Posts

The Dragnet Donald Trump Will Wield Is Not Just the Section 215 One

I’ve been eagerly anticipating the moment Rick Perlstein uses his historical work on Nixon to analyze Trump. Today, he doesn’t disappoint, calling Trump more paranoid than Nixon, warning of what Trump will do with the powerful surveillance machine laying ready for his use.

Revenge is a narcotic, and Trump of all people will be in need of a regular, ongoing fix. Ordering his people to abuse the surveillance state to harass and destroy his enemies will offer the quickest and most satisfying kick he can get. The tragedy, as James Madison could have told us, is that the good stuff is now lying around everywhere, just waiting for the next aspiring dictator to cop.

But along the way, Perlstein presents a bizarre picture of what happened to the Section 215 phone dragnet under Barack Obama.

That’s not to say that Obama hasn’t abused his powers: Just ask the journalists at the Associated Press whose phone records were subpoenaed by the Justice Department. But had he wanted to go further in spying on his enemies, there are few checks in place to stop him. In the very first ruling on the National Security Administration’s sweeping collection of “bulk metadata,” federal judge Richard Leon blasted the surveillance as downright Orwellian. “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary’ invasion than this collection and retention of personal data,” he ruled. “Surely, such a program infringes on ‘that degree of privacy’ that the founders enshrined in the Fourth Amendment.”

But the judge’s outrage did nothing to stop the surveillance: In 2015, an appeals court remanded the case back to district court, and the NSA’s massive surveillance apparatus—soon to be under the command of President Trump—remains fully operational. The potential of the system, as former NSA official William Binney has described it, is nothing short of “turnkey totalitarianism.”

There are several things wrong with this.

First, neither Richard Leon nor any other judge has reviewed the NSA’s “sweeping collection of ‘bulk metadata.'” What Leon reviewed — in Larry Klayman’s lawsuit challenging the collection of phone metadata authorized by Section 215 revealed by Edward Snowden — was just a small fraction of NSA’s dragnet. In 2013, the collection of phone metadata authorized by Section 215 collected domestic and international phone records from domestic producers, but even there, Verizon had found a way to exclude collection of its cell records.

But NSA collected phone records — indeed, many of the very same phone records, as they collected a great deal of international records — overseas as well. In addition, NSA collected a great deal of Internet metadata records, as well as financial and anything else records. Basically, anything the NSA can collect “overseas” (which is interpreted liberally) it does, and because of the way modern communications works, those records include a significant portion of the metadata of Americans’ everyday communications.

It is important for people to understand that the focus on Section 215 was an artificial creation, a limited hangout, an absolutely brilliant strategy (well done, Bob Litt, who has now moved off to retirement) to get activists to focus on one small part of the dragnet that had limitations anyway and NSA had already considered amending. It succeeded in pre-empting a discussion of just what the full dragnet entailed.

Assessments of whether Edward Snowden is a traitor or a saint always miss this, when they say they’d be happy if Snowden had just exposed the Section 215 program. Snowden didn’t want the focus to be on just that little corner of the dragnet. He wanted to expose the full dragnet, but Litt and others succeeded in pretending the Section 215 dragnet was the dragnet, and also pretending that Snowden’s other disclosures weren’t just as intrusive on Americans.

Anyway, another place where Perlstein is wrong is in suggesting there was just one Appeals Court decision. The far more important one is the authorized by Gerard Lynch in the Second Circuit, which ruled that Section 215 was not lawfully authorized. It was a far more modest decision, as it did not reach constitutional questions. But Lynch better understood that the principle involved more than phone records; what really scared him was the mixing of financial records with phone records, which is actually what the dragnet really is.

That ruling, on top of better understanding the import of dragnets, is important because it is one of the things that led to the passage of USA Freedom Act, a law that, contrary to Perlstein’s claim, did change the phone dragnet, both for good and ill.

The USA Freedom Act, by imposing limitations on how broadly dragnet orders (for communications but not for financial and other dragnets) can be targeted, adds a check at the beginning of the process. It means only people 2 degrees away from a terrorism suspect will be collected under this program (even while the NSA continues to collect in bulk under EO 12333). So the government will have in its possession far fewer phone records collected under Section 215 (but it will still suck in massive amounts of phone records via EO 12333, including massive amounts of Americans’ records).

All that said, Section 215 now draws from a larger collection of records. It now includes the Verizon cell records not included under the old Section 215 dragnet, as well as some universe of metadata records deemed to be fair game under a loose definition of “phone company.” At a minimum, it probably includes iMessage, WhatsApp, and Skype metadata, but I would bet the government is trying to get Signal and other messaging metadata (note, Signal metadata cannot be collected retroactively; it’s unclear whether it can be collected with standing daily prospective orders). This means the Section 215 collection will be more effective in finding all the people who are 2 degrees from a target (because it will include any communications that exist solely in Verizon cell or iMessage networks, as well as whatever other metadata they’re collecting). But it also means far more innocent people will be impacted.

To understand why that’s important, it’s important to understand what purpose all this metadata collection serves.

It was never the case that the collection of metadata, however intrusive, was the end goal of the process. Sure, identifying someone’s communications shows when you’ve been to an abortion clinic or when you’re conducting an affair.

But the dragnet (the one that includes limited Section 215 collection and EO 12333 collection limited only by technology, not law) actually serves two other primary purposes.

The first is to enable the creation of dossiers with the click of a few keys. Because the NSA is sitting on so much metadata — not just phone records, but Internet, financial, travel, location, and other data — it can put together a snapshot of your life as soon as they begin to correlate all the identifiers that make up your identity. One advantage of the new kind of collection under USAF, I suspect, is it will draw from the more certain correlations you give to your communications providers, rather than relying more heavily on algorithmic analysis of bulk data. Facebook knows with certainty what email address and phone number tie to your Facebook account, whereas the NSA’s algorithms only guess that with (this is an educated guess) ~95+% accuracy.

