Posts

Did Trump Modify PPD-28 Last Year before Retaining It?

In a series of questions for the record about whether CIA will continue to publicly post its surveillance procedures, CIA Director nominee Gina Haspel suggested she wouldn’t note changes if doing so would expose sources and methods.

Yes, subject only to my duty to protect classified information and intelligence sources and methods.

One question to which she gave that answer pertained to PPD-28, the Obama directive that provided some protections to foreign citizens.

The CIA’s PPD-28 Section 4 policies and procedures are publicly available. Will you ensure that the CIA continues to post these procedures as well as any modifications, superseding policies and procedures, or significant interpretations?

When Wyden asked about the importance of PPD-28 to bilateral relationships, Haspel explained that the Trump Administration had reviewed and retained it last year (Mike Pompeo had floated ditching it in his confirmation hearing). But in discussions about modifications, she envisioned only substantial modifications might interest allies.

PPD-28 underlies the US commitment to the EU/US Privacy Shield. This administration reviewed PPD-28 last year and decided to retain it. If PPD-28 were substantially modified or eliminated, our European partners might re-evaluate their commitment to the Privacy Shield that support trans-Atlantic commercial data flows.

The answers certainly leave the possibility that, in reviewing PPD-28 last year, the Trump Administration did make classified modifications, but did not consider them major enough to tell our European friends about.

Ron Wyden Makes It Clear Gina Haspel Pushed for Torture to Continue in 2005

Among the many, many damning details of Gina Haspel’s confirmation hearing, one sticks out. Ron Wyden asked her whether, during the 2005 to 2007 period, whether she ever asked for the torture program to be continued or expanded. She didn’t answer. Instead, she dodged:

Haspel: Like all of us who were in the counterterrorism center and working at CIA in those years after 9/11, we all believed in our work, we were committed, we had been charged with making sure the country wasn’t attacked again. And we had been informed that the techniques in CIA’s program were legal and authorized by the highest legal authority in our country and also the President. So I believe, I and my colleagues in the counterterrorism center were working as hard as we could with the tools that we were given to make sure that we were successful in our mission.

Wyden: My time is short and that, respectfully, is not responsive to the question. That was a period where the agency was capturing fewer detainees, waterboarding was no longer approved, and especially in light of that Washington Post story, I would really like to have on the record whether you ever called for the program to be continued, which it sure sounds to me like your answer suggested. You said, well we were doing our job it ought to be continued.

This makes it clear that Haspel was involved in reauthorizing torture in 2005, in a process that was as rife with lies to DOJ as the original authorization process had been.

It also makes Haspel directly responsible for the torture of people like Abu Farj al-Lbi, which the torture report describes this way.

On May 2005, one day after al-Libi’s arrival at DETENTION SITE BLACK, CIA interrogators received CIA Headquarters approval for the use of the CIA’s enhanced interrogation techniques on Abu Faraj al-Libi. CIA interrogators began using the CIA’s enhanced interrogation techniques on Abu Faraj al-Libi on May 28, 2005, two days before the OLC issued its memorandum analyzing whether the techniques violated U.S. obligations under the Convention Against Torture.891

The CIA interrogated Abu Faraj al-Libi for more than a month using tlie CIA’s enhanced interrogation techniques. On a number of occasions, CIA interrogators applied the CIA’s enhanced interrogation techniques to Abu Faraj al-Libi when he complained of a loss of hearing,repeatedly telling him to stop pretending he could not hear well.892 Although the interrogators indicated that they believed al-Libi’s complaint was an interrogation resistance technique, Abu Faraj al-Libi was fitted for a hearing aid after his transfer to U.S. military custody at Guantanamo Bay in 2006.893 Despite the repeated and extensive use of the CIA’s enhanced interrogation techniques on AbuFaraj al-Libi, CIA Headquarters continued to insist throughout the summer and fall of 2005 that Abu Faraj al-Libi was withholding information and pressed for the renewed use of the techniques. The use of the CIA’s enhanced interrogation techniques against Abu Faraj al-Libi was eventually discontinued because CIA officers stated that they had no intelligence to demonstrate that Abu Faraj al-Libi continued to withhold information, and because CIA medical officers expressed concern that additional use of the CIA’s enhanced interrogation techniques “may come with unacceptable medical or psychological risks.894 After the discontinuation of the CIA’s enhanced interrogation techniques, the CIA asked Abu Faraj al-Libi about UBL facilitator Abu Ahmad al-Kuwaiti for the first time.895 Abu Faraj al-Libi denied knowledge of al-Kuwaiti.896

That Haspel appears to have pushed to use torture with al-Libi is significant for multiple reasons. First, as noted, the CIA tortured al-Libi immediately after taking him into custody. There was no show of seeing whether he would cooperate. The CIA used his claim of hearing problems — a claim that turned out to be true — as an excuse to do more torture. CIA apparently kept asking to resume torture with him, even though it didn’t work.

Really importantly for the legacy of the torture program, al-Libi not only didn’t reveal the identity of Abu Ahmad al-Kuwaiti while he was being tortured, he continued to lie about it after he was tortured.

But Haspel’s involvement in this might be most problematic given the timing of it. As noted, the CIA asked for custody of al-Libi while they were still getting torture reauthorized; the first two Bradbury memos, authorizing torture and then their use of them in combination, were approved on May 10. As further noted, however, CIA started torturing al-Libi before the last Bradbury memo was signed on May 30. We know from Jim Comey’s memos about that process that DOJ was pushed very hard to approve them. Critically important, however, is that Alberto Gonzales made a case against reapproving torture at the May 31 principals meeting. In spite of DOJ concerns, the principals committee reapproved all the techniques.

That’s because CIA had already started torturing al-Libi. Effectively, CIA (so, presumably, Haspel, among others), rushed to torture al-Libi so that the government would have no choice but to reauthorize it.

In 2017, the Government Withdrew Three FISA Collection Requests Rather than Face an Amicus Review

Last year’s Section 702 Reauthorization law included a bunch of technical fix language describing how appeals of FISA Court of Review decisions should work.

In this post on that technical language, I speculated that Congress may have added the language in response to a denial of a request by the FISCR, about the only thing that would have identified the need for such language.

As one piece of evidence to support that hypothesis, I noted that one of the times the FISC consulted with an amicus (probably Amy Jeffress), it did not make the topic or the result public.

There’s one other reason to think there must have been a significant denial: The report, in the 2015 FISC report, that an amicus curiae had been appointed four times.

