Patrick Leahy


The Loss of PRTT Minimization Review in USA F-ReDux

As I noted earlier, the House Judiciary Committee just released a new version of USA Freedom Act, which I’ve dubbed USA F-ReDux. I’ll have a lot more to say about it, but I want to make two minor points about things that got taken out of Leahy’s bill from last year.

Section 215 Minimization


First, last year’s bill had minimization procedures tied to bulky Section 215 collection, effectively requiring the government to destroy, within a set period, any data that had not been determined to be within two hops of a target.

(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—

(i) a subject of an authorized investigation;

(ii) a foreign power or a suspected agent of a foreign power;

(iii) reasonably likely to have information about the activities of—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation;

(iv) in contact with or known to—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation,

Those minimization procedures resemble what we’ve seen from the minimization procedures FISC imposed on the phone dragnet, which probably means they also resemble what FISC was imposing in other cases. In the previous year (2013), FISC had imposed minimization procedures on almost 80% of all orders.

In other words, the clause basically required the government to do what the FISC was probably already forcing it to do in the majority of orders (which, in any case, permitted the government to keep, indefinitely, the records associated with people two hops out of someone whom the government had a traffic stop suspicion had ties to terror or spying).
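To make concrete what a two-hop retention rule actually keeps, here is an added example (not from the original post, and not any agency’s actual procedure) that models the clause as a graph problem over a small constructed sample of call-detail records: identifiers are nodes, each record is an edge, and a record is retained if either party is within two hops of a seed identifier. The seed name, the sample records, and the function names are all hypothetical.

```python
"""Two-hop retention set over a constructed sample of call-detail records.

Models the minimization rule discussed above: records tied to anyone within
HOPS of a seed identifier are retained, everything else is marked for
destruction. This is an illustrative model, not any agency's procedure.
"""
from collections import defaultdict, deque

HOPS = 2

# Constructed sample CDRs as (caller, callee) pairs. Not real data.
SAMPLE_CDRS = [
    ("seed", "a"),   # seed -> a          (hop 1)
    ("a", "b"),      # a -> b             (hop 2)
    ("b", "c"),      # b -> c             (c is a third hop)
    ("c", "d"),      # c -> d             (unrelated to the chain)
    ("x", "y"),      # x -> y             (disconnected pair)
    ("a", "seed"),   # reverse direction, same edge
]


def build_graph(records):
    """Undirected adjacency map: who has been in contact with whom."""
    adj = defaultdict(set)
    for caller, callee in records:
        adj[caller].add(callee)
        adj[callee].add(caller)
    return adj


def within_hops(adj, seeds, hops=HOPS):
    """Breadth-first search: {identifier: distance} for everyone within
    `hops` contacts of any seed. Seeds are at distance 0."""
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if dist[node] == hops:
            continue                      # do not expand past the hop limit
        for neighbour in adj.get(node, ()):
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    return dist


def partition_records(records, seeds, hops=HOPS):
    """Split records into (retain, destroy) under the hop rule: a record is
    retained if either party is within `hops` of a seed."""
    reach = within_hops(build_graph(records), seeds, hops)
    retain = [r for r in records if r[0] in reach or r[1] in reach]
    destroy = [r for r in records if r not in retain]
    return retain, destroy


def retained_identifiers(retained):
    """Every identifier that appears in a retained record, including the
    far-end parties of second-hop contacts (who are themselves three hops out)."""
    return {party for record in retained for party in record}


if __name__ == "__main__":
    keep, drop = partition_records(SAMPLE_CDRS, ["seed"])
    print("retain:", keep)
    print("destroy:", drop)
    print("identifiers kept:", sorted(retained_identifiers(keep)))
```

Note what the rule keeps: the record (“b”, “c”) survives because “b” is a second-hop contact, so the identifier of “c”, three hops from the seed, is retained as well. That is the mechanism by which a “two hop” retention limit still sweeps in the counterparties of everyone at the edge of the chain.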

Last year, however, the FISC modified fewer than 3% of orders, and at least one of those was probably a phone dragnet one. Perhaps the change means the government finally started complying with the requirement laid out in 2006 that it adopt minimization procedures (the impending Section 215 IG Report likely created an incentive to do that, as following the law on minimization was one of the recommendations Glenn Fine had made in 2008, so Michael Horowitz surely followed up on that recommendation; plus, the generally law-abiding James Baker assumed FBI’s General Counsel role in this period). Perhaps it means the government stopped making bulky collections (though that is unlikely). But for some reason, the number of orders on which the FISC imposed minimization procedures and a report back fell off a cliff.

And now the requirement that the government adopt minimization procedures for bulky collection is gone from the bill.

I might be alarmed by that, but this year’s bill does add a Rule of Construction clarifying that the FISA Court can impose additional minimization procedures on top of what the bill requires the government to adopt for Section 215. So it may be that if the FBI returns to its recidivist ways on minimization procedures, we’ll see the number of modified orders spike again.

PRTT “Privacy Procedures”

I’m more concerned about what happened on the Pen Register side.

Last year, the PRTT section added new “privacy” (not “minimization”) procedures.

IN GENERAL.—The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include privacy protections that apply to the collection, retention, and use of information concerning United States persons.

Compare how squishy those privacy procedures are to the required Section 215 minimization procedures FBI blew off for years.

A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 1801 (e)(1) of this title, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and

Rather than requiring the procedures minimize the retention and dissemination, the bill required only that privacy protections be applied. And there was no requirement limiting dissemination of non-foreign intelligence data.

But at least there were privacy procedures, right? Baby steps?

Last year’s bill had, and this year’s bill retains, a Rule of Construction (like that added to Section 215) that notes nothing limits FISC’s power to impose additional minimization procedures.

(2) RULE OF CONSTRUCTION.—Nothing in this subsection limits the authority of the court established under section 103(a) or of the Attorney General to impose additional privacy or minimization procedures with regard to the installation or use of a pen register or trap and trace device.

Which is all well and good, but FISC’s authority to do so with PRTT has no statutory basis, unlike Section 215. And during both the 2004 initial application for the Internet dragnet and John Bates’ 2010 reauthorization of it, the government made some fairly aggressive claims about FISC’s impotence to do anything but rubber stamp applications. So this Rule of Construction may not have the same weight as that in Section 215.

Which is why I worry that this section was removed from the bill.

(3) COMPLIANCE ASSESSMENT.—At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the privacy procedures required by this subsection by reviewing the circumstances under which information concerning United States persons was collected, retained, or disseminated.

As the documents on the phone dragnet violations showed, unless FISC has and exercises the authority to ensure compliance with minimization procedures, the government will cheat (or, more charitably, not find systematic years-long violations staring them in the face). FISC seemed to recognize this when it imposed compliance reports on its minimization of Section 215 orders in recent years. But it won’t have statutory authority to assess compliance with these already-squishy “privacy procedures.”


If Section 215 Lapsed, Would the Government Finally Accede to ECPA Reform?

Now that the Section 215 Sunset draws nearer, the debate over what reformers should do has shifted away from whether USA Freedom Act is adequate reform to whether it is wise to push for Section 215 to sunset.

That debate, repeatedly, has focused almost entirely on the phone dragnet that Section 215 authorizes. It seems most of the people engaging in this debate or reporting on it are unaware of or uninterested in what the other roughly 175 Section 215 orders authorized last year did (just 5 orders authorized the phone dragnet).

But if Section 215 sunsets in June, those other 175 orders will be affected too (though thus far it looks like FISC is approving fewer 215 orders than they did last year). Yet the government won’t tell us what those 175 orders do.

We know — or suspect — some of what these other orders do. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year (and would have been unaffected and hidden in transparency reporting under USA Freedom Act).

The FBI has previously confirmed that it used Section 215 to collect records of explosives precursors — things like large quantities of acetone, hydrogen peroxide, fertilizer, and (probably now) pressure cookers; given that the Presidential Review Group consulted with ATF on its review of Section 215, it’s likely these are programmatic collection. (If the government told us it was, we might then be able to ask why these materials couldn’t be handled the same way Sudafed is handled, too, which might force the government to tie it more closely to actual threats.) This too would have been unaffected by USAF.

The government also probably uses Section 215 to collect hotel records (which is what it was originally designed for, though not in the bulk it is probably accomplished). This use of Section 215 will likely be reinforced if and when SCOTUS affirms the collection of hotel records in Los Angeles v. Patel.

But the majority of those 175 Section 215 orders, we now know, are for some kind of Internet records that may or may not relate to cyber investigations, depending on whether you think FBI talks out of its arse when trying to keep authorities, but which they almost certainly collect in sufficient bulk that FISC imposed minimization procedures on FBI.

Which brings me to my argument that reauthorizing Section 215 will forestall any ECPA reform.

We know most Section 215 orders are for Internet records because someone reliable — DOJ’s Inspector General in last year’s report on National Security Letters — told us that a collection of Internet companies successfully challenged FBI’s use of NSLs to collect this stuff after DOJ published an opinion on ECPA in 2008.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

That report went on to explain that FBI considered fixing this problem by amending the definition for toll records in Section 2709, but then bagged that plan and just moved all this collection to Section 215, which takes longer.

In the absence of a legislative amendment to Section 2709, [2.5 lines redacted]. [Deputy General Counsel of FBI’s National Security Law Branch] Siegel told us that the process of generating and approving a Section 215 application is similar to the NSL process for the agents and supervisors in the field, but then the applications undergo a review process in NSLB and the Department’s National Security Division, which submits the application to the Foreign Intelligence Surveillance Court (FISA Court). According to Siegel, a request that at one time could be accomplished with an NSL in a matter of hours if necessary, now takes about 30-40 days to accomplish with a standard Section 215 application.

In addition to increasing the time it takes to obtain transactional records, Section 215 requests, unlike NSL requests, require the involvement of FBI Headquarters, NSD, and the FISA Court. Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

The government is, according to the report, going through all sorts of hoop-jumping on these records rather than working with Congress to pass ECPA reform.

Why?

That’s not all the Report told us. Even earlier than that problem, in 2007, the IG identified other uncertainties about what the FBI should be obtaining with an NSL, and FBI actually put together a proposal to Congress. The proposed definition included both financial information and what could be construed as location data in toll records. That bill has never been passed.

But while Internet companies have shown reluctance to let the FBI secretly expand the meaning of toll record, two telecoms have not (a third, which I suspect is Verizon, backed out of closer cooperation on NSLs in 2009, and presumably a fourth, which probably is T-Mobile, was never a part of it).

And here’s what happened to the kinds of records FBI has been obtaining (almost certainly from AT&T) in the interim:


FBI is collecting 7 kinds of things from (probably) AT&T that the Inspector General doesn’t think fits under ECPA.

Now, I’m not sure precisely why ECPA reform has gone nowhere in the last 8 years, but all this redaction suggests one reason is the government doesn’t want to be bound by a traditional definition of toll record, so much so it’s willing to put up with the aggravation of getting Section 215 orders for (what may be the same kind of) information from Internet companies in order to not be bound by limits on its telecom (or at least AT&T) NSLs.

Don’t get me wrong. I’d rather have the Internet stuff be under Section 215 orders, where it will be treated with some kind of minimization (the FBI is still completely ignoring the 2006 language in Section 215 requiring it to adopt minimization procedures for that section, but FISC has stepped into the void and imposed some itself).

But ultimately what’s going on — in addition to the adoption of a dragnet approach for phone records (that might have been deemed a violation of 18 USC 2702-3 if litigated with an adversary) and financial records (that might have been deemed a violation of 12 USC 3401-3422 if litigated with an adversary) — is that the government is also, apparently, far exceeding the common understanding of NSLs without going back to Congress to get them to amend the law (and this goes well beyond communities of interest — two or maybe three hop collection under an NSL — which isn’t entirely redacted in this report).

It may be moot anyway. I actually wonder whether Internet companies will use the immunity of CISA, if and when it passes, to turn whatever they’re turning over without a Section 215 order.

And it’s not like Pat Leahy and Mike Lee have been successful in their efforts to get ECPA reform that protects electronic communications passed. ECPA isn’t happening anyway.

But maybe it might, if Section 215 were to lapse and the government were forced to stop kluging all the programs that have never really been approved by Congress in the first place into Section 215.

What Was the Anthrax Attack Targeting Patrick Leahy Doing in the Iraq NIE?

As Jason Leopold reports, the government recently released a newly declassified version of the 2002 NIE that justified the war with Iraq to Black Vault’s John Greenwald. Leopold has a useful overview of what the report includes. But I’m most appalled by this.

The NIE also restores another previously unknown piece of “intelligence”: a suggestion that Iraq was possibly behind the letters laced with anthrax sent to news organizations and senators Tom Daschle and Patrick Leahy a week after the 9/11 attacks. The attacks killed five people and sickened 17 others.

“We have no intelligence information linking Iraq to the fall 2001 attacks in the United States, but Iraq has the capability to produce spores of Bacillus anthracis — the causative agent of anthrax — similar to the dry spores used in the letters,” the NIE said. “The spores found in the Daschle and Leahy letters are highly purified, probably requiring a high level of skill and expertise in working with bacterial spores. Iraqi scientists could have such expertise,” although samples of a biological agent Iraq was known to have used as an anthrax simulant “were not as pure as the anthrax spores in the letters.”

Perhaps the inset discussing the US-developed anthrax used to attack two Senators and members of the media purports to respond to questions raised by anonymous sources leaking the previous year. But it basically does nothing but suggest the possibility Iraq might have launched the attack, even while providing one after another piece of evidence showing why that was all but impossible.

Moreover, by the time this NIE was completed in October 2002, that deliberate leak had been silent for almost a year.

That the rumor appeared again, secretly, in the Iraq NIE really ought to raise questions about a whole slew of unanswered questions about the anthrax attack: about why Judy Miller got fake anthrax, about why the FBI scoped its investigation to find only lone wolves and therefore not to find any conspirators (and still almost certainly hasn’t found the culprit), about why the first person framed for the attack also happened to be someone who knew of efforts to reverse engineer Iraq’s purported bioweapon labs.

No. No, Iraq wasn’t linked to the anthrax letters in fall 2001. It’s a simple answer. But nevertheless, the question got treated as a serious possibility when the Bush Administration was trying to drum up war against Iraq.

The Unopened Torture Report and Trusting CIA on Other Covert Operations

Yesterday, Pat Leahy issued a Sunshine Week statement criticizing Richard Burr for attempting to reclaim all copies of the Torture Report, but also complaining that State and DOJ haven’t opened their copy of the Torture Report.

I also was appalled to learn that several of the agencies that received the full report in December have not yet opened it.  In a Freedom of Information Act (FOIA) lawsuit seeking release of the full report, Justice Department and State Department officials submitted declarations stating that their copies remain locked away in unopened, sealed envelopes.  I do not know if this was done to attempt to bolster the government’s position in the FOIA lawsuit, or to otherwise avoid Federal records laws.  I certainly hope not.  Regardless of the motivation, it was a mistake and needs to be rectified.

The executive summary of the torture report makes clear that both the State Department and the Justice Department have much to learn from the history of the CIA’s torture program.  Both agencies were misled by the CIA about the program.  Both should consider systemic changes in how they deal with covert actions.  Yet neither agency has bothered to open the final, full version of the report, or apparently even those sections most relevant to them.

Today, Ron Wyden issued a Sunshine Week release linking back to a February 3 letter Eric Holder is still ignoring. The letter — which I wrote about here — addresses 4 things: 1) the unclear limits on the President’s ability to kill Americans outside of war zones, 2) the common commercial service agreement OLC opinion that should be withdrawn, 3) some action the Executive took that Wyden and Russ Feingold wrote Holder and Hillary about in late 2010, and 4) DOJ’s failure to even open the Torture Report. Wyden’s statement lumps all these under “secret law.”

U.S. Senator Ron Wyden, D-Ore., renewed his call for Attorney General Eric Holder to answer crucial questions on everything from when the government believes it has the right to kill an American to secret interpretations of law. The Justice Department has ignored these questions or declined to answer them, in some cases for years.

[snip]

“It is never acceptable to keep the basic interpretations of U.S. law secret from the American people. It doesn’t make our country safer, and erodes the public’s confidence in the government and intelligence agencies in particular,” Wyden said. “While it is appropriate to keep sources, methods and operations secret, the law should never be a mystery. Sunshine Week is the perfect time for the Justice Department to pull back the curtains and let the light in on how our government interprets the law.”

This may be secret law.

But I find it interesting that both Wyden’s letter and Leahy’s statement tie covert operations to the lessons from the Torture Report.

There are many reasons DOJ (and FBI) are probably refusing to open the Torture Report. The most obvious — the one everyone is pointing to — is that by not opening it, these Agencies keep it safe from the snooping FOIAs of the ACLU and Jason Leopold.

But the other reason DOJ and FBI might want to keep this report sealed is what it says about the reliability of the CIA.

The CIA lied repeatedly to DOJ, to FBI, and to FBI Director Jim Comey specifically (when he was Deputy Attorney General). They lied to protect the conduct of what was structured as a covert operation: CIA breaking the law at the behest of the President.

Of course, both DOJ generally and FBI specifically continue to partner with CIA as if nothing has gone on, as if the spooks retain the credibility they had back in 2001, as if they should retain that credibility. (I’m particularly interested in the way FBI participated in the killing of Anwar al-Awlaki, perhaps relying on CIA’s claims there, too, but it goes well beyond that.)

That’s understandable, to a point. If DOJ and the FBI are going to continue pursuing (especially) terrorists with CIA, they need to be able to trust them, to trust they’re not being lied to about, potentially, everything.

Except that ignores the lesson of the Torture Report, which is that CIA will lie about anything to get DOJ to rubber stamp criminal behavior.

No wonder DOJ and FBI aren’t opening that report.

As FBI’s Amerithrax Case Continues to Crumble, Bureau Digs in on North Korea Claims


In ads released even as their claims about North Korea come under scrutiny, FBI tries to make cybersecurity Agents look like Eliot Ness.

Less than 10 days ago, Jim laid out yet more evidence that the FBI’s claimed explanation for the anthrax attack — that USAMRIID researcher Bruce Ivins not only perpetrated the attack, but did so acting alone — was scientifically problematic. So 13 years ago, anonymous sources blamed Iraq for the attack, 12 years ago they blamed Steven Hatfill, and 6 years ago, they started blaming Bruce Ivins. Probably, none of those claims are true.

The FBI still hasn’t solved one of the most alarming terrorist attacks in this country, an attempt to kill two sitting US Senators. Instead, it persists in a claim (versus Ivins) that doesn’t comport with the science, to say nothing of the other circumstantial evidence. FBI only ever sustained that claim by assuming — based on no known evidence — that a Lone Wolf, rather than conspirators, launched the attack.

Even as new evidence undermining the FBI’s obstinate claims about Ivins got released, the FBI has been making equally obstinate claims that North Korea is behind the Sony hack.

And then someone crashed North Korea’s Internet which, given how tiny it is, is the strategic equivalent of launching spitballs at a small group of North Korea’s elite. A truly awesome use of American power!

As I noted on Salon, even as the FBI was leaking its certitude to the big press that North Korea was behind the hack, Kim Zetter was pointing out all the reasons that made no sense.

Now, with a week of holiday cheers under their belts, more of the press is beginning to note all the experts questioning the FBI’s claim. Shane Harris describes the FBI “doubling down” on its original theory.

In spite of mounting evidence that the North Korean regime may not have been wholly responsible for a brazen cyberassault against Sony—and possibly wasn’t involved at all—the FBI is doubling down on its theory that the Hermit Kingdom solely bears the blame.

“We think it’s them,” referring to the North Koreans, an FBI spokesperson told The Daily Beast when asked to respond to reports from private investigators that other culprits were responsible. The latest evidence, from the cyberanalysis firm the Norse Corp., suggests that a group of six individuals, including at least one disgruntled ex-Sony employee, is behind the assault, which has humiliated Sony executives, led to threats of terrorist attacks over the release of a satirical film, and prompted an official response from the White House.

The FBI said in a separate statement to journalists on Monday that “there is no credible information to indicate that any other individual is responsible for this cyberincident.” When asked whether that left open the possibility that other individuals may have assisted North Korea or were involved in the assault on Sony, but not ultimately responsible for the damage that was done, the FBI spokesperson replied, “We’re not making the distinction that you’re making about the responsible party and others being involved.”

Time catalogs the alternatives to FBI’s theories.

And Politico notes that when one cybersecurity company, Norse, shared its analysis, the FBI refused to share its own data, as the company had expected.

The FBI says it is standing by its conclusions, but the security community says the agency has been open and receptive to help from the private sector throughout the Sony investigation.

Norse, one of the world’s leading cyber intelligence firms, has been researching the hack since it was made public just before Thanksgiving.

Norse’s senior vice president of market development said the quickness of the FBI’s conclusion that North Korea was responsible was a red flag.

“When the FBI made the announcement so soon after the initial hack was unveiled, everyone in the [cyber] intelligence community kind of raised their eyebrows at it, because it’s really hard to pin this on anyone within days of the attack,” Kurt Stammberger said in an interview as his company briefed FBI investigators Monday afternoon.

He said the briefing was set up after his company approached the agency with its findings.

Stammberger said after the meeting the FBI was “very open and grateful for our data and assistance” but didn’t share any of its data with Norse, although that was what the company expected.

It’s a bad thing, given how much evidence is out there about this hack, that the FBI won’t let more of its thinking be tested publicly.

Meanwhile, in a remarkable joining of opinion, both Jack Goldsmith and Moon of Alabama note that Obama may have wasted US credibility by so quickly accusing North Korea.

And NYT’s Ombud, Margaret Sullivan, admits that NYT too quickly repeated — and granted anonymity to — FBI’s flimsy claims.

[A]s a reader, Brad Johnson, noted in an email. He wrote: “Did NYT learn its lesson from the Iraq WMD debacle, or is the paper back to bad habits of writing stories from whole cloth based on anonymous White House and intelligence agency officials?”

Now that the matter of who was behind the hack is coming under more scrutiny, including in The Times (though with less prominence), those kinds of questions are even more germane.

One thing is certain: Anonymity continues to be granted to sources far more often than a last-resort basis would suggest.

Though Sullivan’s caution didn’t lead the Editorial Board to show any.

I’m glad people are now showing skepticism, even if it is too late to preserve American credibility (as if we had that anyway after StuxNet).

There’s one more factor that deserves notice here: the role of cybersecurity firms in laundering government propaganda.

One of the most pregnant observations in Zetter’s Countdown to Zero Day comes after Symantec published the first details implicating the US and Israel in the StuxNet attack. The Symantec team expected a bunch of others to jump in and start validating their work. Instead, they were met with almost complete silence. While Zetter didn’t say it explicitly, the implication was that the security industry is driven by its interest in retaining the good will of the US Government. Here, the first security firm to back the North Korea claim was Mandiant, the firm that served as a surrogate for claims against China.

And while in this case there is no lack of experts willing to push back against US claims, I just wonder whether at least some of the initial credulity on the North Korea claims arose because of the dominance of USG contractors among the earliest reports on the hack? While there are some equivalents in the WMD vein, the cyberindustry, in particular, seems particularly prone to serving as a cut-out for both poorly analyzed intelligence and even propaganda.

Ah well. It’s not like anyone is demanding FBI resume its hunt for the terrorist who might have killed two sitting US Senators. Why do I think this will be any different?

5 Democrats Have Called on Obama Not to Reauthorize the Dragnet Tomorrow

Tomorrow is dragnet day, the next 90-day reauthorization for the dragnet.

In advance of that date, Pat Leahy just called on President Obama to simply let the dragnet end.

The President can end the NSA’s dragnet collection of Americans’ phone records once and for all by not seeking reauthorization of this program by the FISA Court, and once again, I urge him to do just that.  Doing so would not be a substitute for comprehensive surveillance reform legislation – but it would be an important first step.

Leahy joins 4 other Democrats who have already called for the President to unilaterally stop the dragnet.

At a hearing last month, Adam Schiff suggested to DIRNSA Mike Rogers that they move forward without waiting for a new law.

“There’s nothing in statute that requires the government to gather bulk data, so you could move forward on your own with making the technological changes,” Schiff said. “You don’t have to wait for the USA Freedom Act.”

There’s no reason for the NSA to wait for congressional approval to put additional limits on the program “if you think this is the correct policy,” Schiff added. “Why continue to gather the bulk metadata if [Obama administration officials] don’t think this is the best approach?”

And back in June, Senators Wyden, Udall, and Heinrich not only made a similar suggestion in a letter to the President, but laid out how Obama could achieve what he says he wants to without waiting for legislation.

But the President is not going to end the dragnet. Heck, for all we know, FISC has already signed the reauthorization.

Mind you, it may be that President Obama can’t start the new-and-improved dragnet without offering providers immunity and compensation. But if Obama can’t simply end the dragnet without offering telecoms and second level contractors broad immunity, then he’s obviously planning on something more exotic than just regular phone contact chaining.

Only Remaining Senator Personally Targeted by Terrorist Attack Still Believes in Constitution

The Senate just voted down cloture on the USA Freedom Act, 58-42. Even while we disagreed on the bill, I extend sincere condolences to civil liberties allies who worked hard to pass this in good faith. I know you all have worked hard in good faith to pass something viable.

Several things about the vote were predictable (in fact, I predicted them in June). Just as one example, I noted to allies that if Jeff Flake — who had a great record on civil liberties while he was still in the House — did not support the effort, it would fail. Four Senators (cosponsors Mike Lee, Ted Cruz, and Dean Heller, plus Lisa Murkowski) voted for cloture; Rand Paul did not. Bill Nelson voted against cloture as well (there are reports he is claiming it was a mistake, but given how closely this bill was whipped that would be … telling).

Equally predictable was the fear-mongering. GOP Senator after GOP Senator got up and insisted if the phone dragnet ended, ISIL would attack the country. None noted, of course, that the phone dragnet had never succeeded in preventing a terrorist attack. Pat Leahy made that point but it’s one opponents of the dragnet need to make in more concerted fashion.

Then there was a piece of news that neither side — supporter or opponent — seemed to want to mention. Dianne Feinstein revealed that at first 2 of 4 providers (presumably the fourth is T-Mobile though it could even be Microsoft, given that Skype is a more important phone carrier for international traffic) had refused to keep phone records, but that they had voluntarily agreed to do so for a full two years (this is at least a 6 month extension for Verizon, though may be significantly longer for cell calls).

The most dramatic part of the debate came after everyone left, when a frustrated Pat Leahy made the case for defending the Constitution. He recalled the anthrax letter addressed to him, on September 18, 2001, that killed a postal worker who processed it (another letter killed a Tom Daschle aide; see Meryl Nass’ correction). “13 years ago this week, a letter was sent to me, addressed to me. It was so deadly, with the anthrax in it that one person who touched the envelope–addressed to me, that I was supposed to open–They died!” Leahy reminded the Senate that the FBI had still not caught all the culprits for the attack. (That he believes that was first reported here in 2008; I believe FBI has, in fact, caught none of the culprits.) That attack targeting him personally, Leahy noted, did not convince him he had to abrogate the Constitution. “This nation should not let our liberties to be set aside by passing fears.” Leahy said. “If we do not protect our Constitution we do not deserve to be in this body.”

Senators like Marco Rubio got up and screamed about terrorists. But unless I’m mistaken, Pat Leahy is the only one remaining in the Senate who was personally targeted by a terrorist.

Maybe we ought to highlight that point?

Updated w/additions from Leahy’s comments.

Fixes for USA Freedom Act

I’m now being accused by USA Freedom Act champions of not providing constructive suggestions on how to improve USAF (even though I have, both via channels they were involved in and channels they are not party to) [oops, try this tweet, which is still active].

Now that people who previously claimed I was making all this up appear to concede that some of my critiques are valid, here goes: my suggestions for how to fix the problems I identified in this post.

Problem: No one will say how the key phone record provision of the bill will work

Fix: Permit the use of correlations — but provide notice to defendants because this is probably unconstitutional warrantless surveillance

There is one application of connection chaining that I find legitimate, and two that are probably unconstitutional. The legitimate application is the burner phone one: to ask providers to use their algorithms (including new profiles of online use) to find the new phones or online accounts that people adopt after dropping previous ones, which is what AT&T offers under Hemisphere. To permit that, you might alter the connection chaining language to say providers can chain on calls and texts made, as well as ask providers to access their own records to find replacement phones. Note, however, that accuracy on this mapping is only about 94% per Hemisphere documents, so it seems there needs to be some kind of check before using those records.

The two other applications — the ones I’m pretty sure are or should be unconstitutional without a warrant — are 1) the use of cloud data, like address books, calendars, and photos, to establish connections, and 2) the use of phone records like Verizon’s supercookie to establish one-to-one correlations between identities across different platforms. I think these are both squarely unconstitutional under the DC Circuit’s Maynard decision, because both are key functions in linking all these metadata profiles together, and language in Riley would support that too. But who knows? I’m not an appellate judge.

To prevent the government from doing this without really independent judicial review — and more generally to ensure Section 215 is not abused going forward — the best fix is to require notice to defendants if any evidence from Section 215 or anything derived from it, including the use of metadata as an index to identify content, is used in a proceeding against them. Given that Section 215’s secret application is now unclassified, they should even get a fairly robust description of how it was used. After all, if this is just third party doctrine stuff, it can’t be all that secret!

Problem: USAF negotiates from a weak position and likely moots potentially significant court gains

Fix (sort of): Provide notice to defendants under Section 215

I’m frankly of the opinion that ACLU’s Alex Abdo kicked DOJ’s ass so thoroughly in the 2nd Circuit, that unless that decision is mooted, it will provide a better halt to dragnets than any legislation could. But I get that that’s a risk, especially with Larry Klayman botching an even better setup in the DC Circuit.

But I do think the one way to make sure we don’t lose the opportunity for a judicial fix to this is to provide notice to defendants of any use or derivative use of Section 215. The government has insisted (most recently in the Reaz Qadir Khan case, but also in the Dzhokhar Tsarnaev and derivative cases, where we know they used the phone dragnet) that it doesn’t have to give such notice. If they get it — with the ability to demonstrate that their prosecution arises out of a warrantless mosaic analysis of their lives which provides the basis for the order providing access to their content — then at least there may be a limited judicial remedy in the future, even if it’s not Abdo fighting for his own organization. FISCR said PAA was legal because of precisely these linking procedures, but if they’re not (or if they require a warrant) then PRISM is not legal either. Defendants must have the ability to argue that in court.

Problem: USAF’s effects in limiting bulk collection are overstated

Fix: Put temporal limits on traditional 215 collection, add flexibility into the emergency provision, but adopt existing emergency provision

USAF prohibits using a communications provider corporate person as a selector, but permits the use of a non-communications corporate person as a selector, meaning it could still get all of Visa’s or Western Union’s records. I understand the government claims it needs to retain the use of corporate person selectors to get things like all the guests at Caesars Palace to see if there are suspected terrorists there. The way to permit this, without at the same time permitting a programmatic dragnet (of, say, all Las Vegas hotels all the time), might be to temporally limit the order — say, limit the use of any non-communications provider order to get a month of records.

But this creates a problem, which is that it currently takes (per the NSL IG Report) 30-40 days to get a Section 215 order. The way to make it possible to get records when you need them, rather than keeping a dragnet, is to permit the use of the emergency provision more broadly. You might permit it to be used with counterintelligence uses as well as the current counterterrorism use (that is, make it available in any case where Section 215 would be available), though you should still limit use of any data collected to the purpose for which it was collected. You might even extend the deadline to submit an application beyond 7 days.

That exacerbates the existing problem with the emergency provision, however, which is that the government gets to keep records even if the court finds they misused the statute. To fix this, I’d advise tying the change to the adoption of the existing language from the emergency provision currently in place on the phone dragnet order, specifically permitting FISC to require records be discarded if the government shouldn’t have obtained them. I’d also add a reporting requirement on how many emergency provisions were used (that one would be included in the public reporting) and, in classified form to the intelligence and judiciary committees, fairly precisely what it had been used for. I’d additionally require FBI to track this data, so it can easily report what has become of it.

Given that the government may have already abused the emergency provisions, this requires close monitoring. So no loosening of the emergency provision should be put into place without the simultaneous controls.

Problem: USAF would eliminate any pushback from providers

Fix: Put “good faith” language back in the law and provide appeal of demand for proprietary requests

I’d do two things to fix the current overly expansive immunity provisions. First, I’d add the language that exists in other immunity provisions requiring good faith compliance with orders, such that providers can’t be immunized for stuff that they recognize is illegal.

I’d also add language giving them an appeal if the government were obtaining proprietary information. While under current law the government should be able to obtain call records, they shouldn’t be able to require providers also share their algorithms about business records, which is (I suspect) where this is going (indeed, the Yahoo documents suggest that’s where it has already gone under PRISM). So make it clear there’s a limit to what is included under third party doctrine, and provide providers with a way to protect their data derived from customer records.

Problem: USAF may have the effect of weakening existing minimization procedures

Fix: Include language permitting FISC approval and review of compliance with traditional 215 minimization procedures and PRTT, adopt emergency provision language currently in place

This should be simple. Just include language letting the court review minimization procedures and review compliance, which is currently what happens and should happen as we get deeper and deeper into mosaic collection (indeed, this might be pitched as a solution to what should be a very urgent constitutional problem for the status quo practice).

Additionally, the bill should integrate the emergency provision currently applicable to the phone dragnet for all Section 215 use, along with reporting on how often and how it is used.

Both of these, importantly, simply codify the current status quo. If the government won’t accept the current status quo, after years of evidence on why it needs this minimal level of oversight from FISC, then that by itself should raise questions about the intelligence community’s intent going forward.

Problem: USAF’s transparency provisions are bullshit

Fix: Require reporting from all providers, give FBI 2 years and a budget to eliminate exemptions, give NSA 2 years to be able to answer all questions

One minimal fix to the transparency provisions is to require reporting not just from all communications providers, but from all providers who have received orders, such that the government would have to report on financial and location dragnets, which are both currently excluded. This would ensure that financial and location dragnets that currently exist and are currently exempted from reporting are included.

As to the other transparency provisions, the biggest problem is that the bill permits both the NSA and FBI to say “omigosh we simply can’t count all this.” I think they’re doing so for different reasons. In my opinion, the NSA is doing so because it is conducting illegal domestic wiretapping, especially to pursue cybersecurity targets. It is doing so because it hasn’t gotten Congress to buy off on using domestic wiretapping to pursue cybertargets. I would impose a 2 year limit on how long ODNI can avoid reporting this number, which should provide plenty of time for Congress to legislate a legal way to pursue cybertargets (along with limits to what kind of cybertargets merit such domestic wiretapping, if any).

I think the FBI is refusing to count its collection because it wants to passively collect huge databases of US persons so it can just look up whether people who come under its radar are suspicious. I believe this is unconstitutional — it’s certainly something the government lied about to the FISCR in order to beat back Yahoo’s challenge, and arguably the government made a similar lie in Amnesty v. Clapper. If I had my way, I’d require FBI to count how many US persons it was collecting on and back door searching yesterday. But if accommodation must be made, FBI, too, should get just 2 years (and significant funding) to be able to 1) tag all its data (as NSA does, so most of it would come tagged), 2) count it and its back door searches, and 3) determine whether incoming data is of interest within a short period of time, rather than sitting on it for 30 years. Ideally, FBI would also get 2 years to do the same things with its NSL data.

Again, I think the better option is just to make NSA and FBI count their data, which will show both are violating the Constitution. Apparently, Congress doesn’t want to make them do that. So make them do that over the next 2 years, giving them time to replace unconstitutional programs.

Problem: Other laudable provisions — like the Advocate — will easily be undercut

Fix: Add exemption in the ex parte language on FISA review for the advocate

In this post, I noted that the provision requiring the advocate have all the material she needs to do her job conflicts with the provision permitting the government to withhold information on classification or privilege grounds. There may be a way to limit this: perhaps by requiring the advocate be given clearance into any compartments for the surveillance under question (though not necessarily the underlying sources and methods used in an affidavit), as well as mandating that originator controlled (ORCON) documents be shared. This might work like a CIPA provision, in that the government must be willing to share something if it wants FISC approval (and with it, the authority to obligate providers).

But since that post, we’ve seen how, in the Yahoo challenge, the government convinced Reggie Walton to apply the ex parte provisions applying to defendants to Yahoo. That precedent would now, in my opinion, apply language on review to any adversary. To fix that, the bill should include conforming language in all the places (such as at 50 USC 1861(c)) that call for ex parte review to make it clear that ex parte review does not apply to an advocate’s review of an order.

I fully expect the IC to find this unacceptable (Clapper has already made it clear he’ll only accept an advocate that is too weak to be effective). But bill reformers should point to the clear language in the President’s speech calling for “a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court.” If the IC refuses to have an advocate that can do the job laid out by statute, they should have to answer to the President, who has called for real advocates (not amici). 

To recap — all this pertains only to the bill on its face, not to the important things the bill is missing, such as a prohibition on back door searches. But these are things that would make USA Freedom Act far better.

I suspect the intelligence community would object to many, if not all of them. But if they do, then it would certainly clarify what their intent really is.

Why I Don’t Support USA Freedom Act

Earlier today, Harry Reid filed for cloture for the USA Freedom Act. So Patrick Leahy’s reform for the phone dragnet will get a vote in the lame duck.

As you may remember, I don’t support USAF. Here’s a summary of why.

No one will say how the key phone record provision of the bill will work

USAF rolls out a new Call Detail Record provision providing for prospective daily collection of selected phone records. While it would replace the phone dragnet — which is a really really important improvement– there are many questions about the provision that James Clapper’s office refused to answer (and refused to respond to a FOIA I filed to find out). Most importantly, no one can explain what “connection chaining” — which clearly permits the chaining on things other than phone calls and texts made — includes. I worry that language will be used to connect on things available through phone cloud storage, like address books, calendars, and photos (which we know the NSA uses overseas). I also strongly believe (though some people I’ve talked to disagree) that Verizon’s supercookie qualifies as a CDR under the bill (it can be collected under other authorities in any case) and therefore will make it easier to access communications records for “correlated” identities accessed via the same phone. Whether this is the intent or not, we know from the Yahoo precedent that there will be significant mission creep within months of passing this bill.

USAF negotiates from a weak position and likely moots potentially significant court gains

Right now, the main PATRIOT authorities at question here — Section 215 and PRTT — are scheduled to sunset in June. They’ll be renewed one way or another. But in April to May, reformers will have more leverage than they do now.

Bill supporters claim civil liberties groups have never gotten concessions from a sunset. That’s plainly wrong, because reformers did on FISA Amendments Act, where (among other things) protection for Americans overseas was won with the wait. Admittedly, given the new Senate, we’d be worse positioned (with the exception of Thad Cochran being potentially better than Barb Mikulski at Appropriations). That said, we would likely be better prepared not to squander our far stronger position in the House, as civil liberties groups did on USAF, so legislatively it might be a wash, though with reformers having more leverage.

More importantly, passing this now may moot court decisions in 3 circuit courts (the 2nd and DC, where phone dragnet challenges have already been heard, and the 9th, where the hearing hasn’t been held yet). While Larry Klayman clearly botched his hearing in DC with a surprisingly receptive panel and a precedent that would make this program glaringly illegal, the 2nd seems otherwise poised to rule the FISC’s redefinition of “relevant to” to mean “everything” illegal, across all programs. In other words, this legislation will probably pre-empt making real change in the courts in the near term. And no one will get standing again on these issues in the near future.

USAF’s effects in limiting bulk collection are overstated

As I said, I believe USAF eliminates the existing phone dragnet by requiring the use of selectors for collection. That’s good!

However, because the bill permits non-communications companies to be used as selectors, it almost certainly won’t end known financial dragnets involving Western Union transfers and purchase records (and as I describe below, those dragnets are also excluded from transparency provisions). I also think the bill will do nothing to limit FBI’s PRTT program (if it still exists — it existed and was sharing data with the NSA at least until 2012); I suspect — this is a wildarseguess — that it is a bulky, not bulk, use of Stingrays to get location, which also would be exempted from reporting. There’s absolutely no reason to believe that the bill would affect other PRTT or NSL programs, because the ones included are all currently bulky, not bulk, programs. So it will eliminate the ability for the government to get every phone record in the US, but it will leave other non-phone dragnets intact and largely hidden by deceptive “transparency” provisions.

USAF would eliminate any pushback from providers

USAF provides providers — and 2nd level contractors — expansive immunity. So long as they are ordered to do something, whether they believe it is legal or not, they cannot be held liable. In addition, the bill compensates providers, which the existing Section 215 cannot do (the government even had to stop compensating telecoms after the first 2 dragnet orders). Finally, the bill requires assistance of providers, whereas the existing law can only collect existing business records (I believe the absence of all three things explains the big gaps in the government’s cell phone coverage). These three provisions are designed, I strongly suspect, to overcome Verizon’s disinterest in being an affirmative spy wing of the government, which is probably the real point of this bill. Possibly, they’re designed to get Verizon — the most important mobile provider — to do the kind of affirmative analysis for the government that AT&T currently does.

USAF may have the effect of weakening existing minimization procedures

In at least 3 areas, I worry that USAF will actually weaken existing minimization procedures. Under both the PRTT and Section 215 authority, the FISC currently imposes minimization procedures. For the former, the bill would put the authority to devise “privacy procedures” in the hands of the Attorney General (though it says it doesn’t change the law; the thing is, FISC minimization procedures aren’t in the law). The bill mandates minimization procedures for bulky collection, but it’s not clear whether those procedures are even as good as what the FISC currently imposes (they’re probably very similar). Most troubling of all, the bill doesn’t provide the FISC authority to require the government to destroy records collected under the emergency provision if found to have been improperly collected, a significant deterioration from the status quo, and one that it appears the FISC may have already needed to use.

USAF’s transparency provisions are bullshit

I don’t mean to be an asshole on this point, but I actually think many of USAF’s “transparency” provisions are counter-productive, because they are very obviously designed to hide the programs that we know exist, but that won’t be affected by USAF’s selection term provisions, because only communications dragnets get counted, sort of; financial dragnets won’t get counted and location dragnets won’t get counted. That will make it very very difficult to organize to eliminate any of the residual bulk programs (because the bill champions will have assured people they don’t exist and they won’t show up in transparency provisions). In addition, they tacitly permit the NSA and FBI to pretend they’re not conducting fairly bulky domestic wiretapping by providing them ways to avoid counting that illegal wiretapping. In addition, the FBI will be permitted to hide how much spying they’re doing on Americans (though for some, not all, provisions, their collection will be reported misleadingly as foreign collection). And the introduction of ranges will hide still more of their spying. See this post for my estimate of how the bill hides millions of Americans affected.

Other laudable provisions — like the Advocate — will easily be undercut

My other big warning about the bill is not meant to disqualify it, but is meant to suggest supporters are vastly overestimating its impact. James Clapper has made it very clear that he intends to ensure the Advocate (or amicus, as Clapper calls it) remains powerless. And the Yahoo documents make it clear that precedent at the FISCR says the ex parte procedures in FISA will be used to prevent the Advocate from reviewing materials she needs to do her job. As I said here, though, that’s not reason to oppose the bill; if PCLOB is any indication, the bill will start us down a 9-year process at the end of which we might have a functioning advocate. But it’s reason to be honest about how leaving ex parte provisions intact in FISA will make this Advocate very weak.

All this is before the things the bill doesn’t even claim to address: back door searches, EO 12333, spying on foreigners.

The bill will get phone records out of the hands of the government. But from that point on, I’m not sure how much of an improvement it is.

Emergency Dragnet Chaining, Now with First Amendment Protections!

Thursday, I Con the Record quietly released the most recent phone dragnet order, BR-125, dated September 11, 2014 (curiously, I Con the Record went back to correct its original release to indicate the order had been reauthorized on 9/11, not 9/12; I think FISC has been setting deadlines such that they are a Friday, but this one was approved on a Thursday).

Congratulations, Raymond Dearie! The government will point to your approval of this order as yet more proof of the soundness of the program.

There is one intriguing new addition to the order (the change shows up in two places). Both footnote 6 and footnote 7 add a requirement to the emergency provision for a First Amendment review. Footnote 7, which is more extensive, reads:

Before an emergency query is performed under this authority, NSA’s Office of General Counsel (OGC), in consultation with the Director or Acting Director shall confirm that any selection term reasonably believed to be used by a United States (U.S.) person is not regarded as associated with [redacted–description of terrorist groups acceptably included in this program] solely on the basis of activities that are protected by the First Amendment of the Constitution.

Such a requirement was not in the emergency procedures as originally proposed by the government nor in the orders issued since. (Update: Though of course, First Amendment review is required by the law; ultimately, the order for NSA to do a First Amendment review is tantamount to a reminder that it has to follow the law even when doing emergency queries.)

While we can’t know whether this got added because NSA used the emergency provisions to chain on someone for their speech, most changes to dragnet orders have historically been a response to some kind of problem.

And whether or not this language arose out of some issue or just intelligent caution, it provides yet another reason why the emergency provision of USA Freedom Act should not be passed as written.

As I have laid out, one of the ways in which Leahy’s emergency provision is notably worse than this emergency provision is that it puts the Attorney General in charge of compliance. It does not — as the current emergency provisions do — give broad authority to the FISC to remedy any collection conducted under the emergency provision that should not have been. As adopted, the current provisions even permit the FISC to order “destroying the results of the emergency query and recalling any reports or other disseminations based on those results.”

Under USA Freedom, if the FISC caught the government using an emergency authorization to identify the communications network of someone who engaged in protected speech, it would not have the explicit authority to demand the Attorney General destroy the records collected as a result. It has that authority right now.

And the latest dragnet order at least raises questions about whether it has already had to exercise that authority.
