Posts

What We Know about the Section 215 Phone Dragnet and Location Data

Last month’s squabble between Marco Rubio and Ted Cruz about USA Freedom Act led a number of USAF boosters to belatedly understand what I’ve been writing for years: that USAF expanded the universe of people whose records would be collected under the program, and would therefore expose more completely innocent people, along with more potential suspects, to the full analytical tradecraft of the NSA, indefinitely.

In an attempt to explain why that might be so, Julian Sanchez wrote this post, focusing on the limits on location data collection that restricted cell phone collection. Sanchez ignores two other likely factors — the probable inclusion of Internet phone calls and the ability to do certain kinds of connection chaining — that mark key new functionalities in the program which would have posed difficulties prior to USAF. But he also misses a lot of the public facts about location collection and cell phones under the Section 215 dragnet.  This post will lay those out.

The short version is this: the FISC appears to have imposed some limits on prospective cell location collection under Section 215 even as the phone dragnet moved over to it, and it was not until August 2011 that NSA started collecting cell phone records — stripped of location — from AT&T under Section 215 collection rules. The NSA was clearly getting “domestic” records from cell phones prior to that point, though it’s possible they weren’t coming from Section 215 data. Indeed, the only known “successes” of the phone dragnet — Basaaly Moalin and Adis Medunjanin — identified cell phones. It’s not clear whether those came from EO 12333, secondary database information that didn’t include location, or something else.

Here’s the more detailed explanation, along with a timeline of key dates:

There is significant circumstantial evidence that by February 17, 2006 — two months before the FISA Court approved the use of Section 215 of the PATRIOT Act to aspire to collect all Americans’ phone records — the FISA Court required briefing on the use of “hybrid” requests to get real-time location data from targets using a FISA Pen Register together with a Section 215 order. The move appears to have been a reaction to a series of magistrates’ rulings against a parallel practice in criminal cases. The briefing order came in advance of the 2006 PATRIOT Act reauthorization going into effect, which newly limited Section 215 requests to things that could be obtained with a grand jury subpoena. Because some courts had required more than a subpoena to obtain location, it appears, FISC reviewed the practice in the FISC — and, given the BR/PR numbers reported in IG Reports, ended, sometime before the end of 2006 though not immediately.

The FISC taking notice of criminal rulings and restricting FISC-authorized collection accordingly would be consistent with information provided in response to a January 2014 Ron Wyden query about what standards the FBI uses for obtaining location data under FISA. To get historic data (at least according to the letter), FBI used a 215 order at that point. But because some district courts (this was written in 2014, before some states and circuits had weighed in on prospective location collection, not to mention the 11th circuit ruling on historical location data under US v. Davis) require a warrant, “the FBI elects to seek prospective CSLI pursuant to a full content FISA order, thus matching the higher standard imposed in some U.S. districts.” In other words, as soon as some criminal courts started requiring a warrant, FISC apparently adopted that standard. If FISC continued to adopt criminal precedents, then at least after the first US v. Davis ruling, it would have and might still require a warrant (that is, an individualized FISA order) even for historical cell location data (though Davis did not apply to Stingrays).

FISC doesn’t always adopt the criminal court standard; at least until 2009 and by all appearances still, for example, FISC permits the collection, then minimization, of Post Cut Through Dialed Digits collected using FISA Pen Registers, whereas in the criminal context FBI does not collect PCTDD. But the FISC does take notice of, and respond to — even imposing a higher national security standard than what exists at some district levels — criminal court decisions. So the developments affecting location collection in magistrate, district, and circuit courts would be one limit on the government’s ability to collect location under FISA.

That wouldn’t necessarily prevent NSA from collecting cell records using a Section 215 order, at least until the Davis decision. After all, does that count as historic (a daily collection of records each day) or prospective (the approval to collect data going forward in 90 day approvals)? Plus, given the PCTDD and some other later FISA decisions, it’s possible FISC would have permitted the government to collect but minimize location data. But the decisions in criminal courts likely gave FISC pause, especially considering the magnitude of the production.

Then there’s the chaos of the program up to 2009.

