I’m preparing to do a series of posts on CISA, the bill passed out of SSCI this week that, unlike most of the previous attempts to use cybersecurity to justify domestic spying, may well succeed (I’ve been using OTI’s redline version which shows how SSCI simply renamed things to be able to claim they’re addressing privacy concerns).
But — particularly given Richard Burr’s office’s assurances this bill is great because “business groups like the Financial Services Roundtable and the National Cable & Telecommunications Association have already expressed their support for the bill” — I wanted to raise a question I’ve been pondering.
To what extent have banks won themselves immunity by serving as intelligence partners for the federal government?
I ask for two reasons.
First, when asked why she, along with Main Justice’s Lanny Breuer, authorized the sweetheart deal for recidivist transnational crime organization HSBC, Attorney General nominee Loretta Lynch implied that there was insufficient admissible evidence to try any individuals associated with this recidivism.
I and the dedicated career prosecutors handling the investigation carefully considered whether there was sufficient admissible evidence to prosecute an individual and whether such a prosecution otherwise would have been consistent with the principles of federal prosecution contained in the United States Attorney’s Manual.
That’s surprising given that Carl Levin managed to come up with 300-some pages of evidence. Obviously, there are several explanations for this response: she’s lying, the evidence is inadmissible because HSBC provided it willingly thereby making it unusable for prosecution, or the evidence was collected in ways that makes it inadmissible.
It’s the last one I’ve been thinking about: is it remotely conceivable that all the abundant evidence against banksters their regulators have used to obtain serial handslaps is for some reason inadmissible in a criminal proceeding?
I started thinking about that as a real possibility when PCLOB revealed that Treasury’s Office of Intelligence and Analysis has never once — not in the 30-plus years since Ronnie Reagan told them they had to — come up with minimization procedures to protect US person privacy with data collected under EO 12333. Maybe that didn’t matter so much in 1981, but since 2004, Treasury has had an ever-increasing role in using intelligence (collected from where?) to impose judgments against people with almost no due process. And those judgements are, in turn, used to impose other judgments on Americans with almost no due process.
The thing is, you’d think banks might care that Treasury wasn’t complying with Executive Branch requirements on privacy protection. Not only because they care (ha!) about their customers, whether American or not, but because many of them are, themselves, US persons. US bank US person status should limit how much Treasury diddles with bank-related intelligence, but Treasury doesn’t appear bound by that.
Which leads me to suspect, at least, that there’s something in it for the banks, something that more than makes up for the serial handslaps for sanctions violations.
And one possibility is that because of the way this data is collected and shared, it can’t be used in a trial. Voila! Bank immunity.
All that’s just a wildarsed guess.
But one made all the more pressing given that Treasury is among the Appropriate Federal Entities that will be default intelligence recipients for cyber information under CISA.
(3) APPROPRIATE FEDERAL ENTITIES.—
The term ‘‘appropriate Federal entities’’ means the following:
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National Intelligence.
To some degree, this is not in the least bit surprising. After all, financial regulators have increasingly made cybersecurity a key regulatory concern of late, so it makes sense for Treasury to be in the loop.
But banksters rarely — never! — add regulatory exposure for themselves without a fight and, as Burr’s office has made clear, the banks love this bill.
One more datapoint, back to HSBC. As I noted when Lanny Breuer and Loretta Lynch announced that handslap, Breuer neglected to mention that HSBC was getting a handslap not just for helping cartels profit off drugs, but also helping terrorists fund their activities (at the time Pete Seda was being held without bail on charges the government insisted amounted to material support for terrorists for handing a check to Chechens using cash that had come indirectly from HSBC). The actual settlement, however, made mention of it by explaining that HSBC had “assisted the Government in investigations of certain individuals suspected of money laundering and terrorist financing.” By dint of that cooperation, in other words, HSBC went from being a material supporter of terrorism to being a deputy financial cop. And Breuer expanded that notion of banks serving as deputized financial cops thereafter.
Are the methods and terms by which we’re collecting all this financial intelligence to use against some bad guys precisely what prevents us from holding the even bigger bad guys — the ones affecting far more of us directly, in the form of the houses we own, the towns we live in, the opportunity costs paid to financial crime — accountable?
