Richard Burr

Mitch McConnell and Richard Burr’s Authoritarian Power Grab Fails

Last night, Mitch McConnell dealt himself a humiliating defeat. As I correctly predicted a month before events played out, McConnell tried to create a panic that would permit him and Richard Burr to demand changes — including iMessage retention, among other things — to USA F-ReDux. That is, in fact, what Mitch attempted to do, as is evident from the authoritarian power grab Burr released around 8:30 last night (that is, technically after the Administration had already missed the FISA Court deadline to renew the dragnet).

Contrary to a lot of absolutely horrible reporting on Burr’s bill, it does not actually resemble USA F-ReDux.

As I laid out here, it would start by gutting ECPA, such that the FBI could resume using NSLs to do the bulky Internet collection that moved to Section 215 production in 2009.

It also vastly expanded the application of the call record function (which it very explicitly applied to electronic communications providers, meaning it would include all Internet production, though that is probably what USA F-ReDux does implicitly), such that it could be used against Americans for any counterterrorism or counterintelligence (which includes leaks and cybersecurity) function, and for foreigners (which would chain onto Americans) for any foreign intelligence purpose. The chaining function includes the same vague language from USA F-ReDux which, in the absence of the limiting language in the House Judiciary Committee bill report, probably lets the government chain on session identifying information (like location and cookies, but possibly even things like address books) to do pattern analysis on providers’ data. Plus, the bill might even permit the government to do this chaining in provider data, because it doesn’t define a key “permit access” term.

Burr’s bill applies EO 12333 minimization procedures (and notice), not the stronger Section 215 ones Congress mandated in 2006; while USA F-ReDux data will already be shared far more widely than it is now, this would ensure that no defendant ever gets to challenge this collection. It imposes a 3-year data retention mandate (which would be a significant new burden on both Verizon and Apple). It appears to flip the amicus provision on its head, such that if Verizon or Apple challenged retention or any other part of the program, the FISC could provide a lawyer for the tech companies and tell that lawyer to fight for retention. And in the piece de la resistance, the bill creates its very own Espionage Act imposing 10 year prison terms for anyone who reveals precisely what’s happening in this expanded querying function at providers.

It is, in short, the forced-deputization of the nation’s communications providers to conduct EO 12333 spying on Americans within America.

Had Mitch had his way, after both USA F-ReDux and his 2-month straight reauthorization failed to get cloture, he would have asked for a week extension, during which the House would have been forced to come back to work and accept — under threat of “going dark” — some of the things demanded in Burr’s bill.

It didn’t work out.

Sure, both USA F-ReDux (57-42) and the short-term reauthorization (45-54) failed cloture votes.

But as it was, USA F-ReDux had far more support than the short-term reauthorization. Both McConnell and Rand Paul voted against both, for very different reasons. The difference in the vote results, however, was that Joe Donnelly (D), Jeff Flake (R), Ron Johnson (R), James Lankford (R), Bill Nelson (D), Tim Scott (R), and Dan Sullivan (R) voted yes to both. McConnell’s preferred option didn’t even get a majority of the vote, because he lost a chunk of his members.

Then McConnell played the hand he believed would give himself and Burr leverage. The plan — as I stated — was to get a very short term reauthorization passed and in that period force through changes with the House (never mind that permitting that to happen might have cost Boehner his Speakership, that’s what McConnell and Burr had in mind).

First, McConnell asked for unanimous consent to pass an extension to June 8. (h/t joanneleon for making the clip) But Paul, reminding that this country’s founders opposed General Warrants and demanding 2 majority vote amendments, objected. McConnell then asked for a June 5 extension, to which Ron Wyden objected. McConnell asked for an extension to June 3. Martin Heinrich objected. McConnell asked for an extension to June 2. Paul objected.

McConnell’s bid failed. And he ultimately scheduled the Senate to return on Sunday afternoon, May 31.

By far the most likely outcome at this point is that enough Senators — likely candidates are Mark Kirk, Angus King, John McCain, Joni Ernst, or Susan Collins — flip their vote on USA F-ReDux, which will then be rushed to President Obama just hours before Section 215 (and with it, Lone Wolf and Roving Wiretaps) expires on June 1. But even that (because of when McConnell scheduled it) probably requires Paul to agree to an immediate vote.

But if not, it won’t be the immediate end of the world.

