Posts

Asha Rangappa Demands Progressive Left Drop Bad Faith Beliefs in Op-Ed Riddled with Errors Demonstrating [FBI’s] Bad Faith

It’s my fault, apparently, that surveillance booster Devin Nunes attacked the FBI this week as part of a ploy to help Donald Trump quash the investigation into Russian involvement in his election victory. That, at least, is the claim offered by the normally rigorous Asha Rangappa in a NYT op-ed.

It’s progressive left privacy defenders like me who are to blame for Nunes’ hoax, according to Rangappa, because — she claims — “the progressive narrative” assumes the people who participate in the FISA process, people like her and her former colleagues at the FBI and the FISA judges, operate in bad faith.

But those on the left denouncing its release should realize that it was progressive and privacy advocates over the past several decades who laid the groundwork for the Nunes memo — not Republicans. That’s because the progressive narrative has focused on an assumption of bad faith on the part of the people who participate in the FISA process, not the process itself.

And then, Ragappa proceeds to roll out a bad faith “narrative” chock full of egregious errors that might lead informed readers to suspect FBI Agents operate in bad faith, drawing conclusions without doing even the most basic investigation to test her pre-conceived narrative.

Rangappa betrays from the very start that she doesn’t know the least bit about what she’s talking about. Throughout, for example, she assumes there’s a partisan split on surveillance skepticism: the progressive left fighting excessive surveillance, and a monolithic Republican party that, up until Devin Nunes’ stunt, “has never meaningfully objected” to FISA until now. As others noted to Rangappa on Twitter, the authoritarian right has objected to FISA from the start, even in the period Rangappa used what she claims was a well-ordered FISA process. That’s when Republican lawyer David Addington was boasting about using terrorist attacks as an excuse to end or bypass the regime. “We’re one bomb away from getting rid of that obnoxious [FISA] court.”

I’m more peeved, however, that Rangappa is utterly unaware that for over a decade, the libertarian right and the progressive left she demonizes have worked together to try to rein in the most dangerous kinds of surveillance. There’s even a Congressional caucus, the Fourth Amendment Caucus, where Republicans like Ted Poe, Justin Amash, and Tom Massie work with Rangappa’s loathed progressive left on reform. Amash, Mike Lee, and Rand Paul, among others, even have their name on legislative attempts to reform surveillance, partnering up with progressives like Zoe Lofgren, John Conyers, Patrick Leahy, and Ron Wyden. This has become an institutionalized coalition that someone with the most basic investigative skills ought to be able to discover.

Since Rangappa has not discovered that coalition, however, it is perhaps unsurprising she has absolutely no clue what the coalition has been doing.

In criticizing the FISA process, the left has not focused so much on fixing procedural loopholes that officials in the executive branch might exploit to maximize their legal authority. Progressives are not asking courts to raise the probable cause standard, or petitioning Congress to add more reporting requirements for the F.B.I.

Again, there are easily discoverable bills and even some laws that show the fruits of progressive left and libertarian right efforts to do just these things. In 2008, the Democrats mandated a multi-agency Inspector General on Addington’s attempt to blow up FISA, the Stellar Wind program. Progressive Pat Leahy has repeatedly mandated other Inspector General reports, which forced the disclosure of FBI’s abusive exigent letter program and that FBI flouted legal mandates regarding Section 215 for seven years (among other things). In 2011, Ron Wyden started his thus far unsuccessful attempt to require the government to disclose how many Americans are affected by Section 702. In 2013, progressive left and libertarian right Senators on the Senate Judiciary Committee tried to get the Intelligence Community Inspector General to review how the multiple parts of the government’s surveillance fit together, to no avail.

Rangappa’s apparent ignorance of this legislative history is all the more remarkable regarding the last several surveillance fights in Congress, USA Freedom Act and this year’s FISA Amendments Act reauthorization (the latter of which she has written repeatedly on). In both fights, the bipartisan privacy coalition fought for — but failed — to force the FBI to comply with the same kind of reporting requirements that the bill imposed on the NSA and CIA, the kind of reporting requirements Rangappa wishes the progressive left would demand. When a left-right coalition in the House Judiciary Committee tried again this year, the FBI stopped negotiating with HJC’s staffers, and instead negotiated exclusively with Devin Nunes and staffers from HPSCI.

With USAF, however, the privacy coalition did succeed in a few reforms (including those reporting requirements for NSA and CIA). Significantly, USAF included language requiring the FISA Court to either include an amicus for issues that present “a novel or significant interpretation of the law,” or explain why it did not. That’s a provision that attempts to fix the “procedural loophole” of having no adversary in the secret court, though it’s a provision of law the current presiding FISC judge, Rosemary Collyer, blew off in last year’s 702 reauthorization. (Note, as I’ve said repeatedly, I don’t think Collyer’s scofflaw behavior is representative of what FISC judges normally do, and so would not argue her disdain for the law feeds a “progressive narrative” that all people involved in the FISA process operated in bad faith.)

Another thing the progressive left and libertarian right won in USAF is new reporting requirements on FISA-related approvals for FISC, to parallel those DOJ must provide. Which brings me to Rangappa’s most hilarious error in an error-ridden piece (it’s an error made by multiple civil libertarians earlier in the week, which I corrected on Twitter, but Rangappa appears to mute me so wouldn’t have seen it).

To defend her claim that the FISC judge who approved the surveillance of Carter Page was operating, if anything, with more rigor than in past years, Rangappa points to EPIC’s tracker of FISA approvals and declares that the 2016 court rejected the highest number of applications in history.

We don’t know whether the memo’s allegations of abuse can be verified. It’s worth noting, however, that Barack Obama’s final year in office saw the highest number of rejected and modified FISA applications in history. This suggests that FISA applications in 2016 received more scrutiny than ever before.

Here’s why this is a belly-laughing error. As noted, USAF required the FISA Court, for the first time, to release its own record of approving applications. It released a partial report (for the period following passage of USAF) covering 2015, and its first full report for 2016. The FISC uses a dramatically different (and more useful) counting method than DOJ, because it counts what happens to any application submitted in preliminary form, whereas DOJ only counts applications submitted in final form. Here’s how the numbers for 2016 compare.

