Posts

20 Questions: Mike Rogers’ Vaunted Section 215 Briefings

/1 Comment/in , /by

Comment — Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

A — To the FBI’s knowledge, those authorities have not been abused.

That exchange is, according to DOJ’s Congressional Affairs Office, the level of detail offered up at a May 13, 2011 briefing of the House Republican Caucus regarding the PATRIOT Act provisions the House would vote to reauthorize less than two weeks later.

The questioner — who is not identified — may have been talking about comments Russ Feingold made way back on October 1, 2009, as part of the previous reauthorization of the PATRIOT Act (remember, by this point, Feingold was no longer in the Senate). Here are the things Feingold said about Section 215 in that Senate Judiciary Committee markup.

I remain concerned that critical information about the implementation of the Patriot Act remains classified. Information that I believe, would have a significant impact on the debate….. There is also information about the use of Section 215 orders that I believe Congress and the American People deserve to know. It is unfortunate that we cannot discuss this information today.

Mr Chairman, I am also a member of the intelligence Committee. I recall during the debate in 2005 that proponents of Section 215 argued that these authorities had never been misused. They cannot make that statement now. They have been misused. I cannot elaborate here. But I recommend that my colleagues seek more information in a classified setting.

I want to specifically disagree with Senator Kyle’s [sic] statement that just the fact that there haven’t been abuses of the other provisions which are Sunsetted. That is not my view of Section 215. I believe section 215 has been misused as well.

Given the context, it is unclear whether Feingold referred to use of Section 215 for things they shouldn’t have, use of it to authorize bulk collection generally, or in the compliance issues identified in 2009 on which the Administration had recently briefed the Intelligence Committee. But his suggestion that the Senate Judiciary Committee was getting less detailed briefings than the Senate Intelligence Committee at that point is consistent with DOJ’s 2009 notice to Congress on the dragnet, which said, “The [compliance] incidents, and the Court’s responses, were also reported to the Intelligence Committees in great detail,” with no mention of similarly detailed briefings to SJC (the 2011 letter indicates that by that point SJC was getting detailed briefings as well). This, in turn, suggests he was referring to dragnet-related violations.

Regardless of what Feingold meant, though, he tied misuse very closely to the secret use of Section 215 to conduct dragnet collection of all Americans’ phone records. Feingold’s other public statements about Section 215 focus even more closely on the secret dragnet application of it.

In other words, this appears to have been a question attempting to get at the secret application of the PATRIOT Act that Feingold, along with Ron Wyden and people like Jerry Nadler, had been warning about. This appears to have been an attempt to learn about a topic that — in 2009, at least — DOJ had “agree[d] that it is important that all Members of Congress have access to information about this program” (DOJ didn’t include such blather in its 2011 notice).

Exactly 100 days before the briefing at which this question was asked, DOJ had sent House Intelligence Chair Mike Rogers (who appears to have convened this briefing) a letter noting, “In 2009, a number of technical compliance problems and human implementation errors in these two bulk collection programs were discovered as a result of Department of Justice (DOJ) reviews and internal NSA oversight.”

Yet in response to a query clearly designed to elicit both the existence of the dragnet program and details on problems associated with it, FBI Director Robert Mueller and then-General Counsel Valerie Caproni (and/or whatever staffers were with them) said, to the Bureau’s knowledge, there had been no abuses. Perhaps, then, as now, they’re relying on the claim that none of these compliance issues were willful — the letter said they weren’t intentional or bad-faith — to avoid telling members of Congress about problems with the program.

Remember, this is one of the (and may have been the only) briefings that Mike Rogers now claims provided adequate substitute for letting House members know about the letter describing the dragnet and the compliance problems associated with it. Rogers’ House Intelligence spokesperson, Susan Phalen, has claimed those briefings “not only covered all of the material in the letter but also provided much more detail.” (As far as I’ve been able to tell from the FOIA production to the ACLU, there was no similar briefing for the Democratic caucus, though FOIA production tends to be incomplete; one Democratic Congressman, Hansen Clarke, attended the Republican briefing.)

And DOJ’s own records of the briefing make it clear that when someone tried, however inartfully, to learn about the program, Mueller and Caproni obfuscated about the compliance issues and possibly the existence of the dragnet itself.

This is a concrete example of what both Justin Amash and Ron Wyden have described as a game of 20 questions briefers play in these briefings. The questioner raised one of the few public hints about the dragnet program to ask the FBI about it, and the FBI responded in a manner very similar to the way James Clapper did in March, when he lied to the SSCI.

Now, we don’t know what remains behind the redactions in the briefing, but there is one other piece of evidence that this briefing, at least, didn’t even touch on the dragnet. If you look at all 5 closed briefings turned over in production to ACLU, two — a February 28, 2011 briefing for SJC and a March 17, 2011 briefing for the House Intelligence Committee — were deemed classified “per OGA letter dated 4/26/2012.” The acronym “Other Government Agency” is usually used to refer to CIA, but in this context, where we now know NSA played a central role but revealing that role last year would have disclosed significant new details about the secret application of Section 215, it may well refer to NSA. Those briefings also redacted the identities of some briefers which, again, may be classified to hide the NSA’s role in this program.