And will this system now be replicated under CISA (or has it, already) as banks turn into cyber crime deputized cops?
Back in January, PCLOB released a progress report on the reports it released, describing whether the government has taken up its recommendations. There’s a detail in it I’ve been meaning to call attention to:
Recommendation 5: Take Full Advantage of Existing Opportunities for Outside Legal and Technical Input in FISC Matters
The FISC should take full advantage of existing authorities to obtain technical assistance and expand opportunities for legal input from outside parties.
Discussion of Status: As noted in the Board’s report, prior to the issuance of the Board’s recommendation the FISC had on one occasion accepted an amicus brief from an outside party (relating to the legality of a publicly known FISA surveillance program), and the PCLOB is aware of specific instances in classified matters in which the FISC has since taken action consistent with this recommendation.
It was always clear (as the amicus permitted under In re Sealed Case showed) that FISC could ask for help. Apparently, having been called out for never seeking out opinions outside of the government (which repeatedly got caught being less than forthcoming), FISC has now sought help.
It might be additional legal views. It might be technical help. Who knows?
If I had to wildarseguess, I’d imagine FISC has considered what to do about location tracking programs in light of various circuit decisions over the last year. If that’s right (and it just a wildarseguess), it might be technical assistance.
But given the kind of people — like Michael Hayden — pitched as technical experts in DC, what good does that do? Unless the community can vet the technical expertise the FISC calls on for help, it doesn’t add to the Court’ legitimacy. Nor does it help FISC ensure it’s really getting what it needs when it seeks outside advice.
With almost no explanation, PCLOB just released this table ODNI compiled showing the status of procedures Agencies follow to protect US person information when using data obtained under EO 12333. This is something PCLOB has been pushing for since August 2013, when it sent a letter to Attorney General Holder pointing out that some agencies weren’t in compliance with the EO.
As you know, Executive Order 12333 establishes the overall framework for the conduct of intelligence activities by U.S. intelligence agencies. Under section 2.3 of the Executive Order, intelligence agencies can only collect, retain, and disseminate information about U.S. persons if the information fits within one of the enumerated categories under the Order and if it is permitted under that agency’s implementing guidelines approved by the Attorney General after consultation with the Director of National Intelligence.
The Privacy and Civil Liberties Oversight Board has learned that key procedures that form the guidelines to protect “information concerning United States person” have not comprehensively been updated, in some cases in almost three decades, despite dramatic changes in information use and technology.
So I assume the release of this table is designed to pressure the agencies that have been stalling this process.
The immediate takeaway from this table is that, 34 years after Ronald Reagan ordered agencies to have such procedures in Executive Order 12333 and 18 months after PCLOB pushed for agencies to follow the EO, several intelligence agencies still don’t have Attorney General approved procedures. Those agencies and the interim procedures they’re using are:
The Department of Homeland Security’s notoriously shoddy Office of Intelligence and Analysis: Pending issuance of final procedures, I&A is operating pursuant to Interim Intelligence Oversight Procedures, issued jointly by the Under Secretary for Intelligence and Analysis and the Associate General Counsel for Intelligence (April 3, 2008).
United States Coast Guard (USCG)- Intelligence and counterintelligence elements: Pending issuance of final procedures, operating pursuant to Commandant Instruction – COMDINST 3820.12, Coast Guard Intelligence Activities (August 28, 2003).
Department of Treasury Office of Intelligence and Analysis (OIA): Pending issuance of final procedures. While draft guidelines are being reviewed in the interagency approval process, the Office of Intelligence and Analysis conducts intelligence operations pursuant to EO 12333 and statutory responsibilities of the IC element, as advised by supporting legal counsel.
Drug Enforcement Administration, Office of National Security Intelligence (ONSI): Pending issuance of final procedures, operates pursuant to guidance of the Office of Chief Counsel, other guidance, and: Attorney General approved “Guidelines for Disclosure of Grand Jury and Electronic, Wire, and Oral Interception Information Identifying United States Persons” (September 23, 2002); Attorney General approved “Guidelines Regarding Disclosure to the Director of Central Intelligence and Homeland Security Officials of Foreign Intelligence Acquired in the Course of a Criminal Investigation” (September 23, 2002).
