Posts

Devin Nunes Will Let Dragnet Lapse So Mitch McConnell Can Save Face?!?!

/4 Comments/in /by

NYT has a remarkable article describing how a number of hawks are willing to risk letting PATRIOT Act authorities lapse so Mitch McConnell can save face.

Senior lawmakers are scrambling this week in rare recess negotiations to agree on a face-saving change to legislation that would rein in the National Security Agency’s dragnet of phone records, with time running out on some of the government’s domestic surveillance authority.

[snip]

If negotiators accept minor changes to the House bill, it will mark a significant retreat for Senator Mitch McConnell of Kentucky, the majority leader, and Senator Richard M. Burr of North Carolina, the chairman of the Senate Intelligence Committee.

Sadly, the NYT continues the typically credulous mainstream reporting on this topic. For example, Mitch McConnell never really wanted a straight reauthorization.

Mr. McConnell and Mr. Burr wanted a straight extension of the existing surveillance authority, although an appeals court judge ruled this month that such authority was illegal.

False. Burr revealed what they want Friday night. They want to move bulky Internet production back to NSLs. They want to expand the current dragnet to include Internet calls and even straight IP (and, oddly, documents!), and they want to expand it well beyond its counterterrorism focus to include all foreign intelligence. They want to criminalize whistleblowing about this law in particular. They want to eliminate all special privacy protections — over the standard NSA ones — for US persons.

And very importantly, they want to use the claim to need a 2-year transition period to finally obtain the authorities for NSA to conduct the bulk collection they actually want to do, in which place they’ll be well positioned to claim having the government retain the data is most efficient.

I could go on. But after Friday night no journalists with any self-respect should propagate Mitch’s “straight reauthorization” canard, which — it was clear over a month ago — was only ever a negotiating tactic.

NYT also falsely claims Burr wants just Lone Wolf and Roving Wiretap made permanent.

Mr. Burr wants the so-called lone wolf and roving authorities to be made permanent to avoid cliffhangers like the one Congress finds itself in now. The House bill would extend them to December 2019.

The title to that section of Burr’s bill reads,

PERMANENT AUTHORITY FOR ACCESS TO BUSINESS RECORDS, ROVING SURVEILLANCE, AND INDIVIDUAL TERRORISTS AS AGENTS OF FOREIGN POWERS UNDER THE FOREIGN INTELLIGENCE SURVEILLANCE ACT OF 1978 [my emphasis]

And the language of it repeals both parts of both laws that include a sunset.

But the really absurd part of this story — and to be fair, NYT has to report these arguments as if they’re serious, and I should be grateful they have been recorded in all their absurdity — is that Burr and Nunes are now claiming that the largest phone companies in the US don’t know how to 1) store data, or 2) “search stored phone data after a warrant [actually, a Reasonable Articulable Suspicion order, not a warrant] is issued, then communicate the results to the government.”

The two men have said phone companies, which would collect the data instead of the N.S.A. under the USA Freedom Act, are not equipped to handle the task.

[snip]

Leaders of the House Intelligence and Judiciary Committees from both parties, along with supporters in the Senate, said they could assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in.

Mr. Burr said he would like that period to be two years, a proposal not very likely to be accepted by the House.

“The question is whether the technology can be developed in time, over a six-month window,” Mr. Nunes said in an interview. “I think it can be. I was at N.S.A. reviewing this 10 days ago.”

He added: “We believe six months works, but it wouldn’t be bad to have a little longer.”

But even that change has irked lawmakers, who worked for months on the compromise that passed the House. Representative Adam B. Schiff of California, the ranking Democrat on the House Intelligence Committee, said the technology in question — the ability to search stored phone data after a warrant is issued, then communicate the results to the government — was “a pretty minor deal” that could easily meet a certification deadline.

The men overseeing our intelligence community claim to not understand that phone companies store this information — and respond to lawful government requests for it — every day.

In truth, this is likely another ploy to expand the role of providers down the road (as happened under PRISM), after we’ve all become less vigilant — beyond simply providing phone records (as these silly Congressmen claim) to doing far more analysis.

After all, the only way these claims make sense, is if the government expects to get real pushback from providers going forward — and that’s not going to happen if all they want is call records delivered to the government, which telecoms have been doing forever.

So that’s the likely play: to set up some mechanism whereby the hawks can claim — in 6 months time — that telecoms are unwilling or unable (the same standard they use for drones killing!) to do what the government will ask. At which point we’ll be fighting to get the government out of an expanded dragnet business.