Rangappa relies on EPIC’s count, which for 2016 not only includes an error in the granted number, but adopts the AOUSC counting method just for 2016, making the methodology of its report invalid (it does have a footnote that explains the new AOUSC numbers, but not why it chose to use that number rather than the DOJ one or at least show both).

Using the only valid methodology for comparison with past years, DOJ’s intentionally misleading number, FISC rejected zero applications, which is consistent or worse than other years.

It’s not the error that’s the most amusing part, though. It’s that, to make the FISC look good, she relies on data made available, in significant part, via the efforts of a bipartisan coalition that she claims consists exclusively of lefties doing nothing but demonizing the FISA process.

If anyone has permitted a pre-existing narrative to get in the way of understanding the reality of how FISA currently functions, it’s Rangappa, not her invented progressive left.

Let me be clear. In spite of Rangappa’s invocation (both in the body of her piece and in her biography) of her membership in the FBI tribe, I don’t take her adherence to her chosen narrative in defiance of facts that she made little effort to actually learn to be representative of all FBI Agents (which is why I bracketed FBI in my title). That would be unfair to a lot of really hard-working Agents. But I can think of a goodly number of cases, some quite important, where that has happened, where Agents chased a certain set of leads more vigorously because they fit their preconceptions about who might be a culprit.

That is precisely what has happened here. A culprit, Devin Nunes — the same guy who helped the FBI dodge reporting requirements Rangappa thinks the progressive left should but is not demanding — demonized the FISA process by obscuring what really happens. And rather than holding that culprit responsible, Rangappa has invented some other bad guy to blame. All while complaining that people ever criticize her FBI tribe.

Christopher Wray Was Doing Great Until He Accused Chad of Spewing Jihadist Propaganda

In his first House Judiciary Committee oversight hearing today, FBI Director Christopher Wray responded to questions about FBI Agent Peter Strzok by explaining there was an ongoing Inspector General investigation into Strzok’s role in the investigation into Hillary’s treatment of classified information more times (at least 16) than he dodged answers in his confirmation hearing (11).

At that level, it was a typical HJC hearing, as each side spent more time pitching their partisan spin (with Democrats asking a string of questions Wray was unable to answer about Russia) rather than — with a few exceptions — conducting much oversight.

That said, I really appreciated two aspects of Wray’s testimony today. First, with the very notable exception of FISA matters (specifically, any FISA applications tied to Trump’s associates, and whether they derived in any way from the Steele dossier), Wray seemed genuinely willing to accept HJC’s mandate to conduct oversight.

As I’ve already noted, I get that HJC can be full of partisan hacks. But it is also the case that the Executive branch, particularly something as powerful as the FBI, must be subject to the oversight requests of Congress. And under both the Bush and Obama Administrations, FBI and DOJ largely treated their oversight committees with (sometimes deserved, but often undeserved) contempt. Even where Wray was bullshitting members of Congress, such as when he pretended that moving Strzok to human resources wasn’t a demotion, he at least appeared to treat their inquiries with respect.

Perhaps, if it is treated with respect it sometimes doesn’t deserve, HJC will come to become the committee FBI and DOJ need as an oversight body.

The other thing I appreciated — particularly in the wake of Jim Comey’s treatment of everything as a fight between “good guys” and “bad guys” — was Wray’s repeated invocation of the humanness of FBI and its officials. For example, in what must have been a rehearsed response to a question about the reputation of the FBI, Wray said, “Do we make mistakes? You bet we make mistakes. Just like everyone who is human makes mistakes,” before describing how the IG (which is currently investigating Strzok) provides the opportunity to “hold our folks accountable, if that’s appropriate.” Somewhat less convincingly, in response to a question from Cedric Richmond, who cleverly noted that the FBI Headquarters is still named after the architect of COINTELPRO, J Edgar Hoover, Wray again stressed the humanity of FBI. “It’s something we’re not proud of but it is also something we’ve learned from … We’re human, we make mistakes. We have things that we’ve done well. We’ve had things we done badly, and when we’ve done badly we try to learn from them.”

Given FBI’s intransigence on back door searches and Wray’s own evolving understanding of the problems caused by the designation Black Identity Extremist (not to mention what appears to be undeserved self-congratulation about how many — or rather few — open investigation into white supremacist terrorists the FBI has) I’m not convinced the FBI really has learned those lessons. It is still too white and too male of an organization to understand how much it polices some of the same things COINTELPRO did, and with even more intrusive tools.

But I am heartened that the FBI Director, perhaps largely because of the focus on Strzok, publicly recognized that FBI is not always the good guy, contrary to what Comey internalized and evangelized over and over. In discussions with Karen Bass about the BIE designation, too, it sounded like he was at least able to listen, even if he refused to withdraw the intelligence report that created the designation.

That said, Wray made several outright errors that need to be corrected.

The first two, both about Section 702, came in response to questions by Ted Poe (who was one of just a few people to raise Section 702, in spite of the fact that I’ve heard from numerous staffers they can’t get answers about key aspects of how 702 works). First, addressing Poe’s claim that back door searches are abusive, Wray claimed that courts that had considered the querying had found it to be consistent with the Fourth Amendment.

Every court, every  court, to have looked at the way in which Section 702 is handled, including the querying, has concluded that it’s being done consistent with the Fourth Amendment.

As the EFF laid out, that’s not actually true. The Ninth Circuit punted on precisely the issue of back door searches.

When Wray mentions the Ninth Circuit, he is likely referencing a 2016 decision by the U.S. Court of Appeals for the Ninth Circuit. In the opinion for USA v. Mohamed Osman Mohamud, the appeals court ruled that, based on the very specific evidence of the lawsuit, data collected under Section 702 did not violate a U.S. person’s Fourth Amendment rights. But the judge explicitly wrote that this lawsuit did not involve some of the more “complex statutory and constitutional issues” potentially raised by Section 702.

