Posts

How the Second Circuit, FISC, and the Telecoms Might Respond to McConnell’s USA F-ReDux Gambit

/5 Comments/in /by

Update: Jennifer Granick (who unlike me, is a lawyer) says telecoms will be subject to suit if they continue to comply with dragnet orders. 

Any company that breaches confidentiality except as required by law is liable for damages and attorneys’ fees under 47 U.S.C. 206. And there is a private right of action under 47 U.S.C. 207.

Note that there’s no good faith exception in the statute, no immunity for acting pursuant to court order. Rather, the company is liable unless it was required by law to disclose. So Verizon could face a FISC 215 dragnet order on one side and an order from the Southern District of New York enjoining the dragnet on the other. Is Verizon required by law to disclose in those circumstances? If not, the company could be liable. And did I mention the statute provides for attorneys’ fees?

Everything is different now than it was last week. Reauthorization won’t protect the telecoms from civil liability. It won’t enable the dragnet. As of last Thursday, the dragnet is dead, unless a phone company decides to put its shareholders’ money on the line to maintain its relationships with the intelligence community.

Last night, Mitch McConnell introduced a bill for a 2-month straight reauthorization of the expiring PATRIOT provisions as well as USA F-ReDux under a rule that bypasses Committee structure, meaning he will be able to bring that long-term straight reauthorization, that short term one, or USA F-ReDux to the floor next week.

Given that a short term reauthorization would present a scenario not envisioned in Gerard Lynch’s opinion ruling the Section 215 dragnet unlawful, it has elicited a lot of discussion about how the Second Circuit, FISC, and the telecoms might respond in case of a short term reauthorization. But these discussions are almost entirely divorced from some evidence at hand. So I’m going to lay out what we know about both past telecom and FISA Court behavior.

Because of the details I lay out below, I predict that so long as Congress looks like it is moving towards an alternative, both the telecoms and the FISC will continue the phone dragnet in the short term, and the Second Circuit won’t weigh in either.

The phone dragnet will continue for another six months even under USA F-ReDux

As I pointed out here, even if USA F-ReDux passed tomorrow, the phone dragnet would continue for another 6 months. That’s because the bill gives the government 180 days — two dragnet periods — to set up the new system.

(a) IN GENERAL.—The amendments made by sections 101 through 103 shall take effect on the date that is 180 days after the date of the enactment of this Act.

(b) RULE OF CONSTRUCTION.—Nothing in this Act shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 24 1861 et seq.) as in effect prior to the effective date described in subsection (a) during the period ending on such effective date.

The Second Circuit took note of USA F-ReDux specifically in its order, so it would be hard to argue that it doesn’t agree Congress has the authority to provide time to put an alternative in place. Which probably means (even though I oppose Mitch’s short-term reauth in most scenarios) that the Second Circuit isn’t going to balk — short of the ACLU making a big stink — at a short term reauth for the purported purpose of better crafting a bill that reflects the intent of Congress. (Though the Second Circuit likely won’t look all that kindly on Mitch’s secret hearing the other day, which violates the standards of debate the Second Circuit laid out.)

Heck, the Second Circuit waited 8 months — and one failed reform effort — to lay out its concerns about the phone dragnet’s legality that were, in large part, fully formed opinions at least September’s hearing. The Second Circuit wants Congress to deal with this and they’re probably okay with Congress taking a few more months to do so.

FISC has already asked for briefing on any reauthorization

A number of commentators have also suggested that the Administration could just use the grandfather clause in the existing sunset to continue collection or might blow off the Appeals Court decision entirely.

But the FISC is not sitting dumbly by, oblivious to the debate before Congress and the Courts. As I laid out here, in his February dragnet order, James Boasberg required timely briefing from the government in each of 3 scenarios:

  • A ruling from an Appellate Court
  • Passage of USA F-ReDux introduces new issues of law that must be considered
  • A plan to continue production under the grandfather clause

And to be clear, the FISC has not issued such an order in any of the publicly released dragnet orders leading up to past reauthorizations, not even in advance of the 2009-2010 reauthorizations, which happened at a much more fraught time from the FISC’s perspective (because FISC had had to closely monitor the phone dragnet production for 6 months and actually shut down the Internet dragnet in fall 2009). The FISC clearly regards this PATRIOT sunset different than past ones and plans to at least make a show of considering the legal implications of it deliberately.

FISC does take notice of other courts

Of course, all that raises questions about whether FISC feels bound by the Second Circuit decision — because, of course, it has its very own appellate court (FISCR) which would be where any binding precedent would come from.

There was an interesting conversation on that topic last week between (in part) Office of Director of National Intelligence General Counsel Bob Litt and ACLU’s Patrick Toomey (who was part of the team that won the Second Circuit decision). That conversation largely concluded that FISC would probably not be bound by the Second Circuit, but Litt’s boss, James Clapper (one of the defendants in the suit) would be if the Second Circuit ever issued an injunction.

Sunlight Foundation’s Sean Vitka: Bob, I have like a jurisdictional question that I honestly don’t know the answer to. The Court of Appeals for the Second Circuit. They say that this is unlawful. Obviously there’s the opportunity to appeal to the Supreme Court. But, the FISA Court of Review is also an Appeals Court. Does the FISC have to listen to that opinion if it stands?

Bob Litt: Um, I’m probably not the right person to ask that. I think the answer is no. I don’t think the Second Circuit Court of Appeals has direct authority over the FISA Court. I don’t think it’s any different than a District Court in Idaho wouldn’t have to listen to the Second Circuit’s opinion. It would be something they would take into account. But I don’t think it’s binding upon them.

Vitka: Is there — Does that change at all given that the harms that the Second Circuit acknowledged are felt in that jurisdiction?

Litt: Again, I’m not an expert in appellate jurisdiction. I don’t think that’s relevant to the question of whether the Second Circuit has binding authority over a court that is not within the Second Circuit. I don’t know Patrick if you have a different view on that?

