Posts

“Circumventing” Encryption Is Different than “Weakening” or “Altering” It

I’m still catching up to the Questions for the Record that ODNI submitted to the Senate Intelligence Committee after its June hearing on 702. So I’d like to look more closely at something from the QFRs first reported by Zack Whittaker on encryption.

It has to do with a response to a Ron Wyden question about whether 702 provides authority to “circumvent or weaken” encryption.

Whittaker notes what I pointed out here — because of the way 702 works, “the court is never going to review the individual directives which is where the specific technical assistance gets laid out (unless a provider is permitted to challenge those directives).” That’s the headline point of his piece, one I agree with.

The US government does not need the approval of its secret surveillance court to ask a tech company to build an encryption backdoor.

Whittaker also notes that this language falls far short of denying (or confirming) whether it has asked for a back door. Meaning, it’s possible they asked a provider for a back door, and the provider complied without being forced to.

That said, I wanted to point out the limits to this claim from Whittaker.

In its answers, the government said it has “not to date” needed to ask the FISC to issue an order to compel a company to backdoor or weaken its encryption.

It is true that the government says it has not asked an ECSP to “alter the encryption provided by a service or product it offers.”

But that answer is non-responsive to the totality of Wyden’s question, which asks if the government ordered a provider to “circumvent or weaken” encryption. The government only addresses the latter question, whether the government has altered (presumably by weakening) encryption. It hasn’t answered, at all, whether it has ordered a provider to “circumvent” encryption.

That’s an important point regardless. These QFRs are always carefully crafted, particularly in responses to Wyden (or the few other people who actually exercise oversight).

I think it’s particularly important given something that happened with iOS in the last year: rather than just answering, yes or no, before a phone trusts a computer (meaning it will share its contents with iTunes and therefore potentially with Apple), iOS 11 now requires you to enter your password before a phone will trust a computer.

A different and more significant change is requiring the passcode to “trust” a new computer. Currently, when the police wish to search a phone, they unlock it either with the fingerprint reader, by convincing the suspect to unlock the phone (e.g. to look up a phone number), or they simply seize the phone while it is unlocked. None of these avenues directly implicate suspects’ constitutional rights. Once the unlocked phone is obtained, officials connect the device to a computer running forensics software, or even just iTunes, direct the device to “trust” the new computer when prompted, and download a backup that contains almost all of the relevant information stored on the phone. Requiring the passcode in order to sync the device with a new machine means that, even with an unlocked device, a party that wants access is now limited to searching the phone manually for visible items and can only perform that search while the phone remains unlocked.

I had already been thinking trusted backups provided a way the government could, through Apple, obtain contents from phones that would otherwise be hard to decrypt (I believe it would require altering iTunes, not the encryption itself). Such an approach would be particularly useful for NatSec investigations, where collecting contents wasn’t so much about solving an already committed crime (which is what all the iPhones the government hasn’t been able to break into were collected for), but to prevent one or otherwise collect prospective data.

I don’t even know if this is technically feasible. Nor do I know whether someone would be better sticking with iOS 10 and just rigorously refusing to trust a given computer or upgrading to iOS 11 and never entering that password.

But I do know this passage on encryption is — with respect to whether the government has ever ordered a company to circumvent encryption — a non-denial.

And I have learned that non-denials, especially in response to Wyden, generally should be closely scrutinized.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

A Dragnet of emptywheel’s Most Important Posts on Surveillance, 2007 to 2017

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten this week.

To celebrate, the emptywheel team has been sharing some of our favorite work from the last decade. This is my massive dragnet of surveillance posts.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2007

Whitehouse Reveals Smoking Gun of White House Claiming Not to Be Bound by Any Law

Just days after opening the new digs, I noticed Sheldon Whitehouse entering important details into the Senate record — notably, that John Yoo had pixie dusted EO 12333 to permit George Bush to authorize the Stellar Wind dragnet. In the ten years since, both parties worked to gradually expand spying on Americans under EO 12333, only to have Obama permit the sharing of raw EO 12333 data in its last days in office, completing the years long project of restoring Stellar Wind’s functionalities. This post, from 2016, analyzes a version of the underlying memo permitting the President to change EO 12333 without providing public notice he had done so.

2008

McConnell and Mukasey Tell Half Truths

In the wake of the Protect America Act, I started to track surveillance legislation as it was written, rather than figure out after the fact how the intelligence community snookered us. In this post, I examined the veto threats Mike McConnell and Michael Mukasey issued in response to some Russ Feingold amendments to the FISA Amendments Act and showed that the government intended to use that authority to access Americans’ communication via both what we now call back door searches and reverse targeting. “That is, one of the main purposes is to collect communications in the United States.”

9 years later, we’re still litigating this (though, since then FISC has permitted the NSA to collect entirely domestic communications under the 2014 exception).

2009

FISA + EO 12333 + [redacted] procedures = No Fourth Amendment

The Government Sez: We Don’t Have a Database of All Your Communication

After the FISCR opinion on what we now know to be the Yahoo challenge to Protect American Act first got declassified, I identified several issues that we now have much more visibility on. First, PAA permitted spying on Americans overseas under EO 12333. And it didn’t achieve particularity through the PAA, but instead through what we know to be targeting procedures, including contact chaining. Since then we’ve learned the role of SPCMA in this.

In addition, to avoid problems with back door searches, the government claimed it didn’t have a database of all our communication — a claim that, narrowly parsed might be true, but as to the intent of the question was deeply misleading. That claim is one of the reasons we’ve never had a real legal review of back door searches.

Bush’s Illegal Domestic Surveillance Program and Section 215

On PATRIOTs and JUSTICE: Feingold Aims for Justice

During the 2009 PATRIOT Act reauthorization, I continued to track what the government hated most as a way of understanding what Congress was really authorizing. I understood that Stellar Wind got replaced not just by PAA and FAA, but also by the PATRIOT authorities.

All of which is a very vague way to say we probably ought to be thinking of four programs–Bush’s illegal domestic surveillance program and the PAA/FAA program that replaced it, NSLs, Section 215 orders, and trap and trace devices–as one whole. As the authorities of one program got shut down by exposure or court rulings or internal dissent, it would migrate to another program. That might explain, for example, why Senators who opposed fishing expeditions in 2005 would come to embrace broadened use of Section 215 orders in 2009.

I guessed, for example, that the government was bulk collecting data and mining it to identify targets for surveillance.

We probably know what this is: the bulk collection and data mining of information to select targets under FISA. Feingold introduced a bajillion amendments that would have made data mining impossible, and each time Mike McConnell and Michael Mukasey would invent reasons why Feingold’s amendments would have dire consequences if they passed. And the legal information Feingold refers to is probably the way in which the Administration used EO 12333 and redacted procedures to authorize the use of data mining to select FISA targets.

Sadly, I allowed myself to get distracted by my parallel attempts to understand how the government used Section 215 to obtain TATP precursors. As more and more people confirmed that, I stopped pursuing the PATRIOT Act ties to 702 as aggressively.

2010

Throwing our PATRIOT at Assange

This may be controversial, given everything that has transpired since, but it is often forgotten what measures the US used against Wikileaks in 2010. The funding boycott is one thing (which is what led Wikileaks to embrace Bitcoin, which means it is now in great financial shape). But there’s a lot of reason to believe that the government used PATRIOT authorities to target not just Wikileaks, but its supporters and readers; this was one hint of that in real time.

2011

The March–and April or May–2004 Changes to the Illegal Wiretap Program

When the first iteration of the May 2004 Jack Goldsmith OLC memo first got released, I identified that there were multiple changes made and unpacked what some of them were. The observation that Goldsmith newly limited Stellar Wind to terrorist conversations is one another reporter would claim credit for “scooping” years later (and get the change wrong in the process). We’re now seeing the scope of targeting morph again, to include a range of domestic crimes.