At least between January 2008 and March 2009, and to some degree for the entire period preceding the 2009 clean-up of the phone and Internet dragnets, the NSA was applying EO 12333 standards to FISC-authorized metadata collection. In January 2008, NSA co-mingled 215 and EO 12333 data in either a repository or interface, and when the shit started hitting the fan the next year, analysts were instructed to distinguish the two authorities by date (which would have been useless to do). Not long after this data was co-mingled in 2008, FISC first approved IMEI and IMSI as identifiers for use in Section 215 chaining. In other words, any restrictions on cell collection in this period may have been meaningless, because NSA wasn’t heeding FISC’s restrictions on PATRIOT authorized collection, nor could it distinguish between the data it got under EO 12333 and Section 215.

Few people seem to get this point, but at least during 2008, and probably during the entire period leading up to 2009, there was no appreciable analytical border between where the EO 12333 phone dragnet ended and the Section 215 one began.

There’s no unredacted evidence (aside from the IMEI/IMSI permission) the NSA was collecting cell phone records under Section 215 before the 2009 process, though in 2009, both Sprint and Verizon (even AT&T, though to a much less significant level) had to separate out their entirely foreign collection from their domestic, meaning they were turning over data subject to EO 12333 and Section 215 together for years. That’s also roughly the point when NSA moved toward XML coding of data on intake, clearly identifying where and under what authority it obtained the data. Thus, it’s only from that point forward where (at least according to what we know) the data collected under Section 215 would clearly have adhered to any restrictions imposed on location.

In 2010, the NSA first started experimenting with smaller collections of records including location data at a time when Verizon Wireless was named on primary orders. And we have two separate documents describing what NSA considered its first collection of cell data under Section 215 on August 29, 2011. But it did so only after AT&T had stripped the location data from the records.

It appears Verizon never did the same (indeed, Verizon objected to any request to do so in testimony leading up to USAF’s passage). The telecoms used different methods of delivering call records under the program. In fact, in August 2, 2012, NSA’s IG described the orders as requiring telecoms to produce “certain call detail records (CDRs) or telephony metadata,” which may differentiate records that (which may just be AT&T) got processed before turning over. Also in 2009, part of Verizon ended its contract with the FBI to provide special compliance with NSLs. Both things may have affected Verizon’s ability or willingness to custom what it was delivering to NSA, as compared to AT&T.

All of which suggests that at least Verizon could not or chose not to do what AT&T did: strip location data from its call records. Section 215, before USAF, could only require providers to turn over records they kept, it could not require, as USAF may, provision of records under the form required by the government. Additionally, under Section 215, providers did not get compensated after the first two dragnet orders.

All that said, the dragnet has identified cell phones! In fact, the only known “successes” under Section 215 — the discovery of Basaaly Moalin’s T-Mobile cell phone and the discovery of Adis Medunjanin’s unknown, but believed to be Verizon, cell phone — did, and they are cell phones from companies that didn’t turn over records. In addition, there’s another case, cited in a 2009 Robert Mueller declaration preceding the Medunjanin discovery, that found a US-based cell phone.

There are several possible explanations for that. The first is that these phones were identified based off calls from landlines and/or off backbone records (so the phone number would be identified, but not the cell information). But note that, in the Moalin case, there are no known land lines involved in the presumed chain from Ayro to Moalin.

Another possibility — a very real possibility with some of these — is that the underlying records weren’t collected under Section 215 at all, but were instead collected under EO 12333 (though Moalin’s phone was identified before Michael Mukasey signed off on procedures permitting the chaining through US person records). That’s all the more likely given that all the known hits were collected before the point in 2009 when the FISC started requiring providers to separate out foreign (EO 12333) collection from domestic and international (Section 215) collection. In other words, the Section 215 phone dragnet may have been working swimmingly up until 2009 because NSA was breaking the rules, but as soon as it started abiding by the rules — and adhering to FISC’s increasingly strict limits on cell location data — it all of a sudden became virtually useless given the likelihood that potential terrorism targets would use exclusively cell and/or Internet calls just as they came to bypass telephony lines. Though as that happened, the permissions on tracking US persons via records collected under EO 12333, including doing location analysis, grew far more permissive.

In any case, at least in recent years, it’s clear that by giving notice and adjusting policy to match districts, the FISC and FBI made it very difficult to collect prospective location records under FISA, and therefore absent some means of forcing telecoms to strip their records before turning them over, to collect cell data.

