Posts

Working Thread, Internet Dragnet 4: Later 2009 Documents

/1 Comment/in /by

The early focus on the dragnet violations was on the phone dragnet. At the end of March, however, DOJ started preparing to look more closely at the PRTT program in late April 2009, which may be why some of the following violations got disclosed to Reggie Walton in conjunction with a May reauthorization application. The CIA, FBI, and NCTC access to the PRTT seems to have been a bigger issue than the BR  FISA data.

All that said, when the NSA completed its End-to-End report sometime in fall 2009, they didn’t report all that much beyond the violations noted in May (though they did note the NSA did not shut down some automatic process when it said it did), mostly by claiming they didn’t realize the original dragnet order meant what it said (in spite of the violation in the first dragnet order).

It was only after that that they noticed FISC NSA had been collecting content from the start of the program (see document O). Once they admitted that, NSA decided not to reapply for a Primary Order, and Reggie Walton issued a supplemental order (document E) ordering them not to collect any more, but also not to access the data they did have. Only after that did DOJ submit the End-to-End report, accompanied by DOJ and Keith Alexander reports that admitted the content violation.

See also Working Thread 1, Working Thread 2, Working Thread 3, and Internet Dragnet Timeline. No one else is doing this tedious work; if you find it useful, please support it.

Read more

WSJ Falsely Paints John “Bates Stamp” as Aggressive

/2 Comments/in /by

WSJ wrote a badly flawed article yesterday describing John Bates’ 2010 opinion reauthorizing the Internet dragnet, claiming the memo — which was released last November — was just declassified.

Newly declassified court documents show one of the National Security Agency’s key surveillance programs was plagued by years of “systemic overcollection” of private Internet communications.

[snip]

Some of the problems with Internet metadata previously were reported and have been part of a broad critique of the NSA’s surveillance activities since the Sept. 11, 2001, terror attacks. The new document from Judge Bates offers the most detailed accounting—even with more than a dozen pages blacked out—of what those problems were.

Sure, ODNI didn’t explain that the opinion — and three other documents released — had been released before, one on multiple occasions. But those of us who read the opinion with the first release, rather than offering up unrepresentative quotes, recognized Bates’ memo as one of the seminal releases from last year. And contrary to WSJ’s claim, the public record (including Claire Eagan’s opinion, which cites from it) shows the opinion to date to 2010.

Even in this supposed actual reading of the document, however, WSJ gets it wrong.

The judge’s order ultimately reauthorized the program, with more stringent conditions than the government had sought.

Sure, Bates didn’t permit NSA unrestricted access to illegally collected records. But Bates also approved what was described as an 11- to 24-fold increase in collection.

The current application, in comparison with prior dockets, seeks authority to acquire a much larger volume of metadata at a greatly expanded range of facilities, while also modifying — and in some ways relaxing — the rules governing the handling of metadata.

Best as we can tell given the redactions, Bates approved that part of the request. Aside from imposing a few more training requirements, his biggest denial pertained to some — but not all — of the Internet dragnet data the government collected since the beginning of the program.

So while it is true that Bates wrote a lot of scathing things about the conduct of the program, he also turned around and vastly expanded it.

I raise all this not to be an asshole (though it would be nice if the WSJ had issued a correction, as its author retweeted my tweeted correction). I raise it for two reasons.

First, the WSJ pitches this as “the Judge who doesn’t like FISA reform was very critical of the Administration’s performance.”

Judge Bates has been the designated spokesman for the judiciary opposing several proposed changes to the structure of the Foreign Intelligence Surveillance Court, particularly the addition of a special advocate to represent privacy interests.

By not reporting that Bates vastly expanded this program in spite of its persistent violations, WSJ wrongly pitches him as a credible judge of what makes the FISC effective, rather than as Exhibit One for why it should be abolished.

Moreover, the documents that actually were newly released the other day suggest a very different narrative for what happened between 2009 and 2010, for how Bates came to summarize the many failings of the program but expand the program.

They show, first of all, that Reggie Walton was dealing with the phone and Internet dragnets in tandem throughout; Bates had no discernible role — aside from his intervention on August 4, 2009, after Reggie Walton had already shut down part of the phone dragnet program. The documents released this week make it clear Walton, not Bates, was the fact-finder who discovered the Internet dragnet had never complied with FISC guidelines. Bates had to repeat that scathing language in his opinion, because Walton had already laid it out.

And then, after Walton shut down the Internet dragnet, at a time when NSA continued to ignore his orders, when orders were terse, things began to change.

That’s when we begin to see solicitous letters — “Let me once again thank both you and your staff for  your consideration” —  to Bates, now the decision-maker on whether or not the government could resume a program that had illegally wiretapped Americans for 5 years.

It’s that guy who capitulated to pretty talk, expanding both the Internet dragnet and the upstream 702 collection, even as he laid out how both had been illegally wiretapping Americans, who says an advocate actually speaking for privacy would ruin the FISC. That’s the narrative we should get from this recent document dump, not that Bates was in any way anything but a Bates stamp.

Walton was by no means a perfect steward of the secret court. But Bates demonstrates why it cannot and does not fulfill its function.

Working Thread, Internet Dragnet Dump 2: 2004 Documents

/1 Comment/in /by

This will be a closer working thread on documents released yesterday.

X: Initial Dragnet Application (prior to July 14, 2004)

(2) From the start, the government said they wanted to disseminate the dragnet info, perhaps to tag into FBI’s investigative authorities.

(2) The footnote defining metadata hides all the stuff not associated with “standard e-mails.”

(4) The application discusses the briefing I discussed here, attended by (among others) John Brennan.

(5) The application is not submitted by a lawyer, but by Michael Hayden.

(6) The government hasn’t released a Tenet submission; back in November it hid that this submission was from him.

(16) ODNI maintains that the fictional example of metadata is classified.

(18) Originally access was restricted by making the metadata accessible only by 2 admin login accounts. That’s probably a carry-over from the compartments of the illegal program.

(20) RAS approval assigned to the same 7 authorizers that were in place for the beginning of the phone dragnet in 2006.

(21) They’re hiding at least one kind of Internet metadata.