One more thing.

The Republicans also claim that the telecoms have been harassed by privacy advocates.

Republicans have also expressed a desire to protect the phone companies against harassment from privacy activists over their participation in a new surveillance program.

This is likely a bid to do something to shroud the dragnets (it won’t be just telecom going forward) in secrecy from here on out. Probably not the act-specific Espionage Act, like Burr wants, but probably some other means to ensure that no one ever gets standing to challenge what will still be an unconstitutional program going forward.

I guess they hope we won’t notice because we’re laughing at their other batty excuses so hard?

I’m Shocked, Shocked, to Find that Lying Is Going on in the Senate

/3 Comments/in /by

As I noted here, given the content of the radical bill Richard Burr introduced on Friday, it appears likely that his claim Section 215 sIpported an IP dragnet was no misstatement, as he claimed when I called him on it. But that — and the misstatements Mitch McConnell made on Friday about the bill — are not the only lies the authoritarians have been telling.

Just after USA F-ReDux failed in the Senate Friday night and Barbara Boxer tried to call it back up for a vote, Mitch McConnell falsely claimed that Dianne Feinstein was involved in Burr’s radical bill. Senator Feinstein actually had to interrupt and point out that not only doesn’t she think Burr’s bill is the way to go, but that pushing for it might put all the expiring provisions at risk. (h/t Steven Aftergood for pulling Congressional Research Service records)

McCONNELL. Mr. President, the Senate has demonstrated that the House-passed bill lacks the support of 60 Senators. I would urge a “yes” vote on the 2-month extension. Senator Burr, the chairman of the Intelligence Committee, and Senator Feinstein, the ranking member, as we all know, have been working on a proposal that they think would improve the version that the Senate has not accepted that the House sent over. It would allow the committee to work on this bill, refine it, and bring it before us for consideration. So the 2-month extension, it strikes me, would be in the best interest of getting an outcome that is acceptable to both the Senate and the House and hopefully the President.

[snip]

Mrs. FEINSTEIN. Mr. President, if I may a point of personal privilege. Mr. President, I would like to correct the majority leader, regretfully. I did not support the Burr bill. I do not believe that is the way to go. I have taken a good look at this. For those who want reform and want to prevent the government from holding the data, the FREEDOM Act is the only way to do it. The House has passed it. The President wants it. All of the intelligence personnel have agreed to it, and I think not to pass that bill is really to throw the whole program–that whole section 215 as well as the whole business records, the “lone wolf,” the roving wiretaps–into serious legal jeopardy.

That is, of course, precisely what has happened. In his bid to ram through Burr’s expanded dragnet, Mitch has now made it increasingly likely that all the expiring provisions will lapse on June 1.

Mitch McConnell Suggests He Wants a Bulk Document Collection System

/2 Comments/in , /by

On May 7, the very same day the Second Circuit ruled that Congress has to say specifically what a surveillance bill means for the bill to mean that thing, Richard Burr engaged in a staged colloquy on the Senate floor where he claimed that the Section 215 bulk collection program collects IP addresses. After Andrew Blake alerted me to that and I wrote it up, Burr stuffed the claim into the memory hole and claimed, dubiously, to have made a misstatement in a planned colloquy.

Then, after Mitch McConnell created a crisis by missing the first Section 215 reauthorization deadlines, Burr submitted a bill that would immediately permit the bulk collection of IP addresses, plus a whole lot more, falsely telling reporters this was a “compromise” bill that would ensure a smooth transition between the current (phone) dragnet and its replacement system.

Which strongly suggests Burr’s initial “misstatement” was simply an attempt to create a legislative record approving a vast expansion of the current dragnet that, when he got caught, led Burr to submit a bill that actually would implement that in fact.

This has convinced me we’re going to need to watch these authoritarians like hawks, to prevent them from creating the appearance of authorizing vast surveillance systems without general knowledge that’s what’s happening.

So I reviewed the speech Mitch made on Friday (this appears after 4:30 to 15:00; unlike Burr’s speech, the congressional record does reflect what Mitch actually said; h/t Steve Aftergood for Congressional Record transcript). And amid misleading claims about what the “compromise” bill Burr was working on, Mitch suggested something remarkable: among the data he’s demanding be retained are documents, not just call data.