Using Domestic Surveillance to Get Rapists to Spy for America

Something that is still not widely known about 702 and our other dragnets is how they are used to identify potential informants. This post, in which I note Ted Olson’s 2002 defense of using (traditional) FISA to find rapists whom FBI can then coerce to cooperate in investigations was the beginning of my focus on the topic.

2012

FISA Amendments Act: “Targeting” and “Querying” and “Searching” Are Different Things

During the 2012 702 reauthorization fight, Ron Wyden and Mark Udall tried to stop back door searches. They didn’t succeed, but their efforts to do so revealed that the government was doing so. Even back in 2012, Dianne Feinstein was using the same strategy the NSA currently uses — repeating the word “target” over and over — to deny the impact on Americans.

Sheldon Whitehouse Confirms FISA Amendments Act Permits Unwarranted Access to US Person Content

As part of the 2012 702 reauthorization, Sheldon Whitehouse said that requiring warrants to access the US person content collected incidentally would “kill the program.” I took that as confirmation of what Wyden was saying: the government was doing what we now call back door searches.

2013

20 Questions: Mike Rogers’ Vaunted Section 215 Briefings

After the Snowden leaks started, I spent a lot of time tracking bogus claims about oversight. After having pointed out that, contrary to Administration claims, Congress did not have the opportunity to be briefed on the phone dragnet before reauthorizing the PATRIOT Act in 2011, I then noted that in one of the only briefings available to non-HPSCI House members, FBI had lied by saying there had been no abuses of 215.

John Bates’ TWO Wiretapping Warnings: Why the Government Took Its Internet Dragnet Collection Overseas

Among the many posts I wrote on released FISA orders, this is among the most important (and least widely understood). It was a first glimpse into what now clearly appears to be 7 years of FISA violation by the PRTT Internet dragnet. It explains why they government moved much of that dragnet to SPCMA collection. And it laid out how John Bates used FISA clause 1809(a)(2) to force the government to destroy improperly collected data.

Federated Queries and EO 12333 FISC Workaround

In neither NSA nor FBI do the authorities work in isolation. That means you can conduct a query on federated databases and obtain redundant results in which the same data point might be obtained via two different authorities. For example, a call between Michigan and Yemen might be collected via bulk collection off a switch in or near Yemen (or any of the switches between there and the US), as well as in upstream collection from a switch entering the US (and all that’s assuming the American is not targeted). The NSA uses such redundancy to apply the optimal authority to a data point. With metadata, for example, it trained analysts to use SPCMA rather than PATRIOT authorities because they could disseminate it more easily and for more purposes. With content, NSA appears to default to PRISM where available, probably to bury the far more creative collection under EO 12333 for the same data, and also because that data comes in structured form.

Also not widely understood: the NSA can query across metadata types, returning both Internet and phone connection in the same query (which is probably all the more important now given how mobile phones collapse the distinction between telephony and Internet).

This post described how this worked with the metadata dragnets.

The Purpose(s) of the Dragnet, Revisited

The government likes to pretend it uses its dragnet only to find terrorists. But it does far more, as this analysis of some court filings lays out.

2014

The Corporate Store: Where NSA Goes to Shop Your Content and Your Lifestyle

There’s something poorly understood about the metadata dragnets NSA conducts. The contact-chaining isn’t the point. Rather, the contact-chaining serves as a kind of nomination process that puts individuals’ selectors, indefinitely, into the “corporate store,” where your identity can start attracting other related datapoints like a magnet. The contact-chaining is just a way of identifying which people are sufficiently interesting to submit them to that constant, ongoing data collection.

SPCMA: The Other NSA Dragnet Sucking In Americans

I’ve done a lot of work on SPCMA — the authorization that, starting in 2008, permitted the NSA to contact chain on and through Americans with EO 12333 data, which was one key building block to restoring access to EO 12333 analysis on Americans that had been partly ended by the hospital confrontation, and which is where much of the metadata analysis affecting Americans has long happened. This was my first comprehensive post on it.

The August 20, 2008 Correlations Opinion

A big part of both FBI and NSA’s surveillance involves correlating identities — basically, tracking all the known identities a person uses on telephony and the Internet (and financially, though we see fewer details of that), so as to be able to pull up all activities in one profile (what Bill Binney once called “dossiers”). It turns out the FISC opinion authorizing such correlations is among the documents the government still refuses to release under FOIA. Even as I was writing the post Snowden was explaining how it works with XKeyscore.

A Yahoo! Lesson for USA Freedom Act: Mission Creep

This is another post I refer back to constantly. It shows that, between the time Yahoo first discussed the kinds of information they’d have to hand over under PRISM in August 2007 and the time they got directives during their challenge, the kinds of information they were asked for expanded into all four of its business areas. This is concrete proof that it’s not just emails that Yahoo and other PRISM providers turn over — it’s also things like searches, location data, stored documents, photos, and cookies.

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

Confession: I have an entire chapter of the start of a book on the Yahoo challenge to PRISM. That’s because so much about it embodied the kind of dodgy practices the government has, at the most important times, used with the FISA Court. In this post, I showed that the documents that the government provided the FISCR hid the fact that the then-current versions of the documents had recently been modified. Using the active documents would have shown that Yahoo’s key argument — that the government could change the rules protecting Americans anytime, in secret — was correct.

2015

Is CISA the Upstream Cyber Certificate NSA Wanted But Didn’t Really Get?

Among the posts I wrote on CISA, I noted that because the main upstream 702 providers have a lot of federal business, they’ll “voluntarily” scan on any known cybersecurity signatures as part of protecting the federal government. Effectively, it gives the government the certificate it wanted, but without any of the FISA oversight or sharing restrictions. The government has repeatedly moved collection to new authorities when FISC proved too watchful of its practices.

The FISA Court’s Uncelebrated Good Points

Many civil libertarians are very critical of the FISC. Not me. In this post I point out that it has policed minimization procedures, conducted real First Amendment reviews, taken notice of magistrate decisions and, in some cases, adopted the highest common denominator, and limited dissemination.

How the Government Uses Location Data from Mobile Apps

Following up on a Ron Wyden breadcrumb, I figured out that the government — under both FISA and criminal law — obtain location data from mobile apps. While the government still has to adhere to the collection standard in any given jurisdiction, obtaining the data gives the government enhanced location data tied to social media, which can implicate associates of targets as well as the target himself.

The NSA (Said It) Ate Its Illegal Domestic Content Homework before Having to Turn It in to John Bates

I’m close to being able to show that even after John Bates reauthorized the Internet metadata dragnet in 2010, it remained out of compliance (meaning NSA was always violating FISA in obtaining Internet metadata from 2002 to 2011, with a brief lapse). That case was significantly bolstered when it became clear NSA hastily replaced the Internet dragnet with obtaining metadata from upstream collection after the October 2011 upstream opinion. NSA hid the evidence of problems on intake from its IG.

FBI Asks for at Least Eight Correlations with a Single NSL

As part of my ongoing effort to catalog the collection and impact of correlations, I showed that the NSL Nick Merrill started fighting in 2004 asked for eight different kinds of correlations before even asking for location data. Ultimately, it’s these correlations as much as any specific call records that the government appears to be obtaining with NSLs.

2016

What We Know about the Section 215 Phone Dragnet and Location Data

During the lead-up to the USA Freedom Debate, the government leaked stories about receiving a fraction of US phone records, reportedly because of location concerns. The leaks were ridiculously misleading, in part because they ignored that the US got redundant collection of many of exactly the same calls they were looking for from EO 12333 collection. Yet in spite of these leaks, the few figured out that the need to be able to force Verizon and other cell carriers to strip location data was a far bigger reason to pass USAF than anything Snowden had done. This post laid out what was known about location data and the phone dragnet.