Notably, the judge wrote that the Mohamud case did not involve “the retention and querying of incidentally collected communications.” That’s exactly what we mean when we talk about “backdoor searches.”

Wray is mischaracterizing the court’s opinion. He is wrong.

In addition, Wray claimed that,

The individuals that are incidentally collected — the US person information that is incidentally collected — are people that are in communication with foreigners who are the subject of foreign intelligence investigations, so like an ISIS recruiter, there’s a US person picked up, that person would have been in email contact, for example, with an ISIS recruiter.

While I’m not certain precisely what gets dumped into the FBI database that is queried, it is false to claim that every US person who has information collected would necessarily have been in communication with the target. That’s because PRISM providers are cloud storage providers and NSA gets anything a target stores and then some, and because people email very interesting stuff to each other all the time. That means there’s a whole bunch of other things that might implicate US persons swept up in the PRISM collection that gets shared, in raw form, with the FBI.

I wanted to point to an assumption virtually everyone has been making about PRISM collection and its suitability for back door searches that may not be valid. If you think about the hack-and-leak dumps in recent years, for example, often the most damaging, as well as the most ridiculous infringements on privacy, involve email attachments, such as the list of most Democratic members of Congress’ email many passwords for which were easily obtainable online, or phone conversations about routine housekeeping or illness. And that’s just attachments; most of the PRISM providers are actually cloud storage providers, in addition to being electronic communication providers, and from the very first requests to Yahoo there was mission creep of all the types of things the government might demand.

And while NSA and FBI aren’t supposed to keep stuff that doesn’t count as foreign intelligence or criminal information, it’s clear (from the WaPo report) that NSA, at least, does.

So as we talk about how inappropriate the upstream back door searches were and are because they can search on stuff that’s not foreign intelligence information, we should remember that the very same thing is likely true of back door searches of  the fruits of searches on a person’s cloud storage account.

Plus, while the example of an ISIS recruiter makes for good show, the targets will also include people like Chinese scientists and Russian businessmen, among other things. There are completely innocent reasons — like science!!! — to speak to such targets. And yet if FBI does a back door search on Americans who’ve engaged in such innocent discussions it can and almost certainly has led to innocent people being targeted unfairly.

It bothers me that me — a dirty fucking hippie blogger, though admittedly one who has become (as a Congressional staffer introduced me as earlier this year) as expert on FISA as anyone outside of government — knows these details better than the FBI Director (who, after all, was involved in not providing defendants adequate notice of this stuff during its illegal go-around under Stellar Wind).

But Wray’s biggest error, on a different topic, came later. After first dodging Pramila Jayapal’s questions about whether Trump’s tweets have contributed to the spike of hate crimes this year by suggesting the data was untrustworthy (!!!), Director Wray than answered her question about the Muslim ban this way.

An awful lot of our terror investigations do also involve immigration violations, so there is a close nexus between immigration violations and counterterrorism investigations, and an awful lot of the terrorist investigations we have involve global jihadist rhetoric, which is disproportionately concentrated in certain countries.

One reason terror investigations involve immigration violations is because that’s an easy way to punish someone who hasn’t actually committed any crime (and given that most terrorist attacks are not recent immigrants, sort of beside the point).

But the notion that immigration from Muslim majority countries — like the six included in the current Muslim ban: Iran, Libya, Syria, Yemen, Somalia, and Chad — is dangerous because global jihadist rhetoric arises from those countries is the height of nonsense. That’s because the most effective recruiter of Americans for almost a decade was a man, Anwar al-Awlaki, who wrote much of his propaganda here or in the UK; while his rhetoric subsequently did get published from Yemen, he’s been dead for 6 years, with far less jihadist rhetoric in English from there. And while Syria, Somalia, and Libya do export hateful rhetoric, so did Iraq and does Saudi Arabia and Pakistan, two countries we haven’t banned. Iran certainly exports a great deal of anti-American rhetoric, but it is not recruiting terrorists here and most of its anti-American actions are legitimate state-based opposition derived from power relations, not religion. And Awlaki is by no means the only producer of anti-American rhetoric in majority Christian countries, including but not limited to the US and UK.

Ultimately, of course, Jayapal was talking about Trump’s Muslim ban, the one that bans elite Venezuelans and North Koreans along with weaker Muslim ones. And while he didn’t go as far as to say that Kim Jong-Un was spewing jihadist rhetoric, that’s the logic here.

But by implication, he was talking about Chad, which in spite of its cooperation on terrorism, got added to the list because Trump is incompetent. To suggest Chad is a propaganda threat and the US and UK are not is the height of folly.

But that’s what the FBI Director claimed today to avoid criticizing Trump’s bigotry.

Update: For some reason I was writing Cedric Richmond’s last name wrong all day today. I’ve corrected my use of “Johnson” instead of “Richmond” here. My apologies to him for my still uncorrected tweets.

What a Social Media Check for Visas Would Require

There’s a bunch of fevered commentary arising out of the report that Tashfeen Malik, one of the perpetrators of the San Bernardino attack, espoused extremism on Facebook before she entered the country. Otherwise sane members of Congress are submitting legislation calling for the government to review social media before granting a visa.

Here’s why that’s dumb.

First, let’s look at whether the State Department really could have found Malik’s posting before granting her a K1 visa. As CNN reported, Malik hadn’t actually been plotting jihad in the open, as much of the reporting on this suggests.

Tashfeen Malik advocated jihad in messages on social media, but her comments were made under a pseudonym and with strict privacy settings that did not allow people outside a small group of friends to see them, U.S. law enforcement officials told CNN on Monday.

[snip]

The New York Times reported on Sunday that U.S. immigration officials conducted three background checks on Malik when she emigrated from Pakistan but allegedly did not uncover social media postings in which she said she supported violent jihad and wanted to be a part of it.

According to the law enforcement officials, because Malik used a pseudonym and privacy controls, her postings would not have been found even if U.S. authorities had reviewed social media as part of her visa application process.