On this issue, too, the reporting has been horrible, even to almost universal misrepresentation of what Jim Comey said about the importance of expiring provisions — I’ve laid out what he really said and what it means here. Comey cares first and foremost about the other Section 215 uses, almost surely the bulky Internet collection that moved there in 2009. But those orders, because they’re tied to existing investigations (of presumably more focused subject than the standing counterterrorism investigation to justify the phone dragnet), they will be grand-fathered at least until whatever expiration date they have hits, if not longer. So FBI will be anxious to restore that authority (or move it back to NSLs as Burr’s bill would do), especially since unlike the phone dragnet, there aren’t other ways to get the data. But there’s some time left to do that.

Comey also said the Roving Wiretap is critical. I’m guessing that’s because they use it to target things like Tor relays. But if that’s the primary secretly redefined function, they likely have learned enough about the Tor relays they’re parked on to get individual warrants. And here, too, the FBI likely won’t have to detask until expiration days on these FISA orders come due.

As for the phone dragnet and the Lone Wolf? Those are less urgent, according to Comey.

Now, that might help the Republicans who want to jam through some of Burr’s demands, since most moderate reformers assume the phone dragnet is the most important function that expires. Except that McConnell and others have spent so long pretending that this is about a phone dragnet that in truth doesn’t really work, that skittish Republicans are likely to want to appear to do all they can to keep the phone dragnet afloat.

As I said, the most likely outcome is that a number of people flip their vote and help pass USA F-ReDux.

But as with last night’s “debate,” no one really knows for sure.

USA F-ReDux Is Non-Exclusive, but the Second Circuit Might Be

I’m still trying to figure out WTF Mitch McConnell is doing with his Senate machinations over USA F-ReDux. Currently, he has both his short-term reauthorization and USA F-ReDux prepped for a vote, which probably means he’ll bring USA F-ReDux up for cloture or a vote, show that it doesn’t have enough support, and then use that to scaremonger the short-term reauthorization through as a way to wring more concessions out of the House.

Still, given what a dead-ender he is on a bill, USA F-ReDux, that gives the Intelligence Community so many goodies, I can’t help but wonder if there’s another explanation for his intransigence. I can think of one other possibility.

The House Judiciary Committee made it clear USA F-ReDux would be the exclusive means to obtain prospective Call Detail Records under Section 215:

This new mechanism is the only circumstance in which Congress contemplates the prospective, ongoing use of Section 501 of FISA in this manner.

But it made it equally clear it is not the exclusive means to obtain Call Detail Records. That’s because the report envisions conducting federated queries including “metadata [the government] already lawfully possess.”

The government may require the production of up to two ‘‘hops’’—i.e., the call detail records associated with the initial seed telephone number and call detail records (CDRs) associated with the CDRs identified in an initial ‘‘hop.’’ Subparagraph (F)(iii) provides that the government can obtain the first set of CDRs using the specific selection term approved by the FISC. In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses. Together, the CDRs produced by the phone companies and those identified independently by the government constitute the first ‘‘hop.’’

I suggested here that that other “lawfully possessed metadata” probably consisted of data collected under EO 12333 (and permissible for chaining on US persons under SPCMA) and PRISM metadata.

But maybe that’s not all it includes. Maybe, the government has devise a way by which AT&T (or some other backbone provider) will still provide phone records in bulk on a daily basis? Maybe — as Richard Burr claimed before he later unclaimed — the government secretly maintains an IP dragnet under some other authority?

If that was the plan (though keep in mind, USA F-ReDux passed the House after the Second Circuit decision), then the Second Circuit may have ruined that effort. The ruling should limit all collection under a “relevant to” standard, not just that conducted under Section 215. And, as Faiza Patel argued, the decision should also affect collection where the government has dodged Fourth Amendment issues by focusing on “searches” rather than “seizures.”

[A]s Jennifer Daskal explained last Friday, “collection matters.” The Second Circuit rejected the government’s contention that there was no cognizable injury until plaintiffs’ phone records were actually analyzed and reviewed. It ruled that collection is properly analyzed as “seizure,” which if unlawful constitutes a separate injury from the “search” that takes place when records are analyzed either by a human being or a computer.

As the Supreme Court has recognized, in Fourth Amendment cases the analysis of standing is intertwined with the merits question of whether there has been an invasion of a protected privacy interest. Thus, the Second Circuit’s position on collection could have serious implications for other government programs beyond the standing question.

I’ve already suggested the decision might create problems for the virgin birth DOJ secretly gave to EO 12333 data used in SPCMA.

But who knows what else it applies to?

After all, USA F-ReDux was written so as to allow other dragnets (which is what EO 12333 is, after all). But the Second Circuit may pose problems for such dragnets that USA F-ReDux did not.