While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704

When Congress passed FISA Amendments Act, it made a show of providing protections to Americans overseas. One authority, Section 703, was for spying on people overseas with help of US providers, and another was for spying on Americans overseas without that help. By May 2016, I had spent some time laying out that only the second, which has less FISC oversight, was used. And I was seeing problems with its use in reporting. So I suggested maybe Congress should look into that?

It turns out that at precisely that moment, NSA was wildly scrambling to get a hold on its 704 collection, having had an IG report earlier in the year showing they couldn’t audit it, find it all, or keep it within legal boundaries. This would be the source of the delay in the 702 reauthorization in 2016, which led to the prohibition on about searches.

The Yahoo Scan: On Facilities and FISA

The discussion last year of a scan the government asked Yahoo to do of all of its users was muddled because so few people, even within the privacy community, understand how broadly the NSA has interpreted the term “selector” or “facility” that it can target for collection. The confusion remains to this day, as some in the privacy community claim HPSCI’s use of facility based language in its 702 reauthorization bill reflects new practice. This post attempts to explain what we knew about the terms in 2016 (though the various 702 reauthorization bills have offered some new clarity about the distinctions between the language the government uses).

2017

Ron Wyden’s History of Bogus Excuses for Not Counting 702 US Person Collection

Ron Wyden has been asking for a count of how many Americans get swept up under 702 for years. The IC has been inventing bogus explanations for why they can’t do that for years. This post chronicles that process and explains why the debate is so important.

The Kelihos Pen Register: Codifying an Expansive Definition of DRAS?

When DOJ used its new Rule 41 hacking warrant against the Kelihos botnet this year, most of the attention focused on that first-known usage. But I was at least as interested in the accompanying Pen Register order, which I believe may serve to codify an expansion of the dialing, routing, addressing, and signaling information the government can obtain with a PRTT. A similar codification of an expansion exists in the HJC and Lee-Leahy bills reauthorizing 702.

The Problems with Rosemary Collyer’s Shitty Upstream 702 Opinion

The title speaks for itself. I don’t even consider Rosemary Collyer’s 2017 approval of 702 certificates her worst FISA opinion ever. But it is part of the reason why I consider her the worst FISC judge.

It Is False that Downstream 702 Collection Consists Only of To and From Communications

I pointed out a number of things not raised in a panel on 702, not least that the authorization of EO 12333 sharing this year probably replaces some of the “about” collection function. Most of all, though, I reminded that in spite of what often gets claimed, PRISM is far more than just communications to and from a target.

UNITEDRAKE and Hacking under FISA Orders

A document leaked by Shadow Brokers reveals a bit about how NSA uses hacking on FISA targets. Perhaps most alarmingly, the same tools that conduct such hacks can be used to impersonate a user. While that might be very useful for collection purposes, it also invites very serious abuse that might create a really nasty poisonous tree.

A Better Example of Article III FISA Oversight: Reaz Qadir Khan

In response to Glenn Gerstell’s claims that Article III courts have exercised oversight by approving FISA practices (though the reality on back door searches is not so cut and dry), I point to the case of Reaz Qadir Khan where, as Michael Mosman (who happens to serve on FISC) moved towards providing a CIPA review for surveillance techniques, Khan got a plea deal.

The NSA’s 5-Page Entirely Redacted Definition of Metadata

In 2010, John Bates redefined metadata. That five page entirely redacted definition became codified in 2011. Yet even as Congress moves to reauthorize 702, we don’t know what’s included in that definition (note: location would be included).

FISA and the Space-Time Continuum

This post talks about how NSA uses its various authorities to get around geographical and time restrictions on its spying.

The Senate Intelligence Committee 702 Bill Is a Domestic Spying Bill

This is one of the most important posts on FISA I’ve ever written. It explains how in 2014, to close an intelligence gap, the NSA got an exception to the rule it has to detask from a facility as soon as it identifies Americans using the facility. The government uses it to collect on Tor and, probably VPN, data. Because the government can keep entirely domestic communications that the DIRNSA has deemed evidence of a crime, the exception means that 702 has become a domestic spying authority for use with a broad range of crimes, not to mention anything the Attorney General deems a threat to national security.

“Hype:” How FBI Decided Searching 702 Content Was the Least Intrusive Means

In a response to a rare good faith defense of FBI’s back door searches, I pointed out that the FBI is obliged to consider the least intrusive means of investigation. Yet, even while it admits that accessing content like that obtained via 702 is extremely intrusive, it nevertheless uses the technique routinely at the assessment level.

Other Key Posts Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

10 Years of emptywheel: Key Non-Surveillance Posts 2016-2017

10 Years of emptywheel: Jim’s Dimestore

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

“Hype:” How FBI Decided Searching 702 Content Was the Least Intrusive Means

Former FBI Special Agent Asha Rangappa has a defense of back door searches at Just Security that (unlike most defenses of 702) actually takes on those searches as practiced in most problematic way at FBI, rather than as done in much more controlled fashion at NSA.

FBI does federated searches

I think she nitpicks a few issues. For example, she claims that back door opponents claim there is a “stand-alone computer in the middle of each FBI office with a big sign that reads ‘702 DATABASE ‘” but then goes on to claim “FBI uses one database for all of its investigative functions,” even while admitting that the FBI really does “federated queries” of multiple repositories. The distinction — particularly given that we know the database comes with access limits tied to job function — could offer solutions to concerns about 702 data (including providing access to just metadata, a proposal I’m not a fan of but one she attacks in the post). She also ignores the FBI’s use of “ad hoc databases” that have posed access and data protection concerns in the past.  Which is to say, the technical realities of how FBI Agents access this data soup are more complex than she lays out, and those complexities should be part of the discussion because they present additional risks and opportunities.

FBI’s raw data will be US-person focused

Rangappa minimizes what percentage of raw data obtained by FBI would include US person contact.

According to FBI Director Christopher Wray, the FBI receives about 4.3 percent of the NSA’s total collection – and since not every incidental communication will necessarily involve an USPER, the number of communications involving Americans are likely less than that.

While the FBI does have global investigations, the FBI is going to have few full investigations that have no domestic component. Investigations focused on US victims (say a US company hacked by Russian or Chinese state actors) won’t include many US interlocutors, but the other most likely 702 related investigations would all be focused on international communications: who suspected extremists were talking to in the US, what Iranians were buying dual use or other proliferation products, including from US companies, which Americans that Chinese scientists or Russian businessmen were engaging with closely. The 5,000 or so targets sucked into FBI would be the 5,000 targets in most frequent contact with Americans, by design. That has been the entire justification for this collection program since its inception as Stellar Wind.

And — as Ron Wyden recently made clear — it is permissible to target a foreigner if collecting on a US person is one purpose of the targeting, so long as the foreigner is targetable in his own right. Indeed, we can probably point to examples where that happened. That’s going to increase the US content pulled in with those 5,000 targets.

702 can target a whole bunch of selectors

And I believe this is misleading.

PRISM allows the NSA to target non-U.S. persons reasonably believed to be located abroad based on “selectors” – like an email address or a phone number (but not keywords or names) – which will reasonably return foreign intelligence information.

It is true that upstream collection doesn’t use keywords (and has halted about collection altogether). It is true that the most common selector provided in a directive to Google will be an email address. But there are a slew of other kinds of selectors that NSA and FBI can target. That includes IP addresses, which given the 2014 exception means entirely domestic communications can be collected. Even ignoring the targeting of IP addresses that Americans are known to also use (which will come into FBI’s possession a different way), the collection on chat room IPs, just as one example, might suck up a lot more US person content than individual emails might. And the FBI can also search for things like cookies or encryption tools, which will pull in different kinds of content.

FBI’s queries are not all routinely audited

I think Rangappa overstates the tracking of queries and makes an outright error when she claims that backdoor searches are “routinely audited.”