A U.S. official told CNN shortly after the San Bernardino attack that the United States only recently began reviewing the social media activity of visa applicants from certain countries. The date that these types of reviews began is not clear, but it was after Malik was considered, the source said.

So to get to the posts in question, someone would have had to match her pseudonym to a known identifier of hers, access her private communication, and then translate it from Urdu.

The NSA (though not State) actually has the ability to do that. They’d probably find her pseudonym either the way the FBI reportedly did, by giving Facebook her known email which they’d find was tied to that account, or they’d stick known identifiers (including name, email, credit card with which she paid her visa fee) into a tool the NSA has for correlating identities.

This process would be helped, of course, if DHS’ online visa application system was working, because that would not only increase the chances you’d get a working email for the applicant, but it would also give you at least one IP address you could also correlate on. But the effort to do that has become the worst kind of boondoggle, with a billion dollars spent and just one online form working. So this whole process would be started with less certainty attached to any online identifier.

The NSA also has the ability to read private posts — on Facebook at least. Given that at the time Malik applied for her visa she was neither a US person (I’m still not certain whether she would have been treated as a US person just with a fiance visa, on application for a Green Card, or on receipt of one), nor in the country, NSA could have used PRISM (with the added benefit that it would provide a bunch more identities to check).

Of course, you’d also want to check non-US social media, like Telegram (which ISIS has reportedly been using) and Vkontakte (which the Tsarnaev brothers used). That’s going to be harder to do.

Finally, you’d have to translate any posts Malik wrote from Urdu to English. While an initial translation could be done by machine, to understand any subtleties of the posting, you’d need to get a human translator to do the work, and even for key languages like Urdu and Arabic, the government has far too few translators.

So you could do such a check, at least for US-based social media, but you’d have to involve the NSA.

Now consider the resource demands of doing this. There are upwards of 450,000 immigrant visas issued each year.  There are another 750,000 student and temporary work visas, both categories of which are closer to a typical terrorist profile than a fiance visa (that doesn’t include exchange visitors and a range of other kinds of work visas).

Last year, the government targeted 92,000 people under Section 702, which you’d have  to use to get just private (not encrypted) communications. So you’d have to do an order of magnitude more PRISM searches every year to thoroughly check the social media of just the most obvious visa applicants. You’d either have to vastly expand NSA’s workstaff — and require key social media providers, like Facebook, to do the same just to stay ahead of compliance requests — or you’d have to pull them off of investigating targets about which they have some reason to be interested already.

Of course, if you did that — if you passed a law requiring all immigrants and long term visa applicants to be checked — then you’d make it far easier for people to evade detection, because you’d be alerting the few people who’d want to evade detection that you would check their accounts. They could then move to social media, like Telegram, that the US would have a harder time checking, and encrypt their messages.

Moreover, you’d be making this great effort at a time when much more obvious problems (such as that online form!) haven’t been fixed. Most importantly, since 9/11, it has been a top priority to track the exits of short term visitors (including those people with visa waivers), and the government still hasn’t managed that yet. If you want to make America more safe, you’d be far better served finally fixing that problem than reading a million people’s secret social media posts.

While They’re Replacing John Boehner, the GOP Should Replace Devin Nunes, Too

In a profile in Politico, Justin Amash* makes the case that the Freedom Caucus’ rebellion against John Boehner isn’t so much about ideology, it is about process.

Republican leaders see Freedom Caucus members as a bunch of bomb-throwing ideologues with little interest in finding solutions that can pass a divided government.

But that’s a false reading of the group, Amash told his constituents. Their mission isn’t to drag Republican leadership to the right, though many of them would certainly favor more conservative outcomes. It’s simply to force them to follow the institution’s procedures, Amash argued.

That means allowing legislation and amendments to flow through committees in a deliberative way, and giving individual members a chance to offer amendments and to have their ideas voted on on the House floor. Instead of waiting until right before the latest legislative crisis erupts, then twisting members’ arms for votes, they argue, leadership must empower the rank and file on the front end and let the process work its will.

“In some cases, conservative outcomes will succeed. In other cases, liberal outcomes will succeed. And that’s OK,” said Amash, who was reelected overwhelmingly last year after the U.S. Chamber of Commerce backed his Republican primary rival. “We can have a House where different coalitions get together on different bills and pass legislation. And then we present that to the Senate and we present it to the White House.

The truth lies somewhere in-between. After all, 8 of the 21 questions the FC posed to potential Speaker candidates are ideological in nature, hitting on the following issues:

  • Obamacare
  • Budget and appropriation resolution reform
  • Ex-Im bank
  • Highway Trust Fund
  • Impeaching the IRS Commissioner
  • First Amendment Defense Act

Admittedly, even some of those — the financial ones — are procedural, but there are some key ideological litmus tests there.

Of the remaining 21 questions, 3 pertain to use of NRCC resources, 4 pertain to conference make-up, and 6 have to do with process. In other words, this block of members wants to end the systematic exclusion of their members from leadership and other positions and the systematic suppression of legislation that might win a majority vote without leadership sanction.

And while I certainly recognize that some of these process reforms — again, especially the financial ones — would likely lead to more hostage taking, I also think such reforms would also make (as one example) stupid wars and surveillance less likely, because a transpartisan majority of the House opposes many such things while GOP leadership does not (Nancy Pelosi generally opposes stupid surveillance and wars but also usually, though not always, does the bidding of the President).

The Yoder-Polis Act, an ECPA reform bill supported by 300 co-sponsors, is an example of worthy legislation that has long been held up because of leadership opposition.

While making the case for reform, though, I’d like to make the suggestion for another: to boot Devin Nunes, the current Chair of the House Intelligence Committee. According to the House Republican rules, the only positions picked by the Speaker are Select Committee Chairs, which would include Nunes and Benghazi Committee Chair Trey Gowdy (the latter of whom seems to be taken care of with Republican after Republican now admitting the committee is just a hack job, though if the FC wants to call for Richard Hanna to take over as Chair to shut down this government waste, I’d be cool with that too).

