Posts

Shorter NSA: That We Discovered We Had No Fucking Clue How We Use Our Spying Is Proof Oversight Works

James Clapper’s office just released a bunch of documents pertaining to the Section 215 dragnet. They reveal a whole slew of violations, which the office attributes to this:

The compliance incidents discussed in these documents stemmed in large part from the complexity of the technology employed in connection with the bulk telephony metadata collection program, interaction of that technology with other NSA systems, and a lack of a shared understanding among various NSA components about how certain aspects of the complex architecture supporting the program functioned.  These gaps in understanding led, in turn, to unintentional misrepresentations in the way the collection was described to the FISC.  As discussed in the documents, there was no single cause of the incidents and, in fact, a number of successful oversight, management, and technology processes in place operated as designed and uncovered these matters.

More candidly it admits that no one at NSA understood how everything works. It appears they’re still not sure, as one Senior Official Who Refused to Back His Words admitted,

“I guess they have 300 people doing compliance at NSA.”

“I guess” is how they make us comfortable about their new compliance program.

Ultimately, this resulted in them running daily Section 215 collection on a bunch of numbers that–by their own admission–they did not have reasonable articulable suspicion had some tie to terrorism. When they got caught, that number consisted of roughly 10 out of 11 of the numbers they were searching on.

The rest of this post will be a working thread.

Update: Here is the Wyden/Udall statement. It strongly suggests that the other thing the government lied about — as referenced in John Bates’ October 3, 2011 opinion — was the Internet dragnet.

With the documents declassified and released this afternoon by the Director of National Intelligence, the public now has new information about the size and shape of that iceberg. Additional information about these violations was contained in other recently-released court opinions, though some significant information – particularly about violations pertaining to the bulk email records collection program – remains classified.

 

In addition to providing further information about how bulk phone records collection came under great FISA Court scrutiny due to serious and on-going compliance violations, these documents show that the court actually limited the NSA’s access to its bulk phone records database for much of 2009. The court required the NSA to seek case-by-case approval to access bulk phone records until these compliance violations were addressed. In our judgment, the fact that the FISA Court was able to handle these requests on an individual basis is further evidence that intelligence agencies can get all of the information they genuinely need without engaging in the dragnet surveillance of huge numbers of law-abiding Americans.


The original order required NSA to keep the dragnet on “a secure private network that NSA exclusively will operate.” Yet on the conference call, the Secret-Officials-Whose-Word-Can’t-Be-Trusted admitted that some of the violations involved people wandering into the data without knowing where they were. And an earlier violation made it clear in 2012 they found a chunk of this data that tech people had put on their own server.

The order also requires an interface with security limitations. Again, we know tech personnel access the data outside of this structure.

That order also only approves 7 people to approve queries. That number is now 22.

(9) We need to see a copy of the first couple of reports NSA gave to FISC with its reapplications to see how things got so out of control.

(10) This approval was signed by Malcolm Howard. Among other things, he was in the White House during the Nixon-Ford transition period.


The original authorization for 215 was a hash. Reggie Walton got involved in 2008 and cleaned it up (though not convincingly) in this supplemental order. He relies, significantly, on the “any tangible thing” language passed in 2006. (2-3)

More Contractor Problems — And FISC Disclosure Problems?

In the updated minimization procedures approved in 2011, the NSA added language making clear that the procedures applied to everyone doing analysis for NSA.

For the purposes of these procedures, the terms “National Security Agency” and “NSA personnel” refer to any employees of the National Security Agency/Central Security Service (“NSA/CSS” or “NSA”) and any other personnel engaged in Signals Intelligence (SIGINT) operations authorized pursuant to section 702 of the Act if such operations are executed under the direction, authority, or control of the Director, NSA/Chief, CSS (DIRNSA).

It told the FISA Court it needed this language to make it clear that militarily-deployed NSA personnel also had to abide by them.

The government has added language to Section 1 to make explicit that the procedures apply not only to NSA employees, but also to any other persons engaged in Section 702-related activities that are conducted under the direction, authority or control of the Director of the NSA. NSA Minimization Procedures at 1. According to the government, this new language is intended to clarify that Central Security Service personnel conducting signals intelligence operations authorized by Section 702 are bound by the procedures, even when they are deployed with a military unit and subject to the military chain of command.

But to me both these passages rang alarms about contractors. Did they have to include this language, I wondered, because contractors in the past had claimed not to be bound by the same rules NSA’s direct employees were?