Going back to Richard Burr’s odd colloquy — which his office’s excuses simply cannot rationally explain — I think it (very remotely) possible the government is dragnetting IP addresses (perhaps for cybersecurity rather than counterterrorism purposes), but worries it has lost authority to do so with the Second Circuit decision. If so, it might be using this fight over counterterrorism data collection to lay congressional support for broader dragnet collection, to be able to sustain whatever other dragnets it has in place.

USA F-ReDux: The Risks Ahead

Sometime after 2 today, the House will pass USA F-ReDux by a large margin. Last night the Rules Committee rejected all amendments, including two (a version of the Massie-Lofgren amendment prohibiting back doors and a Kevin Yoder amendment that would improved ECPA protections) that have majority support in the House.

After the bill passes the House today it will go to the Senate where Mitch McConnell will have his way with it.

What happens in the Senate is anyone’s guess.

One reason no one knows what Mitch has planned is because most people haven’t figured out what Mitch really wants. I think there are 3 possibilities:

  • He actually wants USA F-ReDux with some tweaks (about which more below) and the threat of a straight reauthorization is just a tactic to push through those tweaks; this makes the most sense because USA F-ReDux actually gives the IC things they want and need that they don’t currently have
  • There is something the government is doing — a bulk IP program, for example — that Mitch and Burr plan to provide Congressional sanction for even while basically adopting USA F-ReDux as a limit on Section 215 (but not other authorities); the problem with this plan is that secret briefings like the Administration offered the Senate, but not the House, last night don’t seem to meet the terms of ratification described by the Second Circuit
  • The Second Circuit decision threatens another program, such as SPCMA (one basis for Internet chaining involving US persons right now), that the Senate believes it needs to authorize explicitly and that’s what the straight reauthorization is about
  • [Update] I’m reminded by Harley Geiger that Mitch might just be playing to let 215 sunset so he can create a panic that will let him push through a worse bill. That’s possible, but the last time such an atmosphere of panic reigned, after Congress failed to replace Protect American Act in 2008, it worked to reformers’ advantage, to the extent that any cosmetic reform can be claimed to be a win.

I think — though am not certain — that it’s the first bullet, though Burr’s so-called misstatement the other day makes me wonder. If so Mitch’s procedural move is likely to consist of starting with his straight reauthorization but permitting amendments, Patrick Leahy introducing USA F-ReDux as an amendment, Ron Wyden and Rand Paul unsuccessfully pushing some amendments to improve the bill, and Richard Burr adding tweaks to USA F-ReDux that will make it worse. After that, it’s not clear how the House will respond.

Which brings me to what I think Burr would want to add.

As I’ve said before, I think hawks in the Senate would like to have data mandates, rather than the data handshake that Dianne Feinstein keeps talking about. While last year bill supporters — including corporate backers — suggested that would kill the bill, I wonder whether everyone has grown inured to the idea of data retention, given that they’ve been silent about the data handshake since November.

I also suspect the IC would like to extend the CDR authority to non-terrorism functions, even including drug targets (because they probably were already using it as such).

The Senate may try to tweak the Specific Selection Term language to broaden it, but it’s already very very permissive.

I’m also wondering if the Senate will introduce language undermining the limiting language HJC put in its report.

Those are the predictable additions Burr might want. There are surely a slew more (and there will be very little time to review it to figure out the intent behind what they add).

The two big questions there are 1) are any of those things significant enough to get the House to kill it if and when it gets the bill back and 2) will the House get that chance at all?

Did the Second Circuit Decision ALSO Blow Up SPCMA?

In a post on last week’s Second Circuit opinion finding NSA’s Section 215 phone dragnet unlawful, Faiza Patel observed that the government may have problems with the court’s ruling that a seizure of metadata can constitute an injury. She points to DOD directive 5240.1-R as a rule that may be impacted.

Second, as Jennifer Daskal explained last Friday, “collection matters.” The Second Circuit rejected the government’s contention that there was no cognizable injury until plaintiffs’ phone records were actually analyzed and reviewed. It ruled that collection is properly analyzed as “seizure,” which if unlawful constitutes a separate injury from the “search” that takes place when records are analyzed either by a human being or a computer.

As the Supreme Court has recognized, in Fourth Amendment cases the analysis of standing is intertwined with the merits question of whether there has been an invasion of a protected privacy interest. Thus, the Second Circuit’s position on collection could have serious implications for other government programs beyond the standing question.

