Posts

It Is False that Downstream 702 Collection Consists Only of To and From Communications

I was swamped this week when Hoover Institute had this conference on Section 702 of FISA. But I heard so much about this panel, with Jim Baker, Susan Hennessey, Alex Abdo, and Julian Sanchez, I had to watch.

The panel generally and Hennessey especially gave far too much credence to the claim that NSA self-reported the upstream search violations revealed in the April 26 Rosemary Collyer opinion. You cannot claim NSA self-reported a problem they sat on for nine months before initially explaining, and pointedly didn’t mention in the initial reauthorization application, and that’s just one example of egregiously belated reporting described in the opinion. I’ll have far more to say about that — and NSA oversight generally — in the upcoming days.

I’m also frankly shocked that no one on the panel mentioned the approval to share EO 12333 data that was authorized between the time NSA belatedly declared these problems and the time it said it would discontinue an abusive problem. Here’s what the timing looked like:

  • January 2016: Several formal discoveries of the problems in upstream searches
  • September 26, 2016: Initial application (that didn’t disclose the problems) first submitted
  • October 24, 2016: The government first discloses the upstream search problems
  • January 3, 2017: Loretta Lynch signs procedures authorizing the sharing of raw EO 12333 data
  • March 30, 2017: The government submits their fix to upstream problems
  • April 26, 2017: Rosemary Collyer opinion authorizing the reframed upstream collection

The timing is critical because in between the time the government very belatedly revealed the problems with upstream and the time it decided to halt a narrowly defined “about” collection, it got approval to share raw EO 12333 data between agencies. The searches that NSA won’t be able to do under Section 702 are all, by definition, possible (though probably not as easy) to do under EO 12333. So the government can still obtain the very things they’ve told the FISC they won’t collect [under 702], and they can share them more easily with the FBI and CIA (which can do back door searches on them). In other words, even as the FISC was saying that the backdoor searches of upstream collection violated the Fourth Amendment, the government was self-authorizing a way to do the very same searches via means that don’t have any FISC oversight (and for which the existing oversight regime is flimsy).

But one thing that was most striking for me came when Hennessey stated “there are two forms of collection, upstream and downstream. Within downstream there’s only to and from collection.”

This is the kind of claim that seems to be correct. Indeed, much of Rosemary Collyer’s shitty opinion is premised on such an assumption. In all unclassified FISC discussions, back door searches of PRISM content are considered acceptable because (the assumption is) the searches would return only the side of the US person conversing with a foreign intelligence target. The idea is that the US person would be interesting and potentially valid foreign intelligence because they had knowingly communicated with a target.

But it is actually incorrect.

That’s because PRISM (which has been renamed “downstream” for some reason, which distracts from what kind of providers these actually are) is significantly about the collection of stored data. And the data it collects is not just electronic surveillance (that is, data in motion). As the WaPo described years ago, the NSA will collect other things that are in someone’s users account.

No government oversight body, including the Justice Department, the Foreign Intelligence Surveillance Court, intelligence committees in Congress or the president’s Privacy and Civil Liberties Oversight Board, has delved into a comparably large sample of what the NSA actually collects — not only from its targets but also from people who may cross a target’s path.

Among the latter are medical records sent from one family member to another, résumés from job hunters and academic transcripts of schoolchildren. In one photo, a young girl in religious dress beams at a camera outside a mosque.

Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.

I raise this not to gotcha Hennessey for making a mistake at all; as I said, on its face the statement seems to be, but is not, correct. Rather, I wanted to point to an assumption virtually everyone has been making about PRISM collection and its suitability for back door searches that may not be valid. If you think about the hack-and-leak dumps in recent years, for example, often the most damaging, as well as the most ridiculous infringements on privacy, involve email attachments, such as the list of most Democratic members of Congress’ email many passwords for which were easily obtainable online, or phone conversations about routine housekeeping or illness. And that’s just attachments; most of the PRISM providers are actually cloud storage providers, in addition to being electronic communication providers, and from the very first requests to Yahoo there was mission creep of all the types of things the government might demand.

And while NSA and FBI aren’t supposed to keep stuff that doesn’t count as foreign intelligence or criminal information, it’s clear (from the WaPo report) that NSA, at least, does.

So as we talk about how inappropriate the upstream back door searches were and are because they can search on stuff that’s not foreign intelligence information, we should remember that the very same thing is likely true of back door searches of  the fruits of searches on a person’s cloud storage account.

 

Matt Olsen Admits He Didn’t Bargain on a President Trump

Something predictable, but infuriating, happened at least week’s Cato conference on surveillance.

