PCLOB

1 2 3 5

DEA’s Dragnet and David Headley

In a piece on the DEA dragnet the other day, Julian Sanchez made an important point. The existence of the DEA dragnet — and FBI’s use of it in previous terrorist attacks — destroys what little validity was left of the claim that NSA needed the Section 215 dragnet after 9/11 to close a so-called “gap” they had between a safe house phone in Yemen and plotters in the US (though an international EO 12333 database would have already proven that wrong).

First, the program’s defenders often suggest that had we only had some kind of bulk telephone database, the perpetrators of the 9/11 attacks could have been identified via their calls to a known safehouse in Yemen.  Now, of course, we know that there was such a database—and indeed, a database that had already been employed in other counterterror investigations, including the 1995 Oklahoma City bombing. It does not appear to have helped.

But the DEA dragnet is even more damning for another set of claims, and for another terrorist attack such dragnets failed to prevent: former DEA informant David Headley, one of the key planners of the 2008 Mumbai attack.

Headley provided DEA the phone data they would have needed to track him via their dragnet

As ProPublica extensively reported in 2013, Headley first got involved in Lashkar-e-Taiba while he remained on the DEA’s payroll, at a time when he was targeting Pakistani traffickers. Indeed, after 9/11, his DEA handler called him for information on al Qaeda. All this time, Headley was working phone based sources.

Headley returned to New York and resumed work for the DEA in early 2000. That April, he went undercover in an operation against Pakistani traffickers that resulted in the seizure of a kilo of heroin, according to the senior DEA official.

At the same time, Headley immersed himself in the ideology of Lashkar-i-Taiba. He took trips to Pakistan without permission of the U.S. authorities. And in the winter of 2000, he met Hafiz Saeed, the spiritual leader of Lashkar.

Saeed had built his group into a proxy army of the Pakistani security forces, which cultivated militant groups in the struggle against India. Lashkar was an ally of al Qaeda, but it was not illegal in Pakistan or the United States at the time.

[snip]

Headley later testified that he told his DEA handler about his views about the disputed territory of Kashmir, Lashkar’s main battleground. But the senior DEA official insisted that agents did not know about his travel to Pakistan or notice his radicalization.

On Sept. 6, 2001, Headley signed up to work another year as a DEA informant, according to the senior DEA official.

On Sept. 12, Headley’s DEA handler called him.

Agents were canvassing sources for information on the al Qaeda attacks of the day before. Headley angrily said he was an American and would have told the agent if he knew anything, according to the senior DEA official.

Headley began collecting counterterror intelligence, according to his testimony and the senior DEA official. He worked sources in Pakistan by phone, getting numbers for drug traffickers and Islamic extremists, according to his testimony and U.S. officials.

Even at this early stage, the FBI had a warning about Headley, via his then girlfriend who warned a bartender Headley had cheered the 9/11 attack; the bartender passed on the tip. And Headley was providing the DEA — which already had a dragnet in place — phone data on his contacts, including Islamic extremists, in Pakistan.

ProPublica’s sources provide good reason to believe DEA, possibly with the FBI, sent Headley to Pakistan even after that tip, and remained an informant until at least 2005.

So the DEA (or whatever agency had sent him) not only should have been able to track Headley and those he was talking to using their dragnet, but they were using him to get phone contacts they could track (and my understanding is that agreeing to be an informant amounts to consent to have your calls monitored, though see this post on the possible “defeat” of informant identifiers).

Did Headley’s knowledge of DEA’s phone tracking help the Mumbai plotters avoid detection?

Maybe. And/or maybe Headley taught his co-conspirators how to avoid detection.

Of course, Headley could have just protected some of the most interesting phone contacts of his associates (but again, DEA should have tracked who he was talking to if they were using him to collect telephony intelligence).

More importantly, he may have alerted Laskar-e-Taiba to phone-based surveillance.

In a December joint article with the NYT, ProPublica provided details on how one of Headley’s co-conspirators, Zarrar Shah, set up a New Jersey-based VOIP service so it would appear that their calls were originating in New Jersey.

Not long after the British gained access to his communications, Mr. Shah contacted a New Jersey company, posing online as an Indian reseller of telephone services named Kharak Singh, purporting to be based in Mumbai. His Indian persona started haggling over the price of a voice-over-Internet phone service — also known as VoIP — that had been chosen because it would make calls between Pakistan and the terrorists in Mumbai appear as if they were originating in Austria and New Jersey.

“its not first time in my life i am perchasing in this VOIP business,” Mr. Shah wrote in shaky English, to an official with the New Jersey-based company when he thought the asking price was too high, the GCHQ documents show. “i am using these services from 2 years.”

Mr. Shah had begun researching the VoIP systems, online security, and ways to hide his communications as early as mid-September, according to the documents.

[snip]

Eventually Mr. Shah did set up the VoIP service through the New Jersey company, ensuring that many of his calls to the terrorists would bear the area code 201, concealing their actual origin.

We have reason to believe that VOIP is one of the gaps in all domestic-international dragnets that agencies are just now beginning to close. And by proxying through the US, those calls would have been treated as US person calls (though given the clear foreign intelligence purpose, they would have met any retention guidelines, though may have been partly blocked in CIA’s dragnet). While there’s no reason to believe that Headley knew that, he likely knew what kind of phone records his handlers had been most interested in.

But it shouldn’t have mattered. As the article makes clear, GCHQ not only collected the VOIP communications, but Shah’s communications as he set them up.

Did FBI claim it tracked Headley using the NSA dragnet when it had actually used the DEA one?