[snip]

Another set of programs for which “collection matters” are those conducted under Executive Order 12,333. Department of Defense directive 5240.1-R, which sets out procedures for intelligence activities that affect U.S. persons, states:

Information shall be considered as “collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties … Data acquired by electronic means is “collected” only when it has been processed into intelligible form. (Emphasis added.)

Although the directive does not explain what constitutes an “intelligible form” of electronic data, another regulation (USSID 18) states that information becomes “intelligible” and is therefore “collected” when a NSA analyst “intentional[ly] task[s] or select[s]” a communication of interest for “inclusion in a report or retention as a file record.” This is a critical distinction because protections for US persons under Executive Order 12,333, Presidential Policy Directive 28, and subsidiary regulations are triggered when information is “collected” per the government’s definition.

All the caveats about not being a lawyer, I think there’s a subset of practices under 5240.1-R that may be particularly acutely affected: SPCMA, the authority that the NSA uses to contact (and, presumably, connection) chain on US person metadata collected overseas.

As I pointed out here, OIPR (during a period when it was headed by current FBI General Counsel James Baker) originally informally advised that NSA had to stop chaining when it hit a US person. But then, a rather suspiciously short period after Baker left in 2007, Steven Bradbury and Ken Wainstein came up with a theory whereby such data did not count as an acquisition — because it had already been collected — and therefore could be chained through.

The fourth definition of electronic surveillance involves “the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication …. ” 50 U.S.C. § 1802(f)(2). “Wire communication” is, in turn, defined as “any communication while it is being carried by a wire, cable, or other like connection furnished or operated by any person engaged as a common carrier …. ” !d. § 1801 (1). The data that the NSA wishes to analyze already resides in its databases. The proposed analysis thus does not involve the acquisition of a communication “while it is being carried” by a connection furnished or operated by a common carrier. (S//SI)

[snip]

The current DOD procedures and their Classified Annex may be read to restrict NSA’s ability to conduct the desired communications metadata analysis, at least with respect to metadata associated with United States persons. In particular, this analysis may fall within the procedures’ definitions of, and thus restrictions on, the “interception” and “selection” of communications.

Accordingly, the Supplemental Procedures that would govern NSA’s analysis of communications metadata expressly state that the DOD Procedures and the Classified Annex do not apply to the analysis of communications metadata. Specifically, the Supplemental Procedures would clarify that “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communications, nor do they qualify as ‘us[ing] a selection term,’ including using a selection term ‘intended to intercept a communication on the basis of. .. [some] aspect of the content of the communication.” Once approved, the Supplemental Procedures will clarify that the communications metadata analysis the NSA wishes to conduct is not restricted by the DOD procedures and their Classified Annex. (S//SI)

As I’ve previously explained, it works out to a kind of virgin birth, all to avoid the actual seizure moment that would implicate EO 12333.

That virgin birth theory led to this paragraph in supplemental procedures that amend 5240.1-R to treat metadata analysis (it doesn’t say it here, but it means, of US persons) as something other than an interception.

S//SI) For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”

I’m not sure, but Gerard Lynch’s opinion may pose real problems for this virgin birth theory. And oh, by the way, a lot of this data leads to data ending up in FBI’s hands which would be overseen by … James Baker, who may have had a problem with this argument in the past, even without the Second Circuit decision.

All of which is one way of saying that, in addition to creating some pressure on Congress to pass USA F-ReDux, this bill may have (though I await actual lawyers to consider this question) created far, far larger problems for SPCMA, which is understood to have been one of the places where the old domestic Internet dragnet went to (which might explain why Richard Burr was talking about Internet dragnets on the floor of the Senate the other day).

If so, the government has a far bigger headache than just the one created for the domestic phone metadata program.

Richard Burr’s IP Dragnet Disappears into the Memory Hole

As I noted yesterday, Richard Burr gave a planned colloquy on the Senate floor yesterday in which he said bulk collection included IP addresses.

Now what’s bulk data? Bulk data is storing telephone numbers and IP addresses — we have no idea who they belong to — that are domestic. And the whole basis behind this program is that as a cell phone is picked up in Syria, and you look at the phone numbers that phone talked to, if there’s some in the United States we’d like to know that — at least law enforcement would like to know it — so that we can understand if there’s a threat against us here in the homeland or somewhere else in the world. So Section 215 allows the NSA to collect in bulk telephone numbers and IP addresses with no identifier on it. We couldn’t tell you who that American might be. [my emphasis]

Here’s a CSPAN clip of that discussion.