If all this speculation is correct, then it means there was no mention of the NSA in the briefing for the Republican caucus. If there was no mention of NSA, then they really couldn’t have explained the program (both the 2009 and 2011 notices make extensive reference to the NSA).

In any case, what remains unredacted is quite clear. Someone at that briefing — the briefing that Mike Rogers’ staffer claims offered more information than had been provided in the DOJ letter — tried to learn about problems with the secret program. And they got stonewalled in response.

Was the person who asked this question and got an incomplete answer one of the 65 people who would go on to reauthorize the PATRIOT Act having had no way of learning about the program and its compliance problems?

The Two OLC Still-Secret Memos Behind the Cross-Border Keyword Searches?

/1 Comment/in , , /by

Last week, Charlie Savage explained what this paragraph from the NSA’s targeting document means.

In addition, in those cases where NSA seeks to acquire communications about the target that are not to or from the target, SNA will either employ an Internet Protocol filter to ensure that the person from whom it seeks to obtain foreign intelligence information is located overseas, or it will target Internet links that terminate in a foreign country. In either event, NSA will direct surveillance at a party to the communication reasonably believed to be outside the United States.

Savage explained that it refers to the way the US snoops through almost all cross-border traffic for certain keywords.

To conduct the surveillance, the N.S.A. is temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border. The senior intelligence official, who, like other former and current government officials, spoke on condition of anonymity because of the sensitivity of the topic, said the N.S.A. makes a “clone of selected communication links” to gather the communications, but declined to specify details, like the volume of the data that passes through them.

[snip]

The official said that a computer searches the data for the identifying keywords or other “selectors” and stores those that match so that human analysts could later examine them. The remaining communications, the official said, are deleted; the entire process takes “a small number of seconds,” and the system has no ability to perform “retrospective searching.”

The official said the keyword and other terms were “very precise” to minimize the number of innocent American communications that were flagged by the program. At the same time, the official acknowledged that there had been times when changes by telecommunications providers or in the technology had led to inadvertent overcollection. The N.S.A. monitors for these problems, fixes them and reports such incidents to its overseers in the government, the official said.

In his post on Savage’s story (which I think misreads what Savage describes), Ben Wittes focused closely on the last paragraphs of the story.

But that leaves a big oddity with respect to the story. The end of Savage’s story reads as follows:

There has been no public disclosure of any ruling by the Foreign Intelligence Surveillance Court explaining its legal analysis of the 2008 FISA law and the Fourth Amendment as allowing “about the target” searches of Americans’ cross-border communications. But in 2009, the Justice Department’s Office of Legal Counsel signed off on a similar process for searching federal employees’ communications without a warrant to make sure none contain malicious computer code.

That opinion, by Steven G. Bradbury, who led the office in the Bush administration, may echo the still-secret legal analysis. He wrote that because that system, called EINSTEIN 2.0, scanned communications traffic “only for particular malicious computer code” and there was no authorization to acquire the content for unrelated purposes, it “imposes, at worst, a minimal burden upon legitimate privacy rights.”

The Bradbury opinion was echoed by a later Obama-era opinion by David Barron, and Bradbury later wrote an article about the issue. But here’s the thing: If my read is right and the rule Savage cites permits only acquisition of communications “about” potential targets only from folks reasonably believed themselves to be overseas, these opinions are of questionable relevance. Indeed, if my reading is correct, why is there a Fourth Amendment issue here at all? The Fourth Amendment, after all, does not generally have extraterritorial application. This may be a reason to suspect that the issue is more complicated than I’m suggesting here. It may also merely suggest that someone cited to Savage a memo that is of questionable relevance to the issue at hand.

In his letter to John Brennan in January asking for a slew of things, Ron Wyden mentioned two opinions that may be the still-secret legal analysis mentioned by Savage.

Third, over two years ago, Senator Feingold and I wrote to the Attorney General regarding two classified opinions from the Justice Department’s Office of Legal Counsel, including an opinion that interprets common commercial service agreements. We asked the Attorney General to declassify both of these opinions, and to revoke the opinion pertaining to commercial service agreements. Last summer, I repeated the request, and noted that the opinion regarding commercial service agreements has direct relevance to ongoing congressional debates regarding cybersecurity legislation. The Justice Department still has not responded to these letters.

The opinions would have to pre-date January 14, 2011, because Feingold and Wyden requested the opinions before that date.

The reason I think the service agreements one may be relevant is because the opinions Ben cites focus on whether government users have given consent for EINSTEIN surveillance; in his article on it Bradbury focuses on whether the government could accomplish something similar with critical infrastructure networks.

Remember, we do know of one OLC memo — dated January 8, 2010 — that pertains to the government obtaining international communications willingly from service providers. We learned about it in the context of the Exigent Letters IG Report, which first led observers to believe it pertained to phone records.

But we’ve subsequently learned this is the passage of ECPA the OLC interpreted creatively in secret.

(f) Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, and procedures in this chapter or chapter 121 and the Foreign Intelligence Surveillance Act of 1978 shall be the exclusive means by which electronic surveillance, as defined in section 101 of such Act, and the interception of domestic wire, oral, and electronic communications may be conducted.