I’ve been arguing for years that if dragnet champions want to claim they work, they need to explain why they point to Headley as a success story because they prevented his planned attack on a Danish newspaper, when they failed to prevent the even more complex Mumbai attack. Nevertheless, they did claim it — or at least strongly suggest it — as a success, as in FBI Acting Assistant Director Robert Holley’s sworn declaration in Klayman v. Obama.

In October 2009, David Coleman Headley, a Chicago businessman and dual U.S. and Pakistani citizen, was arrested by the FBI as he tried to depart from Chicago O’Hare airport on a trip to Pakistan. At the time of his arrest, Headley and his colleagues, at the behest of al-Qa’ida, were plotting to attack the Danish newspaper that published cartoons depicting the Prophet Mohammed. Headley was later charged with support for terrorism based on his involvement in the planning and reconnaissance for the 2008 hotel attack in Mumbai. Collection against foreign terrorists and telephony metadata analysis were utilized in tandem with FBI law enforcement authorities to establish Headley’s foreign ties and put them in context with his U.S. based planning efforts.

That said, note how Holley doesn’t specifically invoke Section 215 (or, for that matter, Section 702, which the FBI had earlier claimed they used against Headley)?

Now compare that to what the Privacy and Civil Liberties Oversight Board said about the use of Section 215 against Headley.

In October 2009, Chicago resident David Coleman Headley was arrested and charged for his role in plotting to attack the Danish newspaper that published inflammatory cartoons of the Prophet Mohammed. He was later charged with helping orchestrate the 2008 Mumbai hotel attack, in collaboration with the Pakistan-based militant group Lashkar-e-Taiba. He pled guilty and began cooperating with authorities.

Headley, who had previously served as an informant for the Drug Enforcement Agency, was identified by law enforcement as involved in terrorism through means that did not involve Section 215. Further investigation, also not involving Section 215, provided insight into the activities of his overseas associates. In addition, Section 215 records were queried by the NSA, which passed on telephone numbers to the FBI as leads. Those numbers, however, only corroborated data about telephone calls that the FBI obtained independently through other authorities.

Thus, we are aware of no indication that bulk collection of telephone records through Section 215 made any significant contribution to the David Coleman Headley investigation.

First, by invoking Headley’s role as an informant, PCLOB found reason to focus on DEA right before they repeatedly point to other authorities: Headley was IDed by “law enforcement” via means that did not involve 215, his collaborators were identified via means that did not involve 215, and when they finally did query 215, they only “corroborated data about telephone calls that the FBI had obtained independently through other authorities.”

While PCLOB doesn’t say any of these other authorities are DEA’s dragnet, all of them could be (though some of them could also be NSA’s EO 12333 dragnet, or whatever dragnet CIA runs, or GCHQ collection, or Section 702, or — some of them — FBI NSL-based collection, or tips). What does seem even more clear now than when PCLOB released this is that NSA was trying to claim credit for someone else’s dragnet, so much so that even the FBI itself was hedging claims when making sworn declarations.

Of course, whatever dragnet it was that identified Headley’s role in Laskar-e-Taiba, even the DEA’s own dragnet failed to identify him in the planning stage for the larger of the attacks.

If the DEA’s own dragnet can’t find its own informant plotting with people he’s identified in intelligence reports, how successful is any dragnet going to be?

 

PCLOB’s New Work: Examining “Activities” Taking Place in the Loopholes of EO 12333

On Wednesday, the Privacy and Civil Liberties Oversight Board met to approve its next project. They are just about completing a general overview of the Intelligence Community’s use of EO 12333 (as part of which they’ve been nagging agencies, notably DEA and Treasury, to comply with requirements imposed by Ronald Reagan). Next, they will move onto a deep dive of two programs conducted under EO 12333, one each for NSA and CIA. PCLOB has now posted materials from Wednesday’s meeting, though this overview is also useful.

Keeping in mind that PCLOB already has a pretty good sense of what the agencies are doing, consider this description of its deep dive into activities of NSA and CIA.

During the next stage of its inquiry, the Board will select two counterterrorism-related activities governed by E.O. 12333, and will then conduct focused, in-depth examinations of those activities. The Board plans to concentrate on activities of the CIA and NSA, and to select activities that involve one or more of the following: (1) bulk collection involving a significant chance of acquiring U.S. person information; (2) use of incidentally collected U.S. person information; (3) targeting of U.S. persons; and (4) collection that occurs within the United States or from U.S. companies. Both reviews will involve assessing how the need for the activity in question is balanced with the need to protect privacy and civil liberties. The reviews will result in written reports and, if appropriate, recommendations for the enhancement of civil liberties and privacy.

Some of this is unsurprising. If PCLOB were to conduct a review of SPCMA, it would be assessing NSA’s analysis of incidentally collected US person data collected in great volume as a result of collecting in bulk. Indeed, conducting such a review would get to a lot of the issues raised by John Napier Tye in PCLOB testimony.

But I’m more interested in bullets 3 and 4.

Bullet 3 suggests that CIA and/or NSA are targeting US persons under EO 12333.

There are certainly ways that’s permissible. For example, EO 12333 permits agencies to conduct physical surveillance of their employees.

(1) Physical surveillance of present or former employees, present or former intelligence element contractors or their present or former employees, or applicants for any such employment or contracting; and

(2) Physical surveillance of a military person employed by a non-intelligence element of a military service;

And it permits physical surveillance overseas if significant information can’t reasonably acquired by other means.

Physical surveillance of a United States person abroad to collect foreign intelligence, except to obtain significant information that cannot reasonably be acquired by other means.