Third Way’s Mieke Eoyang: But the injunction would be, right? If they got to a point where they issued an injunction that would be binding…

Litt: It wouldn’t be binding on the FISA Court. It would be binding on the persons who received the —

Eoyong: On the program itself.

Patrick Toomey: The defendants in the case are the agency officials. And so an injunction issued by the Second Circuit would be directed at those officials.

But there is reason to believe — even beyond FISC’s request for briefing on this topic — that FISC will take notice of the Second Circuit’s decision, if not abide by any injunction it eventually issues.

That’s because, twice before, it has even taken notice of magistrate judge decisions.

The first known example came in the weeks before the March 2006 reauthorization of the PATRIOT Act would go into effect. During 2005, several magistrate judges had ruled that the government could not add a 2703(d) order to a pen register to obtain prospective cell site data along with other phone data. By all appearances, the government was doing the same with the equivalent FISA orders (this application of a “combined” Business Record and Pen Register order is redacted in the 2008 DOJ IG Report on Section 215, but contextually it’s fairly clear this is close to what happened). Those magistrate decisions became a problem when, in 2005, Congress limited Section 215 order production to that which could be obtained with a grand jury subpoena. Effectively, the magistrates had said you couldn’t get prospective cell site location with just a subpoena, which therefore would limit whether FBI could get cell site location with a Section 215 order.

While it is clear that FISC required briefing on this point, it’s not entirely clear what FISC’s response was. For a variety of reasons, it appears FISC stopped these combined application sometime in 2006 — the reauthorization went into effect in March 2006 — though not immediately (which suggests, in the interim, DOJ just found a new shell to put its location data collection under).

The other time FISC took notice of magistrate opinions pertained to Post Cut Through Dialed Digits (those are the things like pin and extension numbers you dial after your call or Internet connection has been established). From 2006 through 2009, some of the same magistrates ruled the government must set its pen register collection to avoid collecting PCTDD. By that point, FISC appears to have already ruled the government could collect that data, but would have to deal with it through minimization. But the FISC appears to have twice required the government to explain whether and how its minimization of PCTDD did not constitute the collection of content, though it appears that in each case, FISC permitted the government to go on collecting PCTDD under FISA pen registers. (Note, this is another ruling that may be affected by the Second Circuit’s focus on the seizure, not access, of data.)

In other words, even on issues not treating FISC decisions specifically, the FISC has historically taken notice of decisions made in courts that have no jurisdiction over its decisions (and in one case, FISC appears to have limited government production as a result). So it would be a pretty remarkable deviation from that past practice for FISC to completely blow off the Second Circuit decision, even if it may not feel bound by it.

Verizon responds to court orders, but in half-assed fashion

Finally, there’s the question of how the telecoms will react to the Second Circuit decision. And even there, we have some basis for prediction.

In January 2014, after receiving the Secondary Order issued in the wake of Judge Richard Leon’s decision in Klayman v. Obama that the dragnet was unconstitutional, Verizon made a somewhat half-assed challenge to the order.

Leon issued his decision December 16. Verizon did not ask the FISC for guidance (which makes sense because they are only permitted to challenge orders).

Verizon got a new Secondary Order after the January 3 reauthorization. It did not immediately challenge the order.

It only got around to doing so on January 22 (interestingly, a few days after ODNI exposed Verizon’s role in the phone dragnet a second time), and didn’t do several things — like asking for a hearing or challenging the legality of the dragnet under 50 USC 1861 as applied — that might reflect real concern about anything but the public appearance of legality. (Note, that timing is of particular interest, given that the very next day, on January 23, PCLOB would issue its report finding the dragnet did not adhere to Section 215 generally.)

Indeed, this challenge might not have generated a separate opinion if the government weren’t so boneheaded about secrecy.

Verizon’s petition is less a challenge of the program than an inquiry whether the FISC has considered Leon’s opinion.

It may well be the case that this Court, in issuing the January 3,2014 production order, has already considered and rejected the analysis contained in the Memorandum Order. [redacted] has not been provided with the Court’s underlying legal analysis, however, nor [redacted] been allowed access to such analysis previously, and the order [redacted] does not refer to any consideration given to Judge Leon’s Memorandum Opinion. In light of Judge Leon’s Opinion, it is appropriate [redacted] inquire directly of the Court into the legal basis for the January 3, 2014 production order,

As it turns out, Judge Thomas Hogan (who will take over the thankless presiding judge position from Reggie Walton next month) did consider Leon’s opinion in his January 3 order, as he noted in a footnote.

Screen Shot 2014-04-28 at 10.49.42 AM

And that’s about all the government said in its response to the petition (see paragraph 3): that Hogan considered it so the FISC should just affirm it.

Verizon didn’t know that Hogan had considered the opinion, of course, because it never gets Primary Orders (as it makes clear in its petition) and so is not permitted to know the legal logic behind the dragnet unless it asks nicely, which is all this amounted to at first.

Ultimately, Verizon asked to see proof that FISC had considered Leon’s decision. But it did not do any of the things people think might happen here — it did not immediately cease production, it did not itself challenge the legality of the dragnet, and it did not even ask for a hearing.

Verizon just wanted to make sure it was covered; it did not, apparently, show much concern about continued participation in it.

And this is somewhat consistent with the request for more information Sprint made in 2009.

So that’s what Verizon would do if it received another Secondary Order in the next few weeks. Until such time as the Second Circuit issues an injunction, I suspect Verizon would likely continue producing records, even though it might ask to see evidence that FISC had considered the Second Circuit ruling before issuing any new orders.

Will Verizon Challenge the Government’s Fishy Dragnet?

/9 Comments/in /by

Tim Edgar has a fascinating post on how the SCOTUS decision in Yates v US — in which a guy busted for throwing away undersized fish was let off because those fish do not constitute a tangible object under the law — might have repercussions for the phone dragnet.