I’ve placed the key part of Mitch’s comments below the rule, with my interspersed comments. As I show, one thing Mitch does is accuse providers of an unwillingness to provide data when in fact what he means is far more extensive cooperation. But I’m particularly interested in what he says about data retention:

The problem, of course, is that the providers have made it abundantly clear that they will not commit to retaining the data for any period of time as contemplated by the House-passed bill unless they are legally required to do so. There is no such requirement in the bill. For example, one provider said the following: “[We are] not prepared to commit to voluntarily retain documents for any particular period of time pursuant to the proposed USA FREEDOM Act if not otherwise required by law.”

Now, one credulous journalist told me the other day that telecoms were refusing to speak to the Administration at all, which he presumably parroted from sources like Mitch. That’s funny, because not only did the telecom key to making the program work — Verizon — provide testimony to Congress (which is worth reviewing, because Verizon Associate General Counsel — and former FBI lawyer — Michael Woods pointed to precisely what the dragnet would encompass under Burr’s bill, including VOIP, peer-to-peer, and IP collection), but Senator Feinstein has repeatedly made clear the telecoms have agreed with the President to keep data for two years.

Furthermore, McConnell’s quotation of this line from a (surely highly classified letter) cannot be relied on. Verizon at first refused to retain data before it made its data handshake with the President. So when did this provider send this letter, and does their stance remain the same? Mitch doesn’t say, and given how many other misleading comments he made in his speech, it’s unwise to trust him on this point.

Most curiously, though, look at what they’re refusing to keep. Not phone data! But documents.

Both USA F-ReDux and Burr’s bill only protect messaging contents, not other kinds of content (and Burr’s excludes anything that might be Dialing, Routing Addressing and Signaling data from his definition of content, which is the definition John Bates adopted in 2010 to be able to permit NSA to resume collecting Internet metadata in bulk). Both include remote computing services (cloud services) among the providers envisioned to be included not just under the bill, but under the “Call Detail Record” provision.

Perhaps there’s some other connotation for this use of the word “documents.” Remember, I think the major target of data retention mandates is Apple, because Jim Comey wants iMessage data that would only be available from their cloud.

But documents? What the hell kind of “Call Detail Records” is Mitch planning on here?

One more thing is remarkable about this. Mitch is suggesting it will take longer for providers to comply with this system than it took them to comply with Protect America Act. Yahoo, for example, challenged its orders and immediately refused to comply on November 8, 2007. Yet, even in spite of challenging that order and appealing, Yahoo started complying with it on May 5, 2008, that same 180-time frame envisioned here. And virtually all of the major providers already have some kind of compliance mechanism in place, either through PRISM (Apple, Google, and Microsoft) or upstream 702 compliance (AT&T and Verizon).
Read more

Mitch McConnell and Richard Burr’s Authoritarian Power Grab Fails

/6 Comments/in , /by

Last night, Mitch McConnell dealt himself a humiliating defeat. As I correctly predicted a month before events played out, McConnell tried to create a panic that would permit him and Richard Burr to demand changes — including iMessage retention, among other things — to USA F-ReDux. That is, in fact, what Mitch attempted to do, as is evident from the authoritarian power grab Burr released around 8:30 last night (that is, technically after the Administration had already missed the FISA Court deadline to renew the dragnet).

Contrary to a lot of absolutely horrible reporting on Burr’s bill, it does not actually resemble USA F-ReDux.

As I laid out here, it would start by gutting ECPA, such that the FBI could resume using NSLs to do the bulky Internet collection that moved to Section 215 production in 2009.

It also vastly expanded the application of the call record function (which it very explicitly applied to electronic communications providers, meaning it would include all Internet production, though that is probably what USA F-ReDux does implicitly), such that it could be used against Americans for any counterterrorism or counterintelligence (which includes leaks and cybersecurity) function, and for foreigners (which would chain onto Americans) for any foreign intelligence purpose. The chaining function includes the same vague language from USA F-ReDux which, in the absence of the limiting language in the House Judiciary Committee bill report, probably lets the government chain on session identifying information (like location and cookies, but possibly even things like address books) to do pattern analysis on providers’ data. Plus, the bill might even permit the government to do this chaining in provider data, because it doesn’t define a key “permit access” term.