You’d think this would bump up against the FISA Amendments Act very quickly, but remember that this EO was updated in the days after FAA was completed, so everything in it likely accounts for FAA.

On that note, this useful post from Jonathan Mayer (click through for the handy graphic) describes how NSA’s classified EO 12333 permits the Attorney General to authorize the surveillance of US persons or entities for limited periods of time.

A third area of Executive Order 12333, on American soil, is the “Classified Annex Authority” or “CAA.” Its source is a classified addition to Executive Order 12333, set out in an NSA policy document.13 The most recent revision, from 2009, reads:

Communications of or concerning a United States person14 may be intercepted intentionally or selected deliberately . . .

with specific prior approval by the Attorney General based on a finding by the Attorney General that there is probable cause to believe the United States person is an agent of a foreign power and that the purpose of the interception or selection is to collect significant foreign intelligence. Such approvals shall be limited to a period of time not to exceed ninety days for individuals and one year for entities.

That provision appears to allow the Attorney General to unilaterally trump FISA. I’m notentirely confident that’s what it means, but it sure looks like it.15

I’m skeptical that the executive branch can just brush aside FISA, especially on American soil. In Justice Jackson’s famous phrasing, when the executive branch acts in clear violation of a legislative enactment, its “power is at its lowest ebb.” Nevertheless, the executive branch does appear to claim that Article II can override FISA, and it does appear to have invoked this Classified Annex Authority on occasion.16

Finally, remember that CIA has conducted investigations targeting Senate Intelligence Committee staffers, which suggests it interprets its ability to conduct counterintelligence investigations unbelievably broadly.

Then there’s bullet 4, which suggests CIA and/or NSA are collecting “within the United States or from U.S. companies.”

With regards collection “within the US,” Mayer’s post is helpful here too, pointing to loopholes for wireless and satellite communication.

The law that results is quite counterintuitive. If a communication is carried by radio waves, and it’s one-end foreign, it falls under Executive Order 12333. If that same communication were carried by a wire, though, it would fall under FISA. (Specifically, the Section 702 upstream program.)

As for how this Executive Order 12333 authority might be used beyond satellite surveillance, I could only speculate. Perhaps intercepting cellphone calls to or from foreign embassies?12 Or along the national borders? At any rate, the FISA-free domestic wireless authority appears to be even broader than the Transit Authority.

As far as collection outside the US, this may simply be a reference to providers voluntarily providing data under 18 U.S.C. § 2511(2)(f), as we know at least some of the telecoms do.

But we also know NSA and its partner GCHQ have stolen unencrypted US company data overseas. And while the theft off Google’s fiber has, hopefully, been stopped, there’s still quite a lot of ways NSA can steal this data.

In any case, the terms of PCLOB’s investigation sure seem to suggest that CIA and/or NSA are exploiting the holes in EO 12333 in significant enough ways to raise concerns for PCLOB.

Have the Banks Escaped Criminal Prosecution because They’re Spying Surrogates?

I’m preparing to do a series of posts on CISA, the bill passed out of SSCI this week that, unlike most of the previous attempts to use cybersecurity to justify domestic spying, may well succeed (I’ve been using OTI’s redline version which shows how SSCI simply renamed things to be able to claim they’re addressing privacy concerns).

But — particularly given Richard Burr’s office’s assurances this bill is great because “business groups like the Financial Services Roundtable and the National Cable & Telecommunications Association have already expressed their support for the bill” — I wanted to raise a question I’ve been pondering.

To what extent have banks won themselves immunity by serving as intelligence partners for the federal government?

I ask for two reasons.

First, when asked why she, along with Main Justice’s Lanny Breuer, authorized the sweetheart deal for recidivist transnational crime organization HSBC, Attorney General nominee Loretta Lynch implied that there was insufficient admissible evidence to try any individuals associated with this recidivism.

I and the dedicated career prosecutors handling the investigation carefully considered whether there was sufficient admissible evidence to prosecute an individual and whether such a prosecution otherwise would have been consistent with the principles of federal prosecution contained in the United States Attorney’s Manual.

That’s surprising given that Carl Levin managed to come up with 300-some pages of evidence. Obviously, there are several explanations for this response: she’s lying, the evidence is inadmissible because HSBC provided it willingly thereby making it unusable for prosecution, or the evidence was collected in ways that makes it inadmissible.

It’s the last one I’ve been thinking about: is it remotely conceivable that all the abundant evidence against banksters their regulators have used to obtain serial handslaps is for some reason inadmissible in a criminal proceeding?

I started thinking about that as a real possibility when PCLOB revealed that Treasury’s Office of Intelligence and Analysis has never once — not in the 30-plus years since Ronnie Reagan told them they had to — come up with minimization procedures to protect US person privacy with data collected under EO 12333. Maybe that didn’t matter so much in 1981, but since 2004, Treasury has had an ever-increasing role in using intelligence (collected from where?) to impose judgments against people with almost no due process. And those judgements are, in turn, used to impose other judgments on Americans with almost no due process.

The thing is, you’d think banks might care that Treasury wasn’t complying with Executive Branch requirements on privacy protection. Not only because they care (ha!) about their customers, whether American or not, but because many of them are, themselves, US persons. US bank US person status should limit how much Treasury diddles with bank-related intelligence, but Treasury doesn’t appear bound by that.

Which leads me to suspect, at least, that there’s something in it for the banks, something that more than makes up for the serial handslaps for sanctions violations.

And one possibility is that because of the way this data is collected and shared, it can’t be used in a trial. Voila! Bank immunity.