(23) Metadata originally accessible for only 18 months. Is that what they used for the illegal dragnet?

Y. Memo of Law in Support of Original Dragnet Application, before July 14, 2004

(4) The government claims that only email metadata related to terrorism will be seen. By definition, that means anything returned in a query would be related to counterterrorism and therefore game for dissemination.

(4) This is the jist of the illegal use of PRTT for the dragnet:

Nevertheless, it involves nothing more than adapting the traditional tools of FISA to meet an unprecedented challenge and does so in a way that promotes both of the twin goals of FISA: facilitating the foreign-intelligence collection needed to protect American lives while at the same time providing judicial oversight to safeguard American freedoms.

This claim is followed by a 5-page redaction, which is mighty interesting as it would have to explain why this judicial review was so useful.

(9) Footnote 5 again makes it clear that this involves email and other online communications.

(12) This language is remarkable for a secret court document.

Collecting and archiving meta data is thus the best avenue for solving this fundamental problem: although investigators do know know exactly where the terrorists’ communications are hiding in the billions of bits of data flowing through the United States today, we do know that they are there, and if we archive the data now, we will be able to use it in a targeted way to find the terrorists tomorrow.

(20) This language is particularly important given debates about USA Freedom.

Nothing in the definitions of pen registers or trap and trace devices requires that the “instrument” or “facility” on which the device is placed carry the communications solely of a single user.

(20) This section really tries to constrain the Court.

Unlike certain other certifications made in other contexts under the statute, see, e.g., U.S.C. § 1805(a)(5), FISA does not subject the certification of relevance to any review by the Court.

Read more

Internet Dragnet Timeline

/5 Comments/in /by

This timeline provides known dates for the PRTT Internet dragnet, important related dates in the phone dragnet, upstream 702 collection, and SPCMA (overseas Internet dragnet). In addition, it provides links to the documents in this release; see this post for the listing of documents.

May 6, 2004: Jack Goldsmith opinion authorizes phone dragnet but not Internet dragnet.

Before July 14, 2004: Government applies for Internet dragnet. X. Application for Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes, Y. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes, Z. Declaration of General Michael V. Hayden, U.S Air Force, Director, NSA, in Support of Pen Register/Trap and Trace Application

July 14, 2004: Colleen Kollar-Kotelly approves Internet dragnet, specifies categories of metadata (Document A in 8/12 dump).

Before October 12, 2004: the government provides notice it exceeded scope included in first order, in follow-up declarations attributes overcollection to poor management (response probably includes Paul Wolfowitz, Michael Hayden, and Joel Brenner)

Around October 12, 2004: Government reapplies without some collection, promises monthly spot checks.

April 27, 2005: In briefing leading up to PATRIOT reauthorization, Alberto Gonzales makes no mention of PRTT Internet dragnet.

November 17, 2007: Executive begins (internal) approval process for contact chaining on already-collected data which will become SPCMA.

Read more

Internet Dragnet Materials, Working Thread 1

/3 Comments/in , , /by

I Con the Record just released some ridiculously overclassified Internet dragnet documents it claims shows oversight but which actually shows how they evaded oversight. I’ve added letters to ID each document (I’ll do a post rearranging them into a timeline tomorrow or soon thereafter).

For a timeline I did earlier of the Internet dragnet program see this post.

This will be the first of several working threads, starting with descriptions of what we’ve got.

8/12: Note I will be updating this as I can clarify dates and content.

So-called Judicial oversight

A. FISC Opinion and Order: This is the Kollar-Kotelly order that initially approved the dragnet on July 14, 2004. A searchable version is here.

B. FISC Primary Order: This is an Internet dragnet order signed by Reggie Walton, probably in 2008 or very early 2009. It shows that the Internet dragnet program, which was almost certainly illegal in any case, had less oversight than the phone dragnet program (though at this point also collected fewer records). It was turned over pursuant to FAA requirements on March 13, 2009.

C. FISC Primary Order: This is an Internet dragnet order probably from May 29, 2009 (as identified in document D), signed by Reggie Walton. It shows the beginning of his efforts to work through the Internet violations. It appears to have been provided to Congress on August 31, 2009.

D. FISC Order and Supplemental Order: This is a version of the joint June 22, 2009 order released on several occasions before. It shows Reggie Walton’s efforts to work through the Internet dragnet violations. Here’s one version.

E. FISC Supplemental Order: This appears to be the dragnet order shutting down dragnet production. It would date to fall 2009 (production was likely shut down in October 2009, though this might reflect the initial shut-down).

F. FISC Primary Order: I’m fairly sure this is an order from after Bates turned the Internet dragnet back on in 2010 (and is signed by him), though I will need to verify that. It does require reports on how the NSA will segregate previously violative records, which is consistent with it dating to 2011 sometime (as is the requirement that the data be XML tagged).

G. FISC Memorandum Opinion Granting in Part and Denying in Part Application to Reinitiate, in Expanded Form, Pen Register/Trap and Trace Authorization: This is the order, from sometime between July and October 2010, where John Bates turned back on and expanded the Internet dragnet. Here’s the earlier released version (though I think it is identical).

H. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This was a report Walton required in document C, above, and so would be in the May-June 2009 timeframe. Update: Likely date June 18, 2009.

I. Government’s Response to the FISC’s Supplemental Order: This is the government’s response to an order from Walton, probably in his May 29, 2009 opinion (see this order for background), or even earlier in May.Update: This response dates to June 18, 2009 or slightly before.

J. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This appears to be the declaration submitted in support of Response I and cited in several places. Update: likely date June 18, 2009.

K. Supplemental Declaration of Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This appears to be the declaration that led to document C above.

L. Government’s Response to the FISC’s Supplemental Order Requesting a Corrective Declaration: This is a declaration admitting dissemination outside the rules responding to 5/29 order.

M. Government’s Response to a FISC Order: This is the government’s notice that it was using automatic queries on Internet metadata, just as it also was with the phone dragnet. This notice was provided to Congress in March 2009.

N. Declaration of Lieutenant General Keith B. Alexander, U.S. Army, Director, NSA, Concerning NSA’s Compliance with a FISC Order: After Walton demanded declarations in response to the initial phone dragnet violation, he ordered NSA to tell him whether the Internet dragnet also had the same problems. This is Keith Alexander’s declaration describing the auto scan for that program too. It was provided to Congress in March 2009.