Savage’s reference to the Bradbury opinion suggests all this happens at the packet stage, which may be one (arguably indefensible) way around the electronic communications dodge.

The FBI had not relied on the opinion as of 2010, when we first learned about it. But we also know that since then, the government stopped collecting Internet metadata using a Pen Regsiter/Trap and Trace order.

We know that Feingold and Wyden, with Dick Durbin, asked for a copy of the opinion themselves shortly after the IG Report revealed it. It’s possible that the former two asked for it to be declassified.

This is, frankly, all a wildarsed guess. But Wyden certainly thinks there are two problematic OLC memos out there pertaining to cybersecurity. And Savage seems to think this process parallels the means the government is using for cybersecurity. So it may be these are the opinions.

Did NSA Interpret Adverse FISC Fourth Amendment Ruling as Permission to Search American Contacts?

/3 Comments/in , /by

Finally! The backdoor!

The Guardian today confirms what Ron Wyden and, before him, Russ Feingold have warned about for years. In a glossary updated in June 2012, the NSA claims that minimization rules “approved” on October 3, 2011 “now allow for use of certain United States person names and identifiers as query terms.”

A secret glossary document provided to operatives in the NSA’s Special Source Operations division – which runs the Prism program and large-scale cable intercepts through corporate partnerships with technology companies – details an update to the “minimization” procedures that govern how the agency must handle the communications of US persons. That group is defined as both American citizens and foreigners located in the US.

“While the FAA 702 minimization procedures approved on 3 October 2011 now allow for use of certain United States person names and identifiers as query terms when reviewing collected FAA 702 data,” the glossary states, “analysts may NOT/NOT [not repeat not] implement any USP [US persons] queries until an effective oversight process has been developed by NSA and agreed to by DOJ/ODNI [Office of the Director of National Intelligence].”

The term “identifiers” is NSA jargon for information relating to an individual, such as telephone number, email address, IP address and username as well as their name.

The document – which is undated, though metadata suggests this version was last updated in June 2012 – does not say whether the oversight process it mentions has been established or whether any searches against US person names have taken place.

The Guardian goes on to quote Ron Wyden confirming that this is the back door he’s been warning about for years.

Once Americans’ communications are collected, a gap in the law that I call the ‘back-door searches loophole’ allows the government to potentially go through these communications and conduct warrantless searches for the phone calls or emails of law-abiding Americans.

But the Guardian is missing one critical part of this story.

The FISC Court didn’t just “approve” minimization procedures on October 3, 2011. In fact, that was the day that it declared that part of the program — precisely pertaining to minimization procedures — violated the Fourth Amendment.

So where the glossary says minimization procedures approved on that date “now allow” for querying US person data, it almost certainly means that on October 3, 2011, the FISC court ruled the querying the government had already been doing violated the Fourth Amendment, and sent it away to generate “an effective oversight process,” even while approving the idea in general.

And note that FISC didn’t, apparently, require that ODNI/DOJ come back to the FISC to approve that new “effective oversight process.”

Consider one more thing.

As I have repeatedly highlighted, the Senate Intelligence Committee (and the Senate Judiciary Committee, though there’s no equivalent report) considered whether to regulate precisely this issue last year when extending the FISA Amendments Act.

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession. The Department of Justice and Intelligence Community reaffirmed that any queries made of Section 702 data will be conducted in strict compliance with applicable guidelines and procedures and do not provide a means to circumvent the general requirement to obtain a court order before targeting a U.S. person under FISA.

But in spite of Ron Wyden and Mark Udall’s best efforts — and, it now appears, in spite of FISC concerns about precisely this issue — the Senate Intelligence Committee chose not to do so.

This strongly suggests that the concerns FISC had about the Fourth Amendment directly pertained to this backdoor search. But if that’s the case, it also suggests that none of NSA’s overseers — not the Intelligence Committees, not ODNI/DOJ, and not FISC — have bothered to actually close that back door.

The FBI and CIA Unminimized Collections and the Holes in Article III Review of FISA Amendments Act

/5 Comments/in , /by

In my piece confirming that the NSA can search on US person data collected incidentally in Section 702 collection, I pointed to these two paragraphs from the minimization procedures.

6(c)

(1) NSA may provide to the Central Intelligence Agency (CIA) unminimized communications acquired pursuant to section 702 of the Act. CIA will identify to NSA targets for which NSA may provide unminimized communications to CIA. CIA will process any such unminimized communications received from NSA in accordance with CIA minimization procedures adopted by the Attorney General, in consultation with the Director of National Intelligence, pursuant to subsection 702(e) of the Act.

(2) NSA may provide to the FBI unminimized communications acquired pursuant to section 702 of the Act. FBI will identify to NSA targets for which NSA may provide unminimized communications to the FBI. FBI will process any such unminimized communications received from NSA in accordance with FBI minimization procedures  adopted by the Attorney General, in consultation with the Director of National Intelligence, pursuant to subsection 702(e) of the Act.

It’s not clear what this entails.