During the reporting period, on four occasions individuals were appointed to serve as amicus curiae under 50 U.S.C. § 1803(i). The names of the three individuals appointed to serve as amicus curiae are as follows:  Preston Burton, Kenneth T. Cuccinelli II  (with Freedom Works), and Amy Jeffress. All four appointments in 2015 were made pursuant to § 1803(i)(2)(B). Five findings were made that an amicus curiae appointment was not appropriate under 50 U.S.C. § 1803(i)(2)(A) (however, in three of those five instances, the court appointed an amicus curiae under 50 U.S.C. § 1803(i)(2)(B) in the same matter).

We know of three of those in 2015: Ken Cuccinelli serving as amicus for FreedomWorks’ challenge to the restarted dragnet in June 2015, Preston Burton serving as amicus for the determination of what to do with existing Section 215 data, and Amy Jeffress for the review of the Section 702 certifications in 2015. (We also know of the consultation with Mark Zwillinger in 2016 and Rosemary Collyer’s refusal to abide by USA Freedom Act’s intent on amici on this year’s reauthorization.) I’m not aware of another, fourth consultation that has been made public, but according to this there was one more. I say Jeffress was almost certainly the amicus used in that case because she was one of the people chosen to be a formal amicus in November 2015, meaning she would have been called on twice. If it was Jeffress, then it likely happened in the last months of the year.

I raise that background because of a detail in the FISC report released yesterday, showing its approvals for 2017. It revealed that FISC told the government on three occasions it might appoint an amicus. On all three occasions, the government withdrew the request rather than undergo a FISC review with even a limited adversary.

During the reporting period, no individual was appointed to serve as amicus curiae by the FISA courts. No findings were made in 2017, pursuant to 50 U.S.C. § 1803(i)(2)(A), that an amicus curiae appointment was not appropriate. There were three matters in which the Court advised the government that it was considering appointment of an amicus curiae to address a novel or significant question of law raised in proposed applications, but the government ultimately did not proceed with the proposed applications at issue, or modified the final applications such that they did not present a novel or significant question of law, thereby obviating a requirement for consideration as to the appropriateness of appointment of amicus. These matters are reflected in the table above as, respectively, a modification to a proposed order, an application denied in full, and an application denied in part. This is the first report including information about such occurrences. A similarly small number of such events occurred during prior reporting periods but were not discussed in the reports for those years.

In one case, the government withdrew an entire application after learning the FISC might appoint an amicus to review the proposed technique. In two others, the final order in one or another way did not include the requested practice.

These three instances are not the first time the government has withdrawn a request after learning FISC would invite adversarial review. While the court doesn’t reveal how many or in what years, it does say that a “similarly small number of such events occurred during prior reporting periods.” Given that there have been just two other reporting periods (the report for part of 2015 and the report covering all of 2016), the language seems to suggest it happened in both years.

That the government has been withdrawing requests rather than submitting them to the scrutiny of an amicus suggests several things.

First, it may be withdrawing such applications out of reluctance to share details of such techniques even with a cleared amicus, not even one of the three who served as very senior DOJ officials in the past. If that’s right, that would reflect some pretty exotic requests, because some of the available amici (most notably former Assistant Attorney General David Kris) have seen all that DOJ was approving with NatSec collection.

Second, remember that for at least one practice (the collection of location information), the government has admitted to opting to using criminal process rather than FISA where more lenient precedents exist in particular jurisdictions. That might happen, for example, if a target could be targeted in a state that didn’t require a warrant for some kinds of location data whereas FISC does.

Starting in 2017, the government would have the ability to share raw EO 12333 with the FBI, which might provide another alternative means to collect the desired data.

All of which is to say these withdrawals don’t necessarily mean the government gave up. Rather, past history has shown that the government often finds another way to get information denied by the FISC, and that may have happened with these three requests.

Finally, remember that as part of 702 reauthorization last year, Ron Wyden warned that reauthorization should include language preventing the government from demanding that companies provide technical assistance (which obviously includes, but is probably not limited to, bypassing or weakening encryption) as part of 702 directives. The threat the government might do so under 702 is particularly acute, because unlike with individual orders (which is what the withdrawn requests here are), the FISC doesn’t review the directives submitted under 702. Some of these withdrawn requests — which may number as many as nine — may reflect such onerous technical requests.

Importantly, one reason the government might withdraw such requests is to avoid any denials that would serve as FISC precedent for individualized  and 702 requests. That is, if the government believed the court might deny an individual request, it might withdraw it and preserve its ability to make the very same demand in a 702 context, where the FISC doesn’t get to review the techniques use.

Whatever the case, the government has clearly been bumping up against the limits of what it believes FISC will approve in individualized requests. But that doesn’t mean it hasn’t been surpassing those limits via one or another technical or legal means.

Cambridge Analytica Uncovered and More to Come

A little recap of events overnight while we wait for Channel 4’s next video. Channel 4 had already posted a video on March 17 which you can see here:

Very much worth watching — listen carefully to whistleblower Chris Wylie explain what data was used and how it was used. I can’t emphasize enough the problem of non-consensual use; if you didn’t explicitly consent but a friend did, they still swept up your data

David Carroll of Parsons School of Design (@profcarroll) offered a short and sweet synopsis last evening of the fallout after UK’s Channel 4 aired the first video of Cambridge Analytica Uncovered.

Facebook CTO Alex Stamos had a disagreement with management about the company’s handling of crisis; first reports said he had resigned. Stamos tweeted later, explaining:

“Despite the rumors, I’m still fully engaged with my work at Facebook. It’s true that my role did change. I’m currently spending more time exploring emerging security risks and working on election security.”

Other reports say Stamos is leaving in August. Both could be true: his job has changed and he’s eventually leaving.

I’m betting we will hear from him before Congress soon, whatever the truth.

Speaking of Congress, Sen. Ron Wyden has asked Mark Zuckerberg to provide a lot of information pronto to staffer Chris Sogohian. This ought to be a lot of fun.

A Facebook whistleblower has now come forward; Sandy Parkilas said covert harvesting of users’ data happened frequently, and Facebook could have done something about it.

Perhaps we ought to talk about nationalization of a citizens’ database?

2018 Senate Intelligence Global Threat Hearing Takeaways

Today was the annual Senate Intelligence Committee Global Threat Hearing, traditionally the hearing where Ron Wyden gets an Agency head to lie on the record.