O. Preliminary Notice of Potential Compliance Incident: This is the first notice of the categorical violations that ultimately led to the temporary shutdown of the dragnet, in advance of order E.

P. Notice of Filing: This is notice of a filing in response to inquiry from Judge Walton. It could be from any time during David Kris’ 2009 to early 2011 tenure.

Q: Government’s Application for Use of Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes: This appears to be the application following Order E, above. I don’t think it’s the 2010 application that led to the reauthorization of the dragnet, because it refers to facilities whereas the 2010 order authorized even broader collection. (Remember Bates’ 2010 order said the government applied, but then withdrew, an application.) Update and correction: this application must post-date December 2009, because that’s when NSA changed retention dates from 4.5 years to 5. Also note reference to change in program and request to access illegally collected data from before 10/09.

R. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes: This appears to be the memorandum of law accompanying application Q.

S. Declaration of General Keith B. Alexander, U.S. Army, Director, NSA, in Support of Pen Register/Trap and Trace Application: This is Alexander’s declaration accompanying Q.

T. Exhibit D in Support of Pen Register/Trap and Trace Application: This is a cover letter. I’m not sure whether it references prior communications or new ones.

U. First Letter in Response to FISC Questions Concerning NSA bulk Metadata Collection Using Pen Register/Trap and Trace Devices: This is the first of several letters in support of reinitiation of the program. The tone has changed dramatically here. For that reason, and because so much of it is redacted, I think this was part of the lead-up to the 2010 reauthorization.

V. Second Letter in Response to FISC Questions concerning NSA bulk Metadata Collection Using Pen Register/Trap and Trace Devices: This second letter is entirely redacted except for the sucking up to Bates stuff.

W. Third Letter in Response to FISC Questions Concerning NSA Bulk Metadata Collection Using Pen Register/Trap and Trace Devices: More sucking up. Some language about trying to keep access to the existing illegally collected data. 

X. Application for Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes: This is the first application for the Internet dragnet, from 2004. Very interesting. Note it wasn’t turned over until July 2009, after Congress was already learning of the new problems with it.

Y. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes: The memorandum of law accompanying X. Also turned over to Congress in 2009.

Z. Declaration of General Michael V. Hayden, U.S Air Force, Director, NSA, in Support of Pen Register/Trap and Trace Application: This goes with the initial application. NSA has left stuff unredacted that suggests they were access less bandwith than they, in the end, were. Also remember NSA violated this from the very beginning.

AA. Application for Use of Pen Register/Trap and Trace Devices for Foreign Intelligence PurposesThis appears to be the application for the second PRTT order. I’ll return to this tomorrow, but I don’t think it reflects the violation notice it should.

BB. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate: This is NSA’s declaration in conjunction with the first reapplication for the dragnet. This should have declared violations. It was turned over to Congress in March 2009. [update: these appear to be early 2009 application]

CC. Declaration Lieutenant General Keith B. Alexander, U.S. Army, Director, NSA, Concerning NSA’s Implementation of Authority to Collect Certain Metadata: This is Alexander’s declaration accompanying the End-to-End report, from sometime in fall 2009.

DD: NSA’s Pen Register Trap and Trace FISA Review Report: The end-to-end report itself. it was provided to Congress in January 2010.

EE: DOJ Report to the FISC NSA’s Program to Collect Metadata: DOJ’s accompaniment to the end-to-end report.

FF: Government’s First Letter to Judge Bates to Confirm Understanding of Issues Relating to the FISC’s Authorization to Collect Metadata: After Bates raauthorized the Internet dragnet, DOJ realized they might not be on the same page as him. Not sure if this was in the 2009 attempt or the 2010 reauthorization.

GG: Government’s Second Letter to Judge Bates to Confirm Understanding of Issues Relating to the FISC’s Authorization to Collect Metadata: A follow-up to FF.

HH: Tab 1 Declaration of NSA Chief, Special Oversight and Processing, Oversight and Compliance, Signals Intelligence: This appears to be the 90-day report referenced in document C. Update: Actually it is referenced in Document A: note the paragraphs describing the chaining that were discontinued before the dragnet approval.

II: Verified Memorandum of Law in Response to FISC Supplemental Order: This is one of the most fascinating documents of all. It’s a 2009-2011 (I think August 17, 2009, though the date stamp is unclear) document pertaining to 3 PRTT targets, relying on criminal PRTT law and a 2006 memo that might be NSA’s RAS memo (though the order itself is FBI, which makes me wonder whether it seeds the FBI program). It may have been what they used to claim that Internet content counted as metadata.

JJ: Memorandum of Law in Response to FISC Order: A September 25, 2006 response to questions from the FISC, apparently regarding whether rules from criminal pen registers apply to PATRIOT PRTT. While I think this addresses the application to Internet, I also think this language may be being used for location.

So-called Congressional oversight

KK: Government’s Motion to Unseal FISC Documents in Order to Brief Congressional Intelligence and Judiciary Committees: This is a request to unseal an order — I suspect document E — so it could be briefed to Congress.

LL:  Order Granting the Government’s Motion to Unseal FISC Documents in Order to Brief Congressional Intelligence and Judiciary Committees: Walton’s order to unseal KK for briefing purposes. 

MM: April 27, 2005 Testimony of the Attorney General and Director, FBI Before the Senate Select Committee on Intelligence: This is the 2005 testimony in which — I pointed out before — Alberto Gonzales did not brief Congress about the Internet dragnet.

So-called Internal oversight

NN: NSA IG Memo Announcing its Audit of NSA’s Controls to Comply with the FISA Court’s Order Regarding Pen Register/Trap and Trace Devices: This lays out an audit with PRTT compliance, noting that the audit also pertains to BR FISA (phone dragnet). It admits the audit was shut down when the order was not renewed. It’s unclear whether this was the 2009 or the 2011 shutdown, but the implication is it got shut down because it would not pass audit. 

OO: NSA IG Memo Suspending its Audit of NSA after the NSA’s PRTT Metadata Program Expired: the formal announcement they were shutting down the IG report. Again, it’s not clear whether this was the 2009 or the 2011 shutdown.