All that’s just a wildarsed guess.

But one made all the more pressing given that Treasury is among the Appropriate Federal Entities that will be default intelligence recipients for cyber information under CISA.

(3) APPROPRIATE FEDERAL ENTITIES.—

The term ‘‘appropriate Federal entities’’ means the following:

(A) The Department of Commerce.

(B) The Department of Defense.

(C) The Department of Energy.

(D) The Department of Homeland Security.

(E) The Department of Justice.

(F) The Department of the Treasury.

(G) The Office of the Director of National Intelligence.

To some degree, this is not in the least bit surprising. After all, financial regulators have increasingly made cybersecurity a key regulatory concern of late, so it makes sense for Treasury to be in the loop.

But banksters rarely — never! — add regulatory exposure for themselves without a fight and, as Burr’s office has made clear, the banks love this bill.

One more datapoint, back to HSBC. As I noted when Lanny Breuer and Loretta Lynch announced that handslap, Breuer neglected to mention that HSBC was getting a handslap not just for helping cartels profit off drugs, but also helping terrorists fund their activities (at the time Pete Seda was being held without bail on charges the government insisted amounted to material support for terrorists for handing a check to Chechens using cash that had come indirectly from HSBC). The actual settlement, however, made mention of it by explaining that HSBC had “assisted the Government in investigations of certain individuals suspected of money laundering and terrorist financing.” By dint of that cooperation, in other words, HSBC went from being a material supporter of terrorism to being a deputy financial cop. And Breuer expanded that notion of banks serving as deputized financial cops thereafter.

Are the methods and terms by which we’re collecting all this financial intelligence to use against some bad guys precisely what prevents us from holding the even bigger bad guys — the ones affecting far more of us directly, in the form of the houses we own, the towns we live in, the opportunity costs paid to financial crime — accountable?

And will this system now be replicated under CISA (or has it, already) as banks turn into cyber crime deputized cops?

If FISC Consults Technical Experts and Nobody Sees It, Does It Really Happen?

Back in January, PCLOB released a progress report on the reports it released, describing whether the government has taken up its recommendations. There’s a detail in it I’ve been meaning to call attention to:

Recommendation 5: Take Full Advantage of Existing Opportunities for Outside Legal and Technical Input in FISC Matters

[snip]

The FISC should take full advantage of existing authorities to obtain technical assistance and expand opportunities for legal input from outside parties.

[snip]

Discussion of Status: As noted in the Board’s report, prior to the issuance of the Board’s recommendation the FISC had on one occasion accepted an amicus brief from an outside party (relating to the legality of a publicly known FISA surveillance program), and the PCLOB is aware of specific instances in classified matters in which the FISC has since taken action consistent with this recommendation.

It was always clear (as the amicus permitted under In re Sealed Case showed) that FISC could ask for help. Apparently, having been called out for never seeking out opinions outside of the government (which repeatedly got caught being less than forthcoming), FISC has now sought help.

It might be additional legal views. It might be technical help. Who knows?

If I had to wildarseguess, I’d imagine FISC has considered what to do about location tracking programs in light of various circuit decisions over the last year. If that’s right (and it just a wildarseguess), it might be technical assistance.

But given the kind of people — like Michael Hayden — pitched as technical experts in DC, what good does that do? Unless the community can vet the technical expertise the FISC calls on for help, it doesn’t add to the Court’ legitimacy. Nor does it help FISC ensure it’s really getting what it needs when it seeks outside advice.

34 Years Later, Treasury Is Still Operating without Procedures to Protect Americans under EO 12333

With almost no explanation, PCLOB just released this table ODNI compiled showing the status of procedures Agencies follow to protect US person information when using data obtained under EO 12333. This is something PCLOB has been pushing for since August 2013, when it sent a letter to Attorney General Holder pointing out that some agencies weren’t in compliance with the EO.

As you know, Executive Order 12333 establishes the overall framework for the conduct of intelligence activities by U.S. intelligence agencies. Under section 2.3 of the Executive Order, intelligence agencies can only collect, retain, and disseminate information about U.S. persons if the information fits within one of the enumerated categories under the Order and if it is permitted under that agency’s implementing guidelines approved by the Attorney General after consultation with the Director of National Intelligence.

The Privacy and Civil Liberties Oversight Board has learned that key procedures that form the guidelines to protect “information concerning United States person” have not comprehensively been updated, in some cases in almost three decades, despite dramatic changes in information use and technology.

So I assume the release of this table is designed to pressure the agencies that have been stalling this process.

The immediate takeaway from this table is that, 34 years after Ronald Reagan ordered agencies to have such procedures in Executive Order 12333 and 18 months after PCLOB pushed for agencies to follow the EO, several intelligence agencies still don’t have Attorney General approved procedures. Those agencies and the interim procedures they’re using are:

The Department of Homeland Security’s notoriously shoddy Office of Intelligence and Analysis: Pending issuance of final procedures, I&A is operating pursuant to Interim Intelligence Oversight Procedures, issued jointly by the Under Secretary for Intelligence and Analysis and the Associate General Counsel for Intelligence (April 3, 2008).

United States Coast Guard (USCG)- Intelligence and counterintelligence elements: Pending issuance of final procedures, operating pursuant to Commandant Instruction – COMDINST 3820.12, Coast Guard Intelligence Activities (August 28, 2003).

Department of Treasury Office of Intelligence and Analysis (OIA): Pending issuance of final procedures. While draft guidelines are being reviewed in the interagency approval process, the Office of Intelligence and Analysis conducts intelligence operations pursuant to EO 12333 and statutory responsibilities of the IC element, as advised by supporting legal counsel.