The Supreme Court let Yates off the hook.  Five justices agreed that a fish is not a tangible object.  At first blush, this seems a bit implausible.  Justice Kagan certainly thought so.  Her eloquent dissent cites Dr. Seuss’s One Fish Two Fish Red Fish Blue Fish – for a time, my favorite book – as authority that fish are, indeed, tangible objects.  I expect it is the first use of any book by Dr. Seuss as legal authority in an opinion of the Supreme Court, and I must say that I found it squarely on point, if not ultimately persuasive.

Justice Ginsburg’s opinion for the plurality explains that fish are not tangible objects because “in law as in life . . . the same words, placed in different contexts, sometimes mean different things.”

[snip]

Surprisingly, Yates has real implications for national security surveillance.   The NSA’s bulk collection of telephone records is based on section 215 of the Patriot Act, which amended the business records provision of the Foreign Intelligence Surveillance Act (FISA).  That provision is titled “Access to certain business records for foreign intelligence and international terrorism investigations.”  It allows the government to obtain an order from the FISA court “requiring the production of any tangible things(including books, records, papers, documents, and other items)” in national security investigations.

Does this literally mean “any tangible things,” or is this just a catch-all ensuring that  all types of business records are covered?  While the provision is very broad even if limited to business records or data, until Yates it might have meant literally anything at all.  For example, it might be tempting for the government to use it to obtain, in national security investigations, the kind of physical items that would otherwise have required a physical search order.  As a FISA business records order requires only relevance, and not probable cause, that would be a dangerous loophole.  Yates closes it.

Perhaps more to the point, Yates also weakens the government’s bulk collection theory for telephone records.  While Yates is interpreting a different statute, the logic is clear: the words “any tangible things” should not be read literally.  Instead, they must be read in context, taking account of the words immediately surrounding it, the title of the section, the structure of the law, and its purpose.  Read in this way, it is clear that “tangible things” should not be read to encompass things far afield from the sorts of business records that Congress expected would be sought in national security investigations.

[snip]

Bulk collection is qualitatively, not just quantitatively, different from the sorts of requests for records, documents, or other “tangible things” ordinarily made by government both in law enforcement and intelligence investigations. 

Steve Vladeck made a similar observation on Twitter earlier today, so Edgar is not the only one raising this question.

As it happens, today is dragnet renewal day. Which not only means that some FISC judge will reapprove the dragnet, but that providers will get new Secondary Orders. And — as happened in January 2014, when Verizon challenged an order based on Richard Leon’s decision in Klayman v. Obama — that presents the providers with an opportunity to challenge the order based on new legal developments.

And it’s not just Verizon that has a new opportunity to challenge the government’s fishy dragnets.

I’ve long suspected that the government has, in limited fashion, used Section 215 to obtain DNA material (they have databases of DNA from Gitmo detainees, for example, and I can imagine that they’d love to obtain DNA samples where they exist).

More interestingly, we’ve been talking about the government’s use of Section 215 to obtain Internet data, probably in hacking investigations. If, as a number of people suspect, they’re using it to get data flow records, that may be deemed even further away from common definitions of “tangible things.” And the Internet companies are riled up.

So let’s have it, providers! Some challenges to the fishy dragnet!

Update: In the post announcing the reauthorization (yesterday, actually) of the dragnet, I Con the Record noted that this one expires on June 1. I suppose that’s designed to add pressure on the reauthorization fight.  I think that works out to be a 95 day dragnet.

The Verizon Publicity Stunt, Mosaic Theory, and Collective Fourth Amendment Rights

/19 Comments/in , /by

On Friday, I Con the Record revealed that a telecom — Ellen Nakashima confirms it was Verizon — asked the FISA Court to make sure its January 3 order authorizing the phone dragnet had considered Judge Richard Leon’s December 16 decision that it was unconstitutional. On March 20, Judge Rosemary Collyer issued an opinion upholding the program.

Rosemary Collyer’s plea for help

Ultimately, in an opinion that is less shitty than FISC’s previous attempts to make this argument, Collyer examines the US v. Jones decision at length and holds that Smith v. Maryland remains controlling, mostly because no majority has overturned it and SCOTUS has provided no real guidance as to how one might do so. (Her analysis raises some of the nuances I laid out here.)

The section of her opinion rejecting the “mosaic theory” that argues the cumulative effect of otherwise legal surveillance may constitute a search almost reads like a cry for help, for guidance in the face of the obvious fact that the dragnet is excessive and the precedent that says it remains legal.

A threshold question is which standard should govern; as discussed above, the court of appeals’ decision in Maynard and two concurrences in Jones suggest three different standards. See Kerr, “The Mosaic Theory of the Fourth Amendment,” 111 Mich. L. Rev. at 329. Another question is how to group Government actions in assessing whether the aggregate conduct constitutes a search.See id. For example, “[w]hich surveillance methods prompt a mosaic approach? Should courts group across surveillance methods? If so, how? Id. Still another question is how to analyze the reasonableness of mosaic searches, which “do not fit an obvious doctrinal box for determining reasonableness.” Id. Courts adopting a mosaic theory would also have to determine whether, and to what extent, the exclusionary rule applies: Does it “extend over all the mosaic or only the surveillance that crossed the line to trigger a search?”

[snip]

Any such overhaul of Fourth Amendment law is for the Supreme Court, rather than this Court, to initiate. While the concurring opinions in Jones may signal that some or even most of the Justices are ready to revisit certain settled Fourth Amendment principles, the decision in Jones itself breaks no new ground concerning the third-party disclosure doctrine generally or Smith specifically. The concurring opinions notwithstanding, Jones simply cannot be read as inviting the lower courts to rewrite Fourth Amendment law in this area.

As I read these passages, I imagined that Collyer was trying to do more than 1) point to how many problems overruling the dragnet would cause and 2) uphold the dignity of the rubber stamp FISC and its 36+ previous decisions the phone dragnet is legal.