But with Boehner on his way out, it seems fair to suggest that Nunes should go too. While Nunes was actually better on Benghazi than his predecessor (raising questions about the CIA’s involvement in gun-running), he has otherwise been a typical rubber stamp for the intelligence community, rushing to pass info-sharing with Department of Energy even while commenting on their shitty security practices, and pitching partisan briefings to give the IC one more opportunity to explain why the phone dragnet was more useful than all the independent reviews say it was.

The Intelligence Community has lost credibility since 9/11, and having a series of rubber stamp oversight Chairs (excepting Silvestre Reyes, who was actually reasonably good) has only exacerbated that credibility problem. So why not call for the appointment of someone like former state judge Ted Poe, who has experience with intelligence related issues on both the Judiciary and Foreign Relations Committees, but who has also been a staunch defender of the Constitution.

Hostage taking aside, I’m sympathetic to the argument that the House should adopt more inclusive rules, in part because it would undercut the problems of a two party duopoly serving DC conventional wisdom.

But no place in Congress needs to be reformed more than our intelligence oversight. And while picking a more independent Chair won’t revamp the legal structure of intelligence oversight, it might initiate a process of bringing more rigorous oversight to our nation’s intelligence agencies.

Of course, who am I kidding?!?! It’s not even clear that the GOP will succeed in finding a palatable Speaker candidate before Boehner retires. Throwing HPSCI Chair into the mix would likely be too much to ask. Nevertheless, as we discuss change and process, HPSCI is definitely one area where we could improve process to benefit the country.


*Amash is my congressperson, but I have not spoken to him or anyone else associated with him for this post and don’t even know if he’d support this suggestion.

Some Thoughts on USA F-ReDux

There’s a funny line in the House Judiciary Committee’s report on USA F-ReDux. Amid the discussion of the new Call Detail Record function, it explains the government will be doing CDR chaining on “metadata it already lawfully possesses,” even as providers will be chaining on metadata in their possession.

In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses.

The line should not be surprising. As I reported in 2013, the NSA does what are called “federated” queries, metadata chaining across data collected from a variety of sources. This line, then, simply acknowledges that the government will continue to conduct what amounts to federated queries even under the new system.

But the line ought to raise the question, “where does this lawfully possessed data come from?”

The data almost certainly comes from at least 3 sources: metadata taken from PRISM collection in databases that get copied wholesale (so Internet metadata within a hop of a foreign target), records of international phone calls, and records from Internet data collected overseas.

The latter two, of course, would be collected in bulk.

So within the report on a bill many claim ends bulk collection of American’s phone records is tacit admission that the bulk collection continues (not to mention that the government has broad access to data collected under PRISM).

After yesterday’s 338 – 88 vote in the House in favor of USA F-ReDux, a number of people asked me to explain my view on the bill.

First, the good news. As I noted, while the language on CDR chaining in the actual bill is muddled, the House report includes language that would prohibit most of the egregious provider-based chaining I can imagine. So long as nothing counters that, one of my big concerns dating back to last year has been addressed.

I also opposed USAF last fall because I expected the Second Circuit would weigh in in a way that was far more constructive than that bill, and I didn’t want a crappy bill to moot the Second Circuit. While there are many things that might yet negate the Second Circuit ruling (such as conflicting decisions from the DC or 9th Circuits or a reversal by SCOTUS), the Second Circuit’s decision was even more useful than I imagined.

But that’s part of why I’m particularly unhappy that Specific Selection Term has not been changed to require the government to more narrowly target its searches. Indeed, I think the bill report’s language on this is particularly flaccid.

Section 501(b)(2)(A) of FISA will continue to require the government to make ‘‘a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation….’’50 Section 103 requires the government to make an additional showing, beyond relevance, of a specific selection term as the basis for the production of the tangible things sought, thus ensuring that the government cannot collect tangible things based on the assertion that the requested collection‘‘is thus relevant, because the success of [an] investigative tool depends on bulk collection.’’ 51 Congress’ decision to leave in place the ‘‘relevance’’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term. These changes restore meaningful limits to the‘‘relevance’’ requirement of Section 501, consistent with the opinion of the U.S. Court of Appeals for the Second Circuit in ACLU v.Clapper.

Meaningful limits on “relevant to” would be specific guidelines for the court on what is reasonable and what is not. Instead, USA F-ReDux still subjects the narrowness of an SST to a “greatest extent reasonably practicable” standard, which in the past we’ve seen amount to prioritization of the practicability of spying over privacy interests. While people can respectfully disagree on this front, I believe USA F-ReDux still permits both bulk collection of non-communications records and bulky collection of communications records (including FBI’s Internet collection). In the wake of the Second Circuit opinion, I find that especially inexcusable.

I also am not convinced USA F-ReDux is an across-the-board privacy win. I argued last year that USAF swaps a well-guarded unexploded nuclear bomb for many more exploding IEDs striking at privacy. By that, I mean that the new CDR function will probably not result in any less privacy impact, in practice (that is, assuming NSA follows its own minimization rules, which it hasn’t always), than the prior dragnet. That’s true because:

  • We have every reason to believe the CDR function covers all “calls,” whether telephony or Internet, unlike the existing dragnet. Thus, for better and worse, far more people will be exposed to chaining than under the existing dragnet. It will catch more potential terrorists, but also more innocent people. As a result, far more people will be sucked into the NSA’s maw, indefinitely, for exploitation under all its analytical functions. This raises the chances that an innocent person will get targeted as a false positive.
  • The data collected under the new CDR function will be circulated far more broadly than status quo. Existing dragnet orders limit access to the results of queries to those with special training unless one of four named individuals certifies that the query result relates to counterterrorism. But USA F-ReDux (and the current minimization procedures for Section 702 data; USA F-ReDux will likely use the PRISM infrastructure and processing) makes it clear that FBI will get access to raw query results. That almost certainly means the data will be dumped in with FBI’s PRISM and FISA data and subjected to back door searches at even the assessment level, even for investigations that have nothing to do with terrorism. As on the NSA side, this increases the risk that someone will have their lives turned upside down for what amounts to being a false positive. It also increases the number of people who, because of something in their metadata that has nothing to do with a crime, can be coerced into becoming an informant. And, of course, they’ll still never get notice that that’s where this all came from, so they will have a difficult time suing for recourse.