Burr’s bill applies EO 12333 minimization procedures (and notice), not the stronger Section 215 ones Congress mandated in 2006; while USA F-ReDux data will already be shared far more widely than it is now, this would ensure that no defendant ever gets to challenge this collection. It imposes a 3-year data retention mandate (which would be a significant new burden on both Verizon and Apple). It appears to flip the amicus provision on its head, such that if Verizon or Apple challenged retention or any other part of the program, the FISC could provide a lawyer for the tech companies and tell that lawyer to fight for retention. And in the piece de la resistance, the bill creates its very own Espionage Act imposing 10 year prison terms for anyone who reveals precisely what’s happening in this expanded querying function at providers.

It is, in short, the forced-deputization of the nation’s communications providers to conduct EO 12333 spying on Americans within America.

Had Mitch had his way, after both USA F-ReDux and his 2-month straight reauthorization failed to get cloture, he would have asked for a week extension, during which the House would have been forced to come back to work and accept — under threat of “going dark” — some of the things demanded in Burr’s bill.

It didn’t work out.

Sure, both USA F-ReDux (57-42) and the short-term reauthorization (45-54) failed cloture votes.

But as it was, USA F-ReDux had far more support than the short-term reauthorization. Both McConnell and Rand Paul voted against both, for very different reasons. The difference in the vote results, however, was that Joe Donnelly (D), Jeff Flake (R), Ron Johnson (R), James Lankford (R), Bill Nelson (D), Tim Scott (R), and Dan Sullivan (R) voted yes to both. McConnell’s preferred option didn’t even get a majority of the vote, because he lost a chunk of his members.

Then McConnell played the hand he believed would give himself and Burr leverage. The plan — as I stated — was to get a very short term reauthorization passed and in that period force through changes with the House (never mind that permitting that to happen might have cost Boehner his Speakership, that’s what McConnell and Burr had in mind).

First, McConnell asked for unanimous consent to pass an extension to June 8. (h/t joanneleon for making the clip) But Paul, reminding that this country’s founders opposed General Warrants and demanding 2 majority vote amendments, objected. McConnell then asked for a June 5 extension, to which Ron Wyden objected. McConnell asked for an extension to June 3. Martin Heinrich objected. McConnell asked for an extension to June 2. Paul objected.

McConnell’s bid failed. And he ultimately scheduled the Senate to return on Sunday afternoon, May 31.

By far the most likely outcome at this point is that enough Senators — likely candidates are Mark Kirk, Angus King, John McCain, Joni Ernst, or Susan Collins — flip their vote on USA F-ReDux, which will then be rushed to President Obama just hours before Section 215 (and with it, Lone Wolf and Roving Wiretaps) expires on June 1. But even that (because of when McConnell scheduled it) probably requires Paul to agree to an immediate vote.

But if not, it won’t be the immediate end of the world.

On this issue, too, the reporting has been horrible, even to almost universal misrepresentation of what Jim Comey said about the importance of expiring provisions — I’ve laid out what he really said and what it means here. Comey cares first and foremost about the other Section 215 uses, almost surely the bulky Internet collection that moved there in 2009. But those orders, because they’re tied to existing investigations (of presumably more focused subject than the standing counterterrorism investigation to justify the phone dragnet), they will be grand-fathered at least until whatever expiration date they have hits, if not longer. So FBI will be anxious to restore that authority (or move it back to NSLs as Burr’s bill would do), especially since unlike the phone dragnet, there aren’t other ways to get the data. But there’s some time left to do that.

Comey also said the Roving Wiretap is critical. I’m guessing that’s because they use it to target things like Tor relays. But if that’s the primary secretly redefined function, they likely have learned enough about the Tor relays they’re parked on to get individual warrants. And here, too, the FBI likely won’t have to detask until expiration days on these FISA orders come due.

As for the phone dragnet and the Lone Wolf? Those are less urgent, according to Comey.

Now, that might help the Republicans who want to jam through some of Burr’s demands, since most moderate reformers assume the phone dragnet is the most important function that expires. Except that McConnell and others have spent so long pretending that this is about a phone dragnet that in truth doesn’t really work, that skittish Republicans are likely to want to appear to do all they can to keep the phone dragnet afloat.

As I said, the most likely outcome is that a number of people flip their vote and help pass USA F-ReDux.

But as with last night’s “debate,” no one really knows for sure.

