Posts

Bob Litt and Rachel Brand Redefine “Incidental”

Sometimes, especially with PCLOB, there’s an exchange that I wildly imagine (emphasis on imagine–I’m not saying this is actually the case) is intended solely for my benefit.

Such is the case with an exchange at last week’s PCLOB hearing.

PCLOB Board Member Rachel Brand was trying — as she seemed to be doing exclusively with her questioning — to cue the government witnesses to pitch descriptions of programs in such a way as to make them less troubling. So she walked them through how NSA keeps upstream about collection for a shorter period than it keeps PRISM data. This gave NSA General Counsel Raj De an opportunity to make it sound like NSA, out of the generosity of its own heart, decided to throw out data sooner, and also gave him the opportunity to claim that collection FISC Judge John Bates found to be intentional collection of US person data was actually incidentally collected data.

MS. BRAND: Okay. So you said in an earlier round of questioning that upstream, collection from upstream is retained for a shorter period of time than collection from PRISM and you said that the reason for that distinction is that there’s a potentially greater privacy concern with respect to upstream collection. Can you elaborate on why, whether the additional privacy concerns that pertain to upstream.

MR. DE: Sure. And a lot of this is laid out in this court opinion that’s now public. This is from the fall of 2011. I think because of the nature of abouts collections, which we have discussed, there is potentially a greater likelihood of implicating incidental U.S. person communication or inadvertently collecting wholly domestic communications that therefore must need to be purged.

And for a variety of circumstances the court evaluated the minimization procedures we had in place and as a consequence of that evaluation the government put forth a shorter retention period to be sure that the court could reach comfort with the compliance of those procedures with the Fourth Amendment. And so two years was one element of the revised procedures that are now public.

It’s a nice benign way of describing how NSA got busted for violating the Fourth Amendment, and the FISC’s only response was to force the NSA to violate it for 2 years of retention rather than for 5 years.

From there, Brand gave the witnesses an opportunity to redefine the word “incidental” so it also includes this practice, which Bates judged to be intentional. ODNI General Counsel Bob Litt rose to the challenge of Orwellianism.

MS. BRAND: Okay. I want to use the word incidental collection there again, and your definition earlier seemed to be that by incidental you mean, by incidental U.S. person collection you mean that the person on the other end of the phone from the non-U.S. person abroad is a U.S. person. That’s your definition, right? Is there another definition that you’re aware of? Because you seem to be — okay. I think there’s been some frustration with the use the term incidental in that context because it’s not accidental, it’s intentional. It’s actually unavoidable. And so I just wanted to make sure that we’re all on the same page, that by incidental you mean not accidental, not unintentional, but this is actually what we’re doing.

MR. LITT: It is incidental to the collection on the target. It is not accidental, it is not inadvertent. Incidental is the appropriate term for it.

And by thus redefining incidental, Bob Litt gets to pretend that intentionally wiretapping Americans in the US is not a violation of the laws — including Section 702 — prohibiting the intentional wiretapping of Americans in the US.

Does FBI EVER Age Off Its Section 702 Data?

The Privacy and Civil Liberties Oversight Board has released the transcript of the first panel from its hearing on Wednesday.

And while I was concerned by the following exchange — between Principal Deputy Assistant Attorney General Brad Wiegmann and PCLOB Chair David Medine — in real time, I find it even more troubling on second pass.

MR. MEDINE: And could you address why the minimization procedures make it a reasonable form of collection under the Fourth Amendment?

[snip]

MR. WIEGMANN: You have retention rules. I believe in some cases, for NSA for example, you have a five year retention limit on how long the information can be retained. And so these are procedures that the courts have found protect U.S. privacy and make the collection reasonable for Fourth Amendment purposes.

MR. MEDINE: And under the minimization procedures I understand that the agency, the NSA, FBI, the CIA have their own minimization procedures and they’re not the same with each other?

MR. WIEGMANN: That’s right.

MR. MEDINE: Can you address why that shouldn’t be a concern that this information is not being subjected to the same minimization standards?

MR. WIEGMANN: So each of them have their own minimization procedures based on their unique mission, and the court reviews each of those for CIA, FBI, NSA, and it’s found them all reasonable for each different agency. They’re slightly different based on the operational needs, but they’re similar.

MR. MEDINE: Would it make more sense then if the same set of minimization procedures apply across the board for this kind of information?

MR. WIEGMANN: I don’t think. Again, just to contrast, for example, FBI and NSA that are using information in different ways. The FBI has a little more latitude with respect to U.S. person information in terms of criminal activity and evidence of a crime than NSA, which doesn’t have that law enforcement mission. So I think it is important to have some differences between the agencies in terms of how they handle the information.

We know what the NSA minimization procedures look like. Not only do they permit dissemination and use of US person data in more than the examples described by Wiegmann, they’re frightfully permissive on other points (such as the retention of data for technical database purposes, or the limits on Attorney-Client privilege). Moreover, they permit the retention of data because of a threat to property, a clear expansion on the legal requirements.

But from Wiegmann’s description, it sounds like FBI’s minimization procedures (which are used as a basis for National Counterterrorism Center’s minimization procedures) are worse. Worse because they permit FBI even more leeway to use FISA authorized data in criminal investigations.

And worse because it’s not clear whether there are even any retention time limits. Indeed, if you watch the clip above, it might be more accurate to punctuate that data retention sentence this way:

You have retention rules, I believe, in some cases. For NSA, for example, you have a five year retention limit.

In any case, the comment seems to suggest that in other cases — like, perhaps, the FBI and derivatively NCTC — you don’t have temporal limits. That would be consistent with FBI’s retention of many kinds of investigative data forever. But it would mean a great deal of data involving innocent Americans collected without a warrant remains in the FBI’s hands forever.

And all that’s before you consider that FBI has always, since the passage of FISA Amendments Act (or at least the first certifications later that year), been permitted to conduct backdoor searches on incidentally collected data. So they may not only be keeping this data forever, but performing warrantless back door searches on it.

NSA Conducts So Many Back Door Searches on US Persons It Would Be Impracticable to Approve Those Queries

Update, 8/3/14: Given what we’ve subsequently learned about FBI’s substantial number of uncounted back door searches, Litt’s description of further controls as not practicable probably most directly relates to FBI, not NSA.

While there wasn’t as much as I’d like, the Privacy and Civil Liberties Oversight Board hearing today focused somewhat on the issue of back door searches: which are when NSA searches on US person data on “incidentally” collected data under Section 702 of FISA.

DOJ National Security Director Deputy AAG Brad Wiegmann even suggested we should call them queries, perhaps to obscure all the obvious problems with them as searches under the Fourth Amendment.

The most telling exchange, however, came when PCLOB Board Member Patricia Wald suggested that the FISA Court conduct the same kind of oversight over these backdoor searches that it is now doing pursuant to the changes in Section 215 President Obama made in January. (CSPAN won’t let me embed this yet but here’s a link.) ODNI General Counsel Robert Litt shot that idea down aggressively, stating that it is not practicable.

Patricia Wald: The President required, or, I think he required in his January directive that went to 215 that at least temporarily, the selectors in 215 for questioning the databank of US telephone calls–metadata–had to be approved by the FISA Court. Why wouldn’t a similar requirement for 702 be appropriate in the case where US person indicators are used to search the PRISM database? What big difference do you see there?

Robert Litt: Well, I think from a theoretical perspective it’s the difference between a bulk collection and a targeted collection which is that–

Wald: But I would think that, sorry for interrupting, [cross-chatter]  I would think that message since 702 has actually got the content.

Litt: Well, and the second point that I was going to make is that I think the operational burden in the context of 702 would be far greater than in the context of 215.

Wald: But that would–

Litt: If you recall, the number of actual telephone numbers as to which a RAS–reasonable articulable suspicion determination was made under Section 215 was very small. The number of times that we query the 702 database for information is considerably larger. I suspect that the Foreign Intelligence Surveillance Court would be extremely unhappy if they were required to approve every such query.

Wald: I suppose the ultimate question for us is whether or not the inconvenience to the agencies or even the unhappiness of the FISA Court would be the ultimate criteria.

Litt: Well I think it’s more than a question of convenience, I think it’s also a question of practicability.

NSA General Counsel Raj De, who has spent the better part of the last 9 months saying “it’s only metadata” went on to argue that somehow this “targeted” content program (which of course requires no advance review of selectors) is less intrusive than the metadata collection under Section 215.

Make up your damn mind!

To be fair, I suspect one of the issues is that after the Nidal Hasan attack (and this is just a very well educated guess), NSA rolled out a system whereby new communications between a targeted foreigner and an American automatically pull up all previous communications involving that US person. That would count as a search, even though it would effectively feel like an automatic cross-referencing of all prior communications involving someone talking to a target, even if that is a US person.

Nevertheless, this means that NSA is conducting so many back door searches on US person data that it would be “impracticable” to actually give those searches some kind of review.

No wonder NSA refuses to give numbers on this practice to Ron Wyden.

Rosencrantz and Guildenstern Visit Pee-Clob

The first panel of an all-day Privacy and Civil Liberties Oversight Board hearing on Section 702 of FISA just finished.

It featured NSA General Counsel Raj De, ODNI General Counsel Robert Litt, Deputy AAG for National Security Brad Wiegmann, and FBI General Counsel James Baker.

While there were a number of interesting disclosures — which I’ll get at in the future — the most striking aspect of the hearing was the tooth-pulling effort to get the panel to define the terms they use.

There were a slew of terms defined, among others including “minimization,” “bulk collection,” “PRISM,”

But the most interesting redefinitions were for “purge” and “search.”

After much tooth-pulling, James Dempsey got De to admit that NSA’s definition of the word “search” is different from the one used in the Fourth Amendment. Actually, that may not be entirely true: Sometimes the actual collection of data counts as a search, sometimes only the querying of it does. NSA gets to decide which is which, best as I can tell, in secret or in legal filings where it will serve to deprive someone of standing.

Then there’s “purge,” which I can’t hear anymore without seeing a pink speech bubble and scare quotes surrounding the word. Purge does not mean — as you might expect — “destroy.” Rather, it means only “remove from NSA systems in such a way that it cannot be used.” Which, best as I understand it, means they’re not actually destroying this data.

I do hope EFF figures that out before they argue the protection order for Section 215 today, as on those terms it seems increasingly clear NSA is not complying with the Jewel protection order.

“Purge.” To keep. Somewhere else.

In Nomination Hearing, DIRNSA Nominee Mike Rogers Continues James Clapper and Keith Alexander’s Obfuscation about Back Door Searches

Yesterday, the Senate Armed Services Committee held a hearing for Vice Admiral Mike Rogers to serve as head of Cyber Command (see this story from Spencer about how Rogers’ confirmation as Cyber Command chief serves as proxy for his role as Director of National Security Agency because the latter does not require Senate approval).

Many of the questions were about Cyber Command (which was, after all, the topic of the hearing), but a few Senators asked questions about the dragnet that affects us all.

In one of those exchanges — with Mark Udall — Rogers made it clear that he intends to continue to hide the answers to very basic questions about how NSA conducts warrantless surveillance of Americans, such as whether the NSA conducts back door searches on American people.

Udall: If I might, in looking ahead, I want to turn to the 702 program and ask a policy question about the authorities under Section 702 that’s written into the FISA Amendments Act. The Committee asked your understanding of the legal rationale for NASA [sic] to search through data acquired under Section 702 using US person identifiers without probable cause. You replied the NASA–the NSA’s court approved procedures only permit searches of this lawfully acquired data using US person identifiers for valid foreign intelligence purposes and under the oversight of the Justice Department and the DNI. The statute’s written to anticipate the incidental collection of Americans’ communications in the course of collecting the communications of foreigners reasonably believed to be located overseas. But the focus of that collection is clearly intended to be foreigners’ communications, not Americans. But declassified court documents show that in 2011 the NSA sought and obtained the authority to go through communications collected under Section 702 and conduct warrantless searches for the communications of specific Americans. Now, my question is simple. Have any of those searches been conducted?

Rogers: I apologize Sir, I’m not in a position to answer that as the nominee.

Udall: You–yes.

Rogers: But if you would like me to come back to you in the future if confirmed to be able to specifically address that question I will be glad to do so, Sir.

Udall: Let me follow up on that. You may recall that Director Clapper was asked this question in a hearing earlier this year and he didn’t believe that an open forum was the appropriate setting in which to discuss these issues. The problem that I have, Senator Wyden’s had, and others is that we’ve tried in various ways to get an unclassified answer — simple answer, yes or no — to the question. We want to have an answer because it relates — the answer does — to Americans’ privacy. Can you commit to answering the question before the Committee votes on your nomination?

Rogers: Sir, I believe that one of my challenges as the Director, if confirmed, is how do we engage the American people — and by extension their representatives — in a dialogue in which they have a level of comfort as to what we are doing and why. That is no insignificant challenge for those of us with an intelligence background, to be honest. But I believe that one of the takeaways from the situation over the last few months has been as an intelligence professional, as a senior intelligence leader, I have to be capable of communicating in a way that we are doing and why to the greatest extent possible. That perhaps the compromise is, if it comes to the how we do things, and the specifics, those are perhaps best addressed in classified sessions, but that one of my challenges is I have to be able to speak in broad terms in a way that most people can understand. And I look forward to that challenge.

Udall: I’m going to continue asking that question and I look forward to working with you to rebuild the confidence. [my emphasis]

The answer to the question Rogers refused to answer is clearly yes. We know that’s true because the answer is always yes when Wyden, and now Udall, ask such questions.

But we also know the answer is yes because declassified parts of last August’s Semiannual Section 702 Compliance Report state clearly that oversight teams have reviewed the use of this provision, which means there’s something to review.

As reported in the last semiannual assessment, NSA minimization procedures now permit NSA to query its databases containing telephony and non-upstream electronic communications using United States person identifiers in a manner designed to find foreign intelligence information. Similarly, CIA’s minimization procedures have been modified to make explicit that CIA may also query its databases using United States person identifiers to yield foreign intelligence information. As discussed above in the descriptions of the joint oversight team’s efforts at each agency, the joint oversight team conducts reviews of each agency’s use of its ability to query using United States person identifiers. To date, this review has not identified any incidents of noncompliance with respect to the use of United States person identifiers; as discussed in Section 4, the agencies’ internal oversight programs have, however, identified isolated instances in which Section 702 queries were inadvertently conducted using United States person identifiers. [my emphasis]

It even obliquely suggests there have been “inadvertent” violations, though this seems to entail back door searches on US person identifiers without realizing they were US person identifiers, not violations of the procedures for using back door searches on identifiers known to be US person identifiers.

Still, it is an unclassified fact that NSA uses these back door searches.

Yet the nominee to head the NSA refuses to answer a question on whether or not NSA uses these back door searches.

And it’s not just in response to this very basic question that Rogers channeled the dishonest approach of James Clapper and Keith Alexander.

As Udall alluded, at the end of a long series of questions about Cyber Command, the committee asked a series of questions about back door searches and other dragnet issues. They asked (see pages 42-43):

  • Whether NSA can conduct back door searches on data acquired under EO 12333 and if so under what legal rationale
  • Whether NSA can conduct back door searches on data acquired pursuant to traditional FISA and if so under what legal rationale
  • What the legal rationale is for back door searches on data acquired under FISA Amendments Act
  • What the legal rationale is for searches on the Section 215 query results in the “corporate store”

I believe every single one of Rogers’ answers — save perhaps the question on traditional FISA — involves some level of obfuscation. (See this post for further background on what NSA’s Raj De and ODNI’s Robert Litt have admitted about back door searches.)

Consider his answer on searches of the “corporate store” as one example.

What is your understanding of the legal rationale for searching through the “Corporate Store” of metadata acquired under section 215 using U.S. Persons identifiers for foreign intelligence purposes?

The section 215 program is specifically authorized by orders issued by the Foreign Intelligence Surveillance Court pursuant to relevant statutory requirements. (Note: the legality of the program has been reviewed and approved by more than a dozen FISC judges on over 35 occasions since 2006.) As further required by statute, the program is also governed by minimization procedures adopted by the Attorney General and approved by the FISC. Those orders, and the accompanying minimization procedures, require that searches of data under the program may only be performed when there is a Reasonable Articulable Suspicion that the identifier to be queried is associated with a terrorist organization specified in the Court’s order.

Remember, not only do declassified Primary Orders make it clear NSA doesn’t need Reasonable Articulable Suspicion to search the corporate store, but PCLOB has explained the possible breadth of “corporate store” searches plainly.

According to the FISA court’s orders, records that have been moved into the corporate store may be searched by authorized personnel “for valid foreign intelligence purposes, without the requirement that those searches use only RAS-approved selection terms.” Analysts therefore can query the records in the corporate store with terms that are not reasonably suspected of association with terrorism. They also are permitted to analyze records in the corporate store through means other than individual contact-chaining queries that begin with a single selection term: because the records in the corporate store all stem from RAS-approved queries, the agency is allowed to apply other analytic methods and techniques to the query results. For instance, such calling records may be integrated with data acquired under other authorities for further analysis. The FISA court’s orders expressly state that the NSA may apply “the full range” of signals intelligence analytic tradecraft to the calling records that are responsive to a query, which includes every record in the corporate store.

There is no debate over whether NSA can conduct back door searches in the “corporate store” because both FISC and PCLOB say they can.

Which is probably why SASC did not ask whether this was possible — it is an unclassified fact that it is — but rather what the legal rationale for doing so is.

And Rogers chose to answer this way:

  1. By asserting that the phone dragnet must comply with statutory requirements
  2. By repeating tired boilerplate about how many judges have approved this program (ignoring that almost all of these approvals came before FISC wrote its first legal opinion on the program)
  3. By pointing to AG-approved minimization procedures (note–it’s not actually clear that NSA’s — as distinct from FBI’s — dragnet specific procedures are AG-approved, though the more general USSID 18 ones are)
  4. By claiming FISA orders and minimization procedures “require that searches of data under the program may only be performed when there is a Reasonable Articulable Suspicion that the identifier to be queried is associated with a terrorist organization”

The last part of this answer is either downright ignorant (though I find that unlikely given how closely nominee responses get vetted) or plainly non-responsive. The question was not about queries of the dragnet itself — the “collection store” of all the data. The question was about the “corporate store” — the database of query results based off those RAS approved identifiers. And, as I said, there is no dispute that searches of the corporate store do not require RAS approval. In fact, the FISC orders Rogers points to say as much explicitly.

And yet the man Obama has picked to replace Keith Alexander, who has so badly discredited the Agency with his parade of lies, refused to answer that question directly. Much less explain the legal rationale used to conduct RAS-free searches on phone query results showing 3rd degree connections to someone who might have ties to terrorist groups, which is what the question was.

Which, I suppose, tells us all we need to know about whether anyone plans to improve the credibility or transparency of the NSA.

Goldilocks Porridge of NSA Reform

Since Obama’s speech on the dragnet, I’ve been skeptical the promise to obtain court review before conducting phone dragnet searches means anything. There’s nothing — not a thing — in the actual speech or the White House fact sheet accompanying it that distinguishes the allegedly new court review from the review that already exists.

The President has directed the Attorney General to work with the Foreign Intelligence Surveillance Court so that during this transition period, the database can be queried only after a judicial finding, or in a true emergency.

After all, the FISC quarterly approves which terror (and Iranian) groups NSA can target in the dragnet. That’s a judicial finding! Without more specificity, there’s no reason to believe this is any further review than already occurs.

In an off-the-record briefing before the speech (I didn’t listen in but saw a transcript), anonymous Senior Administration Officials did insist this meant an individualized review of each identifier to be queried (though there were no details about whether the court had to approve each query using that identifier; also, the SAOs indicated no limits would be put on using Section 215 to engage in bulk collection or querying of other items). Though one reason Executive Branch officials like to do off the record briefings is so their credibility can’t be challenged if their secret assurances prove to be hollow. And how would anyone prove these claims to be hollow, in any case, given that all of these reviews are secret?

That background is one reason I’m intrigued by Siobhan Gorman’s tick-tock of how the White House included this review as a very last minute sop to the Review Group, in response to pushback in a January 15 meeting.

Top White House officials, including National Security Adviser Susan Rice, met the afternoon of Jan. 15 with the members of the NSA review panel, which had issued an influential report a month earlier calling for an overhaul of key surveillance programs. The meeting turned tense, though not combative.

The panel had proposed a restructuring that would store telephone data outside the U.S. government and require NSA to obtain approval from the secret Foreign Intelligence Surveillance Court to conduct a search of the database. Currently, NSA searches are governed by an internal process.

White House officials told panel members at the meeting that they were inclined to move the phone data out of the NSA’s hands. But they didn’t mention judicial review of the searches.

The panel’s response was “that’s half” of their recommendation, according to a person close to the review panel. Some panel members interpreted the White House officials’ failure to mention judicial review as a sign that the recommendation wouldn’t be adopted, said several people familiar with the talks.

Appealing to the White House officials, panel members said that without judicial approval, “there’s no way you can restore trust” from the public, said a person familiar with the talks.

[snip]

White House officials appeared “rattled” by the pushback, the person said. “It caused them to regroup.”

The next day—the day before Mr. Obama’s speech—White House officials inserted a new section into the speech that required judicial approval of a search from the secret court, which oversees many of NSA’s surveillance programs.

But even that evening, White House officials were struggling with whether the president could singlehandedly impose such requirements on another branch of government. They sought late-night advice from the Justice Department on how to structure the rule, trying to make it more collaborative than compulsory, a U.S. official said.

Which is how, Gorman goes on, they came up with language that on its face doesn’t impose any new review.

But there are several things that don’t make sense with this story.

First, the NSA Review Group didn’t recommend this kind of individualized review for Section 215, though they did say the intent of the law was to permit the government to query providers on individual orders after getting FISC authorization, suggesting such review is implicit.

As originally envisioned when section 215 was enacted, the government can query the information directly from the relevant service providers after obtaining an order from the FISC.

They did recommend judicial review for National Security Letters (and Gorman’s story makes it clear this discussion was wrapped up in a discussion of the Review Group’s recommendations for NSLs). But the Review Group’s recommendations focused on ending bulk collection and moving whatever remained out of government hands. Obama outright rejected the first recommendation and punted the second to a Congress that won’t adopt it.

PCLOB, on the other hand, did recommend something much closer to individualized review for the transition period (though they recommended it come after queries were made).

(c) submit the NSA’s “reasonable articulable suspicion” determinations to the FISC for review after they have been approved by NSA and used to query the database;

Though their last meeting with the White House was on January 8, well before this last-minute addition.

In any case, this last-minute change is pitched — by someone described as a “person familiar with the intelligence-agency discussions” — as central to a Goldilocks “just right” solution that left both privacy advocates and the intelligence community placated.

The White House strategy appears to have muted major criticism, both from privacy advocates and intelligence officials.

While privacy advocates said they had wanted Mr. Obama to require more privacy safeguards, their primary message has been that the true effect of the overhauls can’t be known until they are implemented.

Among the spy agencies, there’s relief that Mr. Obama’s speech didn’t criticize the surveillance operations.

“Nobody lost, nobody won,” said one person familiar with the intelligence-agency discussions. “That’s the nature of our government.”

Except the privacy advocate view portrayed here (with no source) doesn’t resemble the view I’m hearing from privacy advocates, who are focusing on Congress and on more pressure. That is, at least the Goldilocks conclusion, that this represents a happy middle, seems to be IC propaganda, perhaps designed to hide how little has actually changed (and unless we can trust Administration officials who would not speak on the record, this last minute solution is useless). It takes a story that claims the Review Group recommendation was to provide judicial review — not to end bulk collection — and declares the Review Group got what they wanted.

They didn’t.

All of this in an article published in the news hole of a Friday night.

Susan Collins Can’t Decide Whether to Abandon Her Infant, PCLOB

Politico has an article predicting civil liberties will become a big issue this year. I’m skeptical (I say that as someone whose Rep the GOP is trying to take out largely because of his defense of civil liberties).

But I am interested in what Susan Collins had to say about Democratic challenger Shenna Bellows’ criticism of her stance on civil liberties.

In a phone interview from Maine, Collins rebutted criticism that she has not done enough to protect against civil liberties, highlighting legislation she co-sponsored in 2004 that created the independent Privacy and Civil Liberties Board and her support for recent proposals to tighten oversight over the surveillance programs. But, she said, doing away with the ability of the government to collect phone records would cause great harm to the country’s ability to root out terrorism.

“We know that there were plots thwarted solely or partially by the programs, so doing away with it altogether would mean a less safe America,” said Collins, who sits on the Senate Select Committee on Intelligence and has supported the PATRIOT Act and legislation codifying broader electronic surveillance.

You see, it was only 4 days ago that Collins was disowning her infant creation, PCLOB, because it had presented a hard-hitting report that said the dragnet was not just bad policy, but against the law.

“As the mother of this board, that [split decision] is not what I’m looking for,” said Sen. Susan Collins (R., Maine), who co-wrote the post-Sept. 11 legislation creating the Privacy and Civil Liberties Oversight Board. The split in the board’s first major report “really weakens its recommendations and undermines the role that we envisioned it would play,” she said.

At the moment when Collins’ self-described offspring took its first step, the Senator felt it had not chosen bipartisanship over stating the truth. I guess we understand what role Collins felt it could play.

And as for her purported efforts to tighten oversight over the dragnet (which includes measures to strengthen PCLOB she probably now regrets), while she did support some improvements to DiFi’s Fake FISA Fix, she not only cast a decisive vote against limiting dragnet retention to 3 years, but even backed a failed Tom Coburn amendment to “eliminate restrictions on the retention of bulk metadata.”

 

The Impasse on Executive Spying

In an important post the other day, Steve Vladeck described what he believed to be the most important lesson Edward Snowden has taught us.

They miss the single most important lesson we’ve learned — or should have learned — from Snowden, i.e., that the grand bargain has broken down. Intelligence oversight just ain’t what it used to be, and the FISA Court, as an institution, seemed to have been far better suited to handle individualized warrant applications under the pre-2001 FISA regime than it has been to reviewing mass and programmatic surveillance under section 215 of the USA PATRIOT Act and section 702, as added by the FISA Amendments Act of 2008.

Thus, even if one can point to specific individual programs the disclosure of which probably has not advanced the ongoing public policy conversation, all of the disclosures therefore illuminate a more fundamental issue of public concern — and one that should be (and, arguably, has been) driving the reform agenda: Whatever surveillance authorities the government is going to have going forward, we need to rethink the structure of oversight, both internally within the Executive Branch, and externally via Congress and the courts. That’s not because the existing oversight and accountability mechanisms have been unlawful; it’s because so many of these disclosures have revealed them to be inadequate and/or ineffective. And inasmuch as such reforms may strengthen not just mechanisms of democratic accountability for our intelligence community, but also their own confidence in the propriety and forward-looking validity of their authorities, they will make all of us — including the NSA — stronger in the long term.

While I agree with Vladeck that’s an important lesson from Snowden, I don’t think it has been admitted by those who most need the lesson: most members of Congress (most of all, the Intelligence Committees) and the FISA Court, as well as the other Article III judges who are quickly becoming dragnet experts.

But I’m hopeful PCLOB — which is already under attack even from Susan Collins for having the audacity to conduct independent oversight — will press the issue.

As I have noted in the past, PCLOB has a better understanding of how the Executive uses EO 12333 than any other entity I’ve seen (I think the Review Group may have a similar understanding, but they won’t verbalize it).

That’s why I find their treatment of FISA as a compromise to put questions about separation of powers on hold so interesting.

In essence, FISA represented an agreement between the executive and legislative branches to leave that debate aside 600 and establish a special court to oversee foreign intelligence collection. While the statute has required periodic updates, national security officials have agreed that it created an appropriate balance among the interests at stake, and that judicial review provides an important mechanism regulating the use of very powerful and effective techniques vital to the protection of the country. 601

600 “[T]he bill does not recognize, ratify, or deny the existence of any Presidential power to authorize warrantless surveillance in the United States in the absence of the legislation. It would, rather, moot the debate over the existence or non-existence of this power[.]” HPSCI Report at 24. This agreement between Congress and the executive branch to involve the judiciary in the regulation of intelligence collection activities did not and could not resolve constitutional questions regarding the relationship between legislative and presidential powers in the area of national security. See In re: Sealed Case, 310 F.3d 717, 742 (FISA Ct. Rev. 2002) (“We take for granted that the President does have that authority [inherent authority to conduct warrantless searches to obtain foreign intelligence information] and, assuming that is so, FISA could not encroach on the President’s constitutional power.”).

When NSA chose to avoid First Amendment review on the 3,000 US persons it had been watch-listing by simply moving them onto a new list, when it refused to tell John Bates how much US person content it collects domestically off telecom switches, when it had GCHQ break into Google’s cables to get content it ought to be able to obtain through FISA 702, when it rolled out an Internet dragnet contact-chaining program overseas in part because it gave access to US person data it couldn’t legally have here, NSA made it clear it will only fulfill its side of the compromise so long as no one dares to limit what it can do.

That is, Snowden has made it clear that the “compromise” never was one. It was just a facade to make Congress and the Courts believe they had salvaged some scrap of separation of powers.

NSA has made it clear it doesn’t much care what its overseers in Congress or the Court think. It’ll do what it wants, whether it’s in the FISC or at a telecom switch just off the US shore. And thus far, Obama seems to agree with them.

Which means we’re going to have to start talking about whether this country believes the Executive Branch should have relatively unfettered ability to spy on Americans. We’re going to have to take a step back and talk about separation of powers again.

Are Even the Basaaly Moalin Claims Falling Apart Now?

I’ll have a much longer post later on what PCLOB has to say about the efficacy of the dragnet, which is actually far more interesting than I’ve seen reported thus far. But I want to look in detail at the passage in which they treat Basaaly Moalin.

And we believe that in only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorism suspect. In that case, moreover, the suspect was not involved in planning a terrorist attack and there is reason to believe that the FBI may have discovered him without the contribution of the NSA’s program.

Note the verb: “may have,” not “might have” or “could have.” Thus, the passage has a (presumably intentionally) ambiguous meaning which could suggest either that the FBI did find Moalin on their own or they had the ability to.

But in conjunction with the adverb “arguably,” the use of “may” here sure seems to suggest PCLOB thinks a case could be made that FBI did, in fact, find Moalin on their own. Without the dragnet.

That is, PCLOB seems to suggest that even the claim that the dragnet helped find a cab driver giving $8,500 to al-Shabaab in hopes of protecting his tribal lands against US-backed invaders may be false.

Does the fact that DOJ didn’t include Moalin in its claims of success to the 3 lawsuits against the dragnet reflect growing questions within DOJ about how they really rediscovered Moalin?

As I see it, there are two obvious ways that FBI might have discovered Moalin on their own, and a third that would be even more interesting.

Recall that Moalin was actually prosecuted with the help of his hawala, who also happened to be in contact with people close to Aden Ayro, the warlord Moalin is presumed to be a second hop from (the case against the hawala is largely sealed). It’s possible the FBI found Moalin through the investigation of the hawala. That’s particularly likely given PCLOB’s later comment that Moalin “was the user of a telephone number already linked to pending FBI investigations.”

Alternately, it’s possible the FBI got a tip off content related to Ayro and investigated using NSLs and found Moalin (though I think this is less likely because NSA has so few Somali translators). It’s also worth considering that at one point NSA contacted FBI because they had lost Ayro, asking if FBI had seen a new number for Ayro in Moalin’s calls. Which suggests, at least after they got a tap on Moalin, FBI may have had an easier time of tracking Ayro than NSA did.

More interesting still, it’s possible FBI found Moalin in October 2007 by accessing dragnet results directly (as was possible for FBI to do until NSA shut this access down in June 2009), without having received a formal report from NSA reporting the link. If that’s the case, it’d be interesting for a slew of reasons, because it’d be a patently illegal lead, but it would technically come from the dragnet. If that were the case, I can see everyone wanting to lie about it, which might lead to … the kind of seemingly conflicting and increasingly cautious statements we’re seeing now (as well as DOJ’s silence on this “success” in recent court filings).

I have suggested that the timing of Moalin’s prosecution at least hints that they pursued it to have a first Section 215 success in time for PATRIOT reauthorization in 2011. Certainly, they were quick to roll out his case as a “dragnet success” last June. But if he wasn’t found via the dragnet, or if DOJ misrepresented precisely how he was found back in court filings in 2012 to hide that FBI had direct access to databases at NSA they weren’t legally entitled to have, then it’d put DOJ in a tight spot now, as Moalin appeals to the 9th Circuit. At least in September, they claimed to Judge Jeffrey Miller that Moalin had been caught by the dragnet, and Miller didn’t think it harmed their case (though even there, Miller’s language made it clear he learned new information in those filings he hadn’t been told on the first FISA review). But if he wasn’t — or if FBI had legally impermissible access to the dragnet results — then Moalin’s appeal might get more interesting, either because DOJ misrepresented to the District what happened and/or because there’s something funky about the use of the dragnet with Moalin.

Of course, all that assumes Moalin would ever get to see the FISA-related evidence against him, which PCLOB may have seen but which no FISA-related defendant has ever been able to do. Which is unlikely to happen.

PCLOB Estimates 120 Million Phone Numbers in Corporate Store

PCLOB’s report confirms something ACLU’s Patrick Toomey and I have been harping on. One of the biggest risks of the phone dragnet stems not from the initial queries themselves, but from NSA’s storage of query results in the “corporate store,” permanently, where they can be accessed without the restrictions required for access to the full database, and exposed to all the rest of NSA’s neat toys.

According to the FISA court’s orders, records that have been moved into the corporate store may be searched by authorized personnel “for valid foreign intelligence purposes, without the requirement that those searches use only RAS-approved selection terms.”71 Analysts therefore can query the records in the corporate store with terms that are not reasonably suspected of association with terrorism. They also are permitted to analyze records in the corporate store through means other than individual contact-chaining queries that begin with a single selection term: because the records in the corporate store all stem from RAS-approved queries, the agency is allowed to apply other analytic methods and techniques to the query results.72 For instance, such calling records may be integrated with data acquired under other authorities for further analysis. The FISA court’s orders expressly state that the NSA may apply “the full range” of signals intelligence analytic tradecraft to the calling records that are responsive to a query, which includes every record in the corporate store.73

PCLOB doesn’t say it, but NSA’s SID Director Theresa Shea has: those other authorities include content collection, which means coming up in a query can lead directly to someone reading your content.

Section 215 bulk telephony metadata complements other counterterrorist-related collection sources by serving as a significant enabler for NSA intelligence analysis. It assists the NSA in applying limited linguistic resources available to the counterterrorism mission against links that have the highest probability of connection to terrorist targets. Put another way, while Section 215 does not contain content, analysis of the Section 215 metadata can help the NSA prioritize for content analysis communications of non-U.S. persons which it acquires under other authorities. Such persons are of heightened interest if they are in a communication network with persons located in the U.S. Thus, Section 215 metadata can provide the means for steering and applying content analysis so that the U.S. Government gains the best possible understanding of terrorist target actions and intentions. [my emphasis]

Plus, those authorities will include datamining, including with other data collected by NSA, like a user’s Internet habits and financial records.

Then, PCLOB does some math to estimate how many numbers might be in the corporate store.

If a seed number has seventy-five direct contacts, for instance, and each of these first-hop contacts has seventy-five new contacts of its own, then each query would provide the government with the complete calling records of 5,625 telephone numbers. And if each of those second-hop numbers has seventy-five new contacts of its own, a single query would result in a batch of calling records involving over 420,000 telephone numbers.

[snip]

If the NSA queries around 300 seed numbers a year, as it did in 2012, then based on the estimates provided earlier about the number of records produced in response to a single query, the corporate store would contain records involving over 120 million telephone numbers.74

74 While fewer than 300 identifiers were used to query the call detail records in 2012, that number “has varied over the years.” Shea Decl. ¶ 24.

Some might quibble with these numbers: other estimates use 40 contacts per person (though remember, there’s 5 years of data), and the estimate doesn’t seem to account for mutual contacts. Plus, remember this is unique phone numbers: we should expect it to include fewer people, because people — especially people trying to hide — change phones regularly. Further, remember a whole lot of foreign numbers will be in there.

But other things suggest it might be conservative. As a recent Stanford study showed, if the NSA isn’t really diligent about removing high volume numbers, then queries could quickly include everyone; certainly, NSA could have deliberately populated the corporate store by leaving such identifiers in. We know there were 27,000 people cleared for RAS in 2008 and 17,000 on an alert list in 2009, meaning the query numbers for earlier years are effectively much much higher (which seems to be the point of footnote 74).

Plus, remember that PCLOB gave their descriptive sections to the NSA to review for accuracy. So I assume NSA did not object to the estimate.

So 120 million phone numbers might be a reasonable estimate.

That’s a lot of Americans exposed to the level of data analysis permissible in the corporate store.
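The fan-out arithmetic in the quoted estimate, set beside the two caveats raised above (mutual contacts and high-volume numbers), as an added sketch that is not from PCLOB or from this post. The call graph is constructed at random, and the function names, the 20,000-number population and the single hub number are assumptions made for illustration.

```python
import random

def naive_estimate(contacts, hops):
    """Tree-style count from the quoted estimate: contacts ** hops."""
    return contacts ** hops

def build_graph(n, picks, rng):
    """Constructed call graph: every number calls `picks` random others."""
    graph = {i: set() for i in range(n)}
    for a in range(n):
        for b in rng.sample(range(n), picks):
            if a != b:
                graph[a].add(b)
                graph[b].add(a)
    return graph

def chain(graph, seed, hops=3, skip=frozenset()):
    """Unique numbers within `hops` of `seed`; numbers in `skip` are
    dropped from the results and never chained through."""
    seen, frontier = {seed}, {seed}
    for _ in range(hops):
        reached = set()
        for num in frontier:
            reached |= graph[num]
        frontier = reached - seen - skip
        seen |= frontier
    return seen - {seed}

def demo():
    rng = random.Random(2014)            # fixed seed: repeatable constructed data
    n, picks, hub = 20000, 5, 20000
    graph = build_graph(n, picks, rng)
    graph[hub] = set(range(0, n, 3))     # one high-volume number, e.g. voicemail
    for num in graph[hub]:
        graph[num].add(hub)
    seeds = list(range(0, 60, 3))        # 20 seed numbers, all hub contacts
    results = [chain(graph, s, skip={hub}) for s in seeds]
    return {
        "naive_store": 300 * naive_estimate(75, 3),
        "with_hub": len(chain(graph, seeds[0])),
        "without_hub": len(results[0]),
        "sum_of_queries": sum(len(r) for r in results),
        "store": len(set().union(*results)),   # unique numbers retained
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>15}: {value:,}")
```

The gap between `sum_of_queries` and `store` is the mutual-contact overlap the tree-style estimate ignores, and the gap between `with_hub` and `without_hub` is what one unremoved high-volume number does to a single three-hop query.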