I’m not surprised about DHS I&A because — as I noted — most people who track it know that it has never managed to do what it claims it should be doing. And I’m not all that worried about the Coast Guard; how much US person spying are they really doing, after all?
One should always worry about the DEA, and the fact that DEA has only had procedures affecting some of its use of EO 12333 intelligence is par for the course. I mean, limits on what it can share with CIA, but no guidelines on what it can share with FBI? And no guidelines on what it has dragnet collected overseas, where it is very active?
But I’m most troubled by Treasury OIA. In part, that’s because it doesn’t have anything in place — it has just been operating on EO 12333, apparently, in spite of EO 12333’s clear requirement that agencies have more detailed procedures in place. But Treasury’s failure to develop and follow procedures to protect US persons is especially troubling given the more central role OIA has — which expanded in 2004 — in researching and designating terrorists, weapons proliferators, and drug kingpins.
OIA makes intelligence actionable by supporting designations of terrorists, weapons proliferators, and drug traffickers and by providing information to support Treasury’s outreach to foreign partners. OIA also serves as a unique and valuable source of information to the Intelligence Community (IC), providing economic analysis, intelligence analysis, and Treasury intelligence information reports to support the IC’s needs.
As it is, such designations and the criminalization of US person actions that might violation sanctions imposed pursuant to such designations are a black box largely devoid of due process (unless you’re a rich Saudi business man). But Treasury’s failure to establish procedures to protect US persons is especially troubling given how central these three topics — terrorists, weapons proliferation, and drugs — are in the intelligence communities overseas collection. This is where bulk collection happens. And yet any US persons suck up in the process and shared with Treasury have only ill-defined protections?
Treasury’s role in spying on Americans may be little understood. But it is significant. And apparently they’ve been doing that spying without the required internal controls.
Back when the WaPo published a quarterly NSA compliance audit from 2012, I caught the largest math organization in the world failing basic arithmetic. I’ve been comparing that report with the Intelligence Oversight Board report covering the same period, and I’m finding the numbers might, once again, not add up (though it’s hard to tell given the redactions).
According to NSA’s internal numbers, the organization had 865 violations in the first quarter of calendar year 2012 (670 EO 12333 violations and 195 FISA violations). Yet NSA described just 163 violations in depth (75 EO 12333 violations and 88 FISA violations, though further violations are likely hidden behind redactions in bulk descriptions).
Here’s how the numbers compare, broken down by category (I used the categories used in the IOB Report heading, unless the violation was clearly a roamer or a US Person).
Whereas some numbers are very close — such as for the illegal targeting of a US Person — there were other things, such as sharing a US person’s data or some fairly troubling unauthorized access violations not explicitly mentioned in the internal audit. Nor are unauthorized targeting and access mentioned as such.
And then there are all the “roamer” incidences, which apparently don’t all get reported to IOB (though you can definitely see an increase in them over the years), and which often look a lot less accidental when explained in the IOB report.
Then there are the rather measured descriptions the NSA gives IOB (which we’ve seen in other areas, as with the Internet dragnet, and which might be worst with the upstream violations).
Here’s what the NSA reported internally:
As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.
Here’s what NSA told the IOB about this violation:
[redacted] NSA determined that a technical service contained BR call detail records older than the approved five years. Approximately [redacted] records comprising approximately [fairly big redaction] records were retained for more than five years. The records were found on an access-controlled server that is used exclusively by technical personnel and is not accessible to intelligence analysts. [2 lines redacted]
Here’s what PCLOB had to say about this violation:
In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit. The technical server in question was not available to intelligence analysts.
While it appears NSA managed to give IOB (completely redacted) numbers for the files involved, it appears PCLOB never got a clear count of how many were involved. It’s not clear that NSA ever admitted this data may have gotten mixed in with Stellar Wind data. No one seems to care that this was a double violation, because techs are supposed to destroy data when they’re done with it.
Though, if you ask me, you should wait to figure out why so many records were lying around a tech server before you destroy them all. But I’m kind of touchy that way.
One thing I realize is consistent between the internal audit and the IOB report. The NSA, probably the owner of the most powerful computing power in the world, consistently uses the term “glitch” to describe software that doesn’t do what it is designed to to keep people out of data they’re not supposed to have access to.