There is reason to believe she knows what we don’t, at least not officially: that even within the scope of the phone dragnet, the dragnet is part of more comprehensive mosaic surveillance, because it correlates across platforms and identities. And all that’s before you consider how, once dumped into the corporate store and exposed to NSA’s “full range of analytic tradecraft,” innocent Americans might be fingerprinted to include our lifestyles.

That is, not only doesn’t Collyer see a way (because of legal boundary concerns about the dragnet generally, and possibly because of institutional concerns about FISC) to rule the dragnet illegal, but I suspect she sees the reverberations that such a ruling would have on the NSA’s larger project, which very much is about building mosaics of intelligence.

No wonder the government is keeping that August 20, 2008 opinion secret, if it indeed discusses the correlations function in the dragnet, because it may well affect whether the dragnet gets assessed as part of the mosaic NSA uses it as.

Verizon’s flaccid but public legal complaint

Now, you might think such language in Collyer’s opinion would invite Verizon to appeal this decision. But given this lukewarm effort, it seems unlikely to do so. Consider the following details:

Leon issued his decision December 16. Verizon did not ask the FISC for guidance (which makes sense because they are only permitted to challenge orders).

Verizon got a new Secondary Order after the January 3 reauthorization. It did not immediately challenge the order.

It only got around to doing so on January 22 (interestingly, a few days after ODNI exposed Verizon’s role in the phone dragnet a second time), and didn’t do several things — like asking for a hearing or challenging the legality of the dragnet under 50 USC 1861 as applied — that might reflect real concern about anything but the public appearance of legality. (Note, that timing is of particular interest, given that the very next day, on January 23, PCLOB would issue its report finding the dragnet did not adhere to Section 215 generally.)

Indeed, this challenge might not have generated a separate opinion if the government weren’t so boneheaded about secrecy.

Verizon’s petition is less a challenge of the program than an inquiry whether the FISC has considered Leon’s opinion.

It may well be the case that this Court, in issuing the January 3,2014 production order, has already considered and rejected the analysis contained in the Memorandum Order. [redacted] has not been provided with the Court’s underlying legal analysis, however, nor [redacted] been allowed access to such analysis previously, and the order [redacted] does not refer to any consideration given to Judge Leon’s Memorandum Opinion. In light of Judge Leon’s Opinion, it is appropriate [redacted] inquire directly of the Court into the legal basis for the January 3, 2014 production order,

As it turns out, Judge Thomas Hogan (who will take over the thankless presiding judge position from Reggie Walton next month) did consider Leon’s opinion in his January 3 order, as he noted in a footnote.

Screen Shot 2014-04-28 at 10.49.42 AM

And that’s about all the government said in its response to the petition (see paragraph 3): that Hogan considered it so the FISC should just affirm it.

Verizon didn’t know that Hogan had considered the opinion, of course, because it never gets Primary Orders (as it makes clear in its petition) and so is not permitted to know the legal logic behind the dragnet unless it asks nicely, which is all this amounted to at first.

Note that the government issued its response (as set by Collyer’s scheduling order) on February 12, the same day it released Hogan’s order and its own successful motion to amend it. So ultimately this headache arose, in part, because of the secrecy with which it treats even its most important corporate spying partners, which only learn about these legal arguments on the same schedule as the rest of us peons.

Yet in spite of the government’s effort to dismiss the issue by referencing Hogan’s footnote, Collyer said because Verizon submitted a petition, “the undersigned Judge must consider the issue anew.” Whether or not she was really required to or could have just pointed to the footnote that had been made public, I don’t know. But that is how we got this new opinion.

Finally, note that Collyer made the decision to unseal this opinion on her own. Just as interesting, while neither side objected to doing so, Verizon specifically suggested the opinion could be released with no redactions, meaning its name would appear unredacted.

The government contends that certain information in these Court records (most notably, Petitioner’s identity as the recipient of the challenged production order) is classified and should remain redacted in versions of the documents that are released to the public. See Gov’t Mem. at 1. Petitioner, on the other hand, “request[s] no redactions should the Court decide to unseal and publish the specified documents.” Pet. Mem. at 5. Petitioner states that its petition “is based entirely on an assessment of [its] own equities” and not on “the potential national security effects of publication,” which it “is in no position to evaluate.” Id.

I’ll return to this. But understand that Verizon wanted this opinion — as well as its own request for it — public.

Read more

NSA’s Latest Claim: It Only Gets 30% of “Substantially All” the Hay in the Haystack

/10 Comments/in , /by

SIGINT and 215In December 2007, the FBI began intercepting MOALIN’s cell phone.

FBI search warrant affidavit seeking (among other things) additional cell phones, October 29, 2010

Yesterday, Siobhan Gorman reported that NSA’s “phone-data program” collects 20% or less of the phone data in the US. She explains that the program doesn’t collect cell phone data, and so has covered a decreasing percentage of US calls over the last several years.

The National Security Agency’s phone-data program, which has been at the center of controversy over the NSA’s surveillance operations, collects information from about 20% or less of all U.S. calls—much less than previously described by lawmakers.

The program had been described as collecting records on virtually every phone call placed in the U.S., but in fact, it doesn’t cover records for most cellphones, the fastest-growing sector in telephony and an area where the agency has struggled to keep pace, according to several people familiar with the program.

Ellen Nakashima’s report places the percentage between 20 and 30%, echoing Gorman’s claim about limits on cell data.

The actual percentage of records gathered is somewhere between 20 and 30 percent and reflects Americans’ increasing turn away from the use of land lines to cellphones. Officials also have faced technical challenges in preparing the NSA database to handle large amounts of new records without taking in data such as cell tower locations that are not authorized for collection.

[snip]

The bulk collection began largely as a land-line program, focusing on carriers such as AT&T and Verizon Business Network Services. At least two large wireless companies are not covered — Verizon Wireless and T-Mobile U.S., which was first reported by the Wall Street Journal.