Read more

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

James Orenstein Calls Out Jim Comey on His Prevarications about Democracy

At a 10 AM Senate Homeland Security hearing on October 8, Jim Comey read prepared testimony that reiterated his claim that encrypted devices are causing FBI problems, but stated that the Administration is not seeking legislation to do anything about it.

Unfortunately, changing forms of Internet communication and the use of encryption are posing real challenges to the FBI’s ability to fulfill its public safety and national security missions.. This real and growing gap, to which the FBI refers as “Going Dark,” is an area of continuing focus for the FBI; we believe it must be addressed given the resulting risks are grave both in both traditional criminal matters as well as in national security matters. The United States Government is actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services. However, the Administration is not seeking legislation at this time.

That statement got the Administration a lot of good press, with the WaPo declaring “Obama administration opts not to force firms to decrypt data — for now” and the NYT, even after this ruling had been unsealed, reporting, “Obama Won’t Seek Access to Encrypted User Data.” In the actual hearing, Comey was more clear that he did intend to keep asking providers for data and that the government was having “increasingly productive conversations with industry” to get them to do so, inspired in part by government claims about the ISIS threat. Part of that cooperation, per Comey, was “how can we get you to comply with a court order.”

Sometime that same day, on October 8, government lawyers submitted a request to a federal magistrate in Brooklyn to obligate Apple to help unlock a device law enforcement had been unable to unlock on their own.

In a sealed application filed on October 8, 2015, the government asks the court to issue an order pursuant to the All Writs Act, 28 U.S.C. § 1651, directing Apple, Inc. (“Apple”) to assist in the execution of a federal search warrant by disabling the security of an Apple device that the government has lawfully seized pursuant to a warrant issued by this court. Law enforcement agents have discovered the device to be locked, and have tried and failed to bypass that lock. As a result, they cannot gain access to any data stored on the device notwithstanding the authority to do so conferred by this court’s warrant.

The next day the judge, James Orenstein, deferred ruling on whether the All Writs Act is applicable in this case (though he did suggest it probably wasn’t) pending briefing from Apple on how burdensome it would find the request. Orenstein released his memo after giving the government opportunity to review his order.

This is not the first time the government has tried to use the All Writs Act to force providers (Apple, in at least one of the known cases) to help unlock a phone. EFF described two instances from last year in a December post. It also reviewed a 2005 ruling where Orenstein refused to allow the government to use All Writs Act to force telecoms to provide cell site location in real time.

Of course, as Lawfare seems to suggest, it has taken a decade for the decision Orenstein made in that earlier ruling — that the government needs a warrant to get cell tracking from a phone — to finally get fully developed into a debate and some Supreme Court (US v. Jones) and circuit rulings. That’s because in the interim, plenty of magistrates continued to compel providers to give such information to the government.

It’s quite possible the same is true here: that this is not just the third attempt to get a court to issue an All Writs Act to get Apple to provide data, but that instead, a number of magistrates who are more compliant with government wishes have agreed to do so as well. Indeed, as Orenstein noted, that’s a suggestion the government made in its application when it claimed “in other cases, courts have ordered Apple to assist in effectuating search warrants under the authority of the All Writs Act [and that] Apple has complied with such orders.”

What Orenstein did, then, was to make it clear this continues to go on, that even as Jim Comey and others were making public claims (and getting public acclaim) for not seeking legislation that would compel production of encrypted data the government — including, presumably, the FBI — was seeking court orders that would compel production secretly. The key rhetorical move in Orenstein’s order came when Orenstein compared Comey’s public statements claiming to support debate on this issue to the attempt to claim the government had to rely on the All Writs Act because no law existed. In a long footnote, Orenstein quoted from Comey’s Lawfare post,

Democracies resolve such tensions through robust debate …. It may be that, as a people, we decide the benefits here outweigh the costs and that there is no sensible, technically feasible way to optimize privacy and safety in this particular context, or that public safety folks will be able to do their job well enough in a world of universal strong encryption. Those are decisions Americans should make, but I think part of my job is [to] make sure the debate is informed by a reasonable understanding of the costs.

Then Orenstein pointed out that relying on the All Writs Act would undercut precisely the democratic debate Comey claimed to want to have.