Every query, furthermore, is documented and placed in a case file. (If we learned anything from James Comey, it’s that the FBI puts everything down on paper.) In fact, every query conducted by the FBI is recorded and must be traceable back to an authorized purpose and a case file.  Agent queries are routinely audited, and a failure of an agent to provide an authorized purpose for conducting a query can be grounds for sanctions, suspension, or even termination.

She overstates the tracking of queries because by design there’s not a case file for many of the queries in question, because they’re done at the assessment stage. Moreover, if the FBI tracked its queries as well as Rangappa claims, it could provide documentation of what was going on to oversight bodies, but it has persistently claimed it could not do so, not in public, and not even in private.

More importantly, the FBI’s use of 702 is simply not audited adequately. That’s true, in part, because in 2012-2013, FBI moved much of its FISA activity to field offices, and not every field office gets audited every six months.

During this reporting period, however, FBI transitioned much of its dissemination from FBI Headquarters to FBI field offices. NSD is conducting oversight reviews of FBI field offices use of these disseminations, but because every field office is not reviewed every six months, NSD no longer has comprehensive numbers on the number of disseminations of United States person information made by FBI.

In 2015 — the most recent period for which we’ve gotten a Semiannual Report — NSD only reviewed minimization at 15 field offices (and ODNI did not attend all of these).

During these field office reviews, NSD also audits a sample of FBI personnel queries in systems that contain unminimized Section 702 collection. As detailed in the attachments to the Attorney General’s Section 707 Report, NSD conducted minimization reviews at 15 FBI field offices during this reporting period and reviewed cases involving Section 702-tasked facilities.

FBI has 56 field offices. And while I’m confident that NSD focuses its 702 reviews on the offices that work with FISA most often — places like DC, NY, LA, SF, and places with significant foreign population, like Detroit and Minneapolis — that means that when a field office that doesn’t use FISA often (say, if an Agent in Milwaukee were researching a hacker named MalwareTech), a combination of inexperience and lax oversight might be especially likely to result in problems.  And note, in any office, just a sample of queries gets reviewed, as the government explained to FISC last year, and the tracking isn’t detailed enough to figure out what occurred with a query without talking to the Agent who did it.

Additionally, NSD conducts minimization reviews in multiple FBI field offices each year. As part of these minimization reviews, NSD and FBI National Security Law Branch have emphasized the above requirements and processes during field office training. Further, during the minimization reviews, NSD audits a sample of queries performed by FBI personnel in the databases storing raw FISA-acquired information, including raw section 702-acquired information. Since December 2015, NSD has reviewed these queries to determine if any such queries were conducted solely for the purpose of retaining evidence of a crime. If such a query was conducted, NSD would seek additional information from the relevant FBI personnel as to whether FBI personnel received and reviewed section 702-acquired information of or concerning a U.S. person in response to such a query.

Notably, the one case where FBI reported a criminal return on a criminal search in 702 information only got reported after NSD did follow-up questioning. So yeah, NSD spends 4 days at Main Justice reviewing this stuff and goes to 27% of the field offices every six months, but that’s a far cry from “routinely auditing” queries.

The importance of investigative levels

The most remarkable thing about Rangappa’s post, however, is how well she exhibits the absurdity of what really goes on here. She correctly states — as I reported here — that FBI only obtains 702 content in full investigations. And she provides a short description of FBI’s three investigative levels.

Specifically, the NSA passes on to the FBI information collected on selectors associated with “Full Investigations” opened by the FBI. Full Investigations are the most serious class of investigations within the Bureau, and require the most stringent predicate to open: There must be an “articulable factual basis” that a federal crime has occurred or is occurring or a threat to national security exists.  (Two other investigative classifications, Preliminary Investigations and Threat Assessments, have lower thresholds to open and shorter time limits to remain open.)

She helpfully describes how investigations work through stages, with new investigative methods approved for each

Querying DIVS is, quite literally, the first and most basic thing the FBI does in its investigative sequence. Depending on the kind of information the search returns, an agent will then take the next prescribed step as outlined in the FBI’s Domestic and Investigative Operations Guide (DIOG) until a case is either opened for further investigation, or the matter is resolved in the negative and closed.

She then dismisses the concern that FBI does queries of 702 data at the assessment level without really addressing it.

Much of the criticism of the FBI’s use of 702 centers around the fact that agents can query subjects in their databases even if there is no evidence of criminal wrongdoing. However, as any law enforcement official will tell you, criminals and spies don’t show up on the doorstep of law enforcement with all of their evidence and motives neatly tied up in a bow. Cases begin with leads, tips, or new information obtained in the course of other cases. Often, the discrete pieces of information the FBI receives may not in and of themselves constitute criminal acts – and the identifying information provided to the FBI may be incomplete. However, anytime the FBI receives a credible piece of information that could indicate a potential violation of the law or a threat to national security, it has a legal duty determine whether a basis for further investigation exists. It is for this reason that a query of its existing databases is essential before proceeding further.

Somehow, the necessity of investigating a tip requires not an assessment of the lead itself, but querying a vast data store to see if the lead connects to any other known evidence even if that evidence is not itself evidence of criminal behavior. (One of the reasons FBI does that — which I’ve written about elsewhere — is to make it easier to find informants.)

That logic — which absolutely reflects the logic under which FBI operates — is all the more bizarre given the fact that the FBI is obliged, under the same DIOG Rangappa cites as the basis for the step-by-step development of an FBI case, to always consider using the “least intrusive” means as laid out by this language in the Attorney General Guidelines.

The conduct of investigations and other activities authorized by these Guidelines may present choices between the use of different investigative methods that are each operationally sound and effective, but that are more or less intrusive, considering such factors as the effect on the privacy and civil liberties of individuals and potential damage to reputation. The least intrusive method feasible is to be used in such situations.

DIOG section 4.4, which lays out what least intrusive means, says that “wiretaps … are very intrusive.” It says that “collecting information regarding an isolated event, such as a certain phone number called … is less intrusive or invasive of an individual’s privacy than collecting a complete communications … profile.” It states that, “If, for example, the threat is remote, the individual’s involvement is speculative, and the probability of obtaining probative information is low, intrusive methods may not be justified, and, in fact, may do more harm than good.”

Ultimately, though, the DIOG swallows all these rules by stating that, “FBI employees may use any lawful method allowed, even if intrusive, where the intrusiveness is warranted by the threat to the national security.” The logic must be — probably not born out even by FBI’s limitation to obtaining raw 702 data tied to Full Investigations — that for any person tied to a Full Investigation, any possible tie to an American about whom someone has submitted a tip, national security overrides all FBI’s rules about least intrusive methods.

But nonetheless, the FBI’s own guidelines admit how intrusive it is to start an investigation by looking at entire conversations rather than simply seeing the record of a email sent. That is, however, what the routine practice is.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

On 702, NSA Wants to Assure You You’re Not a Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target

NSA just released a touchy-feely Q&A, complete with a touchy-feely image of the NSA, explaining “the Impact of Section 702 on the Typical American.”

I shall now shred it.

First note that this document deals with 702? It should be dealing with Title VII, because the entire thing gets reauthorized by 702 reauthorization. That means Sections 704 and 705(b), which are used to target Americans, will be reauthorized. And they have had egregious problems in recent years (even if the problems only affect some subset of around 300 Americans). Sure, Paul Manafort and Carter Page are not your “typical” Americans, but abuses against them would be problematic for reasons that could affect Americans (not least that they could fuck up the Mueller probe if FISA disclosure for defendants weren’t so broken).

The piece starts by talking about how the IC uses 702 to “hunt” for information on “adversaries,” which it suggests include terrorists and hackers.