This creation of dossiers is the same kind of analysis Facebook does, but instead of selling you plane tickets the goal is government scrutiny of your life.

The Section 215 orders long included explicit permission to subject identifiers found via 2-degree collection to all the analytical tools of the NSA. That means, for any person — complicit or innocent — identified via Section 215, the NSA can start to glue together the pieces of dossier it already has in its possession. While not an exact analogue, you might think of collection under Section 215 as a nomination to be on the equivalent of J Edgar Hoover’s old subversives list. Only, poor J Edgar mostly kept his list on index cards. Now, the list of those the government wants to have a network analysis and dossier on is kept in massive server farms and compiled using supercomputers.

Note, the Section 215 collection is still limited to terrorism suspects — that was an important win in the USA Freedom fight — but the EO 12333 collection, with whatever limits on nominating US persons, is not. Plus, it will be trivial for Trump to expand the definition of terrorist; the groundwork is already being laid to do so with Black Lives Matter.

The other purpose of the dragnet is to identify which content the NSA will invest the time and energy into reading. Most content collected is not read in real time. But Americans’ communications with a terrorism suspect will probably be, because of the concern that those Americans might be plotting a domestic plot. The same is almost certainly true of, say, Chinese-Americans conversing with scientists in China, because of a concern they might be trading US secrets. Likewise it is almost certainly true of Iranian-Americans talking with government officials, because of a concern they might be dealing in nuclear dual use items. The choice to prioritize Americans makes sense from a national security perspective, but it also means certain kinds of people — Muslim immigrants, Chinese-Americans, Iranian-Americans — will be far more likely to have their communications read without a warrant than whitebread America, even if those whitebread Americans have ties to (say) NeoNazi groups.

Of course, none of this undermines Perlstein’s ultimate categorization, as voiced by Bill Binney, who created this system only to see the privacy protections he believed necessary get wiped away: the dragnet — both that authorized by USAF and that governed by EO 12333 — creates the structure for turnkey totalitarianism, especially as more and more data becomes available to NSA under EO 12333 collection rules.

But it is important to understand Obama’s history with this dragnet. Because while Obama did tweak the dragnet, two facts about it remain. First, while there are more protections built in on the domestic collection authorized by Section 215, that came with an expansion of the universe of people that will be affected by it, which must have the effect of “nominating” more people to be on this late day “Subversives” list.

Obama also, in PPD-28, “limited” bulk collection to a series of purposes. That sounds nice, but the purposes are so broad, they would permit bulk collection in any area of the world, and once you’ve collected in bulk, it is trivial to then call up that data under a more broad foreign intelligence purpose. In any case, Trump will almost certainly disavow PPD-28.

Which makes Perlstein’s larger point all the more sobering. J Edgar and Richard Nixon were out of control. But the dragnet Trump will inherit is far more powerful.

Guy Who Worked at White House When It Self-Authorized Dragnet Thinks Dragnets Are Cool

Eleven judges from the DC Circuit denied Larry Klayman’s request to overturn the stay that a panel put on Richard Leon’s injunction against the dragnet today.

Of those 11 judges, just one decided to weigh in on the legality of the dragnet Leon had ruled unconstitutional: Brett Kavanaugh. In doing so, he laid out a condensed version of the Special Needs search used by dragnet boosters.

I vote to deny plaintiffs’ emergency petition for rehearing en banc. I do so because, in my view, the Government’s metadata collection program is entirely consistent with the Fourth Amendment. Therefore, plaintiffs cannot show a likelihood of success on the merits of their claim, and this Court was right to stay the District Court’s injunction against the Government’s program.

[snip]

Even if the bulk collection of telephony metadata constitutes a search, cf. United States v. Jones, 132 S. Ct. 945, 954-57 (2012) (Sotomayor, J., concurring), the Fourth Amendment does not bar all searches and seizures. It bars only unreasonable searches and seizures. And the Government’s metadata collection program readily qualifies as reasonable under the Supreme Court’s case law. The Fourth Amendment allows governmental searches and seizures without individualized suspicion when the Government demonstrates a sufficient “special need” – that is, a need beyond the normal need for law enforcement – that outweighs the intrusion on individual liberty.

[snip]

The Government’s program for bulk collection of telephony metadata serves a critically important special need – preventing terrorist attacks on the United States. See THE 9/11 COMMISSION REPORT (2004). In my view, that critical national security need outweighs the impact on privacy occasioned by this program.

Kavanaugh, of course, served as a White House lawyer and as Staff Secretary during the period when George Bush kept self-authorizing such a dragnet. While there’s no reason to believe he was involved in the dubious theories used to justify Stellar Wind (which were largely a version of this Special Needs argument), he may well have been consulted — as he apparently was on detainee treatment, though he claimed not to have been during his confirmation. He may also have seen the paperwork authorizing the program.

No doubt Kavanaugh would espouse this view whether or not he had worked for a guy who might face real legal trouble if this theory didn’t hold sway. But as people cite from this language in the future, they should remember that of all the judges who reviewed this decision, only Kavanaugh had this kind of personal tie to the dragnet. And only Kavanaugh saw fit to weigh in.

The Government’s Bad Faith Arguments Demanding a Dragnet Stay

As expected, the government requested an immediate stay of Richard Leon’s decision yesterday to enjoin the dragnet from collecting JJ Little’s phone records.

Their argument is noteworthy for its stubbornness — reasserting many of the same arguments Leon just ruled against — and logical inconsistency. The brief claims, for example, that termination of the dragnet would cause the government irreparable harm, even while suggesting that it’s possible they’ve stopped collecting data from Verizon Business Network Services, which they’ve just claimed would cause irreparable harm.

But the brief also argues that the only way to comply with the injunction is to shut down the entire dragnet.