If you find this work valuable, please consider donating to support the work.  

NSA’s Disingenuous Claims about EO 12333 and the First Amendment

/5 Comments/in , /by

SIGINT and 215Thanks to John Napier Tye’s Sunday op-ed, some surveillance watchers are just now discovering EO 12333, which I’ve written some 50 posts about over the last year.

Back in January, I focused on one of the most alarming disclosures of the 2009 phone dragnet problems, that 3,000 presumed US person identifiers were on an alert list checked against each day’s incoming phone dragnet data. That problem — indeed, many of the problems reported at the beginning of 2009 — arose because the NSA dumped their Section 215 phone dragnet data in with all the rest of their metadata, starting at least as early as January 4, 2008. It took at least the better part of 2009 for the government to start tagging data, so the NSA could keep data collected under different authorities straight, though once they did that, NSA trained analysts to use those tags to bypass the more stringent oversight of Section 215.

One thing that episode revealed is that US person data gets collected under EO 12333 (that’s how those 3,000 identifiers got on the alert list), and there’s redundancy between Section 215 and EO 12333. That makes sense, as the metadata tied to the US side of foreign calls would be collected on collection overseas, but it’s a detail that has eluded some of the journalists making claims about the scope of phone dragnet.

Since I wrote that early January post, I’ve been meaning to return to a remarkable exchange from the early 2009 documents between FISC Judge Reggie Walton and the government. In his order for more briefing, Walton raised questions about tasking under NSA’s SIGNIT (that is, EO 12333) authority.

The preliminary notice from DOJ states that the alert list includes telephone identifiers that have been tasked for collection in accordance with NSA’s SIGINT authority. What standard is applied for tasking telephone identifiers under NSA’s SIGINT authority? Does NSA, pursuant to its SIGINT authority, task telephone identifiers associated with United States persons? If so, does NSA limit such identifiers to those that were not selected solely upon the basis of First Amendment protected activities?

The question reveals how little Walton — who had already made the key judgments on the Protect America Act program 2 years earlier — knew about EO 12333 authority.

I’ve put NSA’s complete response below the rule (remember “Business Records” in this context is the Section 215 phone dragnet authority). But basically, the NSA responded,

  • Even though the alert list included IDs that had not been assessed or did not meet Reasonable Articulable Suspicion of a tie to one of the approved terrorist groups, they at least had to have foreign intelligence value. And occasionally NSA’s counterterrorism people purge the list of non-CT IDs.
  • Usually, NSA can only task (a form of targeting!) a US person under a FISA authority.
  • Under EO 12333 and other related authorities, NSA can collect SIGINT information for foreign and counterintelligence purposes; its collection, retention, and dissemination of US person is governed by Department of Defense Regulation 5240.1-R and a classified annex. (see page 45 for the unclassified part of this)
  • Since 2008, if the NSA wants to target a US person overseas they need to get and comply with a FISA order.
  • NSA provides First Amendment protection in two ways — first, by training analysts to spy “with full consideration of the rights of United States persons.”
  • NSA provides First Amendment protection under EO 12333 by prohibiting NSA “from collecting or disseminating information concerning US persons’ ‘domestic activities’ which are defined as ‘activities that take place in the domestic United States that do not involve a significant connection to a foreign power, organization, or person.'”

The First Amendment claims in the last two bullets are pretty weak tea, as they don’t actually address First Amendment issues and contact chaining is, after all, chaining on associations.

That’s all the more true given what we know had already been approved by DOJ. In the last months of 2007, they approved the contact chaining through US person identifiers of already-collected data (including FISA data). They did so by modifying DOD 5240.1 and its classified annex so as to treat what they defined (very broadly) as metadata as something other than interception.

The current DOD procedures and their Classified Annex may be read to restrict NSA’s ability to conduct the desired communications metadata analysis, at least with respect to metadata associated with United States persons. In particular, this analysis may fall within the procedures’ definition of, and thus restrictions on, the “interception” and “selection” of communications. Accordingly, the Supplemental Procedures that would govern NSA’s analysis of communications metadata expressly state that the DOD Procedures and the Classified Annex do not apply to the analysis of communications metadata. Specifically, the Supplemental Procedures would clarify that “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communications, nor do they qualify as ‘us[ing] a selection term,’ including using a selection term ‘intended to intercept a communication on the basis of. .. [some] aspect of the content of the communication.” Once approved, the Supplemental Procedures will clarify that the communications metadata analysis the NSA wishes to conduct is not restricted by the DOD procedures and their Classified Annex.

Michael Mukasey approved that plan just as NSA was dumping all the Section 215 data in with EO 12333 data at the beginning of 2008 (though they did not really roll it out across the NSA until later in 2009).

Nowhere in the government’s self-approval of this alternate contact chaining do they mention First Amendment considerations (or even the domestic activities language included in their filing to Walton). And in the rollout, they explicitly permitted starting chains with identifiers of any nationality (therefore presumably including US person) and approved the use of such contact chaining for purposes other than counterterrorism. More importantly, they expanded the analytical function beyond simple contact chaining, including location chaining.

All with no apparent discussion of the concerns a FISC judge expressed when data from EO 12333 had spoiled Section 215 data.

We will, I expect, finally start discussing how NSA has been using EO 12333 authorities — and how they’ve represented their overlap with FISA authorized collection. This discussion is an important place to start. Read more

Why Is DOJ Hiding Three Phone Dragnet Orders in Plain Sight?

/1 Comment/in , /by

The ACLU and EFF FOIAs for Section 215 documents are drawing to a head. Later this week, EFF will have a court hearing in their suit. And last Friday, the government renewed its bid for summary judgment in the ACLU case.

Both suits pivot on whether the government’s past withholdings on Section 215 were in good faith. Both NGOs are arguing they weren’t, and therefore the government’s current claims — that none of the remaining information may be released — cannot be treated in good faith. (Indeed, the government likely released the previously sealed NSA declaration to substantiate its claim that it had to treat all documents tying NSA to the phone dragnet with a Glomar because of the way NSA and DOJ respectively redact classification mark … or something like that.)