The U.S. Intelligence Community relies on Section 702 of the Foreign Intelligence Surveillance Act in the constant hunt for information about foreign adversaries determined to harm the nation or our allies. The National Security Agency (NSA), for example, uses this law to target terrorists and thwart their plans. In a time of increasing cyber threats, Section 702 also aids the Intelligence Community’s cybersecurity efforts.

Somehow, it neglects to mention the foreign government certificate — which can target people who aren’t “adversaries” at all, but instead foreign muckety mucks we want to know about — or the counterproliferation certificate — which can target businesses of all kinds that deal in dual use technologies. Not to mention the SysAdmins that it might target for all these purposes.

The piece then lays out in two paragraphs and six questions (I include just one below) the basic principles that 702 can only “target” foreigners overseas.

Under Section 702, the government cannot target a U.S. person anywhere in the world, or any person located in the United States.

Under Section 702, NSA can target foreigners reasonably believed to be located outside the United States only if it has a basis to believe it will acquire certain types of foreign intelligence information that have been authorized for collection.

[snip]

Q: Can I, as an American, be the target of Section 702 surveillance?

A: No. As an American citizen, you cannot be the target of surveillance under Section 702. Even if you were not an American, you could not be targeted under Section 702 if you were located in the United States.

Effectively, this passage might as well say, “target target target target target target target target target target
target target target target target target target target target,” which is how many times (19) the word is used in the touchy-feely piece. The word “incidental” appears just once, where it entertains what happens if one of “Mary’s” foreign relatives were in a terrorist organization.

Q: One of Mary’s foreign relatives in South America is a member of an international terrorist group. Could Mary’s conversations with that relative be collected under Section 702?

A: Yes, it’s possible, if the U.S. government is aware of the relative’s membership in a terrorist group and the relative is one of the 106,000 targets under Section 702. However, even if this scenario occurred, there would still be protections in place for Mary, a U.S. citizen, if her conversations with that target were incidentally intercepted. For example:

U.S. intelligence agencies’ court-approved minimization procedures are specifically designed to protect the privacy of U.S. persons by, among other things, limiting the circumstances in which NSA can include the identity of a U.S. person in an intelligence report. Moreover, even where those procedures allow the NSA to include the identity of a U.S. person in an intelligence report, NSA frequently substitutes the U.S. person identity with a generic phrase or term, such as “U.S. person 1” or “a named U.S. person.” NSA calls this “masking” the identity of the U.S. person.

There are also what’s known as “age-off requirements”: After a certain period of time, the IC must delete any unminimized Section 702 information, regardless of the nationality of the communicants.

I guess the NSA figured if they used “Fatima,” whose relatives were in Syria, this scenario would be too obvious?

Yet in this, the only discussion of “incidental” collection, the NSA doesn’t explain how it is used — for example to find informants (meaning Fatima might be coerced into informing on her mosque if she discussed her tax dodging with her cousin) or to find 2nd degree associates (meaning Fatima’s friend in the US, Mohammed, might get an FBI visit because Fatima’s cousin in Syria is in ISIS). It also doesn’t explain that the “age-off” is five years, if Fatima is lucky enough to avoid having the FBI deem her conversations with her cousin in Syria interesting. If not, the data will sit on an FBI server for 30 years, ready to provide an excuse to give Fatima extra attention next time some bigot gets worried because he sees her taking pictures at Disney World.

Curiously, while the NSA doesn’t address the disproportionate impact of 702 on Muslims, it does pretend to address the disproportionate impact on Asians or their family members — people like like Xiaoxiang Xi and Keith Gartenlaub.

Q: Could the government target my colleague, who is a citizen of an Asian country, as a pretext to collect my communications under Section 702?

A: No. That would be considered “reverse targeting” and is prohibited.

Thanks to Ron Wyden, we know how cynically misleading this answer is. He explained in the SSCI 702 reauthorization bill report that the government may,

conduct unlimited warrantless searches on Americans, disseminate the results of those searches, and use that information against those Americans, so long as it has any justification at all for targeting the foreigner.

Effectively, the government has morphed the “significant purpose” logic from the PATRIOT Act onto 702, meaning collecting foreign intelligence doesn’t have to be the sole purpose of targeting a foreigner; learning about what an American is doing, such as a scientist engaging in scientific discussion, can be one purpose of the targeting.

After dealing with unmasking, the NSA then performs the always cynical move of asking whether the NSA can query US person content.

Q: Can NSA use my information to query lawfully collected 702 data?

A: NSA can query already lawfully collected Section 702 information using a U.S. person’s name or identifier (such as an e-mail account or phone number) only if the query is reasonably designed to identify foreign intelligence information.

However, a U.S. person is still afforded protection. The justification for the query must be documented. The process for conducting a query is also subject to internal controls. Such queries are reviewed by the Department of Justice and the Office of the Director of National Intelligence to ensure they meet the relevant legal requirements. Additionally, if the query was subsequently identified as being improper, it would be reported to the Foreign Intelligence Surveillance Court and to Congress.

This passage is absolutely correct. But also absolutely beside the point, because NSA sends a significant chunk of its collection to the FBI where it can be searched to assess leads and search for evidence of crimes, and where queries get nowhere near the kind of oversight that NSA queries get.

Then the piece tries to explain the need for all the secrecy.

Q: Terrorists aim to hurt Americans and our allies, so why doesn’t the Intelligence Community share more Section 702 information about how the IC goes after them?

A: The Intelligence Community has dramatically enhanced transparency, especially regarding its implementation of Section 702. Thousands of pages of key documents have been officially released, and are available on IC on the Record. The public has more information than ever before on how the IC uses this critical foreign surveillance authority. That said, the IC must continue to protect classified information. This includes specifics on whether or not it has collected information about any particular individual.

If terrorists could find out that NSA had intercepted their communications, terrorists would likely change their communications methods to avoid further detection.

This is, partly, a straw man. People aren’t really asking to know NSA’s individual targets. They’re asking to know whether the government has back doored their iPhones via demands under FISA, or whether the NSA is collecting on the 430,000 Americans that use Tor every day, or if they’re also using this “foreign intelligence” collection program to hunt Americans buying drugs on Dark Markets or even BLM activists that our racist Attorney General has deemed a threat to national security. And in the name of keeping secrets from terrorists (who actually have the feedback mechanism of observing what gets their associates drone-killed to learn what gets collected), the government is refusing to admit that the answer to all those questions is yes: yes, the government has back doored our iPhones, yes, the government is spying on the 430,000 Americans that use Tor, and yes, for those who use Tor to buy drugs, they may even use 702 data to prosecute you.

Finally, the NSA pretends that everyone else in the world has a program just like this.

Q: Is the U.S. government the only one in the world with intercept programs like 702?

A: No. Many other countries have intelligence surveillance intercept programs, nearly all of which have far fewer privacy protections. Section 702 and its supporting policies and practices stand out in terms of strength of oversight, privacy protections, and public transparency.

It is true that other countries have “intercept programs,” but with the exception of China and Russia’s access to domestic Internet companies, no other country has a program “like 702” that, by virtue of the United States hosting the world’s most popular Internet companies, gives the US the luxury of spying on the rest of the world using a nice note to Google rather than having to hack users individually (or hack all users, as Russia did with Yahoo).

So, yes, the NSA has now offered a picture of itself, literally and metaphorically, that minimizes the scope, the thousands of spies it employs, and the reach, both domestic and global. But it’s a profoundly misleading picture.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

How FBI Could Use Reverse Targeting to Use Section 702 against Keith Gartenlaub

Some weeks ago, in a post named, “Evidence the US Government Used Section 702 against Keith Gartenlaub[‘s Parents-in-Law],” I laid out the evidence that Section 702 was used against Keith Gartelaub. As I showed,

  • A warrant in his case seemed to parallel construct Yahoo and Google content, often a sign the government is trying to introduce a second source for PRISM content
  • In spite of reference to Skype metadata, nothing in the court case ever seemed to reflect the content from those calls, in spite of the fact they’d be readily collectible
  • After approving the sharing of FISA information with the National Center for Missing and Exploited Children for traditional FISA data, the government approved such sharing for 702 data the day before they arrested Gartenlaub

But there was just one problem with that argument — one made clear in the title of the post. Ultimately, the government is only supposed to be allowed to target foreigners like Gartenlaub’s “well connected” Chinese parents-in-law, not Gartenlaub. Yet by all appearances, the investigation started with Gartenlaub, basically by deciding that allegations of Boeing theft must mean there was a Boeing theft at Gartenlaub’s location and then, very quickly, settling on Gartenlaub as the likely culprit.