As the Government Defendants have explained, however, the only practicable way for the NSA to comply with the Court’s preliminary injunction is immediately to cease all collection and queries of telephony metadata under the Section 215 program—that is, to shut the program down. That is so because the technical steps required in order to prevent the further collection of and to segregate the metadata associated with particular persons’ calls would take the NSA months to complete. Gov’t Defs.’ Opp. to Pls.’ Renewed Mot. for a Prelim. Inj. (ECF No. 150) (“Gov’t PI Opp.”) at 41-44, citing Potter Decl. (Gov’t PI Opp. Exh. 4) ¶¶ 20-27.

That’s not actually what the Potter declaration the discussion cites to says. Potter says there is a way to make Little’s records inaccessible — though it claims implausibly that it would take two weeks to accomplish.

With respect to a requirement that the NSA cease analytic access to any records about plaintiffs’ calls that may already have been collected under the Program, NSA has developed a process that can be used to prevent analytic access to metadata containing specified identifiers. This capability prevents the use of particular identifiers to conduct queries, and prevents analysts from accessing records containing those identifiers even if responsive to queries using different identifiers. NSA technical personnel estimate that eliminating analytic access to metadata associated with plaintiffs’ calls could be completed within approximately 2 weeks after receipt of the plaintiffs’ telephone numbers and the time-frames during which they were used.

This is the defeat list process I’ve discussed repeatedly, by which high volume numbers (like Verizon’s voice mail number and pizza joints) and other sensitive numbers (likely including Congress’ official numbers as well as informants) are made inaccessible to querying.

Consider me skeptical that it really takes 2 weeks to put something on a defeat list, as not doing so makes queries unusable. If it took 2 weeks, then the dragnet would frequently return crap for 2 weeks as techs tried to stay ahead of the defeat list numbers.

There’s one more thing that yesterday’s brief and the underlying declaration make clear though: The government is collecting records off telecom backbones, not off any billing system (contrary to what some reports still claim).

That’s true because the only way that the government wouldn’t be sure that Little’s records were collected under an order to VBNS is if they weren’t getting actual subscribers information. Moreover, Little’s records still show up on AT&T’s compliance, too (anytime his calls transit their backbone, not to mention any time he calls someone who uses AT&T).

That, of course, means that Larry Klayman and everyone else in the United States has standing if the Fourth Amendment injury comes with collection — because everyone’s records transit the major telecom backbones of the country. But the government has been claiming all this time they can’t be sure that’s the case.

The government will get their stay, and they will moot this decision (if not overturn it) at the end of the month. But not before engaging in some serious bad faith in claims to the court.

Richard Leon Halts the Dragnet for One Plaintiff

Judge Richard Leon has just issued an injunction on the NSA’s collection of the phone metadata of J.J. Little and his lawfirm. Little got added as a plaintiff to Larry Klayman’s suit (in which Leon earlier found the program unconstitutional but stayed his own injunction) so as to have a Verizon Business Services customer who could be certain his phone records had been collected.

The order will undoubtedly set off a bit of a scramble, not because pulling Little’s phone records really presents any difficulty for the NSA (they already defeat list so many records it’s clear they have the ability to at least make those records inaccessible to a search, though they don’t want to explain the full application of that process; hopefully this ruling will lead to more candor on this point). Rather, the NSA will want to ensure this program has constitutional sanction because it also collects so many other records of Americans (in his book, for example, Charlie Savage confirmed my earlier analysis that the Internet dragnet moved, in part, overseas rather than being shut down). And the DC Circuit is likely to respond to quickly override Leon.

That said, Leon’s order is most interesting for its analysis of the government’s claim it can carry out this program because of a Special Need. In it, he repeats efficacy arguments he made in his earlier ruling: rather than present any new evidence that the program has been useful, it has instead just said the threat environment requires it. But he also notes that this special need, unlike that of, say, a TSA check, does not have a deterrence effect. That’s interesting because the government’s own secrecy about how many calls are collected would make any deterrence uncertain (indeed, terrorists might be expected to move communications to the Internet, believing falsely that attracts less attention).

As I said, the DC Circuit is likely to overturn this. But it will give the government a few days of headaches until that point.

Delusional DOJ Claims Documents Declassified, Released Under FOIA Not Declassified, Not Authentic

Screen Shot 2015-08-28 at 11.22.34 AM
Back in March, NYT’s Charlie Savage sued to get the NSA to respond to a FOIA request asking for “copies of — and declassification review of, as necessary” a bunch of things, including IG reports on “bulk phone records collection activities under Section 215 of the PATRIOT Act.”

In late August, they delivered an installment of their response to that suit to him including a series of IG Reports on the 215 program. Among other things, the FOIA response included an August 2, 2010 letter to FISC Judge John Bates referring to a compliance violation in Docket BR 10-10 (the order is dated February 26, 2010). In referring to the caption of that docket (and the caption redactions in other dockets are consistent in size), it named Verizon Wireless.

As I pointed out at the time, this provides Larry Klayman and other Verizon Wireless subscribers challenging the phone dragnet basis to establish standing to sue. While in the Klayman suit, Judge Richard Leon invited Klayman just to add a plaintiff who subscribed to Verizon Business Services, in Northern CA, EFF requested the 9th Circuit take judicial notice of the document.

So now DOJ has gone a bit batshit. (Josh Gerstein first reported on this here.) It mocks that EFF head Cindy Cohn “apparently believes” it fair to conclude Verizon Wireless took part in the phone dragnet because of a reference to “a company name that includes the term ‘Verizon Wireless’ in the caption of a purported FISC filing” that happens to govern the entire phone dragnet. It suggests the accuracy of the document DOJ gave to Savage can be reasonably questioned, apparently disputing its own FOIA response to Savage. And it bitches that EFF “does not contend that this document was declassified,” even though it was given to Savage pursuant to his request for “declassification review [] as necessary.”