But Dianne Feinstein once defended the FISA Amendments Act authorization to search on US person information by pointing to Nidal Hasan. Remember, his emails were picked up on a generalized collection of Anwar al-Awlaki’s communications, which should have been a traditional FISA warrant, but may have been conducted via the same software tools as FAA collection. In which case, the kind of access described in the Webster report would provide one idea of what this looks like from the FBI side. That process has almost certainly been streamlined, given that the god-awlful software the FBI used prevented it from pulling the entire stream of Hasan’s emails to Awlaki.

First, the FBI’s database of intercepts sucked. When the first Hasan intercepts came in, it allowed only keyword searches; tests the Webster team ran showed it would have taken some finesse even to return all the contacts between Hasan and Awlaki consistently. More importantly, it was not until February 2009 that the database provided some way to link related emails, so the Awlaki team in San Diego relied on spreadsheets, notes, or just their memory to link intercepts. (91) But even then, the database only linked formal emails; a number of Hasan’s “emails” to Awlaki were actually web contacts, (100) which would not trigger the database’s automatic linking function. In any case, it appears the Awlaki team never pulled all the emails between Hasan and Awlaki and read them together, which would have made Hasan seem much more worrisome (though when the San Diego agent set the alert for the second email, he searched and found the first one).

Even before this was streamlined, the collection seemed to lack real minimization. Though to be fair, the Agents spending a third of their days reading Awlaki’s emails were drowning and really had an incentive to get reports out as quickly as possible. But they seemed to be in the business of sending out reports with IDs, not the reverse.

In addition, we know that subsequent to that time, the FBI started using this collection (and, I’m quite certain, Samir Khan’s), as a tripwire — what they call “Strategic Collections.”

The Hasan attack (and presumably subsequent investigations, as well as the Umar Farouk Abdulmutallab attack) appears to have brought about a change in the way wiretaps like Awlaki’s are treated. Now, such wiretaps–deemed Strategic Collections–will have additional follow-up and management oversight.

The Hasan matter shows that certain [redacted] [intelligence collections] [redacted] serve a dual role, providing intelligence on the target while also serving as a means of identifying otherwise unknown persons with potentially radical or violent intent or susceptibilities. The identification and designation of Strategic Collections [redacted] will allow the FBI to focus additional resources–and, when appropriate, those of [redacted] [other government agencies]–on collections most likely to serve as “trip wires.” This will, in turn, increase the scrutiny of information that is most likely to implicate persons in the process of violent radicalization–or, indeed, who have radicalized with violent intent. This will also provide Strategic Collections [redacted] with a significant element of program management, managed review, and quality control that was lacking in the pre-Fort Hood [review of information acquired in the Aulaqi investigation] [redacted].

If implemented prior to November 5, 2009, this process would have [redacted] [enhanced] the FBI’s ability to [redacted] identify potential subjects for “trip wire” and other “standalone” counterterrorism assessments or investigations. (99)

Many many many of the aspirational terrorists the FBI rolled up in 2010 and afterwards were people who had communicated or followed Awlaki or Khan. And to the extent we’ve prosecuted a bunch of wayward youth who can’t pull together a plot without the FBI’s assistance, that ought to be a concern on many levels.

Because it would mean this unminimized production is part of the Terror Manufacturing Industry. (Mind you, the FBI was doing this with their own surveillance based off Hal Turner in the 00s, so it’s not an approach limited to Muslim radicals.)

To the extent that FAA collection might be sent to FBI as a way to identify non-criminal leads to criminalize, it’s a problem, particularly if the FISA Court doesn’t see what minimization the FBI uses.

Read more

The CNET “Bombshell” and the Four Surveillance Programs

/40 Comments/in , /by

CNET is getting a lot of attention for its report that NSA, “has acknowledged in a new classified briefing that it does not need court authorization to listen to domestic phone calls.”

In general, I’m just going to outsource my analysis of what the exchange means to Julian Sanchez (I hope he doesn’t charge me as much as Mike McConnell’s Booz Allen Hamilton for outsourced analysis).

What seems more likely is that Nadler is saying analysts sifting through metadata have the discretion to determine (on the basis of what they’re seeing in the metadata) that a particular phone number or e-mail account satisfies the conditions of one of the broad authorizations for electronic surveillance under §702 of the FISA Amendments Act.

[snip]

The analyst must believe that one end of the communication is outside the United States, and flag that account or phone line for collection. Note that even if the real target is the domestic phone number, an analyst working from the metadatabase wouldn’t have a name, just a number.  That means there’s no “particular, known US person,” which ensures that the §702 ban on “reverse targeting” is, pretty much by definition, not violated.

None of that would be too surprising in principle: That’s the whole point of §702!

That is, what Nadler may have learned that the same analysts who have access to the phone metadata may also have authority to issue directives to companies for phone content collection. If so, it would be entirely feasible for the same analyst to learn, via the metadata database, that a suspect phone number is in contact with the US and for her to submit a request for actual content to the providers, without having to first get a FISA order covering the US person callers directly. Since she was still “targeting” the original overseas phone number, she would be able to get the US person content without a specific order.

Screen shot 2013-06-16 at 11.50.59 AMI just want to point to a part of this exchange that everyone is ignoring (but that I pointed out while live tweeting this).

Mueller: I’m not certain it’s the same–I’m not certain it’s an answer to the same question.

Mueller didn’t deny the NSA can get access to US person phone content without a warrant. He just suggested that Nadler might be conflating two different programs or questions.