Curiously, here’s how that passage looks in the Congressional Record. (h/t Steven Aftergood)

What is bulk data? Bulk data is storing telephone numbers–we have no idea to whom they belong–that are foreign and domestic. The whole basis behind this program is that as a cell phone is picked up in Syria and we look at the phone numbers that phone talked to, if it is someone in the United States, we would like to know that–at least law enforcement would like to know it–so we can understand if there is a threat against us here in the homeland or somewhere else in the world.

Section 215 allows the NSA to collect, in bulk, telephone numbers with no identifier on them. We couldn’t tell you who that American might be. [my emphasis]

Note, the Congressional record also added “foreign” on to the description of telephone numbers collected. We know NSA collects IP addresses overseas, so it may be that’s what Burr was thinking about (or it may be in this doctored Congressional record, he added foreign because that would be unsurprising).

I called Burr’s office yesterday to ask about this, but have thus far gotten no response.

Edward Snowden Richard Burr Exposes IP Address Dragnet on Senate Floor

Update: As I show in this post, the transcription of Burr’s speech in the Congressional record removed the reference to IP addresses. 

Update: While Burr’s office did not respond to my request for comment, they did respond to Buzzfeed (which sadly didn’t ask the obvious follow-up questions). His office claims he misspoke, though apparently didn’t explain why he would confuse Section 215 and PRTT, why he would tie the Internet dragnet to phone calls, or why, if the current dragnet doesn’t collect Internet data but USA F-ReDux would, why that would not then be a welcome return for the Senator given his stated desire to track such collection. I have asked for comment again from Burr’s office on those questions. 

Since last summer, I have been emphasizing that the bulk of Section 215 orders collect Internet data, not phone records under the phone dragnet. I pointed to evidence that that production included data flows and noted FBI claims they use it to conduct hacking investigations.   But I have assumed that was primarily bulky collection, not bulk collection.

Not so. Earlier today, noted whistleblower Edward Snowden Senate Intelligence Chair Richard Burr revealed that there is also an IP address bulk collection program. (h/t Andrew Blake, after 2:15)

Now what’s bulk data? Bulk data is storing telephone numbers and IP addresses — we have no idea who they belong to — that are domestic. And the whole basis behind this program is that as a cell phone is picked up in Syria, and you look at the phone numbers that phone talked to, if there’s some in the United States we’d like to know that — at least law enforcement would like to know it — so that we can understand if there’s a threat against us here in the homeland [sic] or somewhere else in the world. So Section 215 allows the NSA to collect in bulk telephone numbers and IP addresses with no identifier on it. We couldn’t tell you who that American might be.

I thought when you leaked details like this it helped our enemies? I thought if you did such things you were a traitor, deserving of an orange jumpsuit at Gitmo?

Apparently not.

So it appears it’s the IP dragnet, and not the phone dragnet, that the Republicans are trying to save?

It’s a little late for that, though, given that the Second Circuit just ruled such dragnets illegal.

The Burr Family USE to Assassinate People in Light of Day

At the end of a must-read article on how the people — whom it names — in charge of the CIA’s drone program are the same people who were in charge of the torture program, the NYT also reveals that Richard Burr joined Mike Rogers pressuring CIA to kill American citizen Mohanad Mahmoud Al Farekh — who recently got captured and charged in the US with material support for terrorism — be drone killed.

The Republican lawmakers, Senator Richard M. Burr of North Carolina and Representative Mike Rogers of Michigan, said during the closed sessions that the administration was being timid, and urged that [Mohanad Mahmoud Al] Farekh be hunted and killed.

Burr is, as he likes to point out, a relative of Aaron Burr, who killed Treasury Secretary Alexander Hamilton in a duel, a detail about which Burr reminded Treasury Secretary Jack Lew last year. It appears the Burr family no longer operates with the faux honor of dueling, but instead sits inside secret closets and demands CIA conduct assassination by remotely piloted drone.

And that’s why NYT’s decision to name names is so notable.

The C.I.A. asked that Mr. D’Andrea’s name and the names of some other top agency officials be withheld from this article, but The New York Times is publishing them because they have leadership roles in one of the government’s most significant paramilitary programs and their roles are known to foreign governments and many others.

The article names D’Andrea — the long-time head of CIA’s Counterterrorism Center, whom Gawker named last month but whom the WaPo continued to refer to under the pseudonym Roger last month, it named his replacement, Chris Wood, who has served in ALEC station and oversaw operations in Afghanistan and Pakistan, and it named the Operations Chief, Greg Vogel, who was Kabul Station Chief before leading the CIA’s paramilitary Special Activities Division.