Industry officials have speculated that partial foreign ownership has made the NSA reluctant to issue orders to those carriers. But U.S. officials said that was not a reason.

“They’re doing business in the United States; they’re required to comply with U.S. law,” said one senior U.S. official. “A court order is a court order.”

Rather, the official said, the drop in collection stems from several factors.

Apart from the decline in land-line use, the agency has struggled to prepare its database to handle vast amounts of cellphone data, current and former officials say. For instance, cellphone records may contain geolocation data, which the NSA is not permitted to receive.

These reports offer a more credible explanation than Geoffrey Stone’s multiple claims to this effect about why the program misses data. So they may be true.

But I think they instead point to the legal range of authorities NSA uses to collect phone records, not to what records they actually have in their possession.

These reports are commenting (though without specifying, or even seeming to be aware they need to specify) on what the government claims it collects under Section 215. These reports are not commenting on what NSA collects under all authorities.

In this post I will show why I believe these reports to be credible only in a very narrow sense. In a follow-up post I will point to the legal issues that underlie the Administration’s conflicting claims about what it collects.

Read more

NSA’s Bid for a 6 Month Delay in Protecting Larry Klayman’s Phone Records

/9 Comments/in , /by

The White House has announced they’re going to release the recommendations of the Committee to Make You Love the Dragnet today. Given that the report recommends putting the dragnet into someone else’s hands, I suspect the White House changed plans (It was going to release the report in mid-January) as a way to stave off the Klayman and other suits.

Given that we expect that recommendation — and that the government claims it’d take years to effect — I want to point to a claim that NSA Director of Signals Intelligence Division Theresa Shea made in her declaration in the Klayman suit. She claimed it would be an onerous process to take Larry Klayman’s call records out of the dragnet.

Beyond harming national security and the Government’s counterterrorism capabilities, plaintiffs’ proposed preliminary injunction would seriously burden the Government. While plaintiffs seek an order barring the Government from collecting metadata reflecting their calls, the Government does not know plaintiffs’ phone numbers, and would need plaintiffs to identify all numbers they use to even attempt to implement such an injunction. Ironically, as explained above, these numbers are not currently visible to NSA intelligence analysts unless they are within a three hopes of a call chain of a number that based on RAS is associated with a foreign terrorist organization.

Even if plaintiffs’ phone numbers were available, extraordinarily burdensome technical and logistical hurdles to compliance with a preliminary injunction order would remain. Technical experts would have to develop a solution such as removing the numbers from the system upon receipt of each batch of metadata or developing a capability whereby plaintiffs’ numbers would be received by NSA but would not be visible in response to an authorized query. To identify, design, build, and test the best implementation solution would potentially require the creation of new full-time positions and could take six months or more to implement. Once implemented, any potential solution could undermine the results of any authorized query of a phone number that based on RAS is associated with one of the identified foreign terrorist organizations by eliminating, or cutting off potential call chains. If this Court were to grant a preliminary injunction and the defendants were to later prevail on the merits of this litigation, it could prove extremely difficult to develop a solution to reinsert any quarantined records and would likely take considerable resources and several months to build, test, and implement a reinsertion capability suited to this task.

Judge Richard Leon treated this complaint as the obvious bullpuckey it clearly is.

[T]he Government says that it will be burdensome to comply with any order that requires the NSA to remove plaintiffs from its database. Of course, the public has no interest in saving the Government from the budens of complying with the Constitution! Then, the Government frets such an order “could ultimately have a degrading effect on the utility of the program if an injunction in this case precipitated successful requests for such relief by other litigants.” For reasons already explained, I am not convinced at this point in the litigation that the NSA’s database has ever truly served the purpose of rapidly identifying terrorists in time-sensitive investigations, and so I am certainly not convinced that the removal of two individuals from the database will “degrade” the program in any meaningful sense.68

[snip]

In [staying my order to destroy the plaintiffs’ metadata] I hereby give the Government fair notice that should my ruling be upheld, this order will go into effect forthwith. Accordingly, I fully expect that during the appellate process, which will consume at least the next six months, the Government will take whatever steps necessary to prepare itself to comply with this order when, and if, it is upheld. Suffice it to say, requesting further time to comply with this order months from now will not be well received and could result in collateral sanctions.

68 To the extent that removing plaintiffs from the database would create the risk of “eliminating, or cutting off potential call chains,” the Government concedes that the odds of this happening are miniscule. (“[O]nly a tiny fraction of the collected metadata is ever reviewed . . . .”) (“Only the tiny fraction of the telephony metadata records that are responsive to queries authorized under the RAS standard are extracted, reviewed, or disseminated. . . . “). [citations removed]

But the plea for time– when it’s crystal clear NSA could start treating Larry Klayman’s data like a high volume number they intentionally defeat on intake tomorrow — made me wonder what purpose this complaint was really meant to serve, especially given James Cole’s refusal the other day to answer whether the Leahy-Sensenbrenner bill would eliminate bulk collection, which Jennifer Granick likens to a coup.

Responding to a question at yesterday’s hearing on the bill, Cole said, “Right now the interpretation of the word ‘relevant’ is a broad interpretation. Adding ‘pertinent to a foreign agent’ or ‘somebody in contact with a foreign agent’ could be another way of talking about relevance as it is right now. We’d have to see how broadly the court interprets that or how narrowly.”  In other words, the FISA court might let us keep doing what we’re doing no matter what the law says and despite Congress’ intent.

All courts issue opinions about what the laws that legislatures pass mean. These opinions are called the “common law”. But common law interpretations of statutes are only legitimate if they are fair and reasonable interpretations.

The NSA has a great track record getting FISC judges to interpret even obviously narrow phrases in surprisingly broad ways.

[snip]

Time and again, the FISC accepts the Administration’s shockingly flimsy arguments. As a set, the few public FISC opinions we’ve seen suggest that the Executive Branch—in cahoots with a few selected judges—has replaced legitimate public statutes with secret, illegitimate common law.