The glitches are letting us down.
While wandering through FBI’s Domestic Investigations and Operations Guide today, I realized that on January 10, 2008, DOJ changed its FISA use policy (at PDF 104) . In a memo announcing the new policy, Ken Wainstein explained that “this revised policy includes significant changes from current practice that will streamline the process for using FISA information in certain basic investigative processes, while still ensuring that important intelligence and law enforcement interests are protected.”
It then lists 4 (entirely redacted) investigative processes for which FISA information could be used.
While I’m sure this letter has been reported in the past, it has far greater significance given several newly disclosed facts.
First, just days earlier, Attorney General Michael Mukasey reversed existing policy by permitting NSA to contact chain on US person data in EO 12333-collected information. That decision would make it far easier to identify existing communications implicating Americans.
Even more importantly, this move took place just weeks before the government revamped the PRISM program, such that FBI had a much more central role in the process and obtained selected PRISM material directly. In effect, Mukasey made it easier to use FISA information just weeks before FBI started getting a lot more of it, and getting it directly.
This change adds to the already significant evidence that the FBI started back door searches on PRISM information with that change in January 2008.
It’s interesting, too, that FBI had already decided to make these changes before Colleen Kollar-Kotelly ruled the initial Protect America Act certifications met the statute on January 15, 2008. There’s growing evidence that DOJ long planned to involve FBI more centrally, but waited on her decision (and the day the PAA was originally scheduled to expire) to roll out the change formally.
One more critical detail: The letter indicated that the new policy would be tied to a new interpretation of information “derived from” FISA.
The revised policy requires that it be reviewed one year from its effective date and requires NSD to issue guidance on what constitutes information “derived from” FISA collections by March 31, 2008.
Note that that initial annual review date would mean Bush’s DOJ would conduct such a review in the last days before Obama came in.
In any case, the redacted parts of this letter are probably, arguably, unclassified and FOIAble at this point, since PCLOB has revealed that FBI uses its back door searches for assessments.
I wanted to explain why I think it’s such a big deal that James Clapper specifically highlighted the carve out for transparency reporting on FBI’s back door searches in Leahy’s version of Freedom Act’s in his letter supporting the bill.
As I described, the bill requires reporting on back door searches, but then exempts the FBI from that reporting.
But that’s not the part of the bill that disturbs me the most. It’s this language:
‘(3) FEDERAL BUREAU OF INVESTIGATION.—
Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.
The language refers, in part, to requirements that the government report to Congress:
(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—
(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and
(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;
These are back door searches on US person identifiers of Section 702 collected data — both content (iv) and metadata (v).
In other words, after having required the government to report how many back door searches of US person data it conducts, the bill then exempts the FBI.
In his letter, Clapper says,
[W]e are comfortable with the transparency provisions in this bill because, among other things, they recognize the technical limitations on our ability to report certain types of information.
FBI back door searches are the most obvious limit on transparency guidelines, and FBI told PCLOB they couldn’t count them for technical reasons.
So effectively, Clapper is suggesting that Congress has recognized that FBI is incapable — for technical reasons — of counting how often it conducts back door searches.
That technical claim is almost certainly bullshit.
As a reminder, here’s what the government told PCLOB about FBI’s back door searches.
Because they are not identified as such in FBI systems, the FBI does not track the number of queries using U.S. person identifiers. The number of such queries, however, is substantial for two reasons.
First, the FBI stores electronic data obtained from traditional FISA electronic surveillance and physical searches, which often target U.S. persons, in the same repositories as the FBI stores Section 702–acquired data, which cannot be acquired through the intentional targeting of U.S. persons. As such, FBI agents and analysts who query data using the identifiers of their U.S. person traditional FISA targets will also simultaneously query Section 702–acquired data.
Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts. In the case of an assessment, an assessment may be initiated “to detect, obtain information about, or prevent or protect against federal crimes or threats to the national security or to collect foreign intelligence information.”254 If the agent or analyst conducting these queries has had the training required for access to unminimized Section 702–acquired data, any results from the Section 702 data would be returned in these queries. If an agent or analyst does not have access to unminimized Section 702–acquired data — typically because this agent or analyst is assigned to non-national security criminal matters only — the agent or analyst would not be able to view the unminimized data, but would be notified that data responsive to the query exists and could request that an agent or analyst with the proper training and access to review the unminimized Section 702–acquired data.