That didn’t happen this time.

Instead, Wyden gave FBI Director Christopher Wray the opportunity to lay out the warnings the FBI had given the White House about Rob Porter’s spousal abuse problems, which should have led to Porter’s termination or at least loss of access to classified information.

The FBI submitted a partial report on the investigation in question in March. And then a completed background investigation in late July. That, soon thereafter, we received request for follow-up inquiry. And we did that follow-up and provided that information in November. Then we administratively closed the file in January. And then earlier this month we received some additional information and we passed that on as well.

That, of course, is the big takeaway the press got from the hearing.

A follow-up from Martin Heinrich shortly after Wyden’s question suggested he had reason to know of similar “areas of concern” involving Jared Kushner (which, considering the President’s son-in-law is under investigation in the Russian investigation, is not that surprising). Wray deferred that answer to closed session, so the committee will presumably learn some details of Kushner’s clearance woes by the end of the day.

Wray twice described the increasing reliance on “non-traditional collectors” in spying against the US, the second time in response to a Marco Rubio question about the role of Chinese graduate students in universities. Rubio thought the risk was from the Confucius centers that China uses to spin Chinese culture in universities. But not only did Wray say universities are showing less enthusiasm for Confucius centers of late, but made it clear he was talking about “professors, scientists, and students.” This is one of the reasons I keep pointing to the disproportionate impact of Section 702 on Chinese-Americans, because of this focus on academics from the FBI.

Susan Collins asked Mike Pompeo about the reports in The Intercept and NYT on CIA’s attempts to buy back Shadow Brokers tools. Pompeo claimed that James Risen and Matt Rosenberg were “swindled” when they got proffered the story, but along the way confirmed that the CIA was trying to buy stuff that “might have been stolen from the US government,” but that “it was unrelated to this idea of kompromat that appears in each of those two articles.” That’s actually a confirmation of the stories, not a refutation of them.

There was a fascinating exchange between Pompeo and Angus King, after the latter complained that, “until we have some deterrent capacity we are going to continue to be attacked” and then said right now there are now repercussions for Russia’s attack on the US.

Pompeo: I can’t say much in this setting I would argue that your statement that we have done nothing does not reflect the responses that, frankly, some of us at this table have engaged in or that this government has been engaged in both before and after, excuse me, both during and before this Administration.

King: But deterrence doesn’t work unless the other side knows it. The Doomsday Machine in Dr. Strangelove didn’t work because the Russians hadn’t told us about it.

Pompeo: It’s true. It’s important that the adversary know. It is not a requirement that the whole world know it.

King: And the adversary does know it, in your view?

Pompeo: I’d prefer to save that for another forum.

Pompeo later interjected himself into a Kamala Harris discussion about the Trump Administration’s refusal to impose sanctions by suggesting that the issue is Russia’s response to cumulative responses. He definitely went to some effort to spin the Administration’s response to Russia as more credible than it looks.

Tom Cotton made two comments about the dossier that Director Wray deferred answering to closed session.

First, he asked about Christopher Steele’s ties to Oleg Deripaska, something I first raised here and laid out in more detail in this Chuck Grassley letter to Deripaska’s British lawyer Paul Hauser. When Cotton asked if Steele worked for Deripaska, Wray said, “that’s not something I can answer.” When asked if they could discuss it in a classified setting, Wray said, “there might be more we could say there.”

Cotton then asked if the FBI position on the Steele dossier remains that it is “salacious and unverified” as he (misleadingly) quoted Comey as saying last year. Wray responded, “I think there’s maybe more we can talk about this afternoon on that.” It’s an interesting answer given that, in Chuck Grassley’s January 4 referral, he describes a “lack of corroboration for [Steele’s dossier] claims, at least at the time they were included in the FISA applications,” suggesting that Grassley might know of corroboration since. Yet in an interview by the even better informed Mark Warner published 25 days later, Warner mused that “so little of that dossier has either been fully proven or conversely, disproven.” Yesterday, FP reported that BuzzFeed had hired a former FBI cybersecurity official Anthony Ferrante to try to chase down the dossier in support of the Webzilla and Alfa bank suits against the outlet, so it’s possible that focused attention (and subpoena power tied to the lawsuit) may have netted some confirmation.

Finally, Richard Burr ended the hearing by describing what the committee was doing with regards to the Russian investigation. He (and Warner) described an effort to bring out an overview on ways to make elections more secure. But Burr also explained that SSCI will release a review of the ICA report on the 2016 hacks.

In addition to that, our review of the ICA, the Intel Committee Assessment, which was done in the F–December of 06, 16–we have reviewed in great detail, and we hope to report on what we found to support the findings where it’s appropriate, to be critical if in fact we found areas where we found came up short. We intend to make that public. Overview to begin with, none of this would be without a declassification process but we will have a public version as quickly as we can.

Finally, in the last dregs of the hearing, Burr suggested they would report on who colluded during the election.

We will continue to work towards conclusions  on any cooperation or collusion by any individual, campaign, or company with efforts to influence elections or create societal chaos in the United States.

My impression during the hearing was that this might refer to Cambridge Analytica, which tried to help Wikileaks organize hacked emails — and it might well refer to that. But I wonder if there’s not another company he has in mind.

The Timing of Mark Warner’s PseudoScandal Texts

By now, you’ve heard about Fox News’ scoop that Mark Warner made efforts last year to obtain testimony from two key figures in the Senate Intelligence Committee investigation into Russia’s involvement in the 2016 election via DC fixer Adam Waldman: Christopher Steele and Oleg Deripaska. (In my opinion, the news buried at the bottom of the story that Deripaska agreed to provide testimony if he could get immunity, but did not get it, is far more interesting than the rest of this, but I’m not a Fox News editor.)

“We have so much to discuss u need to be careful but we can help our country,” Warner texted the lobbyist, Adam Waldman, on March 22, 2017.

“I’m in,” Waldman, whose firm has ties to Hillary Clinton, texted back to Warner.

The story also includes this paragraph, which also has gotten less attention.

Warner began texting with Waldman in February 2017 about the possibility of helping to broker a deal with the Justice Department to get the WikiLeaks founder Julian Assange to the United States to potentially face criminal charges. That went nowhere, though a Warner aide told Fox News that the senator shared his previously undisclosed private conversations about WikiLeaks with the FBI.