These are the men who invite people like Rogers and Burr and Dianne Feinstein (who is a champion of D’Andrea) and their staffers to watch a monthly snuff film of drone operations and with it convince them that CIA should remain in charge of assassinations.

As the NYT notes in explaining why it was refusing to cede to John Brennan’s demand that the paper hide these identities, others know who they are. It’s just the public, those who pay their salaries and in whose name those assassinations are conducted, that didn’t know.

That, of course, prevents anyone — the family of Warren Weinstein, for example — from holding them to legal account.

But it also prevents us from holding Feinstein accountable when she shields the same people who oversaw the torture program she claims to abhor.

Perhaps the NYT’s decision to break the spell of false secrecy will demonstrate that these men’s identities were’t really secrets. They were rather just a vacuum of accountability.

On Mitch’s PATRIOT Gambit

Mitch McConnell, as you’ve probably heard, has just introduced a bill to reauthorize the expiring provisions of the PATRIOT Act until 2020.

The move has elicited a bunch of outraged comments — as if anyone should ever expect anything but dickishness from Mitch McConnell. But few interesting analytical comments.

For example, Mitch is doing this under Rule 14, meaning it bypasses normal committee process. But that’s not as unusual, in ultimate effect, as people are making out. After all, last year the House Judiciary Committee was forced to adopt a much more conservative opening bill under threat of having its jurisdiction stripped entirely — something that Bob Goodlatte surely liked because it helped him rein in the reformers on his committee. Particularly given Chuck Grassley’s dawdling, I suspect something similar is at issue, an effort to give him leverage to rein in last year’s USA Freedom Act in order to undercut Mitch’s ploy.

Moreover, I think it would be utterly naive to believe Mitch and Richard Burr when they claim they would prefer straight reauthorization.

That’s because we know the IC can’t do everything they want to do under Section 215 right now. While reports that they only get 30% of calls are misleading (not least because NSA gets plenty of international calls into the US under EO 12333), for legal or technical or some other reason, the NSA isn’t currently getting all the records it needs to have full coverage. But it could get all or almost all if it worked with providers.

In addition — and this may be related — the NSA has never been able to turn its automated processes back on for US collected telephone data since they had to turn them off in 2009. They gave up trying last year, when Obama decided to move data to the providers. I suspect that the combination of mandated assistance, record delivery in optimal form, and immunity will permit NSA to dump this data into its existing automated system.

So while Mitch and Burr may pretend they’d love straight reauthorization, it is far, far more likely they’re using this gambit to demand changes to USAF that permit the IC to claim more authorities while pretending to reluctantly adopt reform.

And chief on that list is likely to be data retention, something reformers have been conspicuously silent about since Dianne Feinstein revealed USAF would have had a data retention handshake, but not a mandate. Data retention is why most SSCI members opposed USAF last year, it’s why Bill Nelson (working off his dated understanding of the program from when he served on SSCI) voted against it, and Bob Litt has renewed his emphasis on data retention.

Moreover, given the debates about encryption of the last year, especially Jim Comey’s concerns that Apple would have an unfair advantage over Verizon if it can shield iMessage data, I suspect that by data retention they also mean “forced retention of non-telephony messaging metadata.” I’m not sure whether they would be able to pull this off, but I wouldn’t be surprised if the IC plans to use “NSA reform” as an opportunity to force Apple to keep iMessage metadata.

So that’s what I expect this is about: I expect Mitch deliberately caused outright panic among those fighting straight reauthorization that even he doesn’t really want to demand more things from this “reform” bill.

 

CISA’s Terrorists Are Not Just Foreign Terrorists

In addition to hunting hackers, the Cybersecurity Information Security Act — the bill that just passed the Senate Intelligence Committee — collects information domestically to target terrorists if those so-called terrorists can be said to be hacking or otherwise doing damage to property.

Significantly, as written, the bill doesn’t limit itself to targeting terrorists with an international tie. That’s important, because it essentially authorizes intelligence collection domestically with no court review. Thus, the bill seems to be — at least in part — a way around Keith, the 1971 ruling that prohibited domestic security spying without a warrant.

It takes reading the bill closely to understand that, though.

The surveillance or counterhacking of a “terrorist” is permitted in three places in the bill. In the first of those, one might interpret the bill to associate the word “foreign” used earlier in the clause with the word terrorist. That clause authorizes the disclosure of cyber threat indicators for “(iii) the purpose of identifying a cybersecurity threat involving the use of an information system by a foreign adversary or terrorist.”

