and NCTC gets this data as well. It may be all this story indicates is that — as they do with much Section 702 data — CIA gets its own access to the data. That’s a minimization story, not a collection story, because we’ve known this data was collected (as WSJ points out).

Then there’s the evidence both papers point to to show that this is a Section 215 program. WSJ nods towards Claire Eagan’s reference to earlier bulk opinions.

The likely existence of bulk collection programs other than phone-records data has been mentioned in a recently declassified opinion from a judge on the Foreign Intelligence Surveillance Court, which approves such programs.

And NYT discusses it in more depth.

In September, the Obama administration declassified and released a lengthy opinion by Judge Claire Eagan of the surveillance court, written a month earlier and explaining why the panel had given legal blessing to the call log program. A largely overlooked passage of her ruling suggested that the court has also issued orders for at least two other types of bulk data collection.

Specifically, Judge Eagan noted that the court had previously examined the issue of what records are relevant to an investigation for the purpose of “bulk collections,” plural. There followed more than six lines that were censored in the publicly released version of her opinion.

Yet even in spite of NYT’s reference to the “largely overlooked” (but reported on by me, Julian Sanchez, and Marty Lederman) passage (actually there are two), it misses part of what Eagan wrote.

This Court has previously examined the issue of relevance for bulk collections. See [6 lines redacted]

While those involved different collections from the one at issue here, the relevance standard was similar. See 50 U.S.C. § 1842(c)(2) (“[R]elevant to an ongoing investigation to protect against international terrorism …. “). In both cases, there were facts demonstrating that information concerning known and unknown affiliates of international terrorist organizations was contained within the non-content metadata the government sought to obtain. As this Court noted in 2010, the “finding of relevance most crucially depended on the conclusion that bulk collection is necessary for NSA to employ tools that are likely to generate useful investigative leads to help identify and track terrorist operatives.”

That is, after the redaction, Eagan continues to discuss “those” opinions and invokes 50 USC 1842 — the Pen Register provision, not Section 215. Which would seem to suggest these earlier bulk collection opinions refer to Pen Register collection (one of these may well be the 2004 Colleen Kollar-Kotelly opinion).

So if the NYT’s and WSJ’s sources are pointing to that passage to describe what authorized this collection, they’re suggesting a law clearly designed for communications authorized the collection of money order data. Which is possible, but if so, it might point to a third party — the telecoms — providing the data rather than the money order companies. But then, that’s how the Internet metadata program always operated, with the telecoms providing the Internet companies’ data.

NYT also references the opinions the government has identified but will withhold from ACLU (I mentioned one here). Those explicitly relate to Section 215 (this may indicate there was both a significant Pen Register opinion and a significant 215 opinion in 2010). But note, those opinions come from an entry in the government’s Vaughn that effectively issues a “No Number No List” for the remainder of opinions, which may suggest there are even more.

Still, there’s one other reason I wonder whether the government is only or has only conducted this under Section 215 (NYT says the collection occurs under “provisions in the Patriot Act”, while WSJ says that explicitly). Indeed, I suspect the government may have collected such information using a National Security Letter, which would not involve review by the FISC, though may not be doing so anymore.

Both Ron Wyden’s bill and the Leahy-Sensenbrenner bill include language limiting what the government can get via a financial NSL (the Leahy-Sensenbrenner bill actually includes more restrictions) and explicitly state, “A request issued under this subsection may not require the production of records or information not listed in” the bill. The language would seem to exclude collection date of birth (which the WSJ mentions) and social security number (which the NYT mentions), both of which would permit systemic tracking. In addition, the Leahy-Sensenbrenner bill includes the same language prohibiting bulk collection as it uses in sections on Section 215 and Pen Registers.

In other words, the critics of the dragnet sure seem to think the government has used NSLs to get financial information far beyond what the letter of the law would seem to permit. Leahy, in particular, has shown acute interest in how the government gets financial records. And his bill prohibits the use of NSLs to collect bulk financial data.

As I have noted (and Sanchez noted before I did), after a drop in 2006 associated with the ability to get subscriber information with Pen Registers, 215 orders have risen to new highs in recent years, which comes at the same time as a dramatic drop in the number of NSLs. It seems highly likely that collection that used to occur via NSL (perhaps via numerous NSLs) now occurs via 215 order. And that switch happened in 2010, the year of one of the remaining 215 orders.

None of which is to say that anything in either story is not absolutely correct. Just that it seems that this story — as with the European collection story — may be just one part of the program.

 

Copyright © 2018 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/tag/ofac/