USA F-ReDux Is Non-Exclusive, but the Second Circuit Might Be

/6 Comments/in , /by

I’m still trying to figure out WTF Mitch McConnell is doing with his Senate machinations over USA F-ReDux. Currently, he has both his short-term reauthorization and USA F-ReDux prepped for a vote, which probably means he’ll bring USA F-ReDux up for cloture or a vote, show that it doesn’t have enough support, and then use that to scaremonger the short-term reauthorization through as a way to wring more concessions out of the House.

Still, given what a dead-ender he is on a bill, USA F-ReDux, that gives the Intelligence Community so many goodies, I can’t help but wonder if there’s another explanation for his intransigence. I can think of one other possibility.

The House Judiciary Committee made it clear USA F-ReDux would be the exclusive means to obtain prospective Call Detail Records under Section 215:

This new mechanism is the only circumstance in which Congress contemplates the prospective, ongoing use of Section 501 of FISA in this manner.

But it made it equally clear it is not the exclusive means to obtain Call Detail Records. That’s because the report envisions conducting federated queries including “metadata [the government] already lawfully possess.”

The government may require the production of up to two ‘‘hops’’—i.e., the call detail records associated with the initial seed telephone number and call detail records (CDRs) associated with the CDRs identified in an initial ‘‘hop.’’ Subparagraph (F)(iii) provides that the government can obtain the first set of CDRs using the specific selection term approved by the FISC. In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses. Together, the CDRs produced by the phone companies and those identified independently by the government constitute the first ‘‘hop.’’

I suggested here that that other “lawfully possessed metadata” probably consisted of data collected under EO 12333 (and permissible for chaining on US persons under SPCMA) and PRISM metadata.

But maybe that’s not all it includes. Maybe, the government has devise a way by which AT&T (or some other backbone provider) will still provide phone records in bulk on a daily basis? Maybe — as Richard Burr claimed before he later unclaimed — the government secretly maintains an IP dragnet under some other authority?

If that was the plan (though keep in mind, USA F-ReDux passed the House after the Second Circuit decision), then the Second Circuit may have ruined that effort. The ruling should limit all collection under a “relevant to” standard, not just that conducted under Section 215. And, as Faiza Patel argued, the decision should also affect collection where the government has dodged Fourth Amendment issues by focusing on “searches” rather than “seizures.”

[A]s Jennifer Daskal explained last Friday, “collection matters.” The Second Circuit rejected the government’s contention that there was no cognizable injury until plaintiffs’ phone records were actually analyzed and reviewed. It ruled that collection is properly analyzed as “seizure,” which if unlawful constitutes a separate injury from the “search” that takes place when records are analyzed either by a human being or a computer.

As the Supreme Court has recognized, in Fourth Amendment cases the analysis of standing is intertwined with the merits question of whether there has been an invasion of a protected privacy interest. Thus, the Second Circuit’s position on collection could have serious implications for other government programs beyond the standing question.

I’ve already suggested the decision might create problems for the virgin birth DOJ secretly gave to EO 12333 data used in SPCMA.

But who knows what else it applies to?

After all, USA F-ReDux was written so as to allow other dragnets (which is what EO 12333 is, after all). But the Second Circuit may pose problems for such dragnets that USA F-ReDux did not.

Going back to Richard Burr’s odd colloquy — which his office’s excuses simply cannot rationally explain — I think it (very remotely) possible the government is dragnetting IP addresses (perhaps for cybersecurity rather than counterterrorism purposes), but worries it has lost authority to do so with the Second Circuit decision. If so, it might be using this fight over counterterrorism data collection to lay congressional support for broader dragnet collection, to be able to sustain whatever other dragnets it has in place.

USA F-ReDux: The Risks Ahead

/4 Comments/in /by

Sometime after 2 today, the House will pass USA F-ReDux by a large margin. Last night the Rules Committee rejected all amendments, including two (a version of the Massie-Lofgren amendment prohibiting back doors and a Kevin Yoder amendment that would improved ECPA protections) that have majority support in the House.

After the bill passes the House today it will go to the Senate where Mitch McConnell will have his way with it.

What happens in the Senate is anyone’s guess.