The rule of law is a basic democratic principle meaning that all members of a society—individuals, organizations, and government officials—must obey publicly disclosed legal codes and processes. If Cole is right that, try as it might, Congress cannot end bulk collection because the secret FISA court may defer to the NSA’s interpretation of the rules, there is no rule of law.  The NSA is in charge, the FISA court process is just a fig leaf, and this is no longer a democracy. There’s been a coup d’etat.

But it appears that not even the FISC judges are always in on the game. After all, at the moment when Judges Walton and Bates started reining in the Internet dragnet in the US, NSA started rolling out an expanded Internet dragnet program — which made it easier to pick up US person data and presumably easier to disseminate it — overseas. With that 6 month delay, would NSA just be figuring out how to maintain the dragnet function, but beyond the reach of meddling judges like Richard Leon?

The NSA suggested it would need 6 months notice to take just two people out of the dragnet. I can imagine no feasible technical reason that’s true.

So why were they implying they’d need that 6 months?

The Purpose(s) of the Dragnet, Revisited

/4 Comments/in , /by

As I noted the other day, one basis Judge Richard Leon used to find that the dragnet was likely unconstitutional was that it wasn’t all that useful. But I was particularly interested in the evidence he points to to establish that (see page 61 of his ruling), because it and the underlying basis for it reveal far more about how the government uses the dragnet than we’ve seen.

Leon points to the three cases in which the phone dragnet was supposed to be useful, which he gets from the declaration of FBI Acting Assistant Director Robert Holley. Holley claims the dragnet was useful in the Khalid Ouazzani, David Headley, and Najibullah Zazi cases (though Holley does not mention Ouazzani by name), using the following language.

In January 2009, using authorized collection under Section 702 of the Foreign Intelligence Surveillance Act to monitor the communications of an extremist overseas with ties to al-Qa’ida, NSA discovered a connection with an individual based in Kansas City. NSA tipped the information to the FBI, which during the course of its investigation discovered that there had been a plot in its early stages to attack the New York Stock Exchange. After further investigation, NSA queried the telephony metadata to ensure that all potential connections were identified, which assisted the FBI in running down leads.

[snip]

At the time of his arrest, Headley and his colleagues, at the behest of al-Qa’ida, were plotting to attack the Danish newspaper that published cartoons depicting the Prophet Mohammed. Headley was later charged with support for terrorism based on his involvement in the planning and reconnaissance for the 2008 hotel attack in Mumbai. Collection against foreign terrorists and telephony metadata analysis were utilized in tandem with FBI law enforcement authorities to establish Headley’s foreign ties and them in context with his U.S. based planning efforts.

[snip]

NSA received Zazi’s telephone number from the FBI and ran it against the Section 215 telephony metadata, identifying and passing additional leads back to the FBI for investigation. One of these leads revealed a previously unknown number  for co-conspirator Adis Medunjanin and corroborated his connection to Zazi as well as to other U.S.-based extremists.

First, note what’s missing? Any mention of Basaaly Moalin, the only defendant for which the government claims the phone dragnet was critical to his identification. Holley may have left Moalin out because of the timing: DOJ submitted his declaration on November 12, the day before the hearing on Moalin’s bid for a new trial and two days before Jeffrey Miller’s ruling rejecting that. Did DOJ think they might lose that argument, and so left it out out of fear it would make them more likely to lose this one (Leon does acknowledge Miller’s ruling in his own). Or was the case just so dated they chose not to mention it?

Whatever the reason, they’re left describing three cases in which even Keith Alexander admits the dragnet was at best only helpful.

But note the other thing: Up until now, the government has only described how the dragnet was useful in the Zazi case. While in its propaganda about 54 plots or maybe just terrorist events thwarted, it has implicitly suggested that only those with a US-nexus could involve the dragnet, I know of no other instance where they made it clear that they sort of used it in the Headley and Ouazzani cases (I’m going to check the declarations in the parallel suits later).

In both cases, it appears, the government only used it after the fact (which is how they used it in the Boston Marathon attack, which bizarrely also goes unmentioned).

Read more

Dianne Feinstein Glosses Jeffrey Miller Phone Dragnet Decision

/12 Comments/in , /by

Dianne Feinstein just released a statement effectively saying she likes the FISA Court phone dragnet decisions and the one Judge Jeffrey Miller made in the Moalin case better than the one Richard Leon issued yesterday.

Clearly we have competing decisions from those of at least three different courts (the FISA Court, the D.C. District Court and the Southern District of California). I have found the analysis by the FISA Court, the Southern District of California and the position of the Department of Justice, based on the Supreme Court decision in Smith, to be compelling.

But I’m particularly interested in the way she describes the Miller decision.

It should be noted that last month Judge Jeffrey Miller of the Southern District of California found the NSA business records program to be constitutional.

Judge Miller was ruling on a real world terrorist case involving the February 2013 conviction of Basaaly Moalin and three others for conspiracy and providing material support to the Somali terrorist organization Al-Shabaab. In that case, the NSA provided the FBI with information gleaned from an NSA query (under Section 215) of the call records database that established a connection between a San Diego-based number and a number known to be used by a terrorist with ties to al Qaeda.

In upholding these convictions, Judge Miller cited Smith v. Maryland (1979) the controlling legal precedent and held the defendants had ‘no legitimate expectation of privacy’ over the type of telephone metadata acquired by the government—which is the ‘to’ and ‘from’ phone numbers of a call, its time, its date and its duration. There is no content, no names and no locational information acquired.

As a threshold matter, Judge Miller did not decide last month that the phone dragnet was constitutional. He decided sometime around June 5, 2012, and that decision remains sealed in its entirety. He treated Moalin’s bid for a new trial as a reconsideration of his earlier decision, stating he had,”already considered and addressed many of the FISA and CIPA arguments from a federal and constitutional law perspective.” He deliberated just one day after the hearing on a new trial before rejecting the motion. Which means that his decision rests primarily on whatever representations the government made in secret — and none of us have gotten to see that decision.