But the government insists it is operating in good faith.

Instead, the ACLU speculates, despite the government’s declarations to the contrary, that there must be some non-exempt information contained in these documents that could be segregated and released. In an attempt to avoid well-established law requiring courts to defer to the government’s declarations, especially in the area of national security, the ACLU accuses the government of bad faith and baldly asserts that the government’s past assertions regarding segregability—made before the government’s discretionary declassification of substantial amounts of information regarding its activities pursuant to Section 215— “strip the government’s present justifications of the deference due to them in ordinary FOIA cases.” ACLU Br. at 25. The ACLU’s allegations are utterly unfounded. For the reasons set forth below, the government’s justifications for withholding the remaining documents are “logical and plausible,”

EFF and ACLU have focused closely on a August 20, 2008 FISC order describing a method to conduct queries; I have argued it probably describes how NSA makes correlations to track correlations.

The government is refusing to identify 3 orders it has already identified

But — unless I am badly mistaken, or unless the government mistakenly believes it has turned over some of these orders, which is possible! — I think there are three other documents being withheld (ones the government hasn’t even formally disclosed to EFF, even while pretending they’ve disclosed everything to EFF) that raise questions about the government’s good faith even more readily: the three remaining phone dragnet Primary Orders from 2009. All three have been publicly identified, yet the government is pretending they haven’t been. They are:

BR 09-09, issued on July 8, 2009. Not only was this Primary Order identified in paragraph 3 of the next Primary Order, but it was discussed extensively in the government’s filing accompanying the end-to-end report. In addition, the non-approval of one providers’ metadata  (I increasingly suspect Sprint is the provider) for that period is reflected in paragraph 1(a) of that next Primary Order.

BR 09-15, issued on October 30, 2009. The docket number and date are both identified on the first page of this supplemental order.

BR 09-19, issued on December 16, 2009. It is mentioned in paragraph 3 of the next Primary Order. The docket number and the date are also referred to in the documents pertaining to Sprint’s challenge recently released. (See paragraph 1 and paragraph 5 for the date.)

Thus, the existence of all three Primary Orders has been declassified, even while the government maintains it can’t identify them in the context of the FOIAs where they’ve already been declassified.

The government has segregated a great deal of the content of BR 09-09

The government’s withholding of BR 09-09 is particularly ridiculous, given how extensively the end-to-end motion details it. From that document, we learn:

  • Pages 5-7 approve a new group for querying. (see footnote 2)
  • Pages 9-10 require those accessing the dragnet be briefed on minimization procedures tied to the dragnet (see PDF 22); this is likely the language that appears in paragraph G of the subsequent order. This specifically includes technical personnel. (see PDF 49)
  • Pages 10-11 require weekly reporting on disseminations. (see PDF 23) This is likely the information that appears in paragraph H in the subsequent order.
  • Page 12 affirmatively authorizes the data integrity search to find “certain non user specific numbers and [redacted] identifiers for purposes of metadata reduction and management” (see footnote 19 and PDF 55)
  • Page 8 and 13-14 lay out new oversight roles, especially for DOJ’s National Security Division (see PDF 22); these are likely the requirements laid out in paragraphs M through R in subsequent orders. Those same pages also require DOJ to share the details of NSD’s meeting with NSA in new FISC applications. (see PDF 23)
  • BR 09-09 included the same reporting requirements as laid out in BR 09-01 and BR 09-06 (see PDF 5)
  • Pages 16 -17 also included these new reporting requirements: (see PDFs 6 and 29 – 30)
    • a full explanation of why the government has permitted dissemination outside NSA of U.S. person information in violation of the Court’s Orders in this matter;
    • a full explanation of the extent to which NSA has acquired call detail records of foreign-to-foreign communications from [redacted] pursuant to orders of the FISC, and whether the NSA’s storage, handling, and dissemination of information in those records, or derived therefrom, complied with the Court’s orders; and
    • either (i) a certification that any overproduced information, as described in footnote 11 of the government’s application [i.e. credit card information), has been destroyed, and that any such information acquired pursuant to this Order is being destroyed upon recognition; or (ii) a full explanation as to why it is not possible or otherwise feasible to destroy such information.
  • BR 09-09 specifically mentioned that NSA had generally been disseminating BR FISA data according to USSID 18 and not the more restrictive dissemination provisions of the Court’s Orders. (see footnote 12)
  • BF 09-09 approved Chief, Information Sharing Services, the Senior Operations Officer, the Signals Intelligence
    Directorate (So) Director, the Deputy Director of NSA, and the Director of NSA to authorize US person disseminations. (see footnote 22 and PDF 28)

Significant parts of at least 13 pages of the Primary Order (the next Primary Order is 19 pages long) have already been deemed segregable and released. Yet the government now appears to be arguing, while claiming it is operating in good faith, that none of these items would be segregable if released with the order itself!

Wildarse speculation about why the government is withholding these orders

Which raises the question of why. Why did the government withhold these 3 orders, alone among all the known regular Primary Orders from the period of EFF and ACLU’s FOIAs? (See this page for a summary of the known orders and the changes implemented in each.)

The reason may not be the same for all three orders. BR 09-09 deals with two sensitive issues — the purging of credit card information and tech personnel access — that seem to have been resolved with that order (at least until the credit card problems returned in March 2011).

But there are two things that all three orders might have in common.

First, BR 09-09 deals closely with dissemination problems — the ability of CIA and FBI to access NSA results directly, and the unfettered sharing of information within NSA. BR 09-15 lays out new dissemination rules, with the supplement in November showing NSA to still be in violation. So it’s likely all 3 orders deal with dissemination violations (and therefore with poison fruit of inappropriate dissemination that may still be in the legal system), and that the government is hiding one of the more significant aspects of the dragnet violations by withholding those orders.