On Tuesday, EFF told the tale of yet another government freak-out over purportedly classified information. The DOJ lawyer litigating their multiple dragnet challenges, Anthony Coppolino, accidentally uttered classified information in a hearing in June. So the government tried to take the classified information out of the transcript without admitting they did so. After Judge Jeffrey White let EFF have a say about all this, the government ultimately decided the information wasn’t classified after all. So the Court finally released the transcript.
My wildarseguess is that this is the passage in question:
Judge Bates never ultimately held that the acquisition violated the Constitution. The problem in that case was the minimization procedures were not sufficient to protect the Fourth Amendment interests of the people of the United States.
And so he ordered that they be changed, and they were changed. And he approved them. And in addition, in the process of not only approving the minimization procedures, NSA implemented new system architecture that did a better job at assuring that those communications were minimized and ultimately destroyed, which is the goal here. It’s part of the statutory framework not to collect on U.S. citizens and when you’ve incidentally done it, destroy it. [my emphasis]
According to the John Bates opinions relating to this incident, the NSA implemented a new system of ingesting this data, marking it, checking it before it gets moved into the general repository of data, and purging it if it includes entirely domestic commuincations. But does that count as new architecture? I’m not sure.
Meanwhile, the NSA has been upgrading their architecture. We learned that (among other places) in the most recent Theresa Shea declaration on NSA systems in EFF’s Jewel case. It doesn’t mention new architecture pertaining to upstream 702, though she does discuss a more general architecture upgrade and how it affects Section 215 specifically.
Then there’s this language, addressing the NSA’s inability to filter US person data reliably, from PCLOB.
The NSA’s acquisition of MCTs is a function of the collection devices it has designed. Based on government representations, the FISC has stated that the “NSA’s upstream Internet collection devices are generally incapable of distinguishing between transactions containing only a single discrete communication to, from, or about a tasked selector and transactions containing multiple discrete communications, not all of which are to, from, or about a tasked selector.”155 While some distinction between SCTs and MCTs can be made with respect to some communications in conducting acquisition, the government has not been able to design a filter that would acquire only the single discrete communications within transactions that contain a Section 702 selector. This is due to the constant changes in the protocols used by Internet service providers and the services provided.156 If time were frozen and the NSA built the perfect filter to acquire only single, discrete communications, that filter would be out-of-date as soon as time was restarted and a protocol changed, a new service or function was offered, or a user changed his or her settings to interact with the Internet in a different way. Conducting upstream Internet acquisition will therefore continue to result in the acquisition of some communications that are unrelated to the intended targets.
The fact that the NSA acquires Internet communications through the acquisition of Internet transactions, be they SCTs or MCTs, has implications for the technical measures, such as IP filters, that the NSA employs to prevent the intentional acquisition of wholly domestic communications. With respect to SCTs, wholly domestic communications that are routed via a foreign server for any reason are susceptible to Section 702 acquisition if the SCT contains a Section 702 tasked selector.157 With respect to MCTs, wholly domestic communications also may be embedded within Internet transactions that also contain foreign communications with a Section 702 target. The NSA’s technical means for filtering domestic communications cannot currently discover and prevent the acquisition of such MCTs.158
The footnotes in this section all cite to John Bates’ 2011 opinion (including, probably, some language that remains redacted in the public copy, such as on page 47). So we might presume it is out of date. Except that PCLOB has done independent work on these issues and the end of the first paragraph includes language not sourced at all.
That is, PCLOB seems to think there remain technical problems with sorting out US person data, the filtering problem cannot be solved. (Which makes the ridiculous John Bates more skeptical on this point than PCLOB.)
So do the data segregation techniques implemented in 2011 amount to new architecture? Does the larger architecture upgrade going on going to affect upstream collection in some more meaningful fashion?
I don’t know. One other reason I think this might be the language is because Coppolino was — as he frequently does — running his mouth. Bates did rule the US person data collected before 2011 violated the Fourth Amendment, even if the task before him was solely to judge whether the minimization procedures before him did. More importantly, Bates was quite clear that this US person collection was intentional, not incidental.