If Senator Feinstein would like to use her position on the Senate Intelligence and Judiciary Committees to liberate that decision given that she’s relying on it, by all means let’s have some transparency!

Now look at how Feinstein characterizes the issue before Miller:

[T]he NSA provided the FBI with information gleaned from an NSA query (under Section 215) of the call records database that established a connection between a San Diego-based number and a number known to be used by a terrorist with ties to al Qaeda.

That is, she characterizes Miller’s review as weighing whether using an (at least) second-degree hop in a database to establish probable cause is Constitutional.

But that’s most definitely not what Miller did. Instead, he ignored the database entirely (the word “database” doesn’t appear in his ruling), and assessed the use of what Feinstein describes as a database query as two separate pen registers.

Defendants argue that the collection of telephony metadata violated Defendant Moalin’s First and Fourth Amendment rights. At issue are two distinct uses of telephone metadata obtained from Section 215. The first use involves telephony metadata retrieved from communications between third parties, that is, telephone calls not involving Defendants. Clearly, Defendants have no reasonable expectation of privacy to challenge any use of telephony metadata for calls between third parties. See Steagald v. United States, 451 U.S. 204, 219 (1981) (Fourth Amendment rights are personal in nature); Rakas v. Illinois, 439 U.S. 128, 133-34 (1978) (“Fourth Amendment rights are personal rights which, like some other constitutional rights, may not be vicariously asserted.”); United States v. Verdugo-Uriquidez, 494 U.S. 259, 265 (1990) (the term “people” described in the Fourth Amendment are persons who are part of the national community or may be considered as such). As noted in Steagald, “the rights [] conferred by the Fourth Amendment are personal in nature, and cannot bestow vicarious protection on those who do not have a reasonable expectation of privacy in the place to be searched.” 451 U.S. at 219. As individuals other than Defendants were parties to the telephony metadata, Defendants cannot vicariously assert Fourth Amendment rights on behalf of these individuals. To this extent, the court denies the motion for new trial.

The second use of telephony metadata involves communications between individuals in Somalia (or other countries) and Defendant Moalin. The following discusses whether Defendant Moalin, and other Defendants through him, have any reasonable expectation of privacy in telephony metadata between Moalin and third parties, including co-defendants. [my emphasis]

I believe that in documents that have been released since Miller’s ruling, the government distinguished this from pen registers (digging up those references now). But one thing’s clear: Miller didn’t approve the use of a database to show that his two-degree link between Moalin and Aden Ayro amounted to probable cause that he was an agent of a foreign power. He approved of two or more discrete pen registers.

That may or may not amount to a legal difference (Leon didn’t consider the database as such either). But I find it mighty telling that Feinstein describes the dragnet in terms her favored criminal ruling does not.

The Pre-Dragnet Cold War Contact Chaining

/12 Comments/in /by

I’m still working through some things from Judge Richard Leon’s injunction against the phone dragnet.

But for the moment I wanted to point to something the government claimed in the FBI’s declaration in the case, by Acting Assistant Director Robert Holley. He says,

For decades reaching back to the Cold-War era, the FBI has relied on contact chaining as a method of detecting foreign espionage networks and operatives, both in the United States and abroad, and disrupting their plans.

The language here seems somewhat forced. “Decades reaching back to the Cold War-era” might only mean 1988.

Moreover, the fact that FBI claims they’ve been doing this for “decades” suggests they’ve been doing it for decades before they put together the phone dragnet, even decades before they required telecoms to keep phone records for 18 months.

Doesn’t that mean it’s possible to do successfully without the dragnet and without 5 years of data?

If the technique, absent the dragnet, was effective against the Soviet Union, why do we need a dragnet against a less powerful adversary now?

Richard Leon: A Phone Dragnet Is Not a Special Need

/10 Comments/in , /by

As I noted briefly in this post, Judge RIchard Leon ruled that Judicial Watch’s Larry Klayman is very likely to succeed in his suit challenging the phone dragnet on Constitutional grounds. He issued an injunction requiring NSA to take out Klayman’s data, but stayed that decision pending appeal.

While many civil liberties lawyers are hailing the decision, the its strength might be measured by the fact that Mark Udall and Jim Sensenbrenner both used it as a call to pass Leahy-Sensenbrenner; they did not celebrate the demise of the dragnet itself. That is, it is almost certain that this decision will not, by itself, end the dragnet.

I suspect this ruling will serve to break the ice for other judges (there are several other suits, a number of them launched by entities — like the ACLU — that I expect to have better command of the details of the dragnet and the reasons it is unconstitutional, which may lead to a stronger opinion). And to the extent it stands (don’t hold your breath) it will begin to chip away at NSA’s claims that searches don’t happen on collection, but on database access.

And on one point, I think Leon’s ruling provides a really important baseline on the matter of special needs.

As Orin Kerr sketches out roughly here (and I agree with much of what he says about Leon’s ruling), Leon basically held that Smith v. Maryland didn’t apply in the era of smart phones. From there, he moved onto Fourth Amendment analysis, which involves an analysis of whether the special need of hunting terrorists merits the huge privacy infringement of collecting all phone records in the US. After reviewing the precedents on special needs, Leon writes,

To my knowledge, however, no court has ever recognized a special need sufficient to justify continuous, daily searches  of virtually every American citizen without any particularized suspicion. In effect, the Government urges me to be the first non-FISC judge to sanction such a dragnet.

Then Leon goes on to challenge the government’s claims about the need involved.

The Government asserts that the Bulk Telephony Metadata Program serves the “programmatic purpose” of “identifying unknown terrorist operatives and preventing terrorist attacks.”

[snip]

A closer examination of the record, however, reveals the Government’s interest is a bit more nuanced–it is not merely to investigate potential terrorists, but rather, to do so faster than other investigative methods might allow.