I also think it’s possible the later two (potentially all three, but more likely the later two) orders combine the phone and Internet dragnets. That’s largely because of timing: A June 22, 2009 order — the first one to deal with the dissemination problems formally addressed in BR 09-09 — dealt with both dragnets. There is evidence the Internet dragnet data got shut down (or severely restricted) on October 30, 2009, the date of BR 09-15. And according to the 2010 John Bates Internet dragnet opinion, NSA applied to restart the dragnet in late 2009 (so around the time of BR 09-19). So I think it possible the later orders, especially, deal with both programs,  thereby revealing details about the legal problems with PRTT the government would like to keep suppressed. (Note, if BR 09-15 and BR 09-19 are being withheld because they shut down Internet production, it would mean all three orders shut down some production, as BR 09-09 shut down one provider’s telephone production.)

Another possibility has to do with the co-mingling of EO 12333 and Section 215 data. These three orders all deal with the fact that providers (at least Verizon, but potentially the other two as well) had included foreign-to-foreign phone records along with the production of their domestic ones.That’s the reason production from one provider got shut down in BR 09-09. And immediately after the other withheld records, the Primary Orders always included a footnote on what to do with EO 12333 data turned over pursuant to BR FISA orders (see footnote 7 and footnote 10 for examples). Also, starting in March 2009, the Orders all contain language specifically addressing Verizon. So we know the FISC was struggling to come up with a solution for the fact that NSA had co-mingled data obtainable under EO 12333 and data the telecoms received PATRIOT Act orders from. (I suspect this is why Sprint insisted on legal cover, ultimately demanding the legal authorization of the program with the December order.) So it may be that all these orders reveal too much about the EO 12333 dragnet — and potential additional violations — to be released.

Whatever the reason, there is already so much data in the public domain, especially on BR 09-09, it’s hard to believe withholding it is entirely good faith.

Snowden’s Emailed Question Addresses One Abuse Revealed by His Leaks

/34 Comments/in , /by

In an effort to rebut Edward Snowden’s claims that he raised concerns via proper channels, NSA just released an email Snowden sent to NSA’s Office of General Counsel. The email reveals their own training is not clear about something central to Snowden’s leaks: whether laws passed by Congress take precedence over EO 12333.

In the email, Snowden describes a training program on USSID 18, NSA’s internal guidelines on protecting US person data. Snowden’s email reads, in part,

Hello, I have a question regarding the mandatory USSID 18 training.

The training states the following:

________

(U) The Hierarchy of Governing Authorities and Documents is displayed from the highest authority to the lowest authority as follows:

U.S. Constitution

Federal Statutes/Presidential Executive Orders (EO)

[snip]

________

I’m not entirely certain, but this does not seem correct, as it seems to imply Executive Orders have the same precedence as law. My understanding is that EOs may be superseded by federal statute, but EOs may not override statute.

An NSA lawyer wrote back (in part),

Executive Orders (E.O.s) have the “force and effect of law.” That said, you are correct that E.O.s cannot override a statute.

The NSA has not revealed whether Snowden called the lawyer with further questions, as he invited Snowden to do. Nor have they said this email to Office of General Counsel is the only email Snowden sent (only that it’s the only one he sent to OGC).

Nevertheless, the email is really suggestive, particularly as it took place when Snowden had already started downloading a slew of information.

That’s because Snowden’s documents (and documents released in response to his leaks) reveal NSA has repeatedly used EO 12333 to push the limits of laws passed by Congress, if not to evade the law altogether.

Here are just two of numerous examples:

NSA Avoids Stricter Minimization Procedures Under the Phone Dragnet: The NSA has fairly strict minimization procedures under the Section 215-authorized phone dragnet, but only NSA’s internal rules (USSID 18) for the EO 12333-authorized phone dragnet. Nevertheless, for the first 3 years of the FISA-authorized program, NSA didn’t follow their Section 215 rules, instead applying the less stringent rules of USSID 18 (effectively letting a DOD Directive supersede the PATRIOT Act). In one of their most egregious violations discovered in 2009, they watch listed 3,000 US persons without giving those people the required First Amendment review, as required by minimization procedures written to fulfill the law. But instead of purging those records upon discovery (or even stopping the watchlisting), they just moved them into the EO 12333-only category. They just kept spying on the US persons using only data collected under EO 12333.

And these 2009 violations are not isolated. At least as recently as 2011, the NSA was still engaging in this authority arbitrage; a training program from that year makes it clear NSA trained analysts to re-run queries under EO 12333, if possible, to get around the dissemination requirements of Section 215. (Update: I’m not saying this particular arbitrage is illegal; it’s not. But it does show how NSA games these authorities.)

NSA Collects US Person Content by Getting It Overseas: Because of the structure of the Internet, a great deal of US person data exists overseas. We’ve seen discussion of this US person data overseas including at least email content, address books, videocam images, and location. But because NSA collects this via dragnet, not targeted collection, it claims it is not targeting any American, even though it permits the searching of EO 12333 data for US person content, apparently without even Reasonable Articulable Suspicion. And because it is not targeting Americans under their dragnet and back door loopholes, it does not apply FISA Amendment Act restrictions on collecting US person data overseas under Sections 703, 704, and 705. Effectively, it has the ability to avoid those restrictions entirely by using EO 12333 as a dodge.

I’m not the only one concerned about this: at a hearing in February, both Dianne Feinstein and (at more length) Mark Udall raised concerns with National Security Division Assistant Attorney General John Carlin, suggesting some of this EO 12333 data should be treated according to FISA. Carlin — who is supposed to be a key player in overseeing NSA — showed no interest in doing so.

In both these questions, NSA did not allow laws to take precedence over EO 12333. On the contrary, NSA just created ways that it could apply EO 12333 and ignore the law that should have or might have applied.

Not only does Snowden’s question make it clear that the NSA doesn’t make the precedence of law over EO 12333 clear in training, but the lawyer’s response was rather ambiguous on this point as well.

One thing we’ve learned from Snowden’s leaks is that the Executive is (at a minimum) evading the intent of Congress on some of its treatment of US person data. And by releasing this email as part of a pissing contest with Snowden, NSA has made it clear that’s by design, even in their most core training program.

NSA is not telling its analysts that laws passed by Congress — even those offering protection to US person data — must take precedence over the looser protections under EO 12333. Which may be why they’re comfortable collecting so much US person data under EO 12333.

Update: According to Snowden, I’m absolutely right.

Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. It also did not include concerns about how indefensible collection activities – such as breaking into the back-haul communications of major US internet companies – are sometimes concealed under E.O. 12333 to avoid Congressional reporting requirements and regulations.