So Coppolino was making claims about one of the practices (the PRTT collection is another) that is most likely to help EFF win their suit, upstream collection, which actually does entail domestic wiretapping of US person content. He made a claim that suggested — with the fancy word “architecture” — that NSA had made technical fixes. But PCLOB, at least, doesn’t believe they’ve gotten to the real issue.
Who knows? It’s just a guess. What’s not a guess is that Coppolino seems to recognize upstream 702 presents a real problem in this suit.
Honest. I started writing about this David Cole column asking, “Can Congress rein in the spies?” before John Brennan admitted that, contrary to his earlier assurances, his spooks actually had been spying on their Congressional overseers and also before President Obama announced that, nevertheless, he still has confidence in Brennan.
Cole’s column isn’t about the the Senate Intelligence Committee’s struggles to be able to document CIA torture, however. It’s about how Patrick Leahy introduced his version of USA Freedom Act “not a moment too soon.”
I don’t want to gripe with the column’s presentation of Leahy’s version of Freedom; with a few notable exceptions (one which I’ll get to), it accurately describes how Leahy’s bill improves on the bill the spies gutted in the House.
I first wanted to point to why Cole says Leahy’s bill comes not a moment too soon.
Leahy’s bill comes not a moment too soon. Two reports issued on Monday bring into full view the costs of a system that allows its government to conduct dragnet surveillance without specific suspicions of wrongdoing. In With Liberty to Monitor All, Human Rights Watch and the ACLU make a powerful case that mass surveillance has already had a devastating effect on journalists’ ability to monitor and report on national security measures, and on lawyers’ ability to represent victims of government overreaching. And the same day, the New America Foundation issued Surveillance Costs, a report noting the widespread economic harm to US tech companies that NSA surveillance has inflicted, as potential customers around the world take their business elsewhere.
Together, these reports make concrete the damaging effects of out-of-control surveillance, even to those with “nothing to hide.” Our democracy has long rested on a vibrant and vigorous press and open legal system. On matters of national security, journalists probably serve as a more important check on the executive than even the courts or Congress.
And, it turns out, tech companies also need to be able to promise confidentiality. Customers of Internet services or cloud computing storage programs, for example, expect and need to be certain that their messages and stored data will be private. Snowden’s revelations that the NSA has been collecting vast amounts of computer data, and has exploited vulnerabilities in corporate encryption programs, have caused many to lose confidence in the security of American tech companies in particular.
Cole describes the great costs out-of-control surveillance imposes on journalists, lawyers, and cloud providers, and implies we cannot wait to reverse those costs.
Then he embraces a bill that would not protect journalists’ conversations with whistleblowers (Leahy’s Freedom still permits the traditional access of metadata for counterintelligence purposes as well as the Internet dragnet conducted overseas) or alleged terrorists, would not protect lawyers’ discussions with their clients (the known attorney-client protected collections happened under traditional FISA, EO 12333, and possibly Section 702, none of which get changed in this bill), and would expose American companies’ clouds even further to assisted government access under the new Call Detail Record provision.
Cole does admit the bill does not address Section 702; he doesn’t mention EO 12333 at all, even though both the HRW and NAF reports did.
Senator Leahy’s bill is not a cure-all. It is primarily addressed to the collection of data within the United States, and does little to reform Section 702, the statute that authorizes the PRISM program and allows the government to collect the content of electronic communications of noncitizens abroad, even if they are communicating with US citizens here. And it says nothing about the NSA’s deeply troubling practice of inserting vulnerabilities into encryption programs that can be exploited by any hacker. It won’t, therefore, solve all the problems that the HRW and New American Foundation reports identify. But it would mark an important and consequential first step.
But he doesn’t admit the bill does little to address the specific sources of the costs identified in the two reports. It’s not a minute too soon to address these costs, he says, but then embraces a bill that doesn’t really address the actual sources of the costs identified in the reports.
That is mostly besides the point of whether Leahy’s bill is a fair apples-to-oranges trade-off with the status quo as to represent an improvement — an answer to which I can’t yet give, given some of the obvious unanswered questions about the bill. It is, however, a testament to how some of its supporters are overselling this bill and with it anyone’s ability to rein in the intelligence community.