Drug Enforcement Administration, Office of National Security Intelligence (ONSI): Pending issuance of final procedures, operates pursuant to guidance of the Office of Chief Counsel, other guidance, and: Attorney General approved “Guidelines for Disclosure of Grand Jury and Electronic, Wire, and Oral Interception Information Identifying United States Persons” (September 23, 2002); Attorney General approved “Guidelines Regarding Disclosure to the Director of Central Intelligence and Homeland Security Officials of Foreign Intelligence Acquired in the Course of a Criminal Investigation” (September 23, 2002).

I’m not surprised about DHS I&A because — as I noted — most people who track it know that it has never managed to do what it claims it should be doing. And I’m not all that worried about the Coast Guard; how much US person spying are they really doing, after all?

One should always worry about the DEA, and the fact that DEA has only had procedures affecting some of its use of EO 12333 intelligence is par for the course. I mean, limits on what it can share with CIA, but no guidelines on what it can share with FBI? And no guidelines on what it has dragnet collected overseas, where it is very active?

But I’m most troubled by Treasury OIA. In part, that’s because it doesn’t have anything in place — it has just been operating on EO 12333, apparently, in spite of EO 12333’s clear requirement that agencies have more detailed procedures in place. But Treasury’s failure to develop and follow procedures to protect US persons is especially troubling given the more central role OIA has — which expanded in 2004 — in researching and designating terrorists, weapons proliferators, and drug kingpins.

OIA makes intelligence actionable by supporting designations of terrorists, weapons proliferators, and drug traffickers and by providing information to support Treasury’s outreach to foreign partners. OIA also serves as a unique and valuable source of information to the Intelligence Community (IC), providing economic analysis, intelligence analysis, and Treasury intelligence information reports to support the IC’s needs.

As it is, such designations and the criminalization of US person actions that might violation sanctions imposed pursuant to such designations are a black box largely devoid of due process (unless you’re a rich Saudi business man). But Treasury’s failure to establish procedures to protect US persons is especially troubling given how central these three topics — terrorists, weapons proliferation, and drugs — are in the intelligence communities overseas collection. This is where bulk collection happens. And yet any US persons suck up in the process and shared with Treasury have only ill-defined protections?

Treasury’s role in spying on Americans may be little understood. But it is significant. And apparently they’ve been doing that spying without the required internal controls.

 

The NSA’s Funny Numbers, Again

Back when the WaPo published a quarterly NSA compliance audit from 2012, I caught the largest math organization in the world failing basic arithmetic. I’ve been comparing that report with the Intelligence Oversight Board report covering the same period, and I’m finding the numbers might, once again, not add up (though it’s hard to tell given the redactions).

According to NSA’s internal numbers, the organization had 865 violations in the first quarter of calendar year 2012 (670 EO 12333 violations and 195 FISA violations). Yet NSA described just 163 violations in depth (75 EO 12333 violations and 88 FISA violations, though further violations are likely hidden behind redactions in bulk descriptions).

Here’s how the numbers compare, broken down by category (I used the categories used in the IOB Report heading, unless the violation was clearly a roamer or a US Person).

Screen Shot 2015-01-05 at 5.12.52 PM

Whereas some numbers are very close — such as for the illegal targeting of a US Person — there were other things, such as sharing a US person’s data or some fairly troubling unauthorized access violations not explicitly mentioned in the internal audit. Nor are unauthorized targeting and access mentioned as such.

And then there are all the “roamer” incidences, which apparently don’t all get reported to IOB (though you can definitely see an increase in them over the years), and which often look a lot less accidental when explained in the IOB report.

Then there are the rather measured descriptions the NSA gives IOB (which we’ve seen in other areas, as with the Internet dragnet, and which might be worst with the upstream violations).

Here’s what the NSA reported internally:

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

Here’s what NSA told the IOB about this violation:

[redacted] NSA determined that a technical service contained BR call detail records older than the approved five years. Approximately [redacted] records comprising approximately [fairly big redaction] records were retained for more than five years. The records were found on an access-controlled server that is used exclusively  by technical personnel and is not accessible to intelligence analysts. [2 lines redacted]

Here’s what PCLOB had to say about this violation:

In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit. The technical server in question was not available to intelligence analysts.

While it appears NSA managed to give IOB (completely redacted) numbers for the files involved, it appears PCLOB never got a clear count of how many were involved. It’s not clear that NSA ever admitted this data may have gotten mixed in with Stellar Wind data. No one seems to care that this was a double violation, because techs are supposed to destroy data when they’re done with it.

Though, if you ask me, you should wait to figure out why so many records were lying around a tech server before you destroy them all. But I’m kind of touchy that way.

One thing I realize is consistent between the internal audit and the IOB report. The NSA, probably the owner of the most powerful computing power in the world, consistently uses the term “glitch” to describe software that doesn’t do what it is designed to to keep people out of data they’re not supposed to have access to.

The glitches are letting us down.

 

DOJ Changed Its FISA Disclosure Policy on January 10, 2008

While wandering through FBI’s Domestic Investigations and Operations Guide today, I realized that on January 10, 2008, DOJ changed its FISA use policy (at PDF 104) . In a memo announcing the new policy, Ken Wainstein explained that “this revised policy includes significant changes from current practice that will streamline the process for using FISA information in certain basic investigative processes, while still ensuring that important intelligence and law enforcement interests are protected.”

It then lists 4 (entirely redacted) investigative processes for which FISA information could be used.

While I’m sure this letter has been reported in the past, it has far greater significance given several newly disclosed facts.