David Barron’s ECPA Memo

/4 Comments/in , /by

Last week, I laid out the amazing coinkydink that DOJ provided Sprint a bunch of FISA opinions — including the December 12, 2008 Reggie Walton opinion finding that the phone dragnet did not violate ECPA — on the same day, January 8, 2010, that OLC issued a memo finding that providers could voluntarily turn over phone records in some circumstances without violating ECPA.

Looking more closely at what we know about the opinion, I’m increasingly convinced it was not a coinkydink at all. I suspect that the memo not only addresses FBI’s exigent letter program, but also the non-Section 215 phone dragnet.

As a reminder, we first learned of this memo when, in January 2010, DOJ’s Inspector General issued a report on FBI’s practice of getting phone records from telecom provider employees cohabiting at FBI with little or no legal service. The report was fairly unique in that it was released in 3 versions: the public unclassified but heavily redacted version, a Secret version, and a Top Secret/SCI version. Given how closely parallel the onsite telecom provider program was with the phone dragnet, that always hinted the report may have touched on other issues.

Roughly a year after the IG Report came out, EFF FOIAed the memo (see page 30). Over the course of the FOIA litigation — the DC Circuit rejected their appeal for the memo in January — DOJ provided further detail about the memo.

Here’s how OLC Special Counsel Paul Colborn described the memo (starting at 25):

The document at issue in this case is a January 8, 2010 Memorandum for Valerie Caproni, General Counsel of the Federal Bureau of Investigation (the “FBI”), from David J. Barron, Acting Assistant Attorney General for the Office of Legal Counsel (the “Opinion”). The OLC Opinion was prepared in response to a November 27, 2009 opinion request from the FBI’s General Counsel and a supplemental request from Ms. Caproni dated December 11, 2009. These two requests were made in order to obtain OLC advice that would assist FBI’s evaluation of how it should respond to a draft Report by the Office of Inspector General at the Department of Justice (the “OIG”) in the course of a review by the OIG of the FBI’s use of certain investigatory procedures.In the context of preparing the Opinion, OLC, as is common, also sought and obtained the views of other interested agencies and components of the Department. OIG was aware that the FBI was seeking legal advice on the question from OLC, but it did not submit its views on the question.

The factual information contained in the FBI’s requests to OLC for legal advice concerned certain sensitive techniques used in the context of national security and law enforcement investigations — in particular, significant information about intelligence activities, sources, and methodology.

Later in his declaration, Colborn makes it clear the memo addressed not just FBI, but also other agencies.

The Opinion was requested by the FBI and reflects confidential communications to OLC from the FBI and other agencies. In providing the Opinion, OLC was serving an advisory role as legal counsel to the Executive Branch. In the context of the FBI’s evaluation of its procedures, the general counsel at the FBI sought OLC advice regarding the proper interpretation of the law with respect to information-gathering procedures employed by the FBI and other Executive Branch agencies. Having been requested to provide counsel on the law, OLC stood in a special relationship of trust with the FBI and other affected agencies.

And FBI Record/Information Dissemination Section Chief David Hardy’s declaration revealed that an Other Government Agency relied on the memo too. (starting at 46)

This information was not examined in isolation. Instead, each piece of information contained in the FBI’s letters of November 27, 2009 and December 11, 2009, and OLC’s memorandum of January 8, 2010, was evaluated with careful consideration given to the impact that disclosure of this information will have on other sensitive information contained elsewhere in the United States intelligence community’s files, including the secrecy of that other information.

[snip]

As part of its classification review of the OLC Memorandum, the FBI identified potential equities and interests of other government agencies (“OGAs”) with regard to the OLC memo. … FBI referred the OLC Memo for consultation with those OGAs. One OGA, which has requested non-attribution, affirmatively responded to our consultation and concurs in all of the classification markings.

Perhaps most remarkably, the government’s response to EFF’s appeal even seems to suggest that what we’ve always referred to as the Exigent Letters IG Report is not the Exigent Letters IG Report!

Comparing EFF’s claims (see pages 11-12) with the government’s response to those claims (see pages 17-18), the government appears to deny the following:

  • The Exigent Letters IG Report was the 3rd report in response to reporting requirements of the USA PATRIOT reauthorization
  • FBI responded to a draft of the IG Report by asserting a new legal theory defending the way it had obtained certain phone records in national security investigations, which resulted in the January 8, 2010 memo
  • The report didn’t describe the exception to the statute involved and IG Glenn Fine didn’t recommend referring the memo to Congress
  • In response to a Marisa Taylor FOIA, FBI indicated that USC 2511(2)(f) was the exception relied on by the FBI to say it didn’t need legal process to obtain voluntary disclosure of phone records

Along with these denials, the government reminded that the report “contained significant redactions to protect classified information and other sensitive information.” And with each denial (or non-response to EFF’s characterizations) it “respectfully refer[red] the Court to the January 2010 OIG report itself.”

The Exigent Letters IG Report is not what it seems, apparently.

With all that in mind, consider two more details. First, as David Kris (who was the Assistant Attorney General during this period) made clear in his paper on the phone (and Internet) dragnet, in addition to Section 215, the government obtained phone records from the telecoms under USC 2511(2)(f), the clause in question.

And look at how the chronology maps.