One reason no one knows what Mitch has planned is because most people haven’t figured out what Mitch really wants. I think there are 3 possibilities:

  • He actually wants USA F-ReDux with some tweaks (about which more below) and the threat of a straight reauthorization is just a tactic to push through those tweaks; this makes the most sense because USA F-ReDux actually gives the IC things they want and need that they don’t currently have
  • There is something the government is doing — a bulk IP program, for example — that Mitch and Burr plan to provide Congressional sanction for even while basically adopting USA F-ReDux as a limit on Section 215 (but not other authorities); the problem with this plan is that secret briefings like the Administration offered the Senate, but not the House, last night don’t seem to meet the terms of ratification described by the Second Circuit
  • The Second Circuit decision threatens another program, such as SPCMA (one basis for Internet chaining involving US persons right now), that the Senate believes it needs to authorize explicitly and that’s what the straight reauthorization is about
  • [Update] I’m reminded by Harley Geiger that Mitch might just be playing to let 215 sunset so he can create a panic that will let him push through a worse bill. That’s possible, but the last time such an atmosphere of panic reigned, after Congress failed to replace Protect American Act in 2008, it worked to reformers’ advantage, to the extent that any cosmetic reform can be claimed to be a win.

I think — though am not certain — that it’s the first bullet, though Burr’s so-called misstatement the other day makes me wonder. If so Mitch’s procedural move is likely to consist of starting with his straight reauthorization but permitting amendments, Patrick Leahy introducing USA F-ReDux as an amendment, Ron Wyden and Rand Paul unsuccessfully pushing some amendments to improve the bill, and Richard Burr adding tweaks to USA F-ReDux that will make it worse. After that, it’s not clear how the House will respond.

Which brings me to what I think Burr would want to add.

As I’ve said before, I think hawks in the Senate would like to have data mandates, rather than the data handshake that Dianne Feinstein keeps talking about. While last year bill supporters — including corporate backers — suggested that would kill the bill, I wonder whether everyone has grown inured to the idea of data retention, given that they’ve been silent about the data handshake since November.

I also suspect the IC would like to extend the CDR authority to non-terrorism functions, even including drug targets (because they probably were already using it as such).

The Senate may try to tweak the Specific Selection Term language to broaden it, but it’s already very very permissive.

I’m also wondering if the Senate will introduce language undermining the limiting language HJC put in its report.

Those are the predictable additions Burr might want. There are surely a slew more (and there will be very little time to review it to figure out the intent behind what they add).

The two big questions there are 1) are any of those things significant enough to get the House to kill it if and when it gets the bill back and 2) will the House get that chance at all?

Did the Second Circuit Decision ALSO Blow Up SPCMA?

/5 Comments/in , /by

In a post on last week’s Second Circuit opinion finding NSA’s Section 215 phone dragnet unlawful, Faiza Patel observed that the government may have problems with the court’s ruling that a seizure of metadata can constitute an injury. She points to DOD directive 5240.1-R as a rule that may be impacted.

Second, as Jennifer Daskal explained last Friday, “collection matters.” The Second Circuit rejected the government’s contention that there was no cognizable injury until plaintiffs’ phone records were actually analyzed and reviewed. It ruled that collection is properly analyzed as “seizure,” which if unlawful constitutes a separate injury from the “search” that takes place when records are analyzed either by a human being or a computer.

As the Supreme Court has recognized, in Fourth Amendment cases the analysis of standing is intertwined with the merits question of whether there has been an invasion of a protected privacy interest. Thus, the Second Circuit’s position on collection could have serious implications for other government programs beyond the standing question.

[snip]

Another set of programs for which “collection matters” are those conducted under Executive Order 12,333. Department of Defense directive 5240.1-R, which sets out procedures for intelligence activities that affect U.S. persons, states:

Information shall be considered as “collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties … Data acquired by electronic means is “collected” only when it has been processed into intelligible form. (Emphasis added.)

Although the directive does not explain what constitutes an “intelligible form” of electronic data, another regulation (USSID 18) states that information becomes “intelligible” and is therefore “collected” when a NSA analyst “intentional[ly] task[s] or select[s]” a communication of interest for “inclusion in a report or retention as a file record.” This is a critical distinction because protections for US persons under Executive Order 12,333, Presidential Policy Directive 28, and subsidiary regulations are triggered when information is “collected” per the government’s definition.

All the caveats about not being a lawyer, I think there’s a subset of practices under 5240.1-R that may be particularly acutely affected: SPCMA, the authority that the NSA uses to contact (and, presumably, connection) chain on US person metadata collected overseas.

As I pointed out here, OIPR (during a period when it was headed by current FBI General Counsel James Baker) originally informally advised that NSA had to stop chaining when it hit a US person. But then, a rather suspiciously short period after Baker left in 2007, Steven Bradbury and Ken Wainstein came up with a theory whereby such data did not count as an acquisition — because it had already been collected — and therefore could be chained through.