And that’s one of the things to remember about this discussion. Among many other methods of shielding parts of the programs, the government is thus far discussing primarily the two programs identified by the Guardian: the phone metadata collection (which the WaPo reports is called MAINWAY) and the Internet content access (PRISM).

Read more

Russ Feingold: Yahoo Didn’t Get the Info Needed to Challenge the Constitutionality of PRISM

/16 Comments/in , , /by

The NYT has a story that solves a question some of us have long been asking: Which company challenged a Protect America Act order in 2007, only to lose at the district and circuit level?

The answer: Yahoo.

The Yahoo ruling, from 2008, shows the company argued that the order violated its users’ Fourth Amendment rights against unreasonable searches and seizures. The court called that worry “overblown.”

But the NYT doesn’t explain something that Russ Feingold pointed out when the FISA Court of Review opinion was made public in 2009 (and therefore after implementation of FISA Amendments Act): the government didn’t (and still didn’t, under the PAA’s successor, the FISA Amendments Act, Feingold seems to suggests) give Yahoo some of the most important information it needed to challenge the constitutionality of the program.

The decision placed the burden of proof on the company to identify problems related to the implementation of the law, information to which the company did not have access. The court upheld the constitutionality of the PAA, as applied, without the benefit of an effective adversarial process. The court concluded that “[t]he record supports the government. Notwithstanding the parade of horribles trotted out by the petitioner, it has presented no evidence of any actual harm, any egregious risk of error, or any broad potential for abuse in the circumstances of the instant case.” However, the company did not have access to all relevant information, including problems related to the implementation of the PAA. Senator Feingold, who has repeatedly raised concerns about the implementation of the PAA and its successor, the FISA Amendments Act (“FAA”), in classified communications with the Director of National Intelligence and the Attorney General, has stated that the court’s analysis would have been fundamentally altered had the company had access to this information and been able to bring it before the court.

In the absence of specific complaints from the company, the court relied on the good faith of the government. As the court concluded, “[w]ithout something more than a purely speculative set of imaginings, we cannot infer that the purpose of the directives (and, thus, of the surveillance) is other than their stated purpose… The petitioner suggests that, by placing discretion entirely in the hands of the Executive Branch without prior judicial involvement, the procedures cede to that Branch overly broad power that invites abuse. But this is little more than a lament about the risk that government officials will not operate in good faith.” One example of the court’s deference to the government concerns minimization procedures, which require the government to limit the dissemination of information about Americans that it collects in the course of its surveillance. Because the company did not raise concerns about minimization, the court “s[aw] no reason to question the adequacy of the minimization protocol.” And yet, the existence of adequate minimization procedures, as applied in this case, was central to the court’s constitutional analysis. [bold original, underline mine]

This post — which again, applies to PAA, though seems to be valid for the way the government has conducted FAA — explains why.

The court’s ruling makes it clear that PAA (and by association, FAA) by itself is not Constitutional. By itself, a PAA or FAA order lacks both probable cause and particularity.

The programs get probable cause from Executive Order 12333 (the one that John Yoo has been known to change without notice), from an Attorney General assertion that he has probable cause that the target of his surveillance is associated with a foreign power.

And the programs get particularity (which is mandated from a prior decision from the court, possibly the 2002 one on information sharing) from a set of procedures (the descriptor was redacted in the unsealed opinion, but particularly given what Feingold said, it’s likely these are the minimization procedures both PAA and FAA required the government to attest to) that give it particularity. The court decision makes it clear the government only submitted those — even in this case, even to a secret court — ex parte.

The petitioner’s arguments about particularity and prior judicial review are defeated by the way in which the statute has been applied. When combined with the PAA’s other protections, the [redacted] procedures and the procedures incorporated through the Executive Order are constitutionally sufficient compensation for any encroachments.

The [redacted] procedures [redacted] are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. [redacted] Although the PAA itself does not mandate a showing of particularity, see 50 USC 1805b(b), this pre-surveillance procedure strikes us as analogous to and in conformity with the particularity showing contemplated by Sealed Case.

In other words, even the court ruling makes it clear that Yahoo saw only generalized descriptions of these procedures that were critical to its finding the order itself (but not the PAA in isolation from them) was constitutional.

Incidentally, while Feingold suggests the company (Yahoo) had to rely on the government’s good faith, to a significant extent, so does the court. During both the PAA and FAA battles, the government successfully fought efforts to give the FISA Court authority to review the implementation of minimization procedures.

The NYT story suggests that the ruling which found the program violated the Fourth Amendment pertained to FAA.

Last year, the FISA court said the minimization rules were unconstitutional, and on Wednesday, ruled that it had no objection to sharing that opinion publicly. It is now up to a federal court.

I’m not positive that applies to FAA, as distinct from the 215 dragnet or the two working in tandem.

But other reporting on PRISM has made one thing clear: the providers are still operating in the dark. The WaPo reported from an Inspector General’s report (I wonder whether this is the one that was held up until after FAA renewal last year?) that they don’t even have visibility into individual queries, much less what happens to the data once the government has obtained it.

But because the program is so highly classified, only a few people at most at each company would legally be allowed to know about PRISM, let alone the details of its operations.