A bunch of spook lawyers did a panel, at which they considered the state of surveillance under Trump. Former White House Director of Privacy and Civil Liberties Tim Edgar asked whether adhering to basic norms, which he suggested would otherwise be an adequate on surveillance, works in a Trump Administration.

In response, former NSA General Counsel Matt Olsen provided an innocuous description of the things he had done to expand the dragnet.

I fought hard … in the last 10 [years] when I worked in national security, for increasing information sharing, breaking down barriers for sharing information, foreign-domestic, within domestic agencies, and for the modernization of FISA, so we could have a better approach to surveillance.

Then, Olsen admitted that he (who for three years after he left NSA headed up the National Counterterrorism Center managing a ton of analysts paid to imagine the unimaginable) did not imagine someone like Trump might come along.

As I fought for these changes, I did not bargain on a President Trump. That was beyond my ability to imagine as a leader of the country in thinking about how these policies would actually be implemented by the Chief Executive.

It was beyond his ability [breathe, Marcy, breathe] to imagine someone who might abuse power to come along!!!

What makes Olsen’s comment even more infuriating that I called out Olsen’s problematic efforts to “modernize” FISA and sustain the phone dragnet even in spite of abuse in September, in arguing that Hillary could not, in fact, be supporting a balanced approach on intelligence if she planned on hiring him, as seemed likely.

Olsen was the DOJ lawyer who oversaw the Yahoo challenge to PRISM in 2007 and 2008. He did two things of note. First, he withheld information from the FISC until forced to turn it over, not even offering up details about how the government had completely restructured PRISM during the course of Yahoo’s challenge, and underplaying details of how US person metadata is used to select foreign targets. He’s also the guy who threatened Yahoo with $250,000 a day fines for appealing the FISC decision.

Olsen was a key player in filings on the NSA violations in early 2009, presiding over what I believe to be grossly misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets. Basically, working closely with Keith Alexander, he hid the fact that NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.

These comments were used, in this post by former NSA Compliance chief John DeLong and former NSA lawyer Susan Hennessey (the latter of whom was on this panel) to unbelievably dishonestly suggest that surveillance skeptics, embodied by me and EFF’s Nate Cardozo (who has been litigating some of these issues for years), took our understanding of NSA excesses from one footnote in a FISA Court opinion, rather than from years of reading underlying documents.

Readers are likely aware of the incident, which has become a persistent reference point for NSA’s most ardent critics. One such critic recently pointed to a FISC memorandum referencing the episode as evidence that “NSA lawyers routinely lie, even to the secret rubber stamp FISA court”; another cited it in claiming DOJ’s attorneys made “misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets” and that “NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.”

These allegations are false. And by insisting that government officials routinely mislead and lie, these critics are missing one of the most important stories in the history of modern intelligence oversight.

Never mind that I actually hadn’t cited the footnote. Never mind that then FISA Judge Reggie Walton was the first to espouse my “false” view, even before seven more months of evidence came out providing further support for it.

The underlying point is that these two NSA people were so angry that I called out Matt Olsen for documented actions he had taken that they used it as a foil to make some pretty problematic claims about the oversight over NSA spying. But before they did so, they assured us of the integrity of the people involved (that is, Olsen and others).

It’s tempting to respond to these accusations by defending the integrity of the individuals involved. After all, we know from firsthand experience that our former colleagues—both within the NSA and across the Department of Justice, the Office of the Director of National Intelligence, and the Department of Defense—serve the public with a high degree of integrity. But we think it is important to move beyond the focus on who is good and who is bad, and instead explore the history behind that footnote and the many lessons learned and incorporated into practice. After all, we are ultimately a “government of laws,” not of people.

 

 

We are a government of laws, not people, they said in October, before laying out oversight that (they don’t tell you, but I will once I finally get back to responding to this post) has already proven to be inadequate. I mean, I agree with their intent — that we need(ed) to build a bureaucracy that could withstand the craziest of Executives. But contrary to what they claim in their piece and the presumably best intent of DeLong, they didn’t do that.

They now seem to realize that.

In the wake of the Trump victory, a number of these people are now admitting that maybe their reassurances about the bureaucracy they contributed to — which were in reality based on faith in the good intentions and honesty and competence of their colleagues — were overstated. Maybe these tools are too dangerous for an unhinged man to wield.

And, it turns out, one of the people largely responsible for expanding the dragnet that its former defenders now worry might be dangerous for Donald Trump to control never even imagined that someone like Trump might come along.