The fourth definition of electronic surveillance involves “the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication …. ” 50 U.S.C. § 1802(f)(2). “Wire communication” is, in turn, defined as “any communication while it is being carried by a wire, cable, or other like connection furnished or operated by any person engaged as a common carrier …. ” !d. § 1801 (1). The data that the NSA wishes to analyze already resides in its databases. The proposed analysis thus does not involve the acquisition of a communication “while it is being carried” by a connection furnished or operated by a common carrier. (S//SI)

[snip]

The current DOD procedures and their Classified Annex may be read to restrict NSA’s ability to conduct the desired communications metadata analysis, at least with respect to metadata associated with United States persons. In particular, this analysis may fall within the procedures’ definitions of, and thus restrictions on, the “interception” and “selection” of communications.

Accordingly, the Supplemental Procedures that would govern NSA’s analysis of communications metadata expressly state that the DOD Procedures and the Classified Annex do not apply to the analysis of communications metadata. Specifically, the Supplemental Procedures would clarify that “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communications, nor do they qualify as ‘us[ing] a selection term,’ including using a selection term ‘intended to intercept a communication on the basis of. .. [some] aspect of the content of the communication.” Once approved, the Supplemental Procedures will clarify that the communications metadata analysis the NSA wishes to conduct is not restricted by the DOD procedures and their Classified Annex. (S//SI)

As I’ve previously explained, it works out to a kind of virgin birth, all to avoid the actual seizure moment that would implicate EO 12333.

That virgin birth theory led to this paragraph in supplemental procedures that amend 5240.1-R to treat metadata analysis (it doesn’t say it here, but it means, of US persons) as something other than an interception.

S//SI) For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”

I’m not sure, but Gerard Lynch’s opinion may pose real problems for this virgin birth theory. And oh, by the way, a lot of this data leads to data ending up in FBI’s hands which would be overseen by … James Baker, who may have had a problem with this argument in the past, even without the Second Circuit decision.

All of which is one way of saying that, in addition to creating some pressure on Congress to pass USA F-ReDux, this bill may have (though I await actual lawyers to consider this question) created far, far larger problems for SPCMA, which is understood to have been one of the places where the old domestic Internet dragnet went to (which might explain why Richard Burr was talking about Internet dragnets on the floor of the Senate the other day).

If so, the government has a far bigger headache than just the one created for the domestic phone metadata program.

Richard Burr’s IP Dragnet Disappears into the Memory Hole

/6 Comments/in , /by

As I noted yesterday, Richard Burr gave a planned colloquy on the Senate floor yesterday in which he said bulk collection included IP addresses.

Now what’s bulk data? Bulk data is storing telephone numbers and IP addresses — we have no idea who they belong to — that are domestic. And the whole basis behind this program is that as a cell phone is picked up in Syria, and you look at the phone numbers that phone talked to, if there’s some in the United States we’d like to know that — at least law enforcement would like to know it — so that we can understand if there’s a threat against us here in the homeland or somewhere else in the world. So Section 215 allows the NSA to collect in bulk telephone numbers and IP addresses with no identifier on it. We couldn’t tell you who that American might be. [my emphasis]

Here’s a CSPAN clip of that discussion.

Curiously, here’s how that passage looks in the Congressional Record. (h/t Steven Aftergood)

What is bulk data? Bulk data is storing telephone numbers–we have no idea to whom they belong–that are foreign and domestic. The whole basis behind this program is that as a cell phone is picked up in Syria and we look at the phone numbers that phone talked to, if it is someone in the United States, we would like to know that–at least law enforcement would like to know it–so we can understand if there is a threat against us here in the homeland or somewhere else in the world.

Section 215 allows the NSA to collect, in bulk, telephone numbers with no identifier on them. We couldn’t tell you who that American might be. [my emphasis]

Note, the Congressional record also added “foreign” on to the description of telephone numbers collected. We know NSA collects IP addresses overseas, so it may be that’s what Burr was thinking about (or it may be in this doctored Congressional record, he added foreign because that would be unsurprising).

I called Burr’s office yesterday to ask about this, but have thus far gotten no response.

Edward Snowden Richard Burr Exposes IP Address Dragnet on Senate Floor

/12 Comments/in , /by

Update: As I show in this post, the transcription of Burr’s speech in the Congressional record removed the reference to IP addresses. 