Interestingly, the Fox story relies on texts that Warner and Richard Burr jointly requested in June (targeting Waldman’s phone, not Warner’s, apparently), and then turned over to the committee in October. I look forward to seeing how the notoriously anti-leak Burr deals with the apparent leak of committee sensitive materials to the right wing press.

Even while the story links to texts from SSCI, it comes a week after a woman duped the famously paranoid Julian Assange into exchanging texts with her fake Sean Hannity account promising news on Mark Warner.

[Dell] Gilliam, a technical writer from Texas, was bored with the flu when she created @SeanHannity__ early Saturday morning. The Fox News host’s real account was temporarily deleted after cryptically tweeting the phrase “Form Submission 1649 | #Hannity” on Friday night. Twitter said the account had been “briefly compromised,” according to a statement provided to The Daily Beast, and was back up on Sunday morning.

[snip]

Just minutes after @SeanHannity disappeared, several accounts quickly sprung up posing as the real Hannity, shouting from Twitter exile. None were as successful as Gilliam’s @SeanHannity__ account, which has since amassed over 24,000 followers.

Gilliam then used her newfound prominence to direct message Assange as Hannity within hours.

“I can’t believe this is happening. I mean… I can. It’s crazy. Nothing can be put past people,” Gilliam, posing as Hannity, wrote to Assange. “I’m exhausted from the whole night. What about you, though? You doing ok?”

“I’m happy as long as there is a fight!” Assange responded.

Gilliam reassured Assange that she, or Hannity, was also “definitely up for a fight” and set up a call for 9:30 a.m. Eastern, about six hours later.

“You can send me messages on other channels,” said Assange, the second reference to “other channels” he made since their conversation began.

“Have some news about Warner.”

With that in mind, I want to look at the timing of some security issues last year.

While the texts turned over to Congress date to February 14, the conversation pertaining to Steele started around March 22. That puts it not long after news of a massive hack involving T-Mobile, first reported March 16.

An unusual amount of highly suspicious cellphone activity in the Washington, D.C., region is fueling concerns that a rogue entity is surveying the communications of numerous individuals, likely including U.S. government officials and foreign diplomats, according to documents viewed by the Washington Free Beacon and conversations with security insiders.

A large spike in suspicious activity on a major U.S. cellular carrier has raised red flags in the Department of Homeland Security and prompted concerns that cellphones in the region are being tracked. Such activity could allow pernicious actors to clone devices and other mobile equipment used by civilians and government insiders, according to information obtained by the Free Beacon.

It remains unclear who is behind the attacks, but the sophistication and amount of time indicates it could be a foreign nation, sources said.

I would hope to hell that former cell company mogul and current Ranking Member on the Senate Intelligence Committee running an important counterintelligence investigation Mark Warner would be aware of the security problems with mobile phones. But what do I know? [Update: Not much. Looking more closely it looks like he was using Signal.] In the last several months we’ve learned that FBI’s investigators discuss the even more sensitive aspects of the more important side of counterintelligence investigation on SMS texts on their Samsung cell phones.

¯\_(ツ)_/¯

But who knows what Waldman (who apparently chats a lot with spies, mobbed up Russian oligarchs, and — as Mike Pompeo deemed Wikileaks — non-state hostile intelligence services) knows about cell phone security?

In any case, the day before that was reported publicly, Ron Wyden and Ted Lieu sent a letter to John Kelly (who, as a reminder, in spite of or because he ran DHS for a while, had his own cell phone compromised), stating in part,

We are also concerned that the government has not adequately considered the counterintelligence threat posed by SS7-enabled surveillance.

[snip]

What resources has DHS allocated to identifying and addressing SS7-related threats? Are these resources sufficient to protect U.S. government officials and the private sector.

If the government started considering such issues in March, they might have gotten around to discovering what kinds of problems were created by the T-Mobile hack in June, when Warner and Burr moved to get the texts for SSCI.

In any case, at around that point in time, APT 28 (one of the entities blamed for hacking the DNC the previous year) started a phishing campaign targeting the Senate’s email server.

Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.

Reporting at the time suggested this was an effort in advance of the 2018 election (which aside from minimizing the damage Russia might do in the interim, ignores the fact that staffers are ostensibly prohibited from using Senate resources for election related activities). But it always seemed to me it would more profitably target policy.

Or, maybe the only reasonable work Congress is doing to investigate the Russians?

Whether there’s a connection between these two compromises last year or not, and Julian Assange, and this Mark Warner story, it’s clear that DC remains ill-prepared to address the counterintelligence problems they’re faced with.

Asha Rangappa Demands Progressive Left Drop Bad Faith Beliefs in Op-Ed Riddled with Errors Demonstrating [FBI’s] Bad Faith

It’s my fault, apparently, that surveillance booster Devin Nunes attacked the FBI this week as part of a ploy to help Donald Trump quash the investigation into Russian involvement in his election victory. That, at least, is the claim offered by the normally rigorous Asha Rangappa in a NYT op-ed.

It’s progressive left privacy defenders like me who are to blame for Nunes’ hoax, according to Rangappa, because — she claims — “the progressive narrative” assumes the people who participate in the FISA process, people like her and her former colleagues at the FBI and the FISA judges, operate in bad faith.

But those on the left denouncing its release should realize that it was progressive and privacy advocates over the past several decades who laid the groundwork for the Nunes memo — not Republicans. That’s because the progressive narrative has focused on an assumption of bad faith on the part of the people who participate in the FISA process, not the process itself.

And then, Ragappa proceeds to roll out a bad faith “narrative” chock full of egregious errors that might lead informed readers to suspect FBI Agents operate in bad faith, drawing conclusions without doing even the most basic investigation to test her pre-conceived narrative.

Rangappa betrays from the very start that she doesn’t know the least bit about what she’s talking about. Throughout, for example, she assumes there’s a partisan split on surveillance skepticism: the progressive left fighting excessive surveillance, and a monolithic Republican party that, up until Devin Nunes’ stunt, “has never meaningfully objected” to FISA until now. As others noted to Rangappa on Twitter, the authoritarian right has objected to FISA from the start, even in the period Rangappa used what she claims was a well-ordered FISA process. That’s when Republican lawyer David Addington was boasting about using terrorist attacks as an excuse to end or bypass the regime. “We’re one bomb away from getting rid of that obnoxious [FISA] court.”