In short, in an effort to argue the document doesn’t say what it says (which may, I admit, not mean what it says, but such is the wackiness of the secret FISA Court and the secret phone dragnet), DOJ is saying that DOJ didn’t provide Charlie Savage authentic, declassified documents like he sued to get. DOJ uses words like “purported” to describe DOJ’s own FOIA response.

I mean, I’ll grant you, those of us outside DOJ often doubt the accuracy of their FOIA responses to us. But usually DOJ at least pretends they’re giving us authentic documents.

DOJ Threatens to Invoke State Secrets Over Something Released in FOIA

Screen Shot 2015-08-28 at 11.22.34 AM
In a hearing today, Judge Richard Leon said that Larry Klayman could pursue his dragnet challenge by adding a plaintiff who did business with Verizon Business Services. But as part of Klayman’s effort, he noted — weakly — that evidence got released showing Verizon Wireless was included in the dragnet. Klayman cited just the Charlie Savage article, not the document released under FOIA showing VZ Wireless on a FISC caption (though I presume his underlying 49 page exhibit includes the actual report — just not necessarily with the passage in question highlighted).

It was disclosed on August 12, 2015 by Charlie Savage of The New York Times that Verizon Wireless, as this Court had already ruled in its Order of December 16, 2013, at all material times was conducting and continuing to conduct unconstitutional and illegal dragnet “almost Orwellian” surveillance on Plaintiffs and millions of other American citizens. See Exhibit 1, which is a Government document evidencing this, incorporated herein by reference, and see Exhibit 2, the New York Times article.

Moreover, Klayman surely overstated what the inclusion of VZ Wireless in a phone dragnet Primary Order caption from 2010 showed. Which probably explains why DOJ said “The government has not admitted in any way, shape, or form that Verizon Wireless participated” in the Section 215 phone dragnet, according to Devlin Barrett.

The point is, they should have to explain why it is that, according to a document they’ve released, VZ Wireless was targeted under the program. Perhaps we’ll get that in Northern California, where EFF very competently pointed to what evidence there was.

Which is why the government’s threat to invoke state secrets was so interesting.

The Court should avoid discovery or other proceedings that would unnecessarily implicate classified national-security information, and the potential need to assert and resolve a claim of the state secrets privilege: Plaintiffs’ proposed amendments, in particular their new allegations regarding the asserted participation of Verizon Wireless in the Section 215 program, implicate matters of a classified nature. The Government has acknowledged that the program involves collection of data from multiple telecommunications service providers, and that VBNS (allegedly the Little Plaintiffs’ provider) was the recipient of a now-expired April 25, 2013, FISC Secondary Order. But otherwise the identities of the carriers participating in the program, now, or at any other time, remain classified for reasons of national security. See Klayman, 2015 WL 5058403, at *6 (Williams, S.J.).

At this time the Government Defendants do not believe that it would be necessary to assert the state secrets privilege to respond to a motion by Plaintiffs for expedited injunctive relief that is based on the allegations of the Little Plaintiffs, or even the proposed new allegations (and exhibit) regarding Verizon Wireless. Nor should it be necessary to permit discovery into matters that would risk or require the disclosure of classified national-security information and thus precipitate the need to assert the state secrets privilege. Nevertheless, if Plaintiffs were permitted to seek discovery on the question of whether Verizon Wireless is now or ever has been a participating provider in the Section 215 program, the discovery sought could call for the disclosure of classified national-security information, in which case the Government would have to consider whether to assert the state secrets privilege over that information.

As the Supreme Court has advised, the state secrets privilege “is not to be lightly invoked.” United States v. Reynolds, 345 U.S. 1, 7 (1953). “To invoke the . . . privilege, a formal claim of privilege must be lodged by the head of the department which has control over the matter after actual personal consideration by that officer.” Id. at 7-8. To defend an assertion of the privilege in court also requires the personal approval of the Attorney General. Policies and Procedures Governing Invocation of the State Secrets Privilege at 1-3, http://www.justice.gov/opa/documents/state-secret-privileges.pdf. The Government should not be forced to make so important a decision as whether or not to assert the state secrets privilege in circumstances where the challenged program is winding down and will end in a matter of weeks. Moreover, discovery into national-security information should be unnecessary to the extent the standing of the newly added Little Plaintiffs, and the appropriateness of injunctive relief, may be litigated without resort to such information.

If, however, discovery into national-security information is permitted, the Government must be allowed sufficient time to give the decision whether to assert the state secrets privilege the serious consideration it requires. And if a decision to assert the privilege is made, the Government must also be given adequate time to prepare the senior-level declarations and other materials needed to support the claim of privilege, to ensure that the national security interests at stake are appropriately protected. See, e.g., Mohamed v. Jeppesen Dataplan, Inc., 614 F.3d 1070, 1077, 1090 (9th Cir. 2009).

I think it’s quite possible that VZW was not turning over phone records under the Section 215 program in 2010 (which is quite another matter than suggesting NSA was not obtaining a great deal, if not most, of VZW phone records generally). I believe it quite likely NSA obtained some VZW records under Section 215 during the 2010 period.

But I also believe explaining the distinctions between those issues would be very illuminating.

Meanwhile, the threat of stalling, with all the attendant rigamarole, served to scare Leon — he wants this to move quickly as badly as Klayman does. After all, Leon will have much less ability to issue a ruling that will stand after November 28, when the current dragnet dies.

We shall see what happens in CA when DOJ attempts to make a similar argument.

Government Recently Released Information Proving Larry Klayman Has Standing

Screen Shot 2015-08-28 at 11.22.34 AM

As I noted, the DC Circuit Court reversed Judge Richard Leon’s injunction against the phone dragnet. The judges disagreed on whether Larry Klayman had standing — because he is a Verizon Wireless but not Verizon landline subscriber, which had been the only thing confirmed by the government. All agreed he had not shown he had the high certainty of standing required to uphold an injunction against the program. But the per curium opinion did agree that the case has not been mooted, because by immediately restarting the bulk program after the passage of USA F-ReDux, the government showed that the harm could recur.