Director Comey’s view about how such policy matters should be resolved is in tension, if not entirely at odds, with the robust application of the All Writs Act the government now advocates. Even if CALEA and the Congressional determination not to mandate “back door” access for law enforcement to encrypted devices does not foreclose reliance on the All Writs Act to grant the instant motion, using an aggressive interpretation of that statute’s scope to short-circuit public debate on this controversy seems fundamentally inconsistent with the proposition that such important policy issues should be determined in the first instance by the legislative branch after public debate – as opposed to having them decided by the judiciary in sealed, ex parte proceedings.

To be fair, even as the government was submitting its secret request to Orenstein, Comey was disavowing his former pro-democratic stance, and instead making it clear the government would try to find some other way to get orders forcing providers to comply.

But, given Orenstein’s invitation for Apple to lay out how onerous this is on it, Comey might get the democratic debate he once embraced.

Update: When I wrote this in the middle of the night I misspelled Judge Orenstein’s name. My apologies!

 

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Why Do All the Stingray NDAs Date to 2011 to 2012?

The other day, the Baltimore Sun continued its great work on Stingrays with a report on the most recent court disclosure from the Baltimore Police Department, revealing that instead of the 4,300 uses of its Stingray that it testified to earlier this month, it had in fact used the Stingray 25,000 times, not counting the times it has used it in exigent situations.

While police said earlier this month that the agency had deployed a “Stingray” cell simulator device more than 4,300 times since 2007 Det. Michael Dressel testified Monday that the actual number of times used with a court order was north of 25,000 times. The lesser figure reflected the amount since the department changed the way it documents its use of the device.

[snip]

Dressel said there are a number of scenarios in which police can cite exigent circumstances and proceed without a court order or search warrant. He said he did not know the number of such instances.

The revelation, on its face, reveals two important points. That BPD, at least, doesn’t track all its uses of its Stingray. But also that at some point in time (the original count purported to date back to 2007), the department changed the way it counted Stingrays.

This post started as a reflection on the changing numbers Baltimore Police Department has given for its use of Stingrays. I learned after I posted that the Sun had retracted the 25,000 number.

That said, the now retracted article got me thinking about the data of all the Stingray NDAs.

The two complete non-disclosure agreements we’ve seen — from Erie (June 29, 2012) and Baltimore (July 13, 2011) — as well as some of the partial ones we’ve seen — Tacoma (December 19, 2012), Minneapolis (June 12, 2012), San Bernadino (December 7, 2012), Hillsborough, FL (around March 6, 2012) — all date to around the same 2011 to 2012 time period. But Stingray use goes back well before that, as the contracts released make clear. That’s all not long after the government started trying to protect its use of Stingray to find Daniel Rigmaiden (see the docket starting at document 465 and this contemporaneous coverage of it), which Stephanie Pell and Chris Soghoian point to as the first time use of a Stingray showed up in a criminal proceeding (see 29 ff).

That may not be the explanation — I can think of a number of other possibilities why, starting in 2011, the government changed how it approached Stingray secrecy — but it is a possibility. 2011 is also the year US v. Jones was briefed to SCOTUS, and also the year NSA ultimately gave up its efforts to get location as part of its phone dragnet. It at least appears possible that FBI started pushing out NDAs (or new NDAs) starting in 2011.

Is that what led to the change in how BPD counted these?

In any case, I’m increasingly wondering whether there’s a significant change that took place in 2011 with how the FBI administered Stingray use at the local level, which led, in that year and the next, to a whole new Nondisclosure regime.

 

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

“Information Is No Longer Being Collected in Bulk [Pursuant to 21 U.S.C. § 876]”

Given the details in yesterday’s USAT story on DEA’s dragnet, I wanted to re-examine the DEA declaration revealing details of the phone dragnet in the Shantia Hassanshahi case which I wrote about here. As I noted then, there’s a footnote modifying the claim that the database in question “was suspended in September 2013” that is entirely redacted. And the declaration only states that “information is no longer being collected in bulk pursuant to 21 U.S.C. §876,” not that it is no longer being collected.

According to the USAT, DEA moved this collection to more targeted subpoenas that may number in the thousands.

The DEA asked the Justice Department to restart the surveillance program in December 2013. It withdrew that request when agents came up with a new solution. Every day, the agency assembles a list of the telephone numbers its agents suspect may be tied to drug trafficking. Each day, it sends electronic subpoenas — sometimes listing more than a thousand numbers — to telephone companies seeking logs of international telephone calls linked to those numbers, two official familiar with the program said.