Lo and behold, the Bloomberg piece reporting that NSA’s IG undercounts deliberate violations by roughly 299 a year includes this:

The actions, said a second U.S. official briefed on them, were the work of overzealous NSA employees or contractors eager to prevent any encore to the Sept. 11, 2001, terrorist attacks.

It sure seems that at least some of the worst violations — the ones even NSA’s IG will call intentional — were committed by contractors. Which suggests I may be right about the inclusion of that language to make it clear it applies to contractors.

If that’s the case, then why did NSA tell the FISA Court this new language was about militarily-deployed NSA employees, and not about contractors?

 

Have There Been Significant Phone Dragnet Violations Since 2009?

As I laid out in more obscure fashion here, there are slight — but interesting — differences between how the 2009 Congressional notice, the 2011 Congressional notice, and the 2013 White Paper on the PATRIOT Act dragnet(s) describe the compliance problems. I’ve laid out all three below.

I’ll have more to say about the differences in a follow-up. But for the moment, note that the White Paper released 11 days ago doesn’t date the compliance issues.

Since the telephony metadata collection program under Section 215 was initiated, there have been a number of significant compliance and implementation issues that were discovered as a result of DOJ and ODNI reviews and internal NSA oversight.

The 2009 one doesn’t either — though it does reveal that the government was only just briefing the FISC that September on its compliance fixes when Silvestre Reyes first asked for this notice (they stalled almost 3 months in responding to him), at least suggesting the recentness of the discovery. The 2011 notice limits the compliance issues to 2009, though.

In 2009, a number of technical compliance problems and human implementation errors in these two bulk collection programs were discovered

Note, too, the different descriptions of the FISC response. Both the 2009 and 2011 notices assure Congress that the FISC, along with the Executive, found no evidence of bad-faith or intentional violations.

However, neither the Department, NSA nor the FISA Court has found any intentional or bad-faith violations.

The 2011 notice also reveals that the FISC imposed restrictions on the program — restrictions that surely were in place in March 2009, when Dianne Feinstein and Kit Bond tried to start the PATRIOT Reauthorization program and may still have been in place in September 2009 (there were notices to Congress about the program on February 25, April 10, May 7, June 29, September 3, and September 10, 2009, and briefing materials sent to FISC on the program on September 1, September 18, and sometime in October).

Nice of DOJ to tell Congress that two years after the fact.

The White Paper, however, describes the FISC response — at times — quite differently. It makes no claim about whether FISC found intentional violations. And it reveals the FISC has, on occasion, “been critical” of both the compliance problems and the government’s court filings.

The FISC has on occasion been critical of the Executive Branch’s compliance problems as well as the Government’s court filings. However, the NSA and DOJ have corrected the problems identified to the Court, and the Court has continued to authorize the program with appropriate remedial measures.

Not only is there no claim that the FISC found no bad-faith problems, but it now reveals that “on occasion” the FISC has been critical — critical about both the problems and the government’s claims about the problems.

There are several possible explanations for the difference in language.

Perhaps, for example, the government revealed FISC’s critical stance because it knew the FISC would read this White Paper, along with the rest of us, whereas the Congressional notifications would originally have never been seen by the FISC. Thus, the Administration would have reason to be far more frank about the FISC’s response than it was in the past.

But in conjunction with the silence about the date of these compliance problems, I do wonder whether FISC has grown more critical since 2011. After all, if there have been violations since this apparently extended effort in 2009 to fix compliance issues, wouldn’t it make the Court crankier?

One more thing to keep in mind.

All Three Branches Conduct Vaunted NSA Oversight!

Today, we learned this is what the vaunted Congressional oversight of NSA spying looks like.

Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.), who did not receive a copy of the 2012 audit [showing thousands of violations] until The Post asked her staff about it, said in a statement late Thursday that the committee “can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate.”

We learned this is what the vaunted FISA Court oversight of NSA spying looks like.

The chief judge of the Foreign Intelligence Surveillance Court said the court lacks the tools to independently verify how often the government’s surveillance breaks the court’s rules that aim to protect Americans’ privacy. Without taking drastic steps, it also cannot check the veracity of the government’s assertions that the violations its staff members report are unintentional mistakes.

“The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” its chief, U.S. District Judge Reggie Walton, said in a written statement to The Washington Post. “The FISC does not have the capacity to investigate issues of noncompliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders.”

We learned this is what the vaunted internal NSA oversight of NSA spying looks like.