But it’s one testament to that that bugs me most about Cole’s column. As I noted, he does mention Leahy’s failure to do anything about Section 702. Nowhere in his discussion of 702, however, does he mention that it permits warrantless access to Americans’ content, one which FBI uses when conducting mere assessments of Americans. Which of course means Cole doesn’t mention the most inexcusable part of the bill — its exemption on already soft reporting requirements to provide the numbers for how many Americans get exposed to these back door searches.
I’m not a fancy Georgetown lawyer, but I strongly believe the back door searches — conducted as they are with no notice to anyone ultimately prosecuted based off such information — are illegal, and probably unconstitutional. When retired DC Circuit Court judge Patricia Wald raised these problems with the practice, Director of National Intelligence Counsel Bob Litt simply said it would be “impracticable” to add greater oversight to back door searches. And in spite of the fact that both the President’s Review Group and PCLOB advised significant controls on this practice (which implicates the costs identified in both the HRW and NAF reports), the version of USA Freedom Act crafted by the head of the Senate Judiciary Committee — the Committee that’s supposed to ensure the government follows the law — not only doesn’t rein in the practice, but it exempts the most egregious part of the practice from the transparency applauded by people like Cole, thereby tacitly endorsing the worst part of the practice.
And all that’s before you consider that the IC also conducts back door searches of EO 12333 collected information — as first reported by me, but recently largely confirmed by John Napier Tye. And before you consider the IC’s explicit threat — issued during the passage of the Protect America Act — that if they don’t like any regulation Congress passes, they’ll just move the program to EO 12333.
The point is, Congress can’t rein in the IC, and that’s only partly because (what I expect drives the Senate’s unwillingness to deal with back door searches) many members of Congress choose not to. The have not asserted their authority over the IC, up to and including insisting that the protections for US persons under FISA Amendments Act actually get delivered.
In response to the news that Brennan’s spies had been spying on its Senate overseers, Patrick Leahy (who of course got targeted during the original PATRIOT debate with a terrorist anthrax attack) issued a statement insisting on the importance of Congressional oversight.
Congressional oversight of the executive branch, without fear of interference or intimidation, is fundamental to our Nation’s founding principle of the separation of powers.
Yet his bill — which is definitely an improvement over USA Freedumber but not clearly, in my opinion, an improvement on the status quo — tacitly endorses the notion that FBI can conduct warrantless searches on US person communications without even having real basis for an investigation.
That’s not reining in the spies. That’s blessing them.
I’ve written several posts about Leahy’s USA Freedom already. To recap:
My last new concern about the bill pertains to a measure that means well, but might backfire.
The bill includes language designed to provide for appeals of significant issues, first to the FISA Court of Review, and then to SCOTUS.
(j) REVIEW OF FISA COURT DECISIONS.—After issuing an order, a court established under subsection (a) shall certify for review to the court established under subsection (b) any question of law that the court determines warrants such review because of a need for uniformity or because consideration by the court established under subsection (b) would serve the interests of justice. Upon certification of a question of law under this paragraph, the court established under subsection (b) may give binding instructions or require the entire record to be sent up for decision of the entire matter in controversy.
(k) REVIEW OF FISA COURT OF REVIEW DECISIONS.—
(1) CERTIFICATION.—For any decision issued by the court of review established under subsection (b) approving, in whole or in part, an application by the Government under this Act, such court may certify at any time, including after a decision, a question of law to be reviewed by the Supreme Court of the United States.
(2) SPECIAL ADVOCATE BRIEFING.—Upon certification of an application under paragraph (1), the court of review established under subsection (b) may designate a special advocate to provide briefing as prescribed by the Supreme Court.
(3) REVIEW.—The Supreme Court may review any question of law certified under paragraph (1) by the court of review established under subsection (b) in the same manner as the Supreme Court reviews questions certified under section 1254(2) of title 28, United States Code.
That is, it provides a way for FISC to ask FISCR to review their work, and for FISCR to ask SCOTUS to review their work.
To some degree, the more eyes that look at these novel decisions, the better.