The data collection that results is more targeted but slower and more expensive. Agents said it takes a day or more to pull together communication profiles that used to take minutes.

We should expect this move occurred either in the second half of 2013 (after the dragnet first got shut down) or the first half of 2014 (after DEA backed off its request to restart the draget). And we should expect these numbers to show in the telecoms transparency reports.

But they don’t — or don’t appear to.

Both AT&T and Verizon reported their 2013 numbers for the entire year. They both broke out their 2014 numbers semiannually. (Verizon; AT&T 2013AT&T 2014; h/t Matt Cagle, who first got me looking at these numbers)

Here are the numbers for all subpoenas (see correction below):

Screen Shot 2015-04-08 at 1.50.32 PM

Both companies show a decrease in overall criminal subpoenas from 2013 to 2014. And while Verizon shows a continued decline, AT&T’s subpoena numbers went back up in the second half of 2014, but still lower than half of 2013’s numbers.

In any case, both companies report at least 15% fewer subpoenas in 2014, at a time when — according to what USAT got told — they should have been getting thousands of extra subpoenas a day.

It is possible what we’re seeing is just the decreased utility of phone records. As the USAT notes, criminals are increasingly using messaging platforms that use the Internet rather than telecoms.

But it’s possible the DEA’s dragnet went somewhere else entirely.

Though USAT doesn’t mention it (comparing instead with the Section 215 dragnet, which is not a comparable program because it, like Hemisphere as far as we know, focuses solely on domestic records), the NSA has an even bigger phone and Internet dragnet that collects on drug targets. Indeed, President Obama included “transnational criminal threats” among the uses permitted for data collected in bulk under PPD-28, which he issued January 17, 2014. So literally weeks after DEA supposedly moved to subpoena-based collection in December 2013, the President reiterated support for using NSA (or, indeed, any part of the Intelligence Community) bulk collections to pursue transnational crime, of which drug cartels are the most threatening.

There is no technical reason to need to collect this data in the US. Indeed, given the value of location data, the government is better off collecting it overseas to avoid coverage under US v. Jones. Moreover, as absolutely crummy as DOJ is about disclosing these kinds of subpoenas, it has disclosed them, whereas it continues to refuse to disclose any collection under EO 12333.

Perhaps it is the case that DEA really replaced its dragnet with targeted collection. Or perhaps it simply moved it under a new shell, EO 12333 collection, where it will remain better hidden.

Update: I realized I had used criminal subpoenas for AT&T, but not for Verizon (which doesn’t break out criminal and civil). Moreover, it’s not clear whether the telecoms would consider these criminal or civil subpoenas.

I also realized one other possible explanation why these don’t show up in the numbers. USAT reports that DEA uses subpoenas including thousands of numbers, whereas they used to use a subpoena to get all the records. That is, the telecoms may count each of these subpoenas as just one subpoena, regardless of whether it obtains 200 million or 1,000 numbers. Which would have truly horrifying implications for “Transparency.”

Update: There would be limitations to relying on the NSA’s database (though DEA could create its own for countries of particular interest). First, DEA could not search for US person identifiers without Attorney General approval (though under SPMCA, it could conduct chaining it knew to include US persons). Also, as of August 2014, at least, NSA wasn’t sharing raw EO 12333 data with other agencies, per this Charlie Savage story.

The N.S.A. is also permitted to search the 12333 storehouse using keywords likely to bring up Americans’ messages. Such searches must have “foreign intelligence” purposes, so analysts cannot hunt for ordinary criminal activity.

For now, the N.S.A. does not share raw 12333 intercepts with other agencies, like the F.B.I. or the C.I.A., to search for their own purposes. But the administration is drafting new internal guidelines that could permit such sharing, officials said.

That said, it’s clear that NSA shares metadata under ICREACH with other agencies, explicitly including DEA.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Sonia Sotomayor, John Roberts, and the Riley Decision

In a piece just published at Salon, I look at John Roberts’ citation in his Riley v. California decision of Sonia Sotomayor’s concurrence in US v. Jones, the opinion every privacy argument has invoked since she wrote it two years ago. I argue Roberts uses it to adopt her argument that digital searches are different.