First, just days earlier, Attorney General Michael Mukasey reversed existing policy by permitting NSA to contact chain on US person data in EO 12333-collected information. That decision would make it far easier to identify existing communications implicating Americans.

Even more importantly, this move took place just weeks before the government revamped the PRISM program, such that FBI had a much more central role in the process and obtained selected PRISM material directly. In effect, Mukasey made it easier to use FISA information just weeks before FBI started getting a lot more of it, and getting it directly.

This change adds to the already significant evidence that the FBI started back door searches on PRISM information with that change in January 2008.

It’s interesting, too, that FBI had already decided to make these changes before Colleen Kollar-Kotelly ruled the initial Protect America Act certifications met the statute on January 15, 2008. There’s growing evidence that DOJ long planned to involve FBI more centrally, but waited on her decision (and the day the PAA was originally scheduled to expire) to roll out the change formally.

One more critical detail: The letter indicated that the new policy would be tied to a new interpretation of information “derived from” FISA.

The revised policy requires that it be reviewed one year from its effective date and requires NSD to issue guidance on what constitutes information “derived from” FISA collections by March 31, 2008.

Note that that initial annual review date would mean Bush’s DOJ would conduct such a review in the last days before Obama came in.

In any case, the redacted parts of this letter are probably, arguably, unclassified and FOIAble at this point, since PCLOB has revealed that FBI uses its back door searches for assessments.

Clapper’s Claim that FBI Cannot Count Back Door Searches for Technical Reasons Probably Bullshit

I wanted to explain why I think it’s such a big deal that James Clapper specifically highlighted the carve out for transparency reporting on FBI’s back door searches in Leahy’s version of Freedom Act’s in his letter supporting the bill.

As I described, the bill requires reporting on back door searches, but then exempts the FBI from that reporting.

But that’s not the part of the bill that disturbs me the most. It’s this language:

‘(3) FEDERAL BUREAU OF INVESTIGATION.—

Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

The language refers, in part,  to requirements that the government report to Congress:

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

These are back door searches on US person identifiers of Section 702 collected data — both content (iv) and metadata (v).

In other words, after having required the government to report how many back door searches of US person data it conducts, the bill then exempts the FBI.

In his letter, Clapper says,

[W]e are comfortable with the transparency provisions in this bill because, among other things, they recognize the technical limitations on our ability to report certain types of information.

FBI back door searches are the most obvious limit on transparency guidelines, and FBI told PCLOB they couldn’t count them for technical reasons.

So effectively, Clapper is suggesting that Congress has recognized that FBI is incapable — for technical reasons — of counting how often it conducts back door searches.

That technical claim is almost certainly bullshit.

As a reminder, here’s what the government told PCLOB about FBI’s back door searches.

Because they are not identified as such in FBI systems, the FBI does not track the number of queries using U.S. person identifiers. The number of such queries, however, is substantial for two reasons.

First, the FBI stores electronic data obtained from traditional FISA electronic surveillance and physical searches, which often target U.S. persons, in the same repositories as the FBI stores Section 702–acquired data, which cannot be acquired through the intentional targeting of U.S. persons. As such, FBI agents and analysts who query data using the identifiers of their U.S. person traditional FISA targets will also simultaneously query Section 702–acquired data.

Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts. In the case of an assessment, an assessment may be initiated “to detect, obtain information about, or prevent or protect against federal crimes or threats to the national security or to collect foreign intelligence information.”254 If the agent or analyst conducting these queries has had the training required for access to unminimized Section 702–acquired data, any results from the Section 702 data would be returned in these queries. If an agent or analyst does not have access to unminimized Section 702–acquired data — typically because this agent or analyst is assigned to non-national security criminal matters only — the agent or analyst would not be able to view the unminimized data, but would be notified that data responsive to the query exists and could request that an agent or analyst with the proper training and access to review the unminimized Section 702–acquired data.

Continue reading

Did Anthony Coppolino Fib about NSA’s New Architecture?

On Tuesday, EFF told the tale of yet another government freak-out over purportedly classified information. The DOJ lawyer litigating their multiple dragnet challenges, Anthony Coppolino, accidentally uttered classified information in a hearing in June. So the government tried to take the classified information out of the transcript without admitting they did so. After Judge Jeffrey White let EFF have a say about all this, the government ultimately decided the information wasn’t classified after all. So the Court finally released the transcript.

My wildarseguess is that this is the passage in question:

Judge Bates never ultimately held that the acquisition violated the Constitution. The problem in that case was the minimization procedures were not sufficient to protect the Fourth Amendment interests of the people of the United States.

And so he ordered that they be changed, and they were changed. And he approved them. And in addition, in the process of not only approving the minimization procedures, NSA implemented new system architecture that did a better job at assuring that those communications were minimized and ultimately destroyed, which is the goal here. It’s part of the statutory framework not to collect on U.S. citizens and when you’ve incidentally done it, destroy it. [my emphasis]

According to the John Bates opinions relating to this incident, the NSA implemented a new system of ingesting this data, marking it, checking it before it gets moved into the general repository of data, and purging it if it includes entirely domestic commuincations. But does that count as new architecture? I’m not sure.

Meanwhile, the NSA has been upgrading their architecture. We learned that (among other places) in the most recent Theresa Shea declaration on NSA systems in EFF’s Jewel case. It doesn’t mention new architecture pertaining to  upstream  702, though she does discuss a more general architecture upgrade and how it affects Section 215 specifically.

Then there’s this language, addressing the NSA’s inability to filter US person data reliably, from PCLOB.