Around January 28, 2013: Agent Wesley Harris reads article that leads him to start searching for Chinese spies at Boeing

February 7, 8, and 22, 2013: Harris interviews Gartenlaub

June 18, 2013: Agent Harris obtains search warrant for Gartenlaub and his wife, Tess Yi’s, Google and Yahoo accounts

So if Agent Harris did obtain 702 data between February, when he first showed interest in Gartenlaub, and June, when he appeared to be parallel constructing Google and Yahoo content, it would have been for the purpose of obtaining information on Gartenlaub, already a focus of the investigation.

That would pretty clearly be reverse targeting (unless, for some reason, the FBI already had a big stash of his in-laws’ communications in their 702 collection, in which it’d come up in a back door search).

In other words, while there’s a good deal of circumstantial evidence that the government used 702 to spy on his conversations with his in-laws, that shouldn’t be allowed under a common sense definition of what reverse targeting does.

Except, as Senator Wyden’s 702 reform and the SSCI bill report make clear, that kind of reverse targeting actually is permitted by current practice.

In his comments to the SSCI bill report, for example, Wyden explained,

The bill does not include a meaningful prohibition on reverse targeting, which would require a warrant when a significant purpose of targeting a foreigner is actually to collect the communications of the American communicant. The current standard permits the government to conduct unlimited warrantless searches on Americans, disseminate the results of those searches, and use that information against those Americans, so long as it has any justification at all for targeting the foreigner.

His own bill would insert language prohibiting the targeting someone outside the US if a significant purpose is to get the communications of someone inside the US. If it was, the bill would require the government to get a Title I (traditional) order. [Bolded language is new.]

(d) Targeting procedures
(1) Requirement to adopt–The Attorney General, in consultation with the Director of National Intelligence, shall adopt targeting procedures that are reasonably designed to—
(A) ensure — 

(aa) that any acquisition authorized under subsection (a) is limited to targeting persons reasonably believed to be located outside the United States; and
(bb) that an application is filed under title I, if otherwise required, when a significant purpose of an acquisition authorized under subsection (a) is to acquire the communications of a particular, known person reasonably believed to be located in the United States; 

And a SSCI Wyden amendment modified by Angus King would prohibit the targeting of someone overseas if a purpose of the targeting was to collect on someone in the US.

By a vote of four ayes to eleven noes, the Committee rejected an amendment by Senator Wyden, as modified by Senator King, which would have revised the standard on current reverse targeting prohibitions to replace ‘‘the’’ with ‘‘a,’’ such that the statute would state ‘‘If a purpose of such acquisition is to target a particular known person.’’ The votes in person or by proxy were as follows: Chairman Burr—no; Senator Risch—no; Senator Rubio—no; Senator Collins—no; Senator Blunt—no; Senator Lankford—no; Senator Cotton—no; Senator Cornyn—no; Vice Chairman Warner—no; Senator Feinstein—no; Senator Wyden—aye; Senator Heinrich— aye; Senator King—aye; Senator Manchin—no; and Senator Harris—aye.

 

Clearly, the current prohibition on reverse targeting actually would nevertheless permit the government to obtain Gartenlaub’s in-laws communications to find out what they talk about in order to assess whether he might be plotting to steal IP from Boeing with them. And even though we still only have circumstantial evidence this is what happened, if it did, it would show the problem with reverse targeting: because Gartenlaub had Chinese in-laws, it (may have) made it far easier to obtain potentially damning information using 702 than it would be for any of his colleagues who didn’t have such ties with anyone of interest in China.

Effectively (again, if Gartenlaub was indeed reverse targeted), it would mean the government could obtain communications without any suspicion from which they could look for evidence of probable cause that he (or his wife) was an agent of a foreign power.

Ultimately, after both a criminal warrant and a FISA warrant claiming they had probable cause Gartenlaub was spying for China, after reading his emails for months, searching his home, and searching multiple devices, the government never found evidence to support that claim. But they did find old child porn (though no forensic evidence showing he had accessed that porn). It appears likely that they would never have found it if he hadn’t had the bad luck of marrying a well-connected Chinese-American.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Yup: The Government Is Secretly Hiding Its Crypto Battles in the Secret FISA Court

When I analyzed the Wyden-Paul Section 702 reform bill, I noted language that suggested Wyden was concerned about the government using the secrecy of FISA Court proceedings to demand technical assistance from providers they otherwise couldn’t get. Wyden’s bill makes it clear he’s concerned that the government would (or is) making technical demands without even telling the FISC it is doing so. His bill would explicitly require review of any technical demands by the court.

(B) LIMITATIONS.—The Attorney General or the Director of National Intelligence may not request assistance from an electronic communication service provider under subparagraph (A) without demonstrating, to the satisfaction of the Court, that the assistance sought—

(i) is necessary;

(ii) is narrowly tailored to the surveillance at issue; and

(iii) would not pose an undue burden on the electronic communication service provider or its customers who are not an intended target of the surveillance.

(C) COMPLIANCE.—An electronic communication service provider is not obligated to comply with a directive to provide assistance under this paragraph unless

(i) such assistance is a manner or method that has been explicitly approved by the Court; and

(ii) the Court issues an order, which has been delivered to the provider, explicitly describing the assistance to be furnished by the provider that has been approved by the Court.

I suggested the most likely use of such a “technical assistance” demand would be requiring a company (cough, Apple) to back door its encryption.

The most obvious such application would involve asking Apple to back door its iPhone encryption.

As a reminder, national security requests to Apple doubled in the second half of last year.

The number of national security orders issued to Apple by US law enforcement doubled to about 6,000 in the second half of 2016, compared with the first half of the year, Apple disclosed in its biannual transparency report. Those requests included orders received under the Foreign Intelligence Surveillance Act, as well as national security letters, the latter of which are issued by the FBI and don’t require a judge’s sign-off.

We would expect such a jump if the government were making a slew of new requests of Apple related to breaking encryption on their phones.

In his statement on the bill, Wyden made it clear that that’s precisely what he is concerned about.

It leaves in place current statutory authority to compel companies to provide assistance, potentially opening the door to government mandated de-encryption without FISA Court oversight. [my emphasis]

And note: he is saying that the government will (that is, has already, most likely) done this without asking the FISC to review whether its technical demands are narrowly tailored and necessary.

Update: This post has been updated in response to comments to clarify that Wyden is not concerned about technical demands per se, but about technical demands with no FISC review.

Update: One more point to make clear: for “individual” orders, the court will review every facility, which will involve some review of what kinds of access the government will get (such as when, in 2015, the government ordered Yahoo to scan all its users for some kind of signature).

But under 702, the “assistance” language that the government could use to obligate back doors (or whatever else) is not tied to anything the court reviews. Annual certifications have to affirm that the collection requires domestic provider assistance (but does not require a description of what that assistance entails).

vi) the acquisition involves obtaining foreign intelligence information from or with the assistance of an electronic communication service provider; and

But then once that certificate is signed, the government can work at the level of directives, demanding, compensating, and indemnifying the provider for that assistance all without any court review.