The NSA uses the term “incidental” when it sweeps up the records of an American while targeting a foreigner or a U.S. person who is believed to be involved in terrorism. Official guidelines for NSA personnel say that kind of incident, pervasive under current practices, “does not constitute a . . . violation” and “does not have to be reported” to the NSA inspector general for inclusion in quarterly reports to Congress. Once added to its databases, absent other restrictions, the communications of Americans may be searched freely.

In one required tutorial, NSA collectors and analysts are taught to fill out oversight forms without giving “extraneous information” to “our FAA overseers.” FAA is a reference to the FISA Amendments Act of 2008, which granted broad new authorities to the NSA in exchange for regular audits from the Justice Department and the office of the Director of National Intelligence and periodic reports to Congress and the surveillance court.

Using real-world examples, the “Target Analyst Rationale Instructions” explain how NSA employees should strip out details and substitute generic descriptions of the evidence and analysis behind their targeting choices.

Vaunted. For well over 2 months. This is what they’ve been hailing.

Russ Feingold: Yahoo Didn’t Get the Info Needed to Challenge the Constitutionality of PRISM

The NYT has a story that solves a question some of us have long been asking: Which company challenged a Protect America Act order in 2007, only to lose at the district and circuit level?

The answer: Yahoo.

The Yahoo ruling, from 2008, shows the company argued that the order violated its users’ Fourth Amendment rights against unreasonable searches and seizures. The court called that worry “overblown.”

But the NYT doesn’t explain something that Russ Feingold pointed out when the FISA Court of Review opinion was made public in 2009 (and therefore after implementation of FISA Amendments Act): the government didn’t (and still didn’t, under the PAA’s successor, the FISA Amendments Act, Feingold seems to suggest) give Yahoo some of the most important information it needed to challenge the constitutionality of the program.

The decision placed the burden of proof on the company to identify problems related to the implementation of the law, information to which the company did not have access. The court upheld the constitutionality of the PAA, as applied, without the benefit of an effective adversarial process. The court concluded that “[t]he record supports the government. Notwithstanding the parade of horribles trotted out by the petitioner, it has presented no evidence of any actual harm, any egregious risk of error, or any broad potential for abuse in the circumstances of the instant case.” However, the company did not have access to all relevant information, including problems related to the implementation of the PAA. Senator Feingold, who has repeatedly raised concerns about the implementation of the PAA and its successor, the FISA Amendments Act (“FAA”), in classified communications with the Director of National Intelligence and the Attorney General, has stated that the court’s analysis would have been fundamentally altered had the company had access to this information and been able to bring it before the court.

In the absence of specific complaints from the company, the court relied on the good faith of the government. As the court concluded, “[w]ithout something more than a purely speculative set of imaginings, we cannot infer that the purpose of the directives (and, thus, of the surveillance) is other than their stated purpose… The petitioner suggests that, by placing discretion entirely in the hands of the Executive Branch without prior judicial involvement, the procedures cede to that Branch overly broad power that invites abuse. But this is little more than a lament about the risk that government officials will not operate in good faith.” One example of the court’s deference to the government concerns minimization procedures, which require the government to limit the dissemination of information about Americans that it collects in the course of its surveillance. Because the company did not raise concerns about minimization, the court “s[aw] no reason to question the adequacy of the minimization protocol.” And yet, the existence of adequate minimization procedures, as applied in this case, was central to the court’s constitutional analysis. [bold original, underline mine]

This post — which again, applies to PAA, though seems to be valid for the way the government has conducted FAA — explains why.

The court’s ruling makes it clear that PAA (and by association, FAA) by itself is not Constitutional. By itself, a PAA or FAA order lacks both probable cause and particularity.

The programs get probable cause from Executive Order 12333 (the one that John Yoo has been known to change without notice), from an Attorney General assertion that he has probable cause that the target of his surveillance is associated with a foreign power.

And the programs get particularity (which is mandated from a prior decision from the court, possibly the 2002 one on information sharing) from a set of procedures (the descriptor was redacted in the unsealed opinion, but particularly given what Feingold said, it’s likely these are the minimization procedures both PAA and FAA required the government to attest to) that give it particularity. The court decision makes it clear the government only submitted those — even in this case, even to a secret court — ex parte.

The petitioner’s arguments about particularity and prior judicial review are defeated by the way in which the statute has been applied. When combined with the PAA’s other protections, the [redacted] procedures and the procedures incorporated through the Executive Order are constitutionally sufficient compensation for any encroachments.