[snip]

According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process. [my emphasis]

This gets to the heart of the reason why Administration claims that “the Courts” have approved this program are false. In a signature case where an Internet provider challenged it — which ultimately led the other providers to concede they would have to comply — the government withheld some of the most important information pertaining to constitutionality from the plaintiff.

The government likes to claim this is constitutional, but that legal claim has always relied on preventing the providers and, to some extent, the FISA Court itself from seeing everything it was doing.

Is Robert Mueller, a Purported Hero of the Hospital Confrontation, Responsible for Section 215 Use?

/7 Comments/in , /by

On March 23, 2004 at noon, less than two weeks after the dramatic hospital confrontation and threats to quit reportedly got the Administration to agree to stop data mining Americans, FBI Director Robert Mueller had a meeting with Dick Cheney, at the Vice President’s request, in the Vice President’s office. In his notes, Mueller doesn’t describe what the VIce President wanted, nor am I aware that it has even been reported in the press.

The next day, the Chief Division Counsel of some Division of the FBI wrote a memo to the FBI General Counsel noting that FBI was using a “new standard” with Section 215 of the PATRIOT Act and indicating that a “recent decision” had been made to bypass the review of the Office of Intelligence Policy and Review on Section 215 applications.

In part, the apparent decision to bypass OIPR, which had rejected the premise of the previous Section 215 orders FBI had submitted in the past, reflected no more than a concerted effort on FBI’s part to make sure it could start using all the PATRIOT authorities it had been granted in 2001 in anticipation of renewal discussions that would take place the following year. Yet the timing of this change is particularly curious, given that we now know Section 215 has been used to collect data that could be used for data mining Americans, precisely the problem that had caused the hospital confrontation 12 days earlier.

At the very least, however, it shows that sometime around the same time as Jim Comey and others at DOJ tried to stop the data mining of Americans under NSA’s illegal program, FBI claimed to have eliminated one review step for Section 215 orders and changed the standard used for them. That reference notwithstanding, DOJ Inspector General at least reported that OIPR continued to have a role. (Note, the office that got cut out of the process, OIPR, is where one of the key whistleblowers on the illegal program, Thomas Tamm worked, though I have asked him if he knew whether they used Section 215 to accomplish the same program and he didn’t know anything about it.)

On May 21, 2004, just as the the confrontation was settling down, FBI got its first Section 215 order approved. MIRACLES! the memo subject line read. “We got our first business record order signed today. It only took two and a half years.”

Now, at least some of the people commenting publicly on the confirmation that Section 215 has been used to compile a database recording details on all calls Americans make say Section 215 has supported that purpose only since 2006. Dianne Feinstein, for example, says the practice has gone on for 7 years.

As far as I know, this is the exact three month renewal of what has been the case for the past seven years. This renewal is carried out by the FISA Court under the business records section of the Patriot Act. Therefore, it is lawful.

Seven years would put its start almost exactly at the March 9, 2006 renewal of the PATRIOT Act, which added new language on Section 215 in the wake of the December 15, 2005 exposure of Bush’s illegal wiretap program. In discussions of this collection program since last week, it has generally been accepted that’s when it all started.

Curiously (particularly given his insistence that PRISM only started in 2008, slides to the contrary notwithstanding), James Clapper made no claims about precisely when this practice started.

The Patriot Act was signed into law in October 2001 and included authority to compel production of business records and other tangible things relevant to an authorized national security investigation with the approval of the FISC. This provision has subsequently been reauthorized over the course of two Administrations – in 2006 and in 2011. It has been an important investigative tool that has been used over the course of two Administrations, with the authorization and oversight of the FISC and the Congress.

It is possible that this program was conducted under a different PATRIOT provision (such as the Pen Register ones) prior to 2006; in fact, Clapper never mentions the term “Section 215” in his purported clarification of the program.

Now, consider one more detail. In a statement before the 2009 debate on PATRIOT Act reauthorization focusing closely on Section 215, Russ Feingold suggested that the debate over reauthorization in 2005, which led to purported initial use of Section 215 to conduct this dragnet, had been stymied by classification of how the PATRIOT had been implemented.

I remain concerned that critical information about the implementation of the Patriot Act has not been made public – information that I believe would have a significant impact on the debate. During the debate on the Protect America Act and the FISA Amendments Acts in 2007 and 2008, critical legal and factual information remained unknown to the public and to most members of Congress – information that was certainly relevant to the debate and might even have made a difference in votes. And during the last Patriot Act reauthorization debate in 2005, a great deal of implementation information remained classified.

[snip]

But there also is information about the use of Section 215 orders that I believe Congress and the American people deserve to know. I do not underestimate the importance of protecting our national security secrets. But before we decide whether and in what form to extend these authorities, Congress and the American people deserve to know at least basic information about how they have been used. So I hope that the administration will consider seriously making public some additional basic information, particularly with respect to the use of Section 215 orders.

There can be no question that statutory changes to our surveillance laws are necessary. Since the Patriot Act was first passed in 2001, we have learned important lessons, and perhaps the most important of all is that Congress cannot grant the government overly broad authorities and just keep its fingers crossed that they won’t be misused, or interpreted by aggressive executive branch lawyers in as broad a way as possible. [my emphasis]

This suggests the plan to use Section 215 may have been explicit in those classified debates.