The NSA’s acquisition of MCTs is a function of the collection devices it has designed. Based on government representations, the FISC has stated that the “NSA’s upstream Internet collection devices are generally incapable of distinguishing between transactions containing only a single discrete communication to, from, or about a tasked selector and transactions containing multiple discrete communications, not all of which are to, from, or about a tasked selector.”155 While some distinction between SCTs and MCTs can be made with respect to some communications in conducting acquisition, the government has not been able to design a filter that would acquire only the single discrete communications within transactions that contain a Section 702 selector. This is due to the constant changes in the protocols used by Internet service providers and the services provided.156 If time were frozen and the NSA built the perfect filter to acquire only single, discrete communications, that filter would be out-of-date as soon as time was restarted and a protocol changed, a new service or function was offered, or a user changed his or her settings to interact with the Internet in a different way. Conducting upstream Internet acquisition will therefore continue to result in the acquisition of some communications that are unrelated to the intended targets.

The fact that the NSA acquires Internet communications through the acquisition of Internet transactions, be they SCTs or MCTs, has implications for the technical measures, such as IP filters, that the NSA employs to prevent the intentional acquisition of wholly domestic communications. With respect to SCTs, wholly domestic communications that are routed via a foreign server for any reason are susceptible to Section 702 acquisition if the SCT contains a Section 702 tasked selector.157 With respect to MCTs, wholly domestic communications also may be embedded within Internet transactions that also contain foreign communications with a Section 702 target. The NSA’s technical means for filtering domestic communications cannot currently discover and prevent the acquisition of such MCTs.158 

The footnotes in this section all cite to John Bates’ 2011 opinion (including, probably, some language that remains redacted in the public copy, such as on page 47). So we might presume it is out of date.  Except that PCLOB has done independent work on these issues and the end of the first paragraph includes language not sourced at all.

That is, PCLOB seems to think there remain technical problems with sorting out US person data, the filtering problem cannot be solved. (Which makes the ridiculous John Bates more skeptical on this point than PCLOB.)

So do the data segregation techniques implemented in 2011 amount to new architecture? Does the larger architecture upgrade going on going to affect upstream collection in some more meaningful fashion?

I don’t know. One other reason I think this might be the language is because Coppolino was — as he frequently does — running his mouth. Bates did rule the US person data collected before 2011 violated the Fourth Amendment, even if the task before him was solely to judge whether the minimization procedures before him did. More importantly, Bates was quite clear that this US person collection was intentional, not incidental.

So Coppolino was making claims about one of the practices (the PRTT collection is another) that is most likely to help EFF win their suit, upstream collection, which actually does entail domestic wiretapping of US person content. He made a claim that suggested — with the fancy word “architecture” — that NSA had made technical fixes. But PCLOB, at least, doesn’t believe they’ve gotten to the real issue.

Who knows? It’s just a guess. What’s not a guess is that Coppolino seems to recognize upstream 702 presents a real problem in this suit.

USA Freedom Does Not Rein in the Spies

Honest. I started writing about this David Cole column asking, “Can Congress rein in the spies?” before John Brennan admitted that, contrary to his earlier assurances, his spooks actually had been spying on their Congressional overseers and also before President Obama announced that, nevertheless, he still has confidence in Brennan.

Cole’s column isn’t about the the Senate Intelligence Committee’s struggles to be able to document CIA torture, however. It’s about how Patrick Leahy introduced his version of USA Freedom Act “not a moment too soon.”

I don’t want to gripe with the column’s presentation of Leahy’s version of Freedom; with a few notable exceptions (one which I’ll get to), it accurately describes how Leahy’s bill improves on the bill the spies gutted in the House.

I first wanted to point to why Cole says Leahy’s bill comes not a moment too soon.

Leahy’s bill comes not a moment too soon. Two reports issued on Monday bring into full view the costs of a system that allows its government to conduct dragnet surveillance without specific suspicions of wrongdoing. In With Liberty to Monitor All, Human Rights Watch and the ACLU make a powerful case that mass surveillance has already had a devastating effect on journalists’ ability to monitor and report on national security measures, and on lawyers’ ability to represent victims of government overreaching. And the same day, the New America Foundation issued Surveillance Costs, a report noting the widespread economic harm to US tech companies that NSA surveillance has inflicted, as potential customers around the world take their business elsewhere.

Together, these reports make concrete the damaging effects of out-of-control surveillance, even to those with “nothing to hide.” Our democracy has long rested on a vibrant and vigorous press and open legal system. On matters of national security, journalists probably serve as a more important check on the executive than even the courts or Congress.

[snip]

And, it turns out, tech companies also need to be able to promise confidentiality. Customers of Internet services or cloud computing storage programs, for example, expect and need to be certain that their messages and stored data will be private. Snowden’s revelations that the NSA has been collecting vast amounts of computer data, and has exploited vulnerabilities in corporate encryption programs, have caused many to lose confidence in the security of American tech companies in particular.

Cole describes the great costs out-of-control surveillance imposes on journalists, lawyers, and cloud providers, and implies we cannot wait to reverse those costs.

Then he embraces a bill that would not protect journalists’ conversations with whistleblowers (Leahy’s Freedom still permits the traditional access of metadata for counterintelligence purposes as well as the Internet dragnet conducted overseas) or alleged terrorists, would not protect lawyers’ discussions with their clients (the known attorney-client protected collections happened under traditional FISA, EO 12333, and possibly Section 702, none of which get changed in this bill), and would expose American companies’ clouds even further to assisted government access under the new Call Detail Record provision.