That’s important, because information proving that Klayman does have standing has recently been released in an official (albeit probably inadvertent) release.

Part of the IG Reports on the phone dragnet Charlie Savage obtained by suing shows that — at least in 2010 — the Primary Order for the phone dragnet went to AT&T, Sprint, Verizon’s subsidiaries (the former MCI part of Verizon’s business, which I believe is its backbone), and “Cellco Partnership d/b/a Verizon Wireless.”

I’ll say more about what I think this really means in a later post — and why I think the suit against bulk surveillance needs to be, and can be, tweaked somewhat to ensure standing.

But for the moment, know that for at least one 90 day period in 2010, Verizon Wireless as well as Verizon’s landline was ordered to turn over phone records.

The Section 215 Rap Sheet

Marco Rubio, who is running for President as an authoritarian, claims that “There is not a single documented case of abuse of this program.”

He’s not alone. One after another defender of the dragnet make such claims. FBI witnesses who were asked specifically about abuses in 2011 claimed FBI did not know of any abuses (even though FBI Director Robert Mueller had had to justify FBI’s use of the program to get it turned back on after abuses discovered in 2009).

Comment — Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

A — To the FBI’s knowledge, those authorities have not been abused.

Though Section 215 boosters tend to get sort of squishy on their vocabulary, changing language about whether this was illegal, unconstitutional, or abusive.

Here’s what we actually know about the abuses, illegality, and unconstitutionality of Section 215, both the phone dragnet program and Section 215 more generally.

Judges

First, here’s what judges have said about the program:

1) The phone dragnet has been reapproved around 41 times by at least 17 different FISC judges

The government points to this detail as justification for the program. It’s worth noting, however, that FISC didn’t get around to writing an opinion assessing the program legally until 10 judges and 34 orders in.  Since Snowden exposed the program, the FISC appears to have made a concerted effort to have new judges sign off on each new opinion.

2) Three Article III courts have upheld the program:

Judges William Pauley and Lynn Winmill upheld the constitutionality of the program (but did not asses the legality of it); though Pauley was reversed on statutory, not constitutional grounds. Judge Jeffrey Miller upheld the use of Section 215 evidence against Basaaly Moalin on constitutional grounds.

3) One Article III court — Judge Richard Leon in Klayman v. Obama — found the program unconstitutional.

4) The Second Circuit (along with PCLOB, including retired Circuit Court judge Patricia Wald, though they’re not a court), found the program not authorized by statute.

The latter decision, of course, is thus far the binding one. And the 2nd Circuit has suggested that if it has to consider the program on constitution grounds, it might well find it unconstitutional as well.

Statutory abuses

1) As DOJ’s IG confirmed yesterday, for most of the life of the phone dragnet (September 2006 through November 2013), the FBI flouted a mandate imposed by Congress in 2006 to adopt Section 215-specific minimization procedures that would give Americans additional protections under the provision (note–this affects all Section 215 programs, not just the phone dragnet). While, after a few years, FISC started imposing its own minimization procedures and reporting requirements (and rejected proposed minimization procedures in 2010), it nevertheless kept approving Section 215 orders.

In other words, in addition to being illegal (per the 2nd Circuit), the program also violated this part of the law for 7 years.

2) Along with all the violations of minimization procedures imposed by FISC discovered in 2009, the NSA admitted that it had been tracking roughly 3,000 presumed US persons against data collected under Section 215 without first certifying that they weren’t targeted on the basis of First Amendment protected activities, as required by the statute.

Between 24 May 2006 and 2 February 2009, NSA Homeland Mission Coordinators (HMCs) or their predecessors concluded that approximately 3,000 domestic telephone identifiers reported to Intelligence Community agencies satisfied the RAS standard and could be used as seed identifiers. However, at the time these domestic telephone identifiers were designated as RAS-approved, NSA’s OGC had not reviewed and approved their use as “seeds” as required by the Court’s Orders. NSA remedied this compliance incident by re-designating all such telephone identifiers as non RAS-approved for use as seed identifiers in early February 2009. NSA verified that although some of the 3,000 domestic identifiers generated alerts as a result of the Telephony Activity Detection Process discussed above, none of those alerts resulted in reports to Intelligence Community agencies.

NSA did not fix this problem by reviewing the basis for their targeting; instead, it simply moved these US person identifiers back onto the EO 12333 only list.

While we don’t have the background explanation, in the last year, FISC reiterated that the government must give First Amendment review before targeting people under Emergency Provisions. If so, that would reflect the second time where close FISC review led the government to admit it wasn’t doing proper First Amendment reviews, which may reflect a more systematic problem. That would not be surprising, since the government has already been chipping away at that First Amendment review via specific orders.

Minimization procedure abuses

1) The best known abuses of minimization procedures imposed by the FISC were disclosed to the FISC in 2009. The main item disclosed involved the fact that NSA had been abusing the term “archive” to create a pre-archive search against identifiers not approved for search. While NSA claimed this problem arose because no one person knew what the requirements were, in point of fact, NSA’s Inspector General warned that this alert function should be disclosed to FISC, and it was a function from the Stellar Wind program that NSA simply did not turn off when FISC set new requirements when it rubber-stamped the program.

But there were a slew of other violations of FISC-imposed minimization procedures disclosed at that time, almost all arising because NSA treated 215 data just like it treats EO 12333, in spite of FISC’s clear requirements that such data be treated with additional protections. That includes making query results available to CIA and FBI, the use of automatic search functions, and including querying on any “correlated” identifiers. These violations, in sum, are very instructive for the USA F-ReDux debate because NSA has never managed to turn these automated processes back on since, and one thing they presumably hope to gain out of moving data to the providers is to better automate the process.

2) A potentially far more egregious abuse of minimization procedures was discovered (and disclosed) in 2012, when NSA discovered that raw data NSA’s techs were using over 3,000 files of phone dragnet data on their technical server past the destruction date.