Read more

FISA Amendments Act: “Targeting” and “Querying” and “Searching” Are Different Things

/23 Comments/in /by

Steven Aftergood suggests there’s disagreement among Senate Intelligence Committee members about whether or not the FISA Amendments Act allows the government to get US person content without a warrant.

The dispute was presented but not resolved in a new Senate Intelligence Committee report on the Foreign Intelligence Surveillance Act Amendments Act (FAA) Sunsets Extension Act, which would renew the provisions of the FISA Amendments Act through June 2017.

“We have concluded… that section 702 [of the Act] currently contains a loophole that could be used to circumvent traditional warrant protections and search for the communications of a potentially large number of American citizens,” wrote Senators Ron Wyden and Mark Udall.

But Senator Dianne Feinstein, the Committee chair, denied the existence of a loophole.  Based on the assurances of the Department of Justice and the Intelligence Community, she said that the Section 702 provisions “do not provide a means to circumvent the general requirement to obtain a court order before targeting a U.S. person under FISA.”

I don’t think there is a conflict. Rather, I think DiFi simply responded to Wyden and Udall’s assertions with the same spin the government has used for some time. That’s because DiFi is talking about “targeting” and Wyden and Udall are talking about “searching” US person communications.

DiFi quotes much of the language from Section 702 earlier in her statement on FAA, repeating, repeating the word “target” three times.

In enacting this amendment to FISA, Congress ensured there would be important protections and oversight measures to safeguard the privacy and civil liberties of U.S. persons, including specific prohibitions against using Section 702 authority to: “intentionally target any person known at the time of acquisition to be located in the United States;” “intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;” “intentionally target a United States person reasonably believed to be located outside the United States;” or “intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States.” As an additional measure the law also requires that an acquisition under Section 702 “shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.” [my emphasis]

Her specific retort to the problem Wyden and Udall differentiates clearly between “querying information collected under Section 702 to find communications of a particular United States person” and “conduct[ing] queries to analyze data already in its possession” and “targeting.”

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. Read more

First They Came for Russ Feingold, Then They Came for CATO

/1 Comment/in , , /by

As I’ve followed all the really interesting commentary on the Koch Brothers’ efforts to take over Cato (Dave Weigel, Jonathan Adler, Jane Mayer, Brad DeLong) I keep thinking back to this Adam Serwer post last year, pointing out one of the most anti-libertarian moves they made: dumping $25,000 to beat the biggest defender of civil liberties in the Senate.

Another way to put this is that the Kochs will happily put their money behind candidates who agree with their economic agenda but disagree with their social agenda. They will never put their money behind candidates of whom the reverse is true.

The best example of this I can think of is the Senate’s lost liberaltarian Russ Feingold. Feingold was the only senator to vote against the PATRIOT Act. He was one of the first senators to endorse marriage equality. He voted against the war in Iraq, against TARP and financial reform, and has consistently sought to rein in the surveillance state. He was, however, also one of the architects of campaign-finance reform along with John McCain and a supporter of the health-care bill and the stimulus.

When Feingold’s candidacy was in danger, the Koch’s poured their money into the coffers of Feingold’s opponent, Ron Johnson. According to the FEC, the Koch brothers each gave him individual contributions of $2,400, while KochPAC gave him $10,000. Charles Koch’s son Chase Koch gave Johnson $5,800, while David’s* wife Julia Koch gave another $2,400. An Elizabeth Koch from the same zip code in Wichita as Charles and Julia gave an additional $2,400. All in all, the Koch family gave Johnson more than $25,000 to send Russ Feingold home. What type of candidate were they supporting?

Johnson is anti-marriage equality, anti-choice, has no problem with open-ended military engagements and he supports the PATRIOT Act with some caveats, but only because “you have Barack Obama in power versus George Bush. I wasn’t overly concerned with George Bush in power.”

[snip]

In other words, faced with one candidate who shares their views on social issues and national security and another who shares their views on economic issues, the Kochs chose the latter.

Libertarianism, which was fostered to offer ideological cover for laissez faire capitalism, is now being actively replaced by its biggest patrons with a TeaParty ideology that has been co-opted over the last three years to offer populist cover for unrestrained capitalism.

So while I am fascinated by Corey Robin’s critique of Julian Sanchez’ presignation,

When the Kochs wield their money at Cato, that’s hegemony. But when they do it in Wisconsin, that’s democracy.

I think Robin’s comments on this year’s Ron Paul debate among the left is far more important.

Our problem—and again by “our” I mean a left that’s social democratic (or welfare state liberal or economically progressive or whatever the hell you want to call it) and anti-imperial—is that we don’t really have a vigorous national spokesperson for the issues of war and peace, an end to empire, a challenge to Israel, and so forth, that Paul has in fact been articulating.  The source of Paul’s positions on these issues are not the same as ours (again more reason not to give him our support).  But he is talking about these issues, often in surprisingly blunt and challenging terms. Would that we had someone on our side who could make the case against an American empire, or American supremacy, in such a pungent way.