But neither the FISCR review nor the SCOTUS review requires even the Special Advocate. While FISCR has, in the past, permitted amici, they (and Yahoo, in the case where Yahoo appealed FISC’s 2007 recision on Protect America Act) were shooting in the dark. the new advocate, such as it exists, would be able to argue before FISCR if the court wanted it.
So to a significant extent that would result in the same people (the government and the Court’s permanent staff, on one side, and the unproven advocate on the other) arguing the same issue over and over. with the courts themselves choosing to have their own decisions certified by the higher courts.
With the potential result that you’d have appellate decisions or even a SCOTUS instruction without ever giving a real adversary a shot at the issue. If FISC responded to the phone dragnet question before the way they have since Snowden leaked details of it, they would have gotten it certified to confirm their authority.
One addition to Leahy’s bill could exacerbate that. His bill requires the FISC to consult with PCLOB on appointees as Advocates. With today’s PCLOB, that’d be a good thing. But if Republicans win back the Senate — especially if Mitch McConnell retains his seat — you’d see another PCLOB member the likes of Elisabeth Collins Cook and Rachel Brand. Both are really smart. But both were architects of the surveillance regime while serving as DOJ Policy AAGs. Add a third of that ilk, and PCLOB could load up the Advocates corp with people like Steven Bradbury.
Moreover, for the foreseeable future, Justice John Roberts will be handpicking these judges, which doesn’t give me a lot of confidence.
I just think the Advocate system is unproven right now. It may work out, it may be gamed to reinforce the dysfunction of the court. And the record of the FISCR — especially Laurence Silberman’s efforts to rule FISA illegal in 2002 — give me no confidence this kind of self-appeal would do anything but sanction bad decisions.
Mind you, the Leahy bill also permits the government to go on denying aggrieved people of review of Section 215 collection, so it’s not clearly anyone else will get standing to challenge this program in particular.
But it seems like the FISC system is so dysfunctional, there’s no reason to pre-empt the possibility of real adversarial court function.
Update: Orin Kerr thinks this is unconstitutional.
This will be a minor point, but one that should be made.
The Privacies and Civil Liberties Oversight Board report on Section 702 included this little detail:
In 2013, the DOJ undertook a review designed to assess how often the foreignness determinations that the NSA made under the targeting procedures as described above turned out to be wrong — i.e., how often the NSA tasked a selector and subsequently realized after receiving collection from the provider that a user of the tasked selector was either a U.S. person or was located in the United States. The DOJ reviewed one year of data and determined that 0.4% of NSA’s targeting decisions resulted in the tasking of a selector that, as of the date of tasking, had a user in the United States or who was a U.S. person. As is discussed in further detail below, data from such taskings in most instances must be purged. The purpose of the review was to identify how often the NSA’s foreignness determinations proved to be incorrect. Therefore, the DOJ’s percentage does not include instances where the NSA correctly determined that a target was located outside the United States, but post-tasking, the target subsequently traveled to the United States.
0.4% of NSA’s targeting decisions falsely determine someone is a foreigner who is in fact a US person.
That’s a pretty low amount. Though based on ODNI’s number — showing 89,138 people were targeted in 2013 — that means 356 US persons get wrongly targeted each year. Again, still not a huge number, but it compares rather interestingly with the 1,144 people targeted under FISA each year. Those wrongly targeted under Section 702 actually make up 24% of those targeted in a year.
Just as interesting is comparing the NSA’s internal audit (see page 6) with DOJ’s results. For a period presumably covering some of the same time period, NSA discovered 20 US persons tasked (for some reason there was a big increase in this number for the last quarter of the report) and 191 incidences of “other inadvertent” tasking violations, which are described as, “situations where targets were believed to be foreign but who later turn out to be U.S. persons and other incidents that do not fit into the previously identified categories” (my emphasis). Not all of those 191 incidents should be counted as wrongly targeted US persons — the description includes other inadvertent targeting. But even counting them all as such, that means NSA only found 211 of the potential wrongly targeted US persons in a year, while DOJ found 356.
Again, in a country of 310 million people, these numbers are small, particularly as compared to the collection of US person communications under upstream collection, which is thousands of times higher.
But it does say that NSA’s internal reviews don’t find all the Americans who get wrongly targeted.
Correction: I originally mistranscribed DOJ’s number as .o4%–though I had calculated using .4%.