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

But rather than investigate this violation — rather than clarify how much data this entailed, whether it had been mingled with Stellar Wind data, whether any other violations had occurred — NSA destroyed the data.

In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit. The technical server in question was not available to intelligence analysts.

From everything we’ve seen the tech and research functions are not audited, not even when they’re playing with raw data (which is, I guess, why SysAdmin Edward Snowden could walk away with so many records). So not only does this violation show that tech access to raw data falls outside of the compliance mechanisms laid out in minimization procedures (in part, with explicit permission), but that NSA doesn’t try very hard to track down very significant violations that happen.

Overall sloppiness

Finally, while sloppiness on applications is not a legal violation, it does raise concerns about production under the statute. The IG Report reviewed just six case files which used Section 215 orders. Although the section is heavily redacted, there are reasons to be significantly concerned about four of those.

  • An application made using expedited approval that made a material misstatement about where FBI obtained a tip about the content of a phone call. The FBI agent involved “is no longer with the FBI.” The target was prosecuted for unlawful disclosure of nuke information, but the Section 215 evidence was not introduced into trial and therefore he did not have an opportunity to challenge any illegal investigative methods.
  • A 2009 application involving significant minimization concerns and for which FBI rolled out a “investigative value” exception for access limits on Section 215 databases. This also may involve FBI’s secret definition of US person, which I suspect pertains to treating IP addresses as non-US persons until they know it is a US person (this is akin to what they do under 702 MPs). DOJ’s minimization report to FISC included inaccuracies not fixed until June 13, 2013.
  • A 2009 application for a preliminary investigation that obtained medical and education records from the target’s employer. FBI ultimately determined the target “had no nexus to terrorism,” though it appears FBI kept all information on the target (meaning he will have records at FBI for 30 years). The FBI’s minimization report included an error not fixed until June 13, 2013, after the IG pointed it out.
  • A cyber-investigation for which the case agent could not locate the original production, which he claims was never placed in the case file.

And that’s just what can be discerned from the unredacted bits.

Remember, too: the inaccuracies (as opposed to the material misstatement) were on minimization procedures. Which suggests FBI was either deceitful — or inattentive — to how it was complying with FISC-mandated minimization procedures designed to protect innocent Americans’ privacy.

And remember — all this is just Section 215. The legal violations under PRTT were far more egregious, and there are other known violations and misstatements to FISC on other programs.

This is a troubling program, one that several judges have found either unconstitutional or illegal.

 

How the Second Circuit, FISC, and the Telecoms Might Respond to McConnell’s USA F-ReDux Gambit

Update: Jennifer Granick (who unlike me, is a lawyer) says telecoms will be subject to suit if they continue to comply with dragnet orders. 

Any company that breaches confidentiality except as required by law is liable for damages and attorneys’ fees under 47 U.S.C. 206. And there is a private right of action under 47 U.S.C. 207.

Note that there’s no good faith exception in the statute, no immunity for acting pursuant to court order. Rather, the company is liable unless it was required by law to disclose. So Verizon could face a FISC 215 dragnet order on one side and an order from the Southern District of New York enjoining the dragnet on the other. Is Verizon required by law to disclose in those circumstances? If not, the company could be liable. And did I mention the statute provides for attorneys’ fees?

Everything is different now than it was last week. Reauthorization won’t protect the telecoms from civil liability. It won’t enable the dragnet. As of last Thursday, the dragnet is dead, unless a phone company decides to put its shareholders’ money on the line to maintain its relationships with the intelligence community.

Last night, Mitch McConnell introduced a bill for a 2-month straight reauthorization of the expiring PATRIOT provisions as well as USA F-ReDux under a rule that bypasses Committee structure, meaning he will be able to bring that long-term straight reauthorization, that short term one, or USA F-ReDux to the floor next week.

Given that a short term reauthorization would present a scenario not envisioned in Gerard Lynch’s opinion ruling the Section 215 dragnet unlawful, it has elicited a lot of discussion about how the Second Circuit, FISC, and the telecoms might respond in case of a short term reauthorization. But these discussions are almost entirely divorced from some evidence at hand. So I’m going to lay out what we know about both past telecom and FISA Court behavior.

Because of the details I lay out below, I predict that so long as Congress looks like it is moving towards an alternative, both the telecoms and the FISC will continue the phone dragnet in the short term, and the Second Circuit won’t weigh in either.

The phone dragnet will continue for another six months even under USA F-ReDux

As I pointed out here, even if USA F-ReDux passed tomorrow, the phone dragnet would continue for another 6 months. That’s because the bill gives the government 180 days — two dragnet periods — to set up the new system.

(a) IN GENERAL.—The amendments made by sections 101 through 103 shall take effect on the date that is 180 days after the date of the enactment of this Act.

(b) RULE OF CONSTRUCTION.—Nothing in this Act shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 24 1861 et seq.) as in effect prior to the effective date described in subsection (a) during the period ending on such effective date.

The Second Circuit took note of USA F-ReDux specifically in its order, so it would be hard to argue that it doesn’t agree Congress has the authority to provide time to put an alternative in place. Which probably means (even though I oppose Mitch’s short-term reauth in most scenarios) that the Second Circuit isn’t going to balk — short of the ACLU making a big stink — at a short term reauth for the purported purpose of better crafting a bill that reflects the intent of Congress. (Though the Second Circuit likely won’t look all that kindly on Mitch’s secret hearing the other day, which violates the standards of debate the Second Circuit laid out.)

Heck, the Second Circuit waited 8 months — and one failed reform effort — to lay out its concerns about the phone dragnet’s legality that were, in large part, fully formed opinions at least September’s hearing. The Second Circuit wants Congress to deal with this and they’re probably okay with Congress taking a few more months to do so.