Update: While Burr’s office did not respond to my request for comment, they did respond to Buzzfeed (which sadly didn’t ask the obvious follow-up questions). His office claims he misspoke, though apparently didn’t explain why he would confuse Section 215 and PRTT, why he would tie the Internet dragnet to phone calls, or why, if the current dragnet doesn’t collect Internet data but USA F-ReDux would, why that would not then be a welcome return for the Senator given his stated desire to track such collection. I have asked for comment again from Burr’s office on those questions. 

Since last summer, I have been emphasizing that the bulk of Section 215 orders collect Internet data, not phone records under the phone dragnet. I pointed to evidence that that production included data flows and noted FBI claims they use it to conduct hacking investigations.   But I have assumed that was primarily bulky collection, not bulk collection.

Not so. Earlier today, noted whistleblower Edward Snowden Senate Intelligence Chair Richard Burr revealed that there is also an IP address bulk collection program. (h/t Andrew Blake, after 2:15)

Now what’s bulk data? Bulk data is storing telephone numbers and IP addresses — we have no idea who they belong to — that are domestic. And the whole basis behind this program is that as a cell phone is picked up in Syria, and you look at the phone numbers that phone talked to, if there’s some in the United States we’d like to know that — at least law enforcement would like to know it — so that we can understand if there’s a threat against us here in the homeland [sic] or somewhere else in the world. So Section 215 allows the NSA to collect in bulk telephone numbers and IP addresses with no identifier on it. We couldn’t tell you who that American might be.

I thought when you leaked details like this it helped our enemies? I thought if you did such things you were a traitor, deserving of an orange jumpsuit at Gitmo?

Apparently not.

So it appears it’s the IP dragnet, and not the phone dragnet, that the Republicans are trying to save?

It’s a little late for that, though, given that the Second Circuit just ruled such dragnets illegal.

The Burr Family USE to Assassinate People in Light of Day

/16 Comments/in /by

At the end of a must-read article on how the people — whom it names — in charge of the CIA’s drone program are the same people who were in charge of the torture program, the NYT also reveals that Richard Burr joined Mike Rogers pressuring CIA to kill American citizen Mohanad Mahmoud Al Farekh — who recently got captured and charged in the US with material support for terrorism — be drone killed.

The Republican lawmakers, Senator Richard M. Burr of North Carolina and Representative Mike Rogers of Michigan, said during the closed sessions that the administration was being timid, and urged that [Mohanad Mahmoud Al] Farekh be hunted and killed.

Burr is, as he likes to point out, a relative of Aaron Burr, who killed Treasury Secretary Alexander Hamilton in a duel, a detail about which Burr reminded Treasury Secretary Jack Lew last year. It appears the Burr family no longer operates with the faux honor of dueling, but instead sits inside secret closets and demands CIA conduct assassination by remotely piloted drone.

And that’s why NYT’s decision to name names is so notable.

The C.I.A. asked that Mr. D’Andrea’s name and the names of some other top agency officials be withheld from this article, but The New York Times is publishing them because they have leadership roles in one of the government’s most significant paramilitary programs and their roles are known to foreign governments and many others.

The article names D’Andrea — the long-time head of CIA’s Counterterrorism Center, whom Gawker named last month but whom the WaPo continued to refer to under the pseudonym Roger last month, it named his replacement, Chris Wood, who has served in ALEC station and oversaw operations in Afghanistan and Pakistan, and it named the Operations Chief, Greg Vogel, who was Kabul Station Chief before leading the CIA’s paramilitary Special Activities Division.

These are the men who invite people like Rogers and Burr and Dianne Feinstein (who is a champion of D’Andrea) and their staffers to watch a monthly snuff film of drone operations and with it convince them that CIA should remain in charge of assassinations.

As the NYT notes in explaining why it was refusing to cede to John Brennan’s demand that the paper hide these identities, others know who they are. It’s just the public, those who pay their salaries and in whose name those assassinations are conducted, that didn’t know.

That, of course, prevents anyone — the family of Warren Weinstein, for example — from holding them to legal account.

But it also prevents us from holding Feinstein accountable when she shields the same people who oversaw the torture program she claims to abhor.

Perhaps the NYT’s decision to break the spell of false secrecy will demonstrate that these men’s identities were’t really secrets. They were rather just a vacuum of accountability.