I’m more peeved, however, that Rangappa is utterly unaware that for over a decade, the libertarian right and the progressive left she demonizes have worked together to try to rein in the most dangerous kinds of surveillance. There’s even a Congressional caucus, the Fourth Amendment Caucus, where Republicans like Ted Poe, Justin Amash, and Tom Massie work with Rangappa’s loathed progressive left on reform. Amash, Mike Lee, and Rand Paul, among others, even have their name on legislative attempts to reform surveillance, partnering up with progressives like Zoe Lofgren, John Conyers, Patrick Leahy, and Ron Wyden. This has become an institutionalized coalition that someone with the most basic investigative skills ought to be able to discover.

Since Rangappa has not discovered that coalition, however, it is perhaps unsurprising she has absolutely no clue what the coalition has been doing.

In criticizing the FISA process, the left has not focused so much on fixing procedural loopholes that officials in the executive branch might exploit to maximize their legal authority. Progressives are not asking courts to raise the probable cause standard, or petitioning Congress to add more reporting requirements for the F.B.I.

Again, there are easily discoverable bills and even some laws that show the fruits of progressive left and libertarian right efforts to do just these things. In 2008, the Democrats mandated a multi-agency Inspector General on Addington’s attempt to blow up FISA, the Stellar Wind program. Progressive Pat Leahy has repeatedly mandated other Inspector General reports, which forced the disclosure of FBI’s abusive exigent letter program and that FBI flouted legal mandates regarding Section 215 for seven years (among other things). In 2011, Ron Wyden started his thus far unsuccessful attempt to require the government to disclose how many Americans are affected by Section 702. In 2013, progressive left and libertarian right Senators on the Senate Judiciary Committee tried to get the Intelligence Community Inspector General to review how the multiple parts of the government’s surveillance fit together, to no avail.

Rangappa’s apparent ignorance of this legislative history is all the more remarkable regarding the last several surveillance fights in Congress, USA Freedom Act and this year’s FISA Amendments Act reauthorization (the latter of which she has written repeatedly on). In both fights, the bipartisan privacy coalition fought for — but failed — to force the FBI to comply with the same kind of reporting requirements that the bill imposed on the NSA and CIA, the kind of reporting requirements Rangappa wishes the progressive left would demand. When a left-right coalition in the House Judiciary Committee tried again this year, the FBI stopped negotiating with HJC’s staffers, and instead negotiated exclusively with Devin Nunes and staffers from HPSCI.

With USAF, however, the privacy coalition did succeed in a few reforms (including those reporting requirements for NSA and CIA). Significantly, USAF included language requiring the FISA Court to either include an amicus for issues that present “a novel or significant interpretation of the law,” or explain why it did not. That’s a provision that attempts to fix the “procedural loophole” of having no adversary in the secret court, though it’s a provision of law the current presiding FISC judge, Rosemary Collyer, blew off in last year’s 702 reauthorization. (Note, as I’ve said repeatedly, I don’t think Collyer’s scofflaw behavior is representative of what FISC judges normally do, and so would not argue her disdain for the law feeds a “progressive narrative” that all people involved in the FISA process operated in bad faith.)

Another thing the progressive left and libertarian right won in USAF is new reporting requirements on FISA-related approvals for FISC, to parallel those DOJ must provide. Which brings me to Rangappa’s most hilarious error in an error-ridden piece (it’s an error made by multiple civil libertarians earlier in the week, which I corrected on Twitter, but Rangappa appears to mute me so wouldn’t have seen it).

To defend her claim that the FISC judge who approved the surveillance of Carter Page was operating, if anything, with more rigor than in past years, Rangappa points to EPIC’s tracker of FISA approvals and declares that the 2016 court rejected the highest number of applications in history.

We don’t know whether the memo’s allegations of abuse can be verified. It’s worth noting, however, that Barack Obama’s final year in office saw the highest number of rejected and modified FISA applications in history. This suggests that FISA applications in 2016 received more scrutiny than ever before.

Here’s why this is a belly-laughing error. As noted, USAF required the FISA Court, for the first time, to release its own record of approving applications. It released a partial report (for the period following passage of USAF) covering 2015, and its first full report for 2016. The FISC uses a dramatically different (and more useful) counting method than DOJ, because it counts what happens to any application submitted in preliminary form, whereas DOJ only counts applications submitted in final form. Here’s how the numbers for 2016 compare.

Rangappa relies on EPIC’s count, which for 2016 not only includes an error in the granted number, but adopts the AOUSC counting method just for 2016, making the methodology of its report invalid (it does have a footnote that explains the new AOUSC numbers, but not why it chose to use that number rather than the DOJ one or at least show both).

Using the only valid methodology for comparison with past years, DOJ’s intentionally misleading number, FISC rejected zero applications, which is consistent or worse than other years.

It’s not the error that’s the most amusing part, though. It’s that, to make the FISC look good, she relies on data made available, in significant part, via the efforts of a bipartisan coalition that she claims consists exclusively of lefties doing nothing but demonizing the FISA process.

If anyone has permitted a pre-existing narrative to get in the way of understanding the reality of how FISA currently functions, it’s Rangappa, not her invented progressive left.

Let me be clear. In spite of Rangappa’s invocation (both in the body of her piece and in her biography) of her membership in the FBI tribe, I don’t take her adherence to her chosen narrative in defiance of facts that she made little effort to actually learn to be representative of all FBI Agents (which is why I bracketed FBI in my title). That would be unfair to a lot of really hard-working Agents. But I can think of a goodly number of cases, some quite important, where that has happened, where Agents chased a certain set of leads more vigorously because they fit their preconceptions about who might be a culprit.

That is precisely what has happened here. A culprit, Devin Nunes — the same guy who helped the FBI dodge reporting requirements Rangappa thinks the progressive left should but is not demanding — demonized the FISA process by obscuring what really happens. And rather than holding that culprit responsible, Rangappa has invented some other bad guy to blame. All while complaining that people ever criticize her FBI tribe.

Incidental Collection Under Section 702 Has Probably Contributed to Trump’s Downfall, Too

As you’ve no doubt heard, the House passed the bad reauthorization to Section 702 yesterday. The Senate will vote on cloture on Tuesday — though both Rand Paul and Ron Wyden have threatened to filibuster it — and will almost certainly be voted into law after that.

I’ll have comment later on the rising costs, for politicians, for mindlessly reauthorizing these bills in a follow-up post.