But the very next clause authorizes information sharing to mitigate “a terrorist act,” with no modifier “foreign” in sight. It authorizes information sharing for “(iv) the purpose of responding to, or otherwise preventing or mitigating, an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction;”

And the last mention of terrorists — reserving the authority of the Secretary of Defense to conduct cyberattacks in response to malicious cyber activity — includes the article “a” that makes it clear the earlier use of “foreign” doesn’t apply to “terrorist organization” in this usage.

(m) AUTHORITY OF SECRETARY OF DEFENSE TO RESPOND TO CYBER ATTACKS.—Nothing in this Act shall be construed to limit the authority of the Secretary of Defense to develop, prepare, coordinate, or, when authorized by the President to do so, conduct a military cyber operation in response to a malicious cyber activity carried out against the United States or a United States person by a foreign government or an organization sponsored by a foreign government or a terrorist organization.

Frankly, I’m of the belief that the distinction that has by and large applied for the last 14 years of spying betrays the problem with our dragnet targeted on Muslims. America in general seems perfectly willing to treat some deaths — even 168 deaths — perpetrated by terrorists as criminal attacks so long as they are white Christian terrorists. If white Christian terrorists can be managed as the significant law enforcement problem they are without a dragnet, then so, probably, can FBI handle the losers it entraps in dragnets and then stings.

But here, that distinction has either apparently been scrapped or Richard Burr’s staffers are just bad at drafting surveillance bills. It appears that whatever anyone wants to call a terrorist — whether it be Animal Rights activists, Occupy Wall Street members, Sovereign Citizen members, or losers who started following ISIL on Twitter — appears to be fair game. Which is particularly troubling given that CISA makes explicit what NSA used to accomplish only in secret — the expansion of “imminent threat of death or serious bodily harm” to incorporate harm to property. How much harm to a movie studio or some other IP owner does it take before someone is branded a “terrorist” engaged in the “act” of doing “serious economic harm,” I wonder?

Note, too, that according to OTI’s redlined version of this bill, most of the application of this surveillance to foreign and domestic terrorists is new, added even as SSCI dawdles in the face of imminent Section 215 sunset.

As I’ll show in a later post, one function of this bill may be to move production that currently undergoes or might undergo FISC  or other court scrutiny out from under a second branch of government, making a mockery out of what used to be called minimization procedures. If that’s right, it would also have the effect of avoiding court scrutiny on just whether this surveillance — renamed “information sharing” — complies with Supreme Court prohibition on warrantless spying on those considered domestic security threats.

Have the Banks Escaped Criminal Prosecution because They’re Spying Surrogates?

I’m preparing to do a series of posts on CISA, the bill passed out of SSCI this week that, unlike most of the previous attempts to use cybersecurity to justify domestic spying, may well succeed (I’ve been using OTI’s redline version which shows how SSCI simply renamed things to be able to claim they’re addressing privacy concerns).

But — particularly given Richard Burr’s office’s assurances this bill is great because “business groups like the Financial Services Roundtable and the National Cable & Telecommunications Association have already expressed their support for the bill” — I wanted to raise a question I’ve been pondering.

To what extent have banks won themselves immunity by serving as intelligence partners for the federal government?

I ask for two reasons.

First, when asked why she, along with Main Justice’s Lanny Breuer, authorized the sweetheart deal for recidivist transnational crime organization HSBC, Attorney General nominee Loretta Lynch implied that there was insufficient admissible evidence to try any individuals associated with this recidivism.

I and the dedicated career prosecutors handling the investigation carefully considered whether there was sufficient admissible evidence to prosecute an individual and whether such a prosecution otherwise would have been consistent with the principles of federal prosecution contained in the United States Attorney’s Manual.

That’s surprising given that Carl Levin managed to come up with 300-some pages of evidence. Obviously, there are several explanations for this response: she’s lying, the evidence is inadmissible because HSBC provided it willingly thereby making it unusable for prosecution, or the evidence was collected in ways that makes it inadmissible.

It’s the last one I’ve been thinking about: is it remotely conceivable that all the abundant evidence against banksters their regulators have used to obtain serial handslaps is for some reason inadmissible in a criminal proceeding?

I started thinking about that as a real possibility when PCLOB revealed that Treasury’s Office of Intelligence and Analysis has never once — not in the 30-plus years since Ronnie Reagan told them they had to — come up with minimization procedures to protect US person privacy with data collected under EO 12333. Maybe that didn’t matter so much in 1981, but since 2004, Treasury has had an ever-increasing role in using intelligence (collected from where?) to impose judgments against people with almost no due process. And those judgements are, in turn, used to impose other judgments on Americans with almost no due process.