Cole does admit the bill does not address Section 702; he doesn’t mention EO 12333 at all, even though both the HRW and NAF reports did.

Senator Leahy’s bill is not a cure-all. It is primarily addressed to the collection of data within the United States, and does little to reform Section 702, the statute that authorizes the PRISM program and allows the government to collect the content of electronic communications of noncitizens abroad, even if they are communicating with US citizens here. And it says nothing about the NSA’s deeply troubling practice of inserting vulnerabilities into encryption programs that can be exploited by any hacker. It won’t, therefore, solve all the problems that the HRW and New American Foundation reports identify. But it would mark an important and consequential first step.

But he doesn’t admit the bill does little to address the specific sources of the costs identified in the two reports. It’s not a minute too soon to address these costs, he says, but then embraces a bill that doesn’t really address the actual sources of the costs identified in the reports.

That is mostly besides the point of whether Leahy’s bill is a fair apples-to-oranges trade-off with the status quo as to represent an improvement — an answer to which I can’t yet give, given some of the obvious unanswered questions about the bill. It is, however, a testament to how some of its supporters are overselling this bill and with it anyone’s ability to rein in the intelligence community.

But it’s one testament to that that bugs me most about Cole’s column. As I noted, he does mention Leahy’s failure to do anything about Section 702. Nowhere in his discussion of 702, however, does he mention that it permits warrantless access to Americans’ content, one which FBI uses when conducting mere assessments of Americans. Which of course means Cole doesn’t mention the most inexcusable part of the bill — its exemption on already soft reporting requirements to provide the numbers for how many Americans get exposed to these back door searches.

I’m not a fancy Georgetown lawyer, but I strongly believe the back door searches — conducted as they are with no notice to anyone ultimately prosecuted based off such information — are illegal, and probably unconstitutional. When retired DC Circuit Court judge Patricia Wald raised these problems with the practice, Director of National Intelligence Counsel Bob Litt simply said it would be “impracticable” to add greater oversight to back door searches. And in spite of the fact that both the President’s Review Group and PCLOB advised significant controls on this practice (which implicates the costs identified in both the HRW and NAF reports), the version of USA Freedom Act crafted by the head of the Senate Judiciary Committee — the Committee that’s supposed to ensure the government follows the law — not only doesn’t rein in the practice, but it exempts the most egregious part of the practice from the transparency applauded by people like Cole, thereby tacitly endorsing the worst part of the practice.

And all that’s before you consider that the IC also conducts back door searches of EO 12333 collected information — as first reported by me, but recently largely confirmed by John Napier Tye. And before you consider the IC’s explicit threat — issued during the passage of the Protect America Act — that if they don’t like any regulation Congress passes, they’ll just move the program to EO 12333.

The point is, Congress can’t rein in the IC, and that’s only partly because (what I expect drives the Senate’s unwillingness to deal with back door searches) many members of Congress choose not to. The have not asserted their authority over the IC, up to and including insisting that the protections for US persons under FISA Amendments Act actually get delivered.

In response to the news that Brennan’s spies had been spying on its Senate overseers, Patrick Leahy (who of course got targeted during the original PATRIOT debate with a terrorist anthrax attack) issued a statement insisting on the importance of Congressional oversight.

Congressional oversight of the executive branch, without fear of interference or intimidation, is fundamental to our Nation’s founding principle of the separation of powers.

Yet his bill — which is definitely an improvement over USA Freedumber but not clearly, in my opinion, an improvement on the status quo — tacitly endorses the notion that FBI can conduct warrantless searches on US person communications without even having real basis for an investigation.

That’s not reining in the spies. That’s blessing them.

1 2 3 5
Emptywheel Twitterverse
bmaz @walterwkatz We had this conversation some time back. Still true, and bonkers that anybody, including dopey legislators, think otherwise
9mreplyretweetfavorite
bmaz RT @walterwkatz: Massively frustrated at any policies or bills that allow cops to see video of force before writing report. More to come on…
11mreplyretweetfavorite
bmaz @Will_Bunch @rickperlstein I double checked to be sure. RFK announced March16 (though it was expected by then); LBJ recused on March 31.
29mreplyretweetfavorite
bmaz @JasonLeopold Get out!
43mreplyretweetfavorite
bmaz @JasonLeopold Wait, they found time to cover it in between their food and pot taped programming??
54mreplyretweetfavorite
bmaz @Will_Bunch @rickperlstein Nice piece. The only thing might add was that was likely RFK as much or more than McCarthy that ejected LBJ.
1hreplyretweetfavorite
bmaz Baltimore, Bernie, and the coming 'Nixonland' http://t.co/yeinu9qpxc via @phillydotcom Fascinating thoughts by @Will_Bunch Important read.
1hreplyretweetfavorite
bmaz @Johngcole Check out the feed of @DaveedGR His info is not completely confirmed, but looks solid.
2hreplyretweetfavorite
bmaz @joanwalsh -urg!
2hreplyretweetfavorite
bmaz RT @Popehat: .@nycjim May you require a patient, careful doctor with a flashlight to retrieve your scare quotes.
2hreplyretweetfavorite
emptywheel @april_anita Hmm. Well, admittedly, spouse didn't get roped into kilt for the wedding in inland Brazil. So I get your point.
3hreplyretweetfavorite
bmaz Pamela Geller, Breitbarters+their little show in Dallas are all loathsome. But their free speech gets protected too; stop the schadenfreude.
3hreplyretweetfavorite
May 2015
S M T W T F S
« Apr    
 12
3456789
10111213141516
17181920212223
24252627282930
31