Paul Ryan told President Trump Section 702 hasn’t affected his people

But for the moment, I want to comment on the debate that took place in response to Trump’s two tweets. The first tweet, which was clearly a response to a Judge Napolitano piece on Fox News yesterday morning, complaining about FISA.

Then, after a half hour lesson from Paul Ryan on the different FISA regimes (note, for some reason Devin Nunes was conspicuously absent from much of this process yesterday, both the coddling of the President and managing debate on the bill), a follow-up tweet hailing Section 702’s utility for “foreign surveillance of foreign bad guys on foreign land.”

In response to those tweets, many commenters stated, as a matter of fact, that Trump hasn’t been impacted by Section 702, that only traditional FISA intercepts drove key developments in the Russian investigation.

That’s unlikely to be true, and I suspect we already have evidence that that’s not the case.

It is true that incidental collection on a Title I got Mike Flynn in trouble

To defend the case that incidental collection off a traditional FISA order has impacted Trump’s administration, people point to the December 29, 2016 intercepts of communications between Sergey Kislyak and Mike Flynn which were cited in Flynn’s guilty plea. It is true that those intercepts were done under a traditional FISA order. Admiral Mike Rogers as much as confirmed that last March in his efforts to explain basic FISA law to the House Intelligence Committee Republicans who are supposed to oversee it.

Rogers: FISA collection on targets in the United States has nothing to do with 702, I just want to make sure we’re not confusing the two things here. 702 is collection overseas against non US persons.

And Speaker Ryan, fresh off his efforts to teach the President basic surveillance law, yesterday clarified — inaccurately — that,

Title 1 of the FISA law is what you see in the news that applies to U.S. citizens. That’s not what we’re talking about here. This is Title 7, Section 702. This is about foreign terrorists on foreign soil.

Whatever the facts about FISA orders targeting Carter Page and Paul Manafort, the intercepts that have done the most known damage to the Trump Administration so far targeted a foreigner on US soil, Sergey Kislyak, and Flynn just got picked up incidentally.

Papadopoulos’ affidavit and statement of offense make different claims about his false claims and obstruction

But as I said, I suspect it is highly likely the Trump Administration has also been brought down by an American being caught up incidentally in a Section 702 tasking. That’s because of several details pertaining to the George Papadopoulos plea which I nodded to here; they strongly suggest that Papadopoulos’ Facebook communications with Joseph Mifsud were first obtained by the FBI via Section 702, and only subsequently parallel constructed using a warrant. It’s further likely that the FBI obtained a preservation order on Papadopoulos’ Facebook account before he deleted it because of what they saw via Section 702. [Update: KC has alerted me that they may not have gotten a preservation order, but instead were able to access the Facebook account because that content doesn’t all go away when you deactivate an account, which is what the October 5 document describes as happening.]

Compare the two descriptions of how Papadopoulos obstructed justice. The July 28, 2017 affidavit supporting Papadopoulos’ arrest describes Papadopoulos destroying his Facebook account to hide conversations he had with Timofeev.

The next day, on or about February 17, 2017, however, GEORGE PAPADOPOULOS, the defendant, shut down his Facebook account, which he had maintained since approximately August 2005. Shortly after he shut down his account, PAPADOPOULOS created a new Facebook account.

The Facebook account that PAPADOPOULOS shut down the day after his interview with the FBI contained information about communications he had with Russian nationals and other foreign contacts during the Campaign, including communications that contradicted his statements to the FBI. More specifically, the following communications, among others, were contained in that Facebook account, which the FBI obtained through a judicially authorized search warrant.

The affidavit makes it clear that Papadopoulos attempted to hide “his interactions during the Campaign with foreign contacts, including Russian nationals.” The descriptions of the communications that Papadopoulos attempted to hide are described as “a Facebook account identified with Foreign Contact 2,” Timofeev.

The FBI recorded both interviews, suggesting they already by January 27 they had reason to worry that Papadopoulos might not tell the truth.

The October 5 statement of the offense describes one of Papadopoulos’ false statements this way:

PAPADOPOULOS failed to inform investigators that the Professor had introduced him to the Russian MFA Connection [Timofeev], despite being asked if he had met with Russian nationals or “[a]nyone with a Russian accent” during the Campaign. Indeed, while defendant PAPADOPOULOS told the FBI that he was involved in meetings and did “shuttle diplomacy” with officials from several other countries during the Campaign, he omitted the entire course of conduct with the Professor and the Russian MFA Connection regarding his efforts to establish meetings between the Campaign and Russian government officials.

And it describes his obstruction this way:

The next day, on or about February 17, 2017, defendant PAPADOPOULOS deactivated his Facebook account, which he had maintained since approximately August 2005 and which contained information about communications he had with the Professor and the Russian MFA Connection. Shortly after he deactivated his account, PAPADOPOULOS created a new Facebook account that did not contain the communications with the Professor and the Russian MFA Connection.

On or about February 23, 2017, defendant PAPADOPOULOS ceased using his cell phone number and began using a new number.

In neither document does FBI mention having the content of Papadopoulos’ April 2016 Skype calls with Timofeev and neither one cites data — such as texts — that might have been on his cell phone.

What FBI (probably) learned when

While we can’t be sure — after all, the government may simply be withholding more information from other suspects — the differences between the two legal filings and other public information suggest the following evolution in what the government knew of Papadopoulous’ communications with his interlocutors when. Most importantly, the FBI had learned of Papadopoulos’ communications with Joseph Mifsud and Olga Vinogradova before his two interviews, but they had not learned of his communications with Ivan Timofeev.

Late July 2016

In a drunken conversation in May 2016, Papadopoulos told the Australian Ambassador Alexander Downer that he had been told (by Joseph Mifsud, but it’s not clear Papadopoulos would have revealed that) the Russians had dirt on Hillary in the form of emails.