This, it’s clear, is why people like Glenn Greenwald say that Paul’s voice needs to be heard.  Not, Greenwald makes clear, because he supports Paul, but because it is a terrible comment—a shanda for the left—that we don’t have anyone on our side of comparable visibility launching an attack on American imperialism and warfare. (Recalling what I said in the context of the death of Christopher Hitchens, I suspect this has something to do with our normalization and acceptance of war as a way of life.) In other words, we need to listen to Paul, not because he’s worthy of our support, and certainly not because the reasons that underlie his positions on foreign policy are ours, but because he reveals what’s not being said, or not being said enough, on our side.

[snip]

Ron Paul is unacceptable, and it’s unacceptable that we don’t have someone on the left who is raising the issues of imperialism, war and peace, and civil liberties in as visible and forceful a way.

Russ Feingold is gone from the Senate. As of last night, Dennis Kucinich will be gone
from the House next year. For what it’s worth, Ron Paul, too, will be gone from the House. In my own neighborhood, we hope Justin Amash, who hopes to assume Paul’s mantle, is gone from the House too.

There are other voices stepping up. But even Ron Wyden, who is a lonely voice criticizing the Obama Administration’s most egregious civil liberties abuses, offered somewhat tempered criticism of Attorney General Holder’s speech on Monday.

Attorney General Holder’s speech today is a welcome step in the right direction, but further steps need to be taken, and they need to be taken soon.

The government–both Republican and Democratic–has spent billions to create a climate of fear. It has succeeded in leading people to accept the assault on civil liberties without even questioning efficacy, much less constitutionality or abuse.

Meanwhile, even more money is being dumped into a reframed ideology of unrestrained capitalism, one with a populist face unembarrassed by its own inconsistency.

So I’ll go even further than Alex Pareene, who lists all the reasons we should care about the Koch takeover attempt on Cato. There is a case to be made for the Constitution and for executive restraint. We on the left need to get more effective at making it. Because the capitalist case is in the process of being bought out.

Will SCOTUS Invent a “Database-and-Mining” Exception to the Fourth Amendment?

/7 Comments/in /by

As I noted yesterday, the Administration appealed the 2nd Circuit Decision granting review of the FISA Amendments Act to the Supreme Court last week. I wanted to talk about their argument in more detail here.

Over at Lawfare, Steve Vladeck noted that this case would likely decide whether and what the “foreign intelligence surveillance” exception to the Fourth Amendment, akin to “special needs” exceptions like border searches and drug testing.

Third, if the Court affirms (or denies certiorari), this case could very well finally settle the question whether the Fourth Amendment’s Warrant Clause includes a “foreign intelligence surveillance exception,” as the FISA Court of Review held in the In re Directives decision in 2008. That’s because on the merits, 50 U.S.C. § 1881a(b)(5) mandates that the authorized surveillance “shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.” Thus, although it is hard to see how surveillance under § 1881a could violate the Fourth Amendment, explication of the (as yet unclear) Fourth Amendment principles that govern in such cases would necessarily circumscribe the government’s authority under this provision going forward (especially if In re Directives is not followed…).

I would go further and say that this case will determine whether there is what I’ll call a database-and-mining exception allowing the government to collect domestic data to which no reasonable suspicion attaches, store it, data mine it, and based on the results of that data mining use the data itself to establish cause for further surveillance. Thus, it will have an impact not just for this warrantless wiretapping application, but also for things like Secret PATRIOT, in which the government is collecting US person geolocation data in an effort to be able to pinpoint the locations of alleged terrorists, not to mention the more general databases collecting things like who buys hydrogen peroxide.

I make a distinction between foreign intelligence surveillance and “database-and-mining” exceptions because the government is, in fact, conducting domestic surveillance under these programs and using it to collect intelligence on US persons (indeed, when asked about Secret PATRIOT earlier this month, James Clapper invoked “foreign or domestic” intelligence in the context of Secret PATRIOT). The government has managed to hide that fact thus far by blatantly misleading the FISA Court of Review in In re Directives and doing so (to a lesser degree) here.

In In re Directives, the government misled the court in two ways. First, according to Russ Feingold, the government didn’t reveal (and the company challenging the order didn’t have access to) information about how the targeting is used. The amendments he tried to pass–and which Mike McConnell and Michael Mukasey issued veto threats in response to–suggest some of the problems Feingold foresaw and the intelligence community refused to fix: reverse targeting, inclusion of US person data in larger data mining samples, and the retention and use of improperly collected information.

The government even more blatantly misled the FISCR with regards to what it did with US person data.

The petitioner’s concern with incidental collections is overblown. It is settled beyond peradventure that incidental collections occurring as a result of constitutionally permissible acquisitions to not render those acquisitions unlawful.9 [citations omitted] The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.

9 The petitioner has not charged that the Executive Branch is surveilling overseas persons in order intentionally to surveil persons in the United States. Because the issue is not before us, we do not pass on the legitimacy vel non of such a practice.

The notion that the government doesn’t have this US person data in a database is farcical at this point, as the graphic above showing the relative size of the NSA’s data center in UT–which I snipped from this larger ACLU graphic–makes clear (though the government’s unwillingness to be legally bound to segregate US person data made that clear, as well). Read more