A different part of Sotomayor’s concurrence, arguing that the existing precedent holding that you don’t have a privacy interest in data you’ve given to a third party “is ill suited to the digital age,” has been invoked repeatedly in privacy debates since she wrote it. That’s especially true since the beginning of Edward Snowden’s leaks. Lawsuits against the phone dragnet often cite that passage, arguing that the phone dragnet is precisely the kind of intrusion that far exceeds the intent of old precedent. And the courts have – with the exception of one decision finding the phone dragnet unconstitutional – ruled that until a majority on the Supreme Court endorses this notion, the old precedents hold.

Roberts cited from a different part of Sotomayor’s opinion, discussing how much GPS data on our movements reveals about our personal lives. That appears amid a discussion in which he cites things that make cellphones different: the multiple functions they serve, the different kinds of data we store in the same place, our Web search terms, location and apps that might betray political affiliation, health data or religion. That is, in an opinion joined by all his colleagues, the chief justice repeats Sotomayor’s argument that the sheer volume of this information makes it different.

Roberts’ argument here goes beyond both Antonin Scalia’s property-based opinion and Sam Alito’s persistence-based opinion in US v. Jones.

Which seems to fulfill what I predicted in my original analysis of US v. Jones — that the rest of the Court might come around to Sotomayor’s thinking in her concurrence (which, at the time, no one joined).

Sotomayor, IMO, is the only one ready to articulate where all this is heading. She makes it clear that she sides with those that see a problem with electronic surveillance too.

I would take these attributes of GPS monitoring into account when considering the existence of a reasonable societal expectation of privacy in the sum of one’s public movements. I would ask whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.

[snip]

I would also consider the appropriateness of entrusting to the, in the absence of any oversight from a coordinate branch, a tool so amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent“a too permeating police surveillance,”

And in a footnote, makes a broader claim about the current expectation of privacy than Alito makes.

Owners of GPS-equipped cars and smartphones do not contemplate that these devices will be used to enable covert surveillance of their movements.

Ultimately, the other Justices have not tipped their hand where they’ll come down on more generalized issues of cell phone based surveillance. Sotomayor’s opinion actually doesn’t go much further than Scalia claims to when he says they can return to Katz on such issues–but obviously none of the other Republicans joined her opinion. And all those who joined Alito’s opinion seem to be hiding behind the squishy definitions that will allow them to flip flop when the Administration invokes national security.

Sotomayor’s importance to this decision likely goes beyond laying this groundwork two years ago.

There’s evidence that Sotomayor had a more immediate impact on this case. In a recent speech — as reported by Adam Serwer, who recalled this comment after yesterday’s opinion — Sotomayor suggested she had to walk her colleagues through specific aspects of the case they didn’t have the life experience to understand.

The Supreme Court has yet to issue opinions on many of its biggest cases this term, and Sotomayor offered few hints about how the high court might rule. She did use an example of a recent exchange from oral argument in a case involving whether or not police can search the cell phones of arrestees without a warrant to explain the importance of personal experience in shaping legal judgments.
“One of my colleagues asked, ‘who owns two cell phones, why would anybody?’ In a room full of government lawyers, each one of them has two cell phones,” Sotomayor said to knowing laughter from the audience. “My point is that issue was remedied very quickly okay, that misimpression was.”
The colleague was Chief Justice John Roberts, who along with Justice Antonin Scalia,seemed skeptical during oral arguments in Wurie v. United States that anyone but a drug dealer would need two cell phones.

“That’s why it’s important to have people with different life experiences,” Sotomayor said. ”Especially on a court like the Supreme Court, because we have to correct each other from misimpressions.”

In my Salon piece, I suggest that some years from today, some Court observer (I had Jeffrey Toobin in mind) will do a profile of how Sotomayor has slowly brought her colleagues around on what the Fourth Amendment needs to look like in the digital age.

I come away from this opinion with two strong hunches. First, that years from now, some esteemed court watcher will describe how Sonia Sotomayor has gradually been persuading her colleagues that they need to revisit privacy, because only she would have written this opinion two years ago.

Of course, it likely took Roberts writing the opinion to convince colleagues like Sam Alito. Roberts wrapped it up in nice originalist language, basically channeling James Madison with a smart phone. That’s something that surely required Roberts’ stature and conservatism to pull off.