Which brings him to the same issue Ron Wyden and Mark Udall keep pointing to: the NSA simply doesn’t have evidence of this actually having worked.

Yet, turning to the efficacy prong, the Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection actually stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time-sensitive in nature. In fact, none of the three “recent episodes” cited by the Government that supposedly “illustrate the role that telephony metadata analysis can play in preventing and protecting against terrorist attack” involved any urgency.

Now, I actually think the NSA and FBI declarants in this case begin to hint at the real purpose of the dragnet — I’ll come back to that once PACER recovers from what everyone jokes is NSA retaliation for this ruling.

But with regards to accomplishing the purpose the NSA claims the dragnet serves, there’s no evidence to show. Leon finds that absent real proof that the dragnet works, Klayman’s privacy interests outweigh the Government’s need.

Given the limited record before me at this point in the litigation–most notably, the utter lack of evidence that a terrorist attack has ever been prevented because searching the NSA database was faster than other investigative tactics–I have serious doubts about the efficacy of the metadata collection program as a means of conducting time-sensitive investigations in cases involving imminent threats of terrorism.

[snip]

Thus, plaintiffs have a substantial likelihood of showing that their privacy interests outweigh the Government’s interest in collecting and analyzing build telephony metadata and therefore the NSA’s bulk collection program is indeed an unreasonable search under the Fourth Amendment.

Now, to be clear, before Leon gets here, he has to get by Smith v. Maryland, and I agree with Kerr that his argument there isn’t all that strong (though I disagree with Kerr that it couldn’t be).

But one big takeaway from this ruling –whether the DC Circuit overturns it or not — is that it will be very hard for the government to make the case that the need the dragnet serves outweighs the privacy cost.

Probably not with this ruling, but it may not be long before the government has to face up to the fact that its dragnet really hasn’t shown any results.

Update: New Yorker’s Amy Davidson writes, “But what his ruling does is deprive the N.S.A. of the argument of obviousness: the idea that what it is doing is plainly legal, plainly necessary, and nothing for decent people to worry about.” That’s about what I mean by Leon breaking the ice.

That Pirate May Be the Missing Link We Should Drone Kill

/16 Comments/in , , , /by

As I mocked last night, 60 Minutes decided to use pirate data collected under EO 12333 to demonstrate how it conducts call chaining on US citizen data collected under Section 215. But the exchange is rather interesting for the way the NSA analyst, Stephen Benitez, describes finding a potentially key player in a network of pirates.

Metadata has become one of the most important tools in the NSA’s arsenal. Metadata is the digital information on the number dialed, the time and date, and the frequency of the calls.  We wanted to see how metadata was used at the NSA.  Analyst Stephen Benitez showed us a technique known as “call chaining” used to develop targets for electronic surveillance in a pirate network based in Somalia.

Stephen Benitez: As you see here, I’m only allowed to chain on anything that I’ve been trained on and that I have access to. Add our known pirate. And we chain him out.

John Miller: Chain him out, for the audience, means what?

Stephen Benitez: People he’s been in contact to for those 18 days.

Stephen Benitez: One that stands out to me first would be this one here. He’s communicated with our target 12 times.

Stephen Benitez: Now we’re looking at Target B’s contacts.

John Miller: So he’s talking to three or four known pirates?

Stephen Benitez: Correct. These three here. We have direct connection to both Target A and Target B. So we’ll look at him, too, we’ll chain him out. And you see, he’s in communication with lots of known pirates. He might be the missing link that tells us everything. [my emphasis]

Compare the language Benitez uses here with that which Gregory McNeal used to describe drone targeting back in February.

Networked based analysis looks at terrorist groups as nodes connected by links, and assesses how components of that terrorist network operate together and independently of one another.  Those nodes and links, once identified will be targeted with the goal of disrupting and degrading their functionality.  To effectively pursue a network based approach, bureaucrats rely in part on what is known as “pattern of life analysis” which involves connecting the relationships between places and people by tracking their patterns of life. This analysis draws on the interrelationships among groups “to determine the degree and points of their interdependence.” It assesses how activities are linked and looks to “determine the most effective way to influence or affect the enemy system.”

[snip]

Viewing targeting in this way demonstrates how seemingly low level individuals such as couriers and other “middle-men” in decentralized networks such as al Qaeda are oftentimes critical to the successful functioning of the enemy organization. Targeting these individuals can “destabilize clandestine networks by compromising large sections of the organization, distancing operatives from direct guidance, and impeding organizational communication and function.” Moreover, because clandestine networks rely on social relationships to manage the trade-off between maintaining secrecy and security, attacking key nodes can have a detrimental impact on the enemy’s ability to conduct their operations. [my emphasis]

That is, the language describing the process behind signature strikes closely matches the language describing NSA’s targeting for wiretapping. Both these analyses are doing the same thing: trying to find the key nodes in networks of people (though the drone targeting appears to draw in additional intelligence about someone’s observed actions and locations).

Now, as I said, when Benitez used the word “target,” he was presumably discussing only targeting for surveillance, not for drone killing (besides, thus far we haven’t drone killed any pirates I know of).

But it is very easy to see what kind of role metadata analysis would play in the early stages of targeting a signature strike, because that’s precisely how the intelligence community identify the nodes that, McNeal tells us, they’re often targeting when they conduct signature strikes. Wiretap the person at that node and you may learn a lot (that’s also probably the same kind of targeting they do to select potential informants, as we know they do with metadata), kill that person and you may damage the operational capabilities of a terrorist (or pirate) organization.

When the WaPo reported on NSA’s role in drone killing, it focused on how NSA collected content associated with a known target — Hassan Ghul — to pinpoint his location for drone targeting.

But NSA probably plays a role in the far more controversial targeting of people we don’t know for death, with precisely the kind of contact chaining it uses on US persons.

Note, in related news, Richard Leon has just ruled for Larry Klayman in one of the first suits challenging the phone dragnet (with the injunction stayed pending appeal). I’ll have analysis on that later.