(h) Directives and judicial review of directives

(1) Authority: With respect to an acquisition authorized under subsection (a), the Attorney General and the Director of National Intelligence may direct, in writing, an electronic communication service provider to—

(A) immediately provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition in a manner that will protect the secrecy of the acquisition and produce a minimum of interference with the services that such electronic communication service provider is providing to the target of the acquisition; and

(B) maintain under security procedures approved by the Attorney General and the Director of National Intelligence any records concerning the acquisition or the aid furnished that such electronic communication service provider wishes to maintain.

(2) Compensation

The Government shall compensate, at the prevailing rate, an electronic communication service provider for providing information, facilities, or assistance in accordance with a directive issued pursuant to paragraph (1).

(3) Release from liability
No cause of action shall lie in any court against any electronic communication service provider for providing any information, facilities, or assistance in accordance with a directive issued pursuant to paragraph (1).

That’s why the risk is that much greater for 702: because the court is never going to review the individual directives which is where the specific technical assistance gets laid out (unless a provider is permitted to challenge those directives).

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Eleven (or Thirteen) Senators Are Cool with Using Section 702 to Spy on Americans

The Senate Intelligence Committee report on its version of Section 702 “reform” is out. It makes it clear that my concerns raised here and here are merited.

In this post, I’ll examine what the report — particularly taken in conjunction with the Wyden-Paul reform — reveals about the use of Section 702 for domestic spying.

The first clue is Senator Wyden’s effort to prohibit collection of domestic communications — the issue about which he and Director of National Intelligence Dan Coats have been fighting about since June.

By a vote of four ayes to eleven noes, the Committee rejected an amendment by Senator Wyden that would have prohibited acquisition under Section 702 of communications known to be entirely domestic under authority to target certain persons outside of the United States. The votes in person or by proxy were as follows: Chairman Burr—no; Senator Risch—no; Senator Rubio—no; Senator Collins—no; Senator Blunt—no; Senator Lankford—no; Senator Cotton—no; Senator Cornyn—no; Vice Chairman Warner—no; Senator Feinstein—aye; Senator Wyden—aye; Senator Heinrich— aye; Senator King—no; Senator Manchin—no; and Senator Harris—aye.

It tells us that the government collects entirely domestic communications, a practice that Wyden tried to prohibit in his own bill, which added this language to Section 702.

(F) may not acquire communications known to be entirely domestic;

This would effectively close the 2014 exception, which permitted the NSA to continue to collect on a facility even after it had identified that Americans also used it. As I have explained is used to collect Tor (and probably VPN) traffic to obtain foreigners’ data. I suspect that detail is what Wyden had in mind when, in his comments in the report, he said the report itself “omit[s] key information about the scope of authorities granted the government” (though there are likely other things this report hides).

I have concerns about this report. By omitting key information about the scope of authorities granted the government, the Committee is itself contributing to the continuing corrosive problem of secret law

As the bill report lays out, Senators Burr, Risch, Rubio, Collins, Blunt, Lankford, Cotton, Cornyn, Warner, King, and Manchin are all cool using a foreign surveillance program to spy on their constituents, especially given that Burr has hidden precisely the impact of that spying in this report.

Any bets on whether they might have voted differently if we all got to know what kind of spying on us this bill authorized.

That, of course, is only eleven senators who are cool with treating their constituents (or at least those using location obscuring techniques) like foreigners.

But I’m throwing Feinstein and Harris in with that group, because they voted against a Wyden amendment that would have limited how the government could use 702 collected data in investigations.

By a vote of two ayes to thirteen noes, the Committee rejected an amendment by Senator Wyden that would have imposed further restrictions on use of Section 702-derived information in investigations and legal proceedings. The votes in person or by proxy were as follows: Chairman Burr—no; Senator Risch—no; Senator Rubio—no; Senator Collins—no; Senator Blunt—no; Senator Lankford—no; Senator Cotton—no; Senator Cornyn—no; Vice Chairman Warner—no; Senator Feinstein—no; Senator Wyden— aye; Senator Heinrich—aye; Senator King—no; Senator Manchin— no; and Senator Harris—no.

While we don’t have the language of this amendment, I assume it does what this language in Wyden’s bill does, which is to limit the use of Section 702 data for purposes laid out in the known certificates (foreign government including nation-state hacking, counterproliferation, and counterterrorism — though this language makes me wonder if there’s a Critical Infrastructure certificate or whether it only depends on the permission to do so in the FBI minimization procedures, and the force protection language reminds me of the concerns raised by a recent HRW FOIA permitting the use of 12333 language to do so).

(B) in a proceeding or investigation in which the information is directly related to and necessary to address a specific threat of—

(i) terrorism (as defined in clauses (i) through (iii) of section 2332(g)(5)(B) of title 18, United States Code);

(ii) espionage (as used in chapter 37 of title 18, United States Code);

(iii) proliferation or use of a weapon of mass destruction (as defined in section 2332a(c) of title 18, United States Code);

(iv) a cybersecurity threat from a foreign country;

(v) incapacitation or destruction of critical infrastructure (as defined in section 1016(e) of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001 (42 U.S.C. 5195c(e))); or

(vi) a threat to the armed forces of the United States or an ally of the United States or to other personnel of the United States Government or a government of an ally of the United States.

Compare this list with the one included in the bill, which codifies the use of 702 data for issues that,

“Affects, involves, or is related to” the national security of the United States (which will include proceedings used to flip informants on top of whatever terrorism, proliferation, or espionage and hacking crimes that would more directly fall under national security) or involves,

  • Death
  • Kidnapping
  • Serious bodily injury
  • Specified offense against a minor
  • Incapacitation or destruction of critical infrastructure (critical infrastructure can include even campgrounds!)
  • Cybersecurity, including violations of CFAA
  • Transnational crime, including transnational narcotics trafficking
  • Human trafficking (which, especially dissociated from transnational crime, is often used as a ploy to prosecute prostitution; the government also includes assisting undocumented migration to be human trafficking)

[snip]

Importantly, the bill does not permit judicial review on whether the determination that something “affects, involves, or is related to” national security. Meaning Attorney General Jeff Sessions could decide tomorrow that it can collect the Tor traffic of BLM or BDS activists, and no judge can rule that’s an inappropriate use of a foreign intelligence program.

The bill report’s description of this section makes it clear that — in spite of its use of the word “restriction,” — this is really about providing affirmative “permission.”

Section 6 provides restrictions on the Federal Bureau of Investigation’s (FBI’s) use of Section 702-derived information, so that the FBI can use the information as evidence only in court proceedings [my emphasis]

That is, Wyden would restrict the use of 702 data to purposes the FISC has affirmatively approved, rather than the list of 702 purposes expanded to include the most problematic uses of Tor: all hacking, dark markets, and child porn.

So while Feinstein and Harris voted against the use of 702 to collect known domestic communications, they’re still okay using domestic Tor commuincations they say they don’t want to let NSA collect to prosecute Americans (which is actually not surprising given their past actions on sex workers).

Again, they’re counting on the fact that the bill report is written such that their constituents won’t know that this is going on. Unless they read me.

Look, I get the need to collect on Tor traffic to go after its worst uses. But if you’re going to do that, stop pretending this is a foreign surveillance bill, and instead either call it a secret court bill (one that effectively evades warrant requirements for all Tor wiretapping in this country), or admit you’re doing that collection and put review of it back into criminal courts where it belongs.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Ron Wyden Is Worried the Government Will Use FISA Process to Force Companies to Make Technical Changes

Ron Wyden and Rand Paul just introduced their bill to fix Section 702. It’s a good bill that not only improves Section 702 (by prohibiting back door searches, prohibiting the 2014 exception, and limiting use of 702 data), but also improves FISC and PCLOB.

The most alarming part of the bill, though, is Section 14. It prohibits the Attorney General and Director of National Intelligence from asking for technical assistance under Section 702 that is not narrowly targeted or explicitly laid out and approved by the court.