But if this does serve as a renewed Fourth Amendment, with all the heft that invoking the Founders gives it, I’ll take it.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Unanimous: Cops Need a Warrant to Access Your Phone Data

SCOTUS just unanimously held that cops generally need a warrant to access your cell phone data. Chief Justice Roberts wrote the opinion. The opinion is here.

I’m reading now to figure out what it means. Will update accordingly.

This passage is getting widely cited:

These cases require us to decide how the search incident to arrest doctrine applies to modern cell phones, which are now such a pervasive and insistent part of daily life that  the proverbial visitor from Mars might conclude they were an important feature of human anatomy. A smart phone of the sort taken from Riley was unheard of ten years ago; a significant majority of American adults now own such  phones.

I’m amused by the way Roberts deals with the government’s belated encryption argument.

Encryption isa security feature that some modern cell phones use in addition to password protection. When such phones lock, data becomes protected by sophisticated encryption that  the password. Brief for United States as Amicus Curiae in No. 13–132, p. 11.

[snip]

And data encryption is even further afield. There, the Government focuses on the ordinary operation of a phone’s security features,apart from any active attempt by a defendant or his associates to conceal or destroy evidence upon arrest.

We have also been given little reason to believe that either problem is prevalent.

[snip]

Similarly, the opportunities for officers to search a password-protected phone before data becomes encrypted are quite limited. Law enforcement officers are very unlikely to come upon such a phone in an unlocked state because most phones lock at the touch of a button or, as a default, after some very short period of inactivity. See, e.g., iPhone User Guide for iOS 7.1 Software 10 (2014) (default lock after about one minute). This may explain why the encryption argument was not made until the merits stage in this Court, and has never been considered by the Courts of Appeals

Read more

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

About HR 3361, the NSA Surveillance Efficiency Act, AKA USA Freedom Act

The House Intelligence Committee passed a bill out of its committee Thursday, HR 3361, that will reportedly solve a problem (or problems) the NSA has been struggling with since 2009. The bill will now move to the full House for a vote.

The public — and surely a great majority of members of Congress — have no idea precisely what problem this bill will solve is: planted leaks suggest it has to do with difficulties dealing with cell phone records, perhaps because they include location data. If that is part of the problem, then it’s a fairly recent development, perhaps arising after US v. Jones raised new concerns about the legality of collecting location data without a warrant. There’s also the presumably-related issue of an automated query function; NSA has been struggling to resume that function since its alert function got shut down as a legal violation in 2009. The ability to tie multiple identities from the same person together as NSA runs those alerts may be a related issue.

The bill has not been reported as a fix for NSA’s long-term legal and technical struggles (though LAT’s Ken Dilanian has asked why civil liberties groups are so happy about this given that it will expose more data to NSA collection). Rather, it has been called the USA Freedom Act and reported as a reform of the phone dragnet program, a successful effort to “end” “bulk collection.”

The bill does have the critically important effect of ending the government’s practice of collecting and storing some significant portion of all US call records, beyond whatever US person call records it collects overseas. That, by itself, is the equivalent of defusing a nuclear bomb. It is a very important improvement on the status quo.

It remains entirely unclear — and unexamined, as far as I can tell — whether the bill will increase or decrease the number of entirely innocent Americans who will be subjected to the full range of NSA’s analytical tradecraft because they got swept up based on the guilt by association principle behind contact-chaining, or whether the bill will actually expose more kinds of US person records to the scrutiny of the NSA.

The bill the press is calling USA Freedom Act may also — though we don’t know this either — have the salutary benefit of changing the way the NSA currently collects data under other Section 215, Pen Register, and NSL collection efforts.  The bill requires that all Section 215 (both call record and otherwise), Pen Register, and NSL queries be based on a specific selection term that remains vaguely defined (a definition the House Intelligence Committee considered eliminating before Thursday’s hearing). But it remains unclear how much that rule — even ignoring questions about the definition — will limit any current practices. At Wednesday’s hearing Bob Goodlatte said the bill “preserves the individual use of Section 215 under the existing relevancy standard for all business records,” and at least for several NSL authorities, the new “restrictions” almost certainly present no change (and another NSL authority, the Right to Financial Privacy Act, uses the same “entity” language the bill definition does, suggesting it is unