Former Surveillance Lawyer Peter Keisler Pushes for Surveillance Limits

Screen Shot 2014-11-18 at 2.33.55 PMI’ve been laying low so supporters of USA Freedom can try to get a vote for cloture allowing debate for their bill in the Senate (and also trying to duck getting back into the arguments I made about Jonathan Gruber in 2009 and 2010). I’ve had my say on the former issue here and here.

But even as USA Freedom faces an uncertain future in the Senate, something interesting happened in the 11th Circuit.

I wrote in June about the 11th Circuit decision in US v. Quartavious Davis. In a decision written by David Sentelle (on loan from the DC Circuit) the Circuit overturned a conviction based almost entirely on stored cell site location information (CSLI).

The government filed for rehearing en banc which was granted.

AT&T just submitted an amicus brief generally supporting a higher standard for CSLI.

This is no hippie brief. Generally, it calls for more clarity for the providers, and ultimately concludes asking for one standard.

However the scope of the Fourth Amendment’s protection is resolved, a clear and categorical rule will benefit all parties involved in the application of Section 2703(d), including the technology companies subject to orders to produce information. Whatever standard the Court ultimately determines the government must satisfy, the third party records cases may provide an unsatisfactory basis for resolving this case. Smith and Miller rested on the implications of a customer’s knowing, affirmative provision of information to a third party and involved less extensive intrusions on personal privacy. Their rationales apply poorly to how individuals interact with one another and with information using modern digital devices. In particular, nothing in those decisions contemplated, much less required, a legal regime that forces individuals to choose between maintaining their privacy and participating in the emerging social, political, and economic world facilitated by the use of today’s mobile devices or other location based services.

But to support that stance, it argues that because of increasing accuracy, CSLI is probably more intrusive than the car-based GPS tracker found to require a warrant in US v. Jones.

CSLI at times may provide more sensitive and extensive personal information than the car tracking information at issue in Jones. Users typically keep their mobile devices with them during the entire day, potentially providing a much more extensive and continuous record of an individual’s movements and living patterns than that provided by tracking a vehicle; CSLI, therefore, is not limited to the largely public road system or to when the device user is in a vehicle.

More interesting still, it argues that the 3rd Party doctrine doesn’t work anymore.

The privacy and related social interests implicated by the use of modern mobile devices and by CSLI are fundamentally different and more significant than those evaluated in Miller and Smith. Miller, 425 U.S. at 443 (“We must examine the nature of the particular documents sought to be protected in order to determine whether there is a legitimate ‘expectation of privacy’ concerning their contents”); Smith, 442 U.S. at 741-42 (emphasizing the “limited capabilities” of pen registers). Use of mobile devices, as well as other devices or location based services, has become integral to most individuals’ participation in the new digital economy: those devices are a nearly ever-present feature of their most basic social, political, economic, and personal relationships. In recent years, this has become especially true of the data communications – from email and texting to video to social media connections – that occur on a nearly continuous basis whenever mobile devices are
turned on.


Nor does Miller or Smith address how individuals interact with one another and with different data and media using mobile devices in this digital age. Location enabled services of all types provide a range of information to their users. At the same time, mobile applications, vehicle navigation systems, mobile devices, or wireless services for mobile devices often collect and use data in the background.

As part of that, AT&T talks about CSLI shows interactions.

But perhaps my favorite part of the brief is this:

Screen Shot 2014-11-18 at 4.19.09 PM

The brief was written by Peter Keisler, a longtime telecom attorney but also — during his brief stint as Acting Attorney General in 2007 — the guy who signed at least Directives (and possibly 2 Certificates) in Protect America Act. See page 34 for where Keisler signed Directives to Yahoo on his last day as Acting AG, November 8, 2007.

Protect America Act Was Designed to Collect on Americans, But DOJ Hid that from the FISC

The government released a document in the Yahoo dump that makes it clear it intended to reverse target Americans under Protect America Act (and by extension, FISA Amendments Act). That’s the Department of Defense Supplemental Procedures Governing Communications Metadata Analysis.

The document — as released earlier this month and (far more importantly) as submitted belatedly to the FISC in March 2008 — is fairly nondescript. It describes what DOD can do once it has collected metadata (irrespective of where it gets it) and how it defines metadata. It also clarifies that, “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communcations, nor to they qualify as ‘us[ing] a selection term’.”