One other significant concern I’ve got about the existing bill — which I also had last year — is that the emergency provision serves as a loophole for Section 215 collection; if the FISC deems emergency collections illegal, the government still gets to keep — and parallel construct — the data. I find this especially concerning given how much Internet data FBI collects using this authority.

I have — as I had last year — mixed feelings about the “improvements” in it. I believe the amicus, like initial efforts to establish PCLOB, will create an initially ineffective function that might, after about 9 years, someday become effective. I believe the government will dodge the most important FISC opinion reporting, as they currently do on FOIAs. And, in spite of a real effort from those who negotiated the transparency provisions, I believe that the resulting reporting will result in so thoroughly an affirmatively misleading picture of surveillance it may well be counterproductive, especially in light of the widespread agreement the back doors searches of Section 702 data must be closed (while there are a few improvements on reporting to Congress in this year’s bill, the public reporting is even further gutted than it was last year).

And now there’s new gunk added in.

One change no one has really examined is a change extending “foreign power” status from those proliferating WMDs to those “conspiring” or “abetting” efforts to do so. I already have reasons to believe the WMD spying under (for example) PRISM is among the more constitutionally problematic. And this extends that in a way no one really understands.

Even more troublesome is the extension of Material Support maximum sentences from 15 to 20 years. Remember, under Holder v. HLP, a person can be convicted of material support for First Amendment protected activities. Thus, USA F-ReDux effectively embraces a 20 year sentence for what could be (though isn’t always) thought crimes. And no one has explained why it is necessary! I suspect this is an effort to use harsh sentences to coerce people to turn informant. If so, then this is an effort to recruit fodder for infiltrators into ISIS. But if all that’s correct, it parallels similar efforts under the Drug War to use excessive sentences to recruit informants, who — it turns out in practice — often lead to false convictions and more corruption. In other words, at a moment when there is bipartisan support for sentencing reform for non-violent crimes (for which many cases of Material Support qualify), USA F-ReDux goes in the opposite direction for terrorism, all at a time when the government claims it should be putting more emphasis on countering extremism, including diversion.

So while I see some advantages to the new regime under USA F-ReDux (ironically, one of the most important is that what surveillance the government does will be less ineffective!), I am not willing to support a bill that has so many bad things in it, even setting aside the unconstitutional surveillance it doesn’t address and refuses to count in transparency provisions. I think there need to be privacy advocates who live to fight another day (and with both ACLU and EFF withdrawing their affirmative support for the bill, we at least have litigators who can sue if and when we find the government violating the law under this new scheme — I can already identify an area of the bill that is certainly illegal).

That said, it passed with big numbers yesterday. If it passes, it passes, and a bunch of authoritarians will strut their purported support for liberty.

At this point, however, the priority needs to be on preventing the bill from getting worse (especially since a lot of bill boosters seem not to have considered at what point they would withdraw their support because the bill had gotten too corrupted). Similarly, while I’m glad bill sponsors Jim Sensenbrenner and Jerry Nadler say they won’t support any short-term extension, that may tie their own hands if what comes back is far worse than status quo.

There’s some good news there, too. The no votes on yesterday’s House vote were almost exclusively from supporters of privacy who believe the bill doesn’t go far enough, from Justin Amash to Jared Polis to Tom Massie to Donna Edwards to Ted Poe to rising star Ted Lieu and — most interestingly — Jan Schakowsky (who voted for the crappier House bill when she was on HPSCI last year). Hopefully, if and when Mitch McConnell throws in more turdballs, those who opposed the bill yesterday can whip efforts to defeat it.

Stay tuned.

emptywheel Coverage of USA F-ReDux, or, PRISM for Smart Phones

This post will include all my coverage on USA F-ReDux.

Ten Goodies USA F-ReDux Gives the Intelligence Community 

USA F-ReDux’s boosters often suggest the bill would be a big sacrifice for the Intelligence Community. That’s nonsense. This post lists just 10 of the goodies the IC will get under the bill, including chaining on Internet calls, a 2nd super-hop, emergency provisions ripe for abuse, and expansions of data sharing.

2nd Circuit Decision Striking Down Dragnet Should Require Tighter “Specific Selection Term” Language in USA F-ReDux 

The 2nd Circuit just ruled that the phone dragnet was not authorized by Section 215. The language in the opinion on DOJ’s misinterpretation of “relevant to” ought to lead Congress to tighten the definition of “Specific Selection Term” in the bill to better comply with the opinion.

USA F-ReDux: Chaining on “Session Identifying Information” that Is Not Call Detail Records 

As I correctly predicted a year ago, by outsourcing “connection chaining” to the providers, the Intelligence Community plans to be able to chain on session identifying information (things like location and cookies) that is probably illegal.

USA F-ReDux: Dianne Feinstein Raises the Data Handshake Again (Latest post)

Some months ago, Bob Litt emphasized USA Freedom would only work if the telecoms retained enough data for pattern analysis (which may or may not back my worry the government plans to outsource such pattern analysis to the telecoms). Nevertheless, no one seems to want to discuss whether and if so how USA F-ReDux will ensure providers do keep data. Except Dianne Feinstein, who today once again suggested there is a kind of “data handshake” whereby the telecoms will retain our data without being forced.

Unlike the Existing Phone Dragnet, USA F-ReDux Does Not Include “Telephony” in Its Definition of Call Detail Record 

The definition of Call Detail Record that will be adopted under USA F-ReDux is closely related to the definition currently used in the phone dragnet — though the USA F-ReDux does not require CDRs to be comprehensive records of calls as the existing phone dragnet does. The big difference, however, is that USA F-ReDux never specifies that calls include only telephony calls.