Before January 27, 2017

  • Papadopoulos might lie and so should be recorded
  • Papadopoulos had interesting communications with Joseph Mifsud and Olga Vinogradova
  • Since Timofeev did not come up in the interview, FBI appears not to have learned of those conversations yet

Before February 16, 2017

  • Papadopoulos’ Facebook was interesting enough to sustain a preservation request but (because FBI still didn’t know about Timofeev) FBI had not yet accessed its content via Papadopoulos [Though see update above]
  • FBI had not yet accessed Skype, which would have shown call records between Timofeev and Papadopoulos
  • FBI did not have a warrant on Papadopoulos’ phone and never obtained one before February 23

By July 28, 2017

  • FBI had obtained a warrant for Papadopoulos’ email
  • FBI had read the Facebook content Papadopoulos tried to delete, discovering the communications (and the relationship) with Timofeev
  • FBI had identified the Skype conversations that had taken place, but not in time to collect them using 702

By October 5, 2017

  • FBI had obtained far more email from the campaign side
  • FBI had discovered that, in addition to destroying his Facebook account, Papadopoulos had also gotten a new phone number (and, I suspect, a new phone), thereby destroying any stored texts on the phone

FBI probably tracked Papadopoulos’ Facebook communications with Mifsud before February 16

Again, this is just a guess, but given the evolution of FBI’s understanding about Papadopoulos laid out above, it seems highly likely that FBI had obtained some (but not all) of Mifsud’s communications before February 16, had submitted preservation requests to Papadopoulos’ providers, but had not yet obtained any legal process for content via Papadopoulos. Given that Papadopoulos’ Facebook content was preserved even in spite of his effort to destroy it, it seems clear the government had reason to know its content was of interest, but it did not yet know about his Facebook communications with Timofeev. This is how FBI routinely launders Section 702 information through criminal process, by getting a warrant for the very same content available at PRISM providers that they already obtained via PRISM. They key detail is that they appear to have known about the content of some but not all of Papadopoulos’ Facebook messages in time to preserve the account before February 16.

This strongly suggests the FBI had obtained Mifsud’s Facebook content, but not Papadopoulos’.

Once FBI opened a full investigation into the Russian ties — which we know they did in late July, in part because of that Papadopoulos conversation about the Mifsud comments — it could task and obtain a raw feed of any known PRISM account for any foreigner overseas associated with that investigation. Once it identified Mifsud as Papadopoulos’ interlocutor — and they would have been able to identify their common relationship from their common front organization, the London Centre of International Law Practice — they would have tasked Mifsud on any identifier they could collect.

And collecting on Facebook would be child’s play — just ask nicely. So it would be shocking if they hadn’t done it as soon as they identified that Mifsud was Papadopoulos’ interlocutor and that he had a Facebook account.

Incidental collection under 702 may have led to the preservation of evidence about the Timofeev relationship Papadopoulos tried to destroy

If all this is right — and it is admittedly just a string of well-educated guesses — then it means FBI’s ability to incidentally collect on Papapdopoulos by targeting Mifsud may have been what led them to take action to preserve Papadopoulos’ Facebook content, and with it evidence of ongoing communications with Timofeev that he had tried to hide.

And the fact that he did try to hide it is what led to Mueller flipping his first cooperating witness.

So if all this is right, then incidental collection on Papadopoulos under Section 702 may be every bit as central to Trump’s legal jeopardy right now as the incidental collection on Flynn under Title I. They’re both critical pieces in proving any hypothetical case that Trump traded policy considerations for the release of Hillary emails.

This is how Section 702 is supposed to work, and could be done under USA Rights

Let me be clear: I’m not saying the discovery of Papadopoulos’ Facebook communications with Mifsud and through them his Facebook communications with Timofeev is an abuse. On the contrary, this is how 702 is supposed to work.

If we’re going to have this program, it should be used to target suspect agents of a foreign power located overseas, as Mifsud clearly was. If he was targeted under 702, he was targeted appropriately.

But there is no reason to believe doing so required any of the more abusive uses of 702 that USA Rights would limit. Unless Mifsud was already tasked at FBI when they opened the investigation in July 2016, there’s no reason to believe this account could have been found off of a back door search at FBI. Mifsud may have been tasked at NSA or even CIA, but if he was, searching on Papadopoulos because the government suspected he was being recruited by a foreign power would fall under known justifications for back door searches at those foreign intelligence agencies (especially at CIA).

USA Rights would permit the use of this 702 information to support the criminal case against Papadopoulos, because it’s clearly a case of foreign government spying.

And no use of the Tor exception would be implicated with this search.

In other words, Section 702 as Ron Wyden and Rand Paul and Justin Amash and Zoe Lofgren would have it would still permit the use of Section 702 as a tool to — ultimately — lead FBI to figure out that Papadopoulos was hiding his contacts with Ivan Timofeev.

As it turns out, the kinds of people Trump’s foreign policy advisor George Papadopoulos was chatting up on Facebook — Joseph Mifsud and Ivan Timofeev — are precisely the kind of people the FBI considers “foreign bad guys on foreign land” for the purposes of Section 702, meaning the Bureau could get their Facebook account quite easily.

And the incidental collection of Americans of such conversations can be — may well have been — as dangerous to Donald Trump as the incidental collection of Americans under Title I.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

What HPSCI Wants to Protect in 702: Back Doors, the Tor Exception, and a Dysfunctional FISC

The House is revving up to vote on 702 reauthorization, offering either the shitty bill drafted by Devin Nunes, Adam Schiff, and Devin Nunes or the Amash amendment (which is the Wyden-Paul USA Rights bill). As I noted in a piece at The New Republic,

Congress is, in an apparently serious attempt at surveillance reform, about to make it easier for the FBI to spy on those whom it has zero evidence of wrongdoing than those whom it has probable cause to suspect of illegal behavior. This bill would protect a very small subset of suspected criminals—perhaps just one a year, based on reporting from 2016. But it would do nothing to prevent the FBI from reading the communications of any innocent American who is named in a tip.

HPSCI has come out with a one pager making shite up about USA Rights. And I’m interested in three things HPSCI prioritizes:

  • Ensuring that NSA can order companies to bypass encryption
  • Sustaining the Tor domestic spying exception
  • Coddling the dysfunction of the FISA Court

Ensuring that NSA can order companies to bypass encryption

The HPSCI flyer complains that USA Rights,

Significantly limit[s] the Government’s ability to obtain Section 702 information on foreign terrorists by unnecessarily restricting when the Government may ask for technical assistance from electronic communication service providers;

At issue is language in USA Rights that limits government requests for technical assistance to things that are necessary, narrowly tailored, and would not pose an undue burden.

(B) LIMITATIONS.—The Attorney General or the Director of National Intelligence may not request assistance from an electronic communication service provider under subparagraph (A) without demonstrating, to the satisfaction of the Court, that the assistance sought—

(i) is necessary;

(ii) is narrowly tailored to the surveillance at issue; and

(iii) would not pose an undue burden on the electronic communication service provider or its customers who are not an intended target of the surveillance.