(B) LIMITATIONS.—The Attorney General or the Director of National Intelligence may not request assistance from an electronic communication service provider under subparagraph (A) without demonstrating, to the satisfaction of the Court, that the assistance sought—

(i) is necessary;

(ii) is narrowly tailored to the surveillance at issue; and

(iii) would not pose an undue burden on the electronic communication service provider or its customers who are not an intended target of the surveillance.

(C) COMPLIANCE.—An electronic communication service provider is not obligated to comply with a directive to provide assistance under this paragraph unless

(i) such assistance is a manner or method that has been explicitly approved by the Court; and

(ii) the Court issues an order, which has been delivered to the provider, explicitly describing the assistance to be furnished by the provider that has been approved by the Court.

This suggests that Wyden is concerned the government might use — or has used — FISA to make sweeping onerous technical demands of companies without explicitly explaining what those demands are to the Court.

The most obvious such application would involve asking Apple to back door its iPhone encryption.

As a reminder, national security requests to Apple doubled in the second half of last year.

The number of national security orders issued to Apple by US law enforcement doubled to about 6,000 in the second half of 2016, compared with the first half of the year, Apple disclosed in its biannual transparency report. Those requests included orders received under the Foreign Intelligence Surveillance Act, as well as national security letters, the latter of which are issued by the FBI and don’t require a judge’s sign-off.

We would expect such a jump if the government were making a slew of new requests of Apple related to breaking encryption on their phones.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

After the Ad Hominem Approach to Surveillance Reauthorization Fails, Spooks Now Revert to Secrecy

As I have noted, thus far the surveillance boosters’ favored approach to Section 702 reauthorization has been to engage in ad hominem attacks against people engaging in good faith in the legislative process (even while they, themselves, make what would most charitably be called significant errors). Even when people make a concerted effort to avoid such sloppy attacks — as FBI Director Christopher Wray did at a recent appearance — they still accuse others of believing in myths while ignoring their own myth-making.

But now Richard Burr and the spooks he caters to are adopting another approach: legislating in secret.

The SSCI is reportedly moving to mark up their own version of Section 702 reauthorization this week — a bill crafted by Senators Burr, Warner, Feinstein, and Cornyn. The make-up of the team is key: because Cornyn and Feinstein are also on Senate Judiciary, they can sink any alternate bill that moves through that committee (something Feinstein has been doing since at least 2009).

As Wyden says in a letter objecting to the secret mark-up,

Section 702 has been the subject of extensive public testimony, while relevant FISA Court orders, minimization procedures and other documents have been declassified and released to the public. In this context, the public is right to expect that Congress debate the reauthorization of this authority in the open. Indeed, a transparent legislative process is a fundamental hallmark of our democracy.

A bunch of NGOs have also called on Burr to make this mark-up public.

There are several likely reasons why Burr and the spooks want to craft their legislation in secret.

Perhaps most importantly, by holding a closed session, you delay by about a month and a half what happened in the session, what the cleared Senators debated, and the tactical means the Chair (in this case Burr) used to shut down reform suggestions. That’s what happened in 2012, when Feinstein delayed the release of the bill report for about that long, hiding details about Ron Wyden’s attempt to get a count of US persons affected by 702 (see these three posts — one, two, three — for details, though Wyden did manage to call Feinstein out for lying about FISC always finding the collection to be constitutional).

Indeed, I’d bet a lot of money that one reason Burr wants to have a secret mark-up is to the very same thing Feinstein did four years ago: hide the government’s lies about their alleged inability to do a count of how many Americans get sucked up as part of 702, and how.

But the other reason Burr and the spooks likely want to have a mark-up in secret is precisely because of the transparency won since 2013, they don’t have winning arguments anymore. While courts, because of the secrecy reviewing cases without any adversarial process and often not getting a full picture of how 702 works, have found 702 itself constitutional (though the Ninth Circuit largely dodged the question of back door searches), as more and more people understand how it works (and as white men watching the Mike Flynn case come to understand how fragile life can get for those picked up incidentally), the program seems problematic.

And even those who believe 702 in its current form serves an irreplaceable role in our surveillance system can see the need for no-nonsense reforms, such as requiring an amicus help review yearly reauthorization.

In other words, by hiding this mark-up, Burr is conceding that he can’t win this legislative battle democratically. He, and the spooks, have to cheat. And they’re willing to do so, to codify parts of this program that likely wouldn’t pass court review if done in a real adversarial process.

We are at a critical tipping point with surveillance in this country, as the government chips away at the technologies that allow individuals to retain some kind of privacy. And to ensure we slide over that tipping point and down the dangerous slope on the other side, a bunch of spooks and their servants are cowering from democracy.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

The Reclassification of Details on the 2011 Upstream Fight

As I noted in this post, Charlie Savage recently liberated more details on the resolution of the 2011 upstream 702 problems.

With respect to some details, however, the newly liberated documents represent a reclassification of details that were made public when the October 3, 2011 John Bates opinion was released in 2013. The government has provided entirely classified documents that are probably the early exchanges on the problem, including language that was unclassified in Bates’ 2011 opinion. In addition, the government has redacted dates that were also made public in Bates’ opinion.

I laid out both the timeline and the language cited from those early exchanges in this post. As I noted in this post, that timeline makes it clear that at the same time John Bates was asking NSA to assess the impact of upstream collection on US persons by sampling real NSA collection, Ron Wyden and Mark Udall were asking for the same thing.

I’ve laid out the combined timeline below. What it — and the newly released documents — show is just how brazen James Clapper’s refusal to provide real numbers to Wyden and Udall was. Not only did their request exactly coincide with the government’s request for more time so they could get more data — the count of US persons — to Bates (though Clapper’s record quick response delivered his refusal before Bates got his first real numbers). But the 48-hour turnaround on analysis of SCTs in September shows how quickly NSA can get rough estimates of US person data when they need to.

There are more alarming things the reclassification of these details suggests, which I’ll address in a follow-up. But for now, know that in 2011, the Intelligence Community refused to treat Congress with the same respect due a co-equal branch of government as it was treating Bates (and that’s the deep background to James Clapper’s 2013 “not wittingly” response).

April 2011, unknown date: Wyden and Udall ask for estimate of US person collection verbally

 

April 19, 2011: Notice of two upstream overcollection violations [see PDF 144]

April 20, 2011: One recertification submission

April 22, 2011: Two more recertification submissions

May 2, 2011: Clarification letter first admits MCT problem

May 5, 2011: Government asks for extension until July 22, 2011

May 9, 2011: Court grants extension, issues briefing order

June 1, 2011: Government submits response to briefing order

June 17, 2011: Court presents follow-up questions

June 28, 2011: Government response to follow-up questions

July 8, 2011: Court (John Bates) meets with senior DOJ people, tells them he has serious concerns

July 14, 2011: Government files another extension; court grants extension to September 20, 2011

July 14, 2011: Wyden and Udall send letter to James Clapper asking (among other things):

  • In a December 2007 Statement of Administration Policy on the FISA Amendments Act, the Office of Management and Budget said that it would “likely be impossible” to count the number of people located in the United States whose communications were reviewed by the government pursuant to the FISA Amendments Act. Is this still the case? If so, is it possible to estimate this number with any accuracy?
  • Have any apparently law-abiding Americans had their communications collected by the government pursuant to the FISA Amendments Act?

July 26, 2011: Clapper responds to Wyden and Udall, refusing to give numbers or describe compliance incidents

August 16, 2011: Government files supplement, presenting results of “manual review of statistically representative sample” for 6 months

August 22, 2011: Meeting between Court and government

August 30, 2011: Government makes another submission

September 7, 2011: Court has hearing

September 9, 2011: Government files additional submission, submitting results of analysis of SCTs completed in just 48 hours

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.