Congress’s Orwellian spying “reforms”: Why the government wants to outsource its surveillance to your Internet provider 

At Salon, I explain more about why the IC wants to create PRISM for Smart Phones with USA F-ReDux.

Google Applauds USA F-ReDux Because It “Modernizes” Surveillance 

Neither Google nor any of the other providers are admitting they’ll be getting expansive immunity to help spy on their users if USA F-ReDux passes. But Google does reveal they consider this move “modernization,” not reform. Is that because they’ll once again get a monopoly on spying on their users?

Read more

Bob Litt: That Bill I Wrote Looks Great on First Read

Supporters of USA F-ReDux are hailing Bob Litt’s comments approving of the bill.

“On first read, the new version of the USA Freedom Act looks like it accomplishes the president’s goals and will preserve important intelligence capabilities,” Robert Litt, the general counsel at the Office of the Director of National Intelligence, said on Friday.

“The administration has worked very closely with members of Congress, their staff — both parties in both houses — to come up with this bill,” he added.

But as even his comments make clear, to say nothing of the comments made during markup yesterday, he didn’t just “on first read it” Tuesday after it was released.

He largely wrote it.

In fact, when the Judiciary Committee tried to add things to the bill yesterday to make it comply with the Constitution, they claimed to be impotent to do so because that would blow up the bill. And so they bowed to IC demands.

No wonder Litt is fond of it.

Nine Members of Congress Vote to Postpone the Fourth Amendment

Broadcast live streaming video on Ustream

John Conyers, Jim Sensenbrenner, Darrell Issa, Steve Cohen, Jerry Nadler, Sheila Jackson Lee, Trey Gowdy,  John Ratcliffe, Bob Goodlatte all voted to postpone the Fourth Amendment today.

At issue was Ted Poe’s amendment to the USA Freedom Act (USA F-ReDux; see the debate starting around 1:15), which prohibited warrantless back door searches and requiring companies from inserting technical back doors.

One after another House Judiciary Committee member claimed to support the amendment and, it seems, agreed that back door searches violate the Fourth Amendment. Though the claims of support from John Ratcliffe, who confessed to using back door searches as a US Attorney, and Bob Goodlatte, who voted against the Massie-Lofgren amendment last year, are suspect. But all of them claimed they needed to vote against the amendment to ensure the USA Freedom Act itself passed.

That judgment may or may not be correct, but it’s a fairly remarkable claim. Not because — in the case of people like Jerry Nader and John Conyers — there’s any question about their support for the Fourth Amendment. But because the committee in charge of guarding the Constitution could not do so because the Intelligence Committee had the sway to override their influence. That was a point made, at length, by both Jim Jordan and Ted Poe, with the latter introducing the point that those in support of the amendment but voting against it had basically agreed to postpone the Fourth Amendment until Section 702 reauthorization in 2017.

(1:37) Jordan: A vote for this amendment is not a vote to kill the bill. It’s not a vote for a poison pill. It’s not a vote to blow up the deal. It’s a vote for the Fourth Amendment. Plain and simple. All the Gentleman says in his amendment is, if you’re going to get information from an American citizen, you need a warrant. Imagine that? Consistent with the Fourth Amendment. And if this committee, the Judiciary Committee, the committee most responsible for protecting the Bill of Rights and the Constitution and fundamental liberties, if we can’t support this amendment, I just don’t see I it. I get all the arguments that you’re making, and they’re all good and the process and everything else but only in Congress does that trump — I mean, that should never trump the Fourth Amendment.

(1:49) Poe; We are it. The Judiciary Committee is it. We are the ones that are protecting or are supposed to protect, and I think we do, that Constitution that we have. And we’re not talking about postponing an Appropriations amount of money. We’re not talking about postponing building a bridge. We’re talking about postponing the Fourth Amendment — and letting it apply to American citizens — for at least two years. This is our opportunity. If the politics says that the Intel Committee — this amendment may be so important to them that they don’t like it they’ll kill the deal then maybe we need to reevaluate our position in that we ought to push forward for this amendment. Because it’s a constitutional protection that we demand occur for American citizens and we want it now. Not postpone it down the road to live to fight another day. I’ve heard that phrase so long in this Congress, for the last 10 years, live to fight another day, let’s kick the can down the road. You know? I think we have to do what we are supposed to do as a Committee. And most of the members of the Committee support this idea, they agree with the Fourth Amendment, that it ought to apply to American citizens under these circumstances. The Federal government is intrusive and abusive, trying to tell companies that they want to get information and the back door comments that Ms. Lofgren has talked about. We can prevent that. I think we should support the amendment and then we should fight to keep this in the legislation and bring the legislation to the floor and let the Intel Committee vote against the Fourth Amendment if that’s what they really want to do. And as far as leadership goes I think we ought to just bring it to the floor. Politely make sure that the law, the Constitution, trumps politics. Or we can let politics trump the Constitution. That’s really the decision.

Nevertheless, only Louie Gohmert, Raul Labrador, Zoe Lofgren, Suzan DelBene, Hakeem Jeffries, David Cicilline, and one other Congressman–possibly Farenthold–supported the amendment.

The committee purportedly overseeing the Intelligence Community and ensuring it doesn’t violate the Constitution has instead dictated to the committee that guards the Constitution it won’t be permitted to do its job.

Amash-Conyers Fails 205-217

In one of the closest votes in a long time for civil liberties, the Amash-Conyers amendment just failed, but only barely, by a vote of 205-217.

The debate was lively, with Mike Rogers, Michele Bachmann, and Iraq verteran Tom Cotton spoke against the amendment; Amash closely managed time to include a broad mix of Democrats and Republicans.

The only nasty point of the debate came when Mike Rogers (R-MI) suggested Justin Amash (R-MI) was leading this charge for Facebook likes.

Update: Here’s the roll call.

That Makes Over 21 Requests by 31 Members of Congress, Mr. President

Adding the letter that Barbara Lee, as well as a list of all Members of Congress who have, at one time or another, requested the targeted killing memos.