It is clear this is Wyden’s effort to prohibit the government from using individual directives (which are not reviewed by the FISA Court) to back door or circumvent a company’s encryption. While the government says it has not yet asked the FISC to force companies to do this (which is different from saying they haven’t asked and gotten companies to willingly do so), it has dodged whether it has asked companies to circumvent their own encryption.

So basically, one of the big things HPSCI thinks is wrong with USA Rights is that it won’t let NSA back door your phone.

Sustaining the Tor domestic spying exception

The HPSCI flyer claims that USA Rights,

Mandat[es] a flat prohibition on the use of Section 702 information in prosecuting dangerous criminals, including murderers and child abusers;

That flips reality on its head. What HPSCI is trying to protect, here, is its carve-out permitting the use of 702 information for anything that,

“Affects, involves, or is related to” the national security of the United States (which will include proceedings used to flip informants on top of whatever terrorism, proliferation, or espionage and hacking crimes that would more directly fall under national security) or involves,

  • Death
  • Kidnapping
  • Serious bodily injury
  • Specified offense against a minor
  • Incapacitation or destruction of critical infrastructure (critical infrastructure can include even campgrounds!)
  • Cybersecurity, including violations of CFAA
  • Transnational crime, including transnational narcotics trafficking
  • Human trafficking (which, especially dissociated from transnational crime, is often used as a ploy to prosecute prostitution; the government also includes assisting undocumented migration to be human trafficking)

[snip]

Importantly, the bill does not permit judicial review on whether the determination that something “affects, involves, or is related to” national security. Meaning Attorney General Jeff Sessions could decide tomorrow that it can collect the Tor traffic of BLM or BDS activists, and no judge can rule that’s an inappropriate use of a foreign intelligence program.

As I have noted, the carve out, taken in conjunction with the 2014 exception letting the NSA collect on location obscuring servers (like VPNs and Tor) used by Americans, effectively makes 702 a domestic spying bill (on top of permitting its use for anything else Jeff Sessions claims is related to national security).

In other words, HPSCI doesn’t so much want 702 to spy on the terrorists, spies, and proliferators included in USA Rights: it wants to spy domestically.

Coddling the dysfunction of the FISA Court

Finally, the HPSCI flyer complains that USA Freedom,

Subvert[s] the authority and expediency of the Foreign Intelligence Surveillance Court by requiring an amicus review during every Section 702 authorization; and

This is a complaint about a number of common sense measures that make the FISA Court more credible, most notably requiring each 702 authorization to include an amicus review. The bill also includes measures to make the amicus review more robust, like enough advance involvement to be useful.

For a body of Congress to guard “the authority and expediency” of the FISC — especially in the wake of last year’s debacle of a ruling from Rosemary Collyer, who stubbornly refused to follow the law and either appoint an amicus or explain why she chose not to do so, is an outright abdication of congressional authority.

The FISC just defied Congressional intent as reflected in USA Freedom Act. USA Rights would make it harder for the FISC to continue to do so. And HPSCI’s response to that is to whimper that Congress is “subverting the authority” of another branch by demanding that it follow the law?

Update: DemandProgress did a fact check of this flyer that’s quite good.

“Circumventing” Encryption Is Different than “Weakening” or “Altering” It

I’m still catching up to the Questions for the Record that ODNI submitted to the Senate Intelligence Committee after its June hearing on 702. So I’d like to look more closely at something from the QFRs first reported by Zack Whittaker on encryption.

It has to do with a response to a Ron Wyden question about whether 702 provides authority to “circumvent or weaken” encryption.

Whittaker notes what I pointed out here — because of the way 702 works, “the court is never going to review the individual directives which is where the specific technical assistance gets laid out (unless a provider is permitted to challenge those directives).” That’s the headline point of his piece, one I agree with.

The US government does not need the approval of its secret surveillance court to ask a tech company to build an encryption backdoor.

Whittaker also notes that this language falls far short of denying (or confirming) whether it has asked for a back door. Meaning, it’s possible they asked a provider for a back door, and the provider complied without being forced to.

That said, I wanted to point out the limits to this claim from Whittaker.

In its answers, the government said it has “not to date” needed to ask the FISC to issue an order to compel a company to backdoor or weaken its encryption.

It is true that the government says it has not asked an ECSP to “alter the encryption provided by a service or product it offers.”

But that answer is non-responsive to the totality of Wyden’s question, which asks if the government ordered a provider to “circumvent or weaken” encryption. The government only addresses the latter question, whether the government has altered (presumably by weakening) encryption. It hasn’t answered, at all, whether it has ordered a provider to “circumvent” encryption.

That’s an important point regardless. These QFRs are always carefully crafted, particularly in responses to Wyden (or the few other people who actually exercise oversight).

I think it’s particularly important given something that happened with iOS in the last year: rather than just answering, yes or no, before a phone trusts a computer (meaning it will share its contents with iTunes and therefore potentially with Apple), iOS 11 now requires you to enter your password before a phone will trust a computer.

A different and more significant change is requiring the passcode to “trust” a new computer. Currently, when the police wish to search a phone, they unlock it either with the fingerprint reader, by convincing the suspect to unlock the phone (e.g. to look up a phone number), or they simply seize the phone while it is unlocked. None of these avenues directly implicate suspects’ constitutional rights. Once the unlocked phone is obtained, officials connect the device to a computer running forensics software, or even just iTunes, direct the device to “trust” the new computer when prompted, and download a backup that contains almost all of the relevant information stored on the phone. Requiring the passcode in order to sync the device with a new machine means that, even with an unlocked device, a party that wants access is now limited to searching the phone manually for visible items and can only perform that search while the phone remains unlocked.

I had already been thinking trusted backups provided a way the government could, through Apple, obtain contents from phones that would otherwise be hard to decrypt (I believe it would require altering iTunes, not the encryption itself). Such an approach would be particularly useful for NatSec investigations, where collecting contents wasn’t so much about solving an already committed crime (which is what all the iPhones the government hasn’t been able to break into were collected for), but to prevent one or otherwise collect prospective data.

I don’t even know if this is technically feasible. Nor do I know whether someone would be better sticking with iOS 10 and just rigorously refusing to trust a given computer or upgrading to iOS 11 and never entering that password.

But I do know this passage on encryption is — with respect to whether the government has ever ordered a company to circumvent encryption — a non-denial.

And I have learned that non-denials, especially in response to Wyden, generally should be closely scrutinized.