November 5, 2008: OLC releases opinion ruling sneak peak and hot number requests (among other things) impermissible under NSLs

December 12, 2008: Reggie Walton rules that the phone dragnet does not violate ECPA

Throughout 2009: DOJ confesses to multiple violations of Section 215 program, including:

  • An alert function that serves the same purpose as sneak peaks and also violates Section 215 minimization requirements
  • NSA treated Section 215 derived data with same procedures as EO 12333 data; that EO 12333 data included significant US person data
  • One provider’s (which I originally thought was Sprint, then believed was Verizon, but could still be Sprint) production got shut down because it included foreign-to-foreign data (the kind that, according to the OLC, could be obtained under USC 2511(2)(f)

Summer and Fall, 2009: Sprint meets with government to learn how Section 215 can be used to require delivery of “all” customer records

July 9, 2009: Sprint raises legal issues regarding the order it was under; Walton halts production from provider which had included foreign-to-foreign production

October 30, 2009: Still unreleased primary order BR 09-15

November 27, 2009: Valerie Caproni makes first request for opinion

December 11, 2009: Caproni supplements her request for a memo

December 16, 2009: Application and approval of BR 09-19

December 30, 2009: Sprint served with secondary order

January 7, 2010: Motion to unseal records

January 8, 2010: FISC declassifies earlier opinions; DOJ and Sprint jointly move to extend time when Sprint can challenge order; and OLC releases OLC opinion; FISC grants motion (John Bates approves all these motions)

January 11, 2010: DOJ moves (in a motion dated January 8) to amend secondary order to incorporate language on legality; this request is granted the following day (though we don’t get that order)

January 20, 2010: IG Report released, making existence of OLC memo public

This memo is looking less and less like a coinkydink after all, and more and more a legal justification for the provision of foreign-to-foreign records to accompany the Section 215 provision. And while FBI said it wasn’t going to rely on the memo, it’s not clear whether NSA said the same.

Golly. It’d sure be nice if we got to see that memo before David Barron got to be a lifetime appointed judge.

January 8, 2010: A Remarkably Busy Day in Telecom Law

/8 Comments/in /by

I Con the Record has just released a bunch of new documents, showing how (according to Ellen Nakashima) Sprint challenged a dragnet order, and in response got to see the FISA Court opinions authorizing the program. (Well, not really the telecom opinion; rather they mostly authorize the PRTT program.)

The official story goes like this:

In early 2009, Sprint received an order saying that all customer call records had to be turned over to the government, current and former officials said. Over the summer and fall, the company’s executives met several times with Justice Department officials to understand how Section 215, which compelled companies to turn over records relevant to investigations, could be used to mandate the transfer of all call records.

Dissatisfied with their answers, Sussmann, the Sprint attorney, wrote a detailed petition to challenge the order. In late 2009, shortly before the petition was to be filed, Robert S. Litt, the top intelligence official for the U.S. intelligence community, pressed officials to provide the legal rationale to the company, according to a former administration official.

Intelligence officials then furnished several court rulings, in particular, a 2004 opinion written by Colleen Kollar-Kotelly, then chief judge of the surveillance court, according to the documents released Wednesday. While the opinion related to the collection of e-mail addressing information, the legal rationale was identical.

But there are a few more details I find exceedingly interesting.

First, here’s what the government declassified in response to Sprint’s challenge:

  • Colleen Kollar-Kotelly’s July 24 [14], 2004 opinion (the government is only now admitting the date)
  • Response to Orders for Additional Briefing (it’s unclear whether this is PRTT or phone dragnet, but given the order, I’m guessing PRTT)
  • Opinion (again, it’s unclear whether this is PRTT or phone dragnet)
  • The original application for the dragnet, including all exhibits, and the original dragnet order (note, we’ve not seen all the exhibits)
  • The application, including all exhibits, the Primary Order, and Reggie Walton’s supplemental order finding the phone dragnet did not violate ECPA

That is, not only the opinions authorizing the “relevant to” bullshit used to justify the program, but also the opinion stating that the dragnet did not violate ECPA.

And here’s the other thing I find so interesting. The motion to unseal the records is dated January 7, 2010. The motion for more time, the order granting it, and the order approving the unsealing of the records were all dated January 8, 2010.

January 8, 2010, January 8, 2010, January 8, 2010.

On January 8, 2010, DOJ’s OLC issued an order finding that ECPA permitted telecoms to hand over toll records to the government voluntarily for certain kinds of investigations. OLC wrote that opinion because DOJ Inspector General Glenn Fine had been investigating National Security Letters (and, oh by the way, Section 215) for years, and found big problems, at least, with the paperwork FBI handed 3 telecoms who were living onsite at FBI. We found out about the order almost immediately, when Fine issued his report later that month.

I’ve long suspected that Reggie Walton only considered the ECPA question both because of Fine’s ongoing NSL investigation but, probably, also because of whatever conclusions Fine drew in his examination of the illegal wiretap program (I suspect FISC only considered financial records for the same reason, Fine’s 215 investigation in 2010) and potentially his ongoing investigations of Section 215.

And now we know that just as Fine was raising real questions about the legality of the incestuous record-sharing the government and the telecoms had been engaged in for years (one that’s about to start again with the new “reformed” dragnet), Sprint not only demanded the underlying records authorizing the dragnet, but even the supplemental opinion finding the dragnet didn’t violate ECPA.

Here’s what I wrote 4 years ago about that OLC opinion.

  • As I will explain at length later, this OLC opinion may not relate exclusively to the use of exigent letters, not least because Inspector General Glenn Fine appears worried the FBI will use it prospectively, not just to retroactively rationalize abuses from the past.
  • Fine appears to disagree whether the FBI has represented what it was doing with exigent letters honestly in its request for an opinion to the OLC. This is at least the second time they have done so, Fine alleges, in their attempts to justify these practices. In this case, the dispute may pertain to whose phone records they were, what was included among them, and whether they pertained to an ongoing investigation.
  • My guess is that the OLC opinion addresses whether section 2701 of the Stored Communications Act allows electronic communication providers to voluntarily provide data to someone above and beyond the narrow statutory permission to do so in 2702 and 2709 of the Act.
  • Whatever the loophole FBI is exploiting, it appears to be a use that would have no protections for First Amendment activity, no requirement that the data relate to open investigations, and no minimization or reporting requirements. That is, through its acquisition of this OLC opinion, the FBI appears to have opened up a giant, completely unlimited loophole to access phone data that it could use prospectively (though the FBI claims it doesn’t intend to). Much of Fine’s language here is an attempt to close this loophole.

In January, EFF lost its bid to obtain that memo in the DC Circuit.

Now, what are the chances that Sprint also didn’t get a looksee at the OLC memo authorizing not just what the FISC had approved, but also the violative Section 215 collection that had been in place until early 2009?

What are the chances that that OLC opinion, dated January 8, 2010 and pertaining to ECPA, is unrelated to the decision to declassify the FISC opinion assessing whether the phone dragnet violated ECPA?