FISC has already asked for briefing on any reauthorization

A number of commentators have also suggested that the Administration could just use the grandfather clause in the existing sunset to continue collection or might blow off the Appeals Court decision entirely.

But the FISC is not sitting dumbly by, oblivious to the debate before Congress and the Courts. As I laid out here, in his February dragnet order, James Boasberg required timely briefing from the government in each of 3 scenarios:

  • A ruling from an Appellate Court
  • Passage of USA F-ReDux introduces new issues of law that must be considered
  • A plan to continue production under the grandfather clause

And to be clear, the FISC has not issued such an order in any of the publicly released dragnet orders leading up to past reauthorizations, not even in advance of the 2009-2010 reauthorizations, which happened at a much more fraught time from the FISC’s perspective (because FISC had had to closely monitor the phone dragnet production for 6 months and actually shut down the Internet dragnet in fall 2009). The FISC clearly regards this PATRIOT sunset different than past ones and plans to at least make a show of considering the legal implications of it deliberately.

FISC does take notice of other courts

Of course, all that raises questions about whether FISC feels bound by the Second Circuit decision — because, of course, it has its very own appellate court (FISCR) which would be where any binding precedent would come from.

There was an interesting conversation on that topic last week between (in part) Office of Director of National Intelligence General Counsel Bob Litt and ACLU’s Patrick Toomey (who was part of the team that won the Second Circuit decision). That conversation largely concluded that FISC would probably not be bound by the Second Circuit, but Litt’s boss, James Clapper (one of the defendants in the suit) would be if the Second Circuit ever issued an injunction.

Sunlight Foundation’s Sean Vitka: Bob, I have like a jurisdictional question that I honestly don’t know the answer to. The Court of Appeals for the Second Circuit. They say that this is unlawful. Obviously there’s the opportunity to appeal to the Supreme Court. But, the FISA Court of Review is also an Appeals Court. Does the FISC have to listen to that opinion if it stands?

Bob Litt: Um, I’m probably not the right person to ask that. I think the answer is no. I don’t think the Second Circuit Court of Appeals has direct authority over the FISA Court. I don’t think it’s any different than a District Court in Idaho wouldn’t have to listen to the Second Circuit’s opinion. It would be something they would take into account. But I don’t think it’s binding upon them.

Vitka: Is there — Does that change at all given that the harms that the Second Circuit acknowledged are felt in that jurisdiction?

Litt: Again, I’m not an expert in appellate jurisdiction. I don’t think that’s relevant to the question of whether the Second Circuit has binding authority over a court that is not within the Second Circuit. I don’t know Patrick if you have a different view on that?

Third Way’s Mieke Eoyang: But the injunction would be, right? If they got to a point where they issued an injunction that would be binding…

Litt: It wouldn’t be binding on the FISA Court. It would be binding on the persons who received the —

Eoyong: On the program itself.

Patrick Toomey: The defendants in the case are the agency officials. And so an injunction issued by the Second Circuit would be directed at those officials.

But there is reason to believe — even beyond FISC’s request for briefing on this topic — that FISC will take notice of the Second Circuit’s decision, if not abide by any injunction it eventually issues.

That’s because, twice before, it has even taken notice of magistrate judge decisions.

The first known example came in the weeks before the March 2006 reauthorization of the PATRIOT Act would go into effect. During 2005, several magistrate judges had ruled that the government could not add a 2703(d) order to a pen register to obtain prospective cell site data along with other phone data. By all appearances, the government was doing the same with the equivalent FISA orders (this application of a “combined” Business Record and Pen Register order is redacted in the 2008 DOJ IG Report on Section 215, but contextually it’s fairly clear this is close to what happened). Those magistrate decisions became a problem when, in 2005, Congress limited Section 215 order production to that which could be obtained with a grand jury subpoena. Effectively, the magistrates had said you couldn’t get prospective cell site location with just a subpoena, which therefore would limit whether FBI could get cell site location with a Section 215 order.

While it is clear that FISC required briefing on this point, it’s not entirely clear what FISC’s response was. For a variety of reasons, it appears FISC stopped these combined application sometime in 2006 — the reauthorization went into effect in March 2006 — though not immediately (which suggests, in the interim, DOJ just found a new shell to put its location data collection under).

The other time FISC took notice of magistrate opinions pertained to Post Cut Through Dialed Digits (those are the things like pin and extension numbers you dial after your call or Internet connection has been established). From 2006 through 2009, some of the same magistrates ruled the government must set its pen register collection to avoid collecting PCTDD. By that point, FISC appears to have already ruled the government could collect that data, but would have to deal with it through minimization. But the FISC appears to have twice required the government to explain whether and how its minimization of PCTDD did not constitute the collection of content, though it appears that in each case, FISC permitted the government to go on collecting PCTDD under FISA pen registers. (Note, this is another ruling that may be affected by the Second Circuit’s focus on the seizure, not access, of data.)

In other words, even on issues not treating FISC decisions specifically, the FISC has historically taken notice of decisions made in courts that have no jurisdiction over its decisions (and in one case, FISC appears to have limited government production as a result). So it would be a pretty remarkable deviation from that past practice for FISC to completely blow off the Second Circuit decision, even if it may not feel bound by it.

Verizon responds to court orders, but in half-assed fashion

Finally, there’s the question of how the telecoms will react to the Second Circuit decision. And even there, we have some basis for prediction.

In January 2014, after receiving the Secondary Order issued in the wake of Judge Richard Leon’s decision in Klayman v. Obama that the dragnet was unconstitutional, Verizon made a somewhat half-assed challenge to the order.

Leon issued his decision December 16. Verizon did not ask the FISC for guidance (which makes sense because they are only permitted to challenge orders).

Verizon got a new Secondary Order after the January 3 reauthorization. It did not immediately challenge the order.