The [redacted] procedures [redacted] are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. [redacted] Although the PAA itself does not mandate a showing of particularity, see 50 USC 1805b(b), this pre-surveillance procedure strikes us as analogous to and in conformity with the particularity showing contemplated by Sealed Case.

In other words, even the court ruling makes it clear that Yahoo saw only generalized descriptions of these procedures that were critical to its finding the order itself (but not the PAA in isolation from them) was constitutional.

Incidentally, while Feingold suggests the company (Yahoo) had to rely on the government’s good faith, to a significant extent, so does the court. During both the PAA and FAA battles, the government successfully fought efforts to give the FISA Court authority to review the implementation of minimization procedures.

The NYT story suggests that the ruling which found the program violated the Fourth Amendment pertained to FAA.

Last year, the FISA court said the minimization rules were unconstitutional, and on Wednesday, ruled that it had no objection to sharing that opinion publicly. It is now up to a federal court.

I’m not positive that applies to FAA, as distinct from the 215 dragnet or the two working in tandem.

But other reporting on PRISM has made one thing clear: the providers are still operating in the dark. The WaPo reported from an Inspector General’s report (I wonder whether this is the one that was held up until after FAA renewal last year?) that they don’t even have visibility into individual queries, much less what happens to the data once the government has obtained it.

But because the program is so highly classified, only a few people at most at each company would legally be allowed to know about PRISM, let alone the details of its operations.

[snip]

According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process. [my emphasis]

This gets to the heart of the reason why Administration claims that “the Courts” have approved this program are false. In a signature case where an Internet provider challenged it — which ultimately led the other providers to concede they would have to comply — the government withheld some of the most important information pertaining to constitutionality from the plaintiff.

The government likes to claim this is constitutional, but that legal claim has always relied on preventing the providers and, to some extent, the FISA Court itself from seeing everything it was doing.

Shorter Neal Katyal: Please Appoint Me Judge!

If it weren’t for this line, disdaining what judges do,

But judges should be left to what they know.

I would be convinced that this op-ed from Neal Katyal, arguing against a Drone and/or Targeted Killing Court, was a transparent attempt to curry favor with the man who gets to nominate people for lifetime appointments to federal courts.

Because it strikes me as a dishonest argument, one made by someone who almost surely knows better, repeating the AUMF fallacy.

But there is no true precedent for interposing courts into military decisions about who, what and when to strike militarily. Putting aside the serious constitutional implications of such a proposal, courts are simply not institutionally equipped to play such a role.

While the Bush Administration didn’t read Ted Olson into its worst OLC opinions when he was Solicitor General — and so it’s possible (though unlikely) that Katyal was likewise not read into the June 2010 opinion that authorized the CIA to kill Anwar al-Awlaki during the time he was Acting Solicitor General — he was almost certainly part of the legal strategy to respond to the ACLU/CCR suit hoping to enjoin the President from killing Awlaki unless he represented an imminent threat, which also occurred while he was Acting SG.

Neal Katyal almost certainly knows the CIA was cleared to carry out that killing (though he had left the Administration by the time Awlaki was ultimately killed), and that this was a covert op.

To argue for a star chamber within the Executive Branch, he paints the judges who serve on the FISA Court as generalists who have no clue about national security issues.

There are many reasons a drone court composed of generalist federal judges will not work. They lack national security expertise, they are not accustomed to ruling on lightning-fast timetables, they are used to being in absolute control, their primary work is on domestic matters and they usually rule on matters after the fact, not beforehand.

[snip]

What reason does the FISA Court give us to think that judges are better than specialists at keeping executive power in check?

The FISA Court includes judges like Thomas Hogan (who has been a District Court judge in DC since Katyal was 12) and is now led by Reggie Walton (who joined DC District back when President Obama was still a State Senator). While they’ve seen their share of DC drug cases, they’ve also presided over some high profile national security cases (both had a part in the Libby case, both have issued key rulings in Gitmo habeas cases). But Katyal thinks they’re just not capable of reviewing whether an American should be killed by his government with no due process.

There’s more that’s laugh out loud funny in Katyal’s op-ed, such as the suggestion that targeted killing of an American (as far as I know, no one is even considering using a FISA process with non-citizens) presents no Constitutional issues.

Even the questions placed before the FISA Court aren’t comparable to what a drone court would face; they involve more traditional constitutional issues — not rapidly developing questions about whether to target an individual for assassination by a drone strike.