February 2011: Ron Wyden asks the Director of National Intelligence for the legal analysis behind the targeted killing program; the letter references “similar requests to other officials.” (1) 

April 2011: Ron Wyden calls Eric Holder to ask for legal analysis on targeted killing. (2)

May 2011: DOJ responds to Wyden’s request, yet doesn’t answer key questions.

May 18-20, 2011: DOJ (including Office of Legislative Affairs) discusses “draft legal analysis regarding the application of domestic and international law to the use of lethal force in a foreign country against U.S. citizens” (this may be the DOJ response to Ron Wyden).

October 5, 2011: Chuck Grassley sends Eric Holder a letter requesting the OLC memo by October 27, 2011. (3)

November 8, 2011: Pat Leahy complains about past Administration refusal to share targeted killing OLC memo. Administration drafts white paper, but does not share with Congress yet. (4) 

February 8, 2012: Ron Wyden follows up on his earlier requests for information on the targeted killing memo with Eric Holder. (5)

March 7, 2012: Tom Graves (R-GA) asks Robert Mueller whether Eric Holder’s criteria for the targeted killing of Americans applies in the US; Mueller replies he’d have to ask DOJ. Per his office today, DOJ has not yet provided Graves with an answer. (6) 

March 8, 2012: Pat Leahy renews his request for the OLC memo at DOJ appropriations hearing.(7)

June 7, 2012: After Jerry Nadler requests the memo, Eric Holder commits to providing the House Judiciary a briefing–but not the OLC memo–within a month. (8)

June 12, 2012: Pat Leahy renews his request for the OLC memo at DOJ oversight hearing. (9)

June 22, 2012: DOJ provides Intelligence and Judiciary Committees with white paper dated November 8, 2011.

June 27, 2012: In Questions for the Record following a June 7 hearing, Jerry Nadler notes that DOJ has sought dismissal of court challenges to targeted killing by claiming “the appropriate check on executive branch conduct here is the Congress and that information is being shared with Congress to make that check a meaningful one,” but “we have yet to get any response” to “several requests” for the OLC memo authorizing targeted killing. He also renews his request for the briefing Holder had promised. (10)

July 19, 2012: Both Pat Leahy and Chuck Grassley complain about past unanswered requests for OLC memo. (Grassley prepared an amendment as well, but withdrew it in favor of Cornyn’s.) Leahy (but not Grassley) votes to table John Cornyn amendment to require Administration to release the memo.

July 24, 2012: SSCI passes Intelligence Authorization that requires DOJ to make all post-9/11 OLC memos available to the Senate Intelligence Committee, albeit with two big loopholes.

December 4, 2012: Jerry Nadler, John Conyers, and Bobby Scott ask for finalized white paper, all opinions on broader drone program (or at least a briefing), including signature strikes, an update on the drone rule book, and public release of the white paper.

December 19, 2012: Ted Poe and Tredy Gowdy send Eric Holder a letter asking specific questions about targeted killing (not limited to the killing of an American), including “Where is the legal authority for the President (or US intelligence agencies acting under his direction) to target and kill a US citizen abroad?”

January 14, 2013: Wyden writes John Brennan letter in anticipation of his confirmation hearing, renewing his request for targeted killing memos. (11)

January 25, 2013: Rand Paul asks John Brennan if he’ll release past and future OLC memos on targeting Americans. (12)

February 4, 2013: 11 Senators ask for any and all memos authorizing the killing of American citizens, hinting at filibuster of national security nominees. (13)

February 6, 2013: John McCain asks Brennan a number of questions about targeted killing, including whether he would make sure the memos are provided to Congress. (14)

February 7, 2013Pat Leahy and Chuck Grassley ask that SJC be able to get the memos that SSCI had just gotten. (15)

February 7, 2013: In John Brennan’s confirmation hearing, Dianne Feinstein and Ron Wyden reveal there are still outstanding memos pertaining to killing Americans, and renew their demand for those memos. (16)

February 8, 2013: Poe and Gowdy follow up on their December 19 letter, adding several questions, particularly regarding what “informed, high level” officials make determinations on targeted killing criteria.

February 8, 2013: Bob Goodlatte, Trent Franks, and James Sensenbrenner join their Democratic colleagues to renew the December 4, 2012 request. (17)

February 12, 2013: Rand Paul sends second letter asking not just about white paper standards, but also about how National Security Act, Posse Commitatus, and Insurrection Acts would limit targeting Americans within the US.

February 13, 2013: In statement on targeted killings oversight, DiFi describes writing 3 previous letters to the Administration asking for targeted killing memos. (18, 19, 20)

February 20, 2013: Paul sends third letter, repeating his question about whether the President can have American killed inside the US.

February 27, 2013: At hearing on targeted killing of Americans, HJC Chair Bob Goodlatte — and several other members of the Committee — renews request for OLC memos. (21)

March 11, 2013: Barbara Lee and 7 other progressives ask Obama to release “in an unclassified form, the full legal basis of executive branch claims” about targeted killing, as well as the “architecture” of the drone program generally. (22)

All Members of Congress who have asked about Targeted Killing Memos and/or policies

  1. Ron Wyden
  2. Dianne Feinstein
  3. Saxby Chambliss
  4. Chuck Grassley
  5. Pat Leahy
  6. Tom Graves
  7. Jerry Nadler
  8. John Conyers
  9. Bobby Scott
  10. Ted Poe
  11. Trey Gowdy
  12. Rand Paul
  13. Mark Udall
  14. Dick Durbin
  15. Tom Udall
  16. Jeff Merkley
  17. Mike Lee
  18. Al Franken
  19. Mark Begich
  20. Susan Collins
  21. John McCain
  22. Bob Goodlatte
  23. Trent Franks
  24. James Sensenbrenner
  25. Barbara Lee
  26. Keith Ellison
  27. Raul Grijalva
  28. Donna Edwards
  29. Mike Honda
  30. Rush Holt
  31. James McGovern