It only got around to doing so on January 22 (interestingly, a few days after ODNI exposed Verizon’s role in the phone dragnet a second time), and didn’t do several things — like asking for a hearing or challenging the legality of the dragnet under 50 USC 1861 as applied — that might reflect real concern about anything but the public appearance of legality. (Note, that timing is of particular interest, given that the very next day, on January 23, PCLOB would issue its report finding the dragnet did not adhere to Section 215 generally.)

Indeed, this challenge might not have generated a separate opinion if the government weren’t so boneheaded about secrecy.

Verizon’s petition is less a challenge of the program than an inquiry whether the FISC has considered Leon’s opinion.

It may well be the case that this Court, in issuing the January 3,2014 production order, has already considered and rejected the analysis contained in the Memorandum Order. [redacted] has not been provided with the Court’s underlying legal analysis, however, nor [redacted] been allowed access to such analysis previously, and the order [redacted] does not refer to any consideration given to Judge Leon’s Memorandum Opinion. In light of Judge Leon’s Opinion, it is appropriate [redacted] inquire directly of the Court into the legal basis for the January 3, 2014 production order,

As it turns out, Judge Thomas Hogan (who will take over the thankless presiding judge position from Reggie Walton next month) did consider Leon’s opinion in his January 3 order, as he noted in a footnote.

Screen Shot 2014-04-28 at 10.49.42 AM

And that’s about all the government said in its response to the petition (see paragraph 3): that Hogan considered it so the FISC should just affirm it.

Verizon didn’t know that Hogan had considered the opinion, of course, because it never gets Primary Orders (as it makes clear in its petition) and so is not permitted to know the legal logic behind the dragnet unless it asks nicely, which is all this amounted to at first.

Ultimately, Verizon asked to see proof that FISC had considered Leon’s decision. But it did not do any of the things people think might happen here — it did not immediately cease production, it did not itself challenge the legality of the dragnet, and it did not even ask for a hearing.

Verizon just wanted to make sure it was covered; it did not, apparently, show much concern about continued participation in it.

And this is somewhat consistent with the request for more information Sprint made in 2009.

So that’s what Verizon would do if it received another Secondary Order in the next few weeks. Until such time as the Second Circuit issues an injunction, I suspect Verizon would likely continue producing records, even though it might ask to see evidence that FISC had considered the Second Circuit ruling before issuing any new orders.

Will Verizon Challenge the Government’s Fishy Dragnet?

Tim Edgar has a fascinating post on how the SCOTUS decision in Yates v US — in which a guy busted for throwing away undersized fish was let off because those fish do not constitute a tangible object under the law — might have repercussions for the phone dragnet.

The Supreme Court let Yates off the hook.  Five justices agreed that a fish is not a tangible object.  At first blush, this seems a bit implausible.  Justice Kagan certainly thought so.  Her eloquent dissent cites Dr. Seuss’s One Fish Two Fish Red Fish Blue Fish – for a time, my favorite book – as authority that fish are, indeed, tangible objects.  I expect it is the first use of any book by Dr. Seuss as legal authority in an opinion of the Supreme Court, and I must say that I found it squarely on point, if not ultimately persuasive.

Justice Ginsburg’s opinion for the plurality explains that fish are not tangible objects because “in law as in life . . . the same words, placed in different contexts, sometimes mean different things.”

[snip]

Surprisingly, Yates has real implications for national security surveillance.   The NSA’s bulk collection of telephone records is based on section 215 of the Patriot Act, which amended the business records provision of the Foreign Intelligence Surveillance Act (FISA).  That provision is titled “Access to certain business records for foreign intelligence and international terrorism investigations.”  It allows the government to obtain an order from the FISA court “requiring the production of any tangible things(including books, records, papers, documents, and other items)” in national security investigations.

Does this literally mean “any tangible things,” or is this just a catch-all ensuring that  all types of business records are covered?  While the provision is very broad even if limited to business records or data, until Yates it might have meant literally anything at all.  For example, it might be tempting for the government to use it to obtain, in national security investigations, the kind of physical items that would otherwise have required a physical search order.  As a FISA business records order requires only relevance, and not probable cause, that would be a dangerous loophole.  Yates closes it.

Perhaps more to the point, Yates also weakens the government’s bulk collection theory for telephone records.  While Yates is interpreting a different statute, the logic is clear: the words “any tangible things” should not be read literally.  Instead, they must be read in context, taking account of the words immediately surrounding it, the title of the section, the structure of the law, and its purpose.  Read in this way, it is clear that “tangible things” should not be read to encompass things far afield from the sorts of business records that Congress expected would be sought in national security investigations.

[snip]

Bulk collection is qualitatively, not just quantitatively, different from the sorts of requests for records, documents, or other “tangible things” ordinarily made by government both in law enforcement and intelligence investigations. 

Steve Vladeck made a similar observation on Twitter earlier today, so Edgar is not the only one raising this question.

As it happens, today is dragnet renewal day. Which not only means that some FISC judge will reapprove the dragnet, but that providers will get new Secondary Orders. And — as happened in January 2014, when Verizon challenged an order based on Richard Leon’s decision in Klayman v. Obama — that presents the providers with an opportunity to challenge the order based on new legal developments.

And it’s not just Verizon that has a new opportunity to challenge the government’s fishy dragnets.

I’ve long suspected that the government has, in limited fashion, used Section 215 to obtain DNA material (they have databases of DNA from Gitmo detainees, for example, and I can imagine that they’d love to obtain DNA samples where they exist).

More interestingly, we’ve been talking about the government’s use of Section 215 to obtain Internet data, probably in hacking investigations. If, as a number of people suspect, they’re using it to get data flow records, that may be deemed even further away from common definitions of “tangible things.” And the Internet companies are riled up.

So let’s have it, providers! Some challenges to the fishy dragnet!

Update: In the post announcing the reauthorization (yesterday, actually) of the dragnet, I Con the Record noted that this one expires on June 1. I suppose that’s designed to add pressure on the reauthorization fight.  I think that works out to be a 95 day dragnet.