And the suggestion that the Executive can be trusted to hand over its own analysis on targeted killing to Congress.

The adjudicator would be a panel of the president’s most senior national security advisers, who would issue decisions in writing if at all possible. Those decisions would later be given to the Congressional intelligence committees for review.

Not to mention that a “court” which the President was free to overrule amounts to any kind of due process.

Crucially, the president would be able to overrule this court, and take whatever action he thought appropriate, but would have to explain himself afterward to Congress.

Mind you. I, like Katyal, think the idea of turning FISA into a Drone and/or Targeted Killing court is terrible. But I’m not arguing that’s because an actual court would infringe too much on the President’s claimed authority to kill Americans at will.

Do Bloggers Suck or Does TradMed Just Suck More?

Above the Law, reporting on a speech 9th Circuit Court Chief Judge Alex Kozinski gave at Fordham Law, summarized his argument as, “A New Argument in Favor of Cameras in the Courtroom: Bloggers Suck.”

Now, for the record, I’m all in favor of cameras in the courtroom and have long been, particularly once I discovered that TradMed journalists look for different things at hearings than I do. And particularly today, as I’m deciding whether I have time to get to the closing arguments in Perry v. Schwarzenegger, drink some beers with bmaz, and be back here in time to drive to Syracuse for my mom’s 70th, I’d love the option of sitting at home and streaming the trial (though beers with bmaz might still win the day).

But I wanted to look more closely at the argument Kozinski seems to be making (assuming, of course, that the blogger at Above the Law competently replicated it, because there’s always the possibility he’s just being loud and biased).

Kozinski started his talk by going over some of the arguments he has made before [PDF] in support of cameras (e.g., studies show cameras don’t affect the proceedings, quoting his “old boss” Warren Burger — “People in an open society do not demand infallibility from their institutions, but it is difficult for them to accept what they are prohibited from observing.”).

It wouldn’t be like the O.J. trial, which decidedly set the cameras-in-the-courtroom movement back. Kozinski advocates stationary cameras that would not zoom in, zoom out, or otherwise overly dramatize the courtroom events. Kozinski acknowledged that if you were to choose between an O.J. media circus or reports from informed journalists like Nina Totenberg or Linda Greenhouse, one might be happy to live without cameras.

But that’s not usually the choice one has. Kozinski pointed to the “long, slow decline of the newspaper industry” and the “rise of a much more diffuse style of coverage” as a major reason why cameras should be brought into courtrooms. Increasingly, the public is relying on “pseudo-journalists” (aka bloggers) for their instantaneous legal news.

“On the Internet, the loudest voice gets the most attention,” said Kozinski, who said that tends to lead to a distortion of the coverage of a case. He also raised the risks of relying on unknown bloggers, pointing to the case of “Dr. Flea.”

[snip]

“The days of obscurity for judges and reliable, informed journalists are gone and gone forever,” said Kozinski. “If courts don’t change with the times, change will be forced upon them.”

Kozinski’s arguing, apparently, that we need cameras in the courtroom because trials are no longer covered with the skill that Nina Totenberg and Linda Greenhouse bring to their work. Furthermore, Kozinski seems to be arguing, the public is fooled into following “loud” chroniclers of trials, rather than competent ones. And, it seems, Kozinski believes readers (the blogger here doesn’t specify what kind of reader) risk … something … if they rely on pseudonymous bloggers.

As some of you no doubt recall, a blog named “FireDogLake” actually once covered a trial–the Scooter Libby trial–also covered by Nina Totenberg. FDL’s coverage was undoubtedly biased and at times even delved into heavy snark (since then, in fact, one of the bloggers has developed a bit of a reputation for a potty mouth). Nevertheless, FDL’s liveblog–written under the pseudonyms “emptywheel,” “Swopa,” and “Pachacutec”–became the standard “instantaneous” news from the trial. Two of the TradMed journalists in the courtroom–including one whose beat was the Court–followed the stream, not to mention an unknown number of journalists who chose to stay away from the courthouse and follow along the thread. The General Counsel for the Washington Post chose to follow FDL’s liveblog, rather than the superb work of Washington Post reporter Carol Leonnig, because with five reporters testifying in the trial, he needed up-to-the-minute near transcription rather than twice-daily analysis of the events. When it was all said and done, Jay Rosen declared that in most categories of coverage “FDL was tops.” I assume Rosen even considered Nina Totenberg’s coverage of the trial when he said that.