The thing is, you’d think banks might care that Treasury wasn’t complying with Executive Branch requirements on privacy protection. Not only because they care (ha!) about their customers, whether American or not, but because many of them are, themselves, US persons. US bank US person status should limit how much Treasury diddles with bank-related intelligence, but Treasury doesn’t appear bound by that.

Which leads me to suspect, at least, that there’s something in it for the banks, something that more than makes up for the serial handslaps for sanctions violations.

And one possibility is that because of the way this data is collected and shared, it can’t be used in a trial. Voila! Bank immunity.

All that’s just a wildarsed guess.

But one made all the more pressing given that Treasury is among the Appropriate Federal Entities that will be default intelligence recipients for cyber information under CISA.

(3) APPROPRIATE FEDERAL ENTITIES.—

The term ‘‘appropriate Federal entities’’ means the following:

(A) The Department of Commerce.

(B) The Department of Defense.

(C) The Department of Energy.

(D) The Department of Homeland Security.

(E) The Department of Justice.

(F) The Department of the Treasury.

(G) The Office of the Director of National Intelligence.

To some degree, this is not in the least bit surprising. After all, financial regulators have increasingly made cybersecurity a key regulatory concern of late, so it makes sense for Treasury to be in the loop.

But banksters rarely — never! — add regulatory exposure for themselves without a fight and, as Burr’s office has made clear, the banks love this bill.

One more datapoint, back to HSBC. As I noted when Lanny Breuer and Loretta Lynch announced that handslap, Breuer neglected to mention that HSBC was getting a handslap not just for helping cartels profit off drugs, but also helping terrorists fund their activities (at the time Pete Seda was being held without bail on charges the government insisted amounted to material support for terrorists for handing a check to Chechens using cash that had come indirectly from HSBC). The actual settlement, however, made mention of it by explaining that HSBC had “assisted the Government in investigations of certain individuals suspected of money laundering and terrorist financing.” By dint of that cooperation, in other words, HSBC went from being a material supporter of terrorism to being a deputy financial cop. And Breuer expanded that notion of banks serving as deputized financial cops thereafter.

Are the methods and terms by which we’re collecting all this financial intelligence to use against some bad guys precisely what prevents us from holding the even bigger bad guys — the ones affecting far more of us directly, in the form of the houses we own, the towns we live in, the opportunity costs paid to financial crime — accountable?

And will this system now be replicated under CISA (or has it, already) as banks turn into cyber crime deputized cops?

Emptywheel Twitterverse
bmaz RT @BtBScore: Barry Bonds is 8th in position player fWAR since 2001. Bonds hasn't played since 2007.
1hreplyretweetfavorite
bmaz Blatter would win easily. And Bernie Ecclestone would kill both. https://t.co/oRmFDT66C2
1hreplyretweetfavorite
emptywheel @shu_steve And starve...
3hreplyretweetfavorite
emptywheel @joepabike I was sort of curious which would exhibit enough human competence to best the other.
3hreplyretweetfavorite
emptywheel @AngelaMilanese And wouldn't that make great TV, in a way?
3hreplyretweetfavorite
emptywheel Wonder what would happen if you had a reality show w/Sepp Blatter and Roger Goodell trying to stay alive by themselves on desert island?
3hreplyretweetfavorite
emptywheel Kind of surprising no one has asked Tammy Duckworth about McConnell (and Mark Kirk) playing chicken with phone dragnet.
4hreplyretweetfavorite
bmaz @DickCheneyFacts @JesselynRadack @JohnKiriakou Uh, you might talk to David Passaro about that statement.
5hreplyretweetfavorite
bmaz RT @deray: An NBA Player Is Missing the Playoffs Because the NYPD Broke His Leg—Why the Sports-Media Silence? http://t.co/gmjW0rwoKq
5hreplyretweetfavorite
JimWhiteGNV RT @GatorZoneBB: Peter Alonso gives the #Gators a 2-0 lead in the 1st with a 2-out RBI single to bring home Buddy Reed
6hreplyretweetfavorite
JimWhiteGNV RT @GatorZoneBB: Harrison Bader leads off with a home run - No. 13 for Bader - 1-0 #Gators
7hreplyretweetfavorite
May 2015
S M T W T F S
« Apr    
 12
3456789
10111213141516
17181920212223
24252627282930
31