The procedures do not once mention US persons.

There are two things that should have raised suspicions at FISC about this document. First, DOJ did not submit the procedures to FISC in a February 20, 2008 collection of documents they submitted after being ordered to by Judge Walton after he caught them hiding other materials; they did not submit them until March 14, 2008.

The signature lines should have raised even bigger suspicions.

Gates Mukasey

First, there’s the delay between the two dates. Robert Gates, signing as Secretary of Defense, signed the document on October 17, 2007. That’s after at least one of the PAA Certifications underlying the Directives submitted to Yahoo (the government is hiding the date of the second Certification for what I suspect are very interesting reasons), but 6 days after Judge Colleen Kollar-Kotelly submitted questions as part of her assessment of whether the Certifications were adequate. Michael Mukasey, signing as Attorney General, didn’t sign the procedures until January 3, 2008, two weeks before Kollar-Kotelly issued her ruling on the certifications, but long after it started trying to force Yahoo to comply and even after the government submitted its first ex parte submission to Walton. That was also just weeks before the government redid the Certifications (newly involving FBI in the process) underlying PAA on January 29. I’ll come back to the dates, but the important issue is they didn’t even finalize these procedures until they were deep into two legal reviews of PAA and in the process of re-doing their Certifications.

Moreover, Mukasey dawdled two months before he signed them; he started at AG on November 9, 2007.

Then there’s the fact that the title for his signature line was clearly altered, after the fact.

Someone else was supposed to sign these procedures. (Peter Keisler was Acting Attorney General before Mukasey was confirmed, including on October 17, when Gates signed these procedures.) These procedures were supposed to be approved back in October 2007 (still two months after the first PAA Certifications) but they weren’t, for some reason.

The backup to those procedures — which Edward Snowden leaked in full — may explain the delay.

Those procedures were changed in 2008 to reverse earlier decisions prohibiting contact chaining on US person metadata. 

NSA had tried to get DOJ to approve that change in 2006. But James Baker (who was one of the people who almost quit over the hospital confrontation in 2004 and who is now FBI General Counsel) refused to let them.

After Baker (and Alberto Gonzales) departed DOJ, and after Congress passed the Protect America Act, the spooks tried again. On November 20, 2007, Ken Wainstein and Steven Bradbury tried to get the Acting Deputy Attorney General Craig Morford (not Mukasey, who was already AG!) to approve the procedures. The entire point of the change, Wainstein’s memo makes clear, was to permit the contact chaining of US persons.

The Supplemental Procedures, attached at Tab A, would clarify that the National Security Agency (NSA) may analyze communications metadata associated with United States persons and persons believed to be in the United States.

What the government did, after passage of the PAA, was make it permissible for NSA to figure out whom Americans were emailing.

And this metadata was — we now know — central to FISCR’s understanding of the program (though perhaps not FISC’s; in an interview today I asked Reggie Walton about this document and he simply didn’t remember it).

The new declassification of the FISCR opinion makes clear, the linking procedures (that is, contact chaining) NSA did were central to FISCR’s finding that Protect America Act, as implemented in directives to Yahoo, had sufficient particularity to be reasonable.

The linking procedures — procedures that show that the [redacted] designated for surveillance are linked to persons reasonably believed to be overseas and otherwise appropriate targets — involve the application of “foreign intelligence factors” These factors are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. As attested by affidavits  of the Director of the National Security Agency (NSA), the government identifies [redacted] surveillance for national security purposes on information indicating that, for instance, [big redaction] Although the FAA itself does not mandate a showing of particularity, see 50 U.S.C. § 1805(b). This pre-surveillance procedure strikes us as analogous to and in conformity with the particularly showing contemplated by Sealed Case.

In fact, these procedures were submitted to FISC and FISCR precisely to support their discussion of particularity! We know they were using these precise procedures with PAA because they were submitted to FISC and FISCR in defense of a claim that they weren’t targeting US persons.

Except, by all appearances, the government neglected to tell FISC and FISCR that the entire reason these procedures were changed, subsequent to the passage of the PAA, was so NSA could go identify the communications involving Americans.

And this program, and the legal authorization for it? It’s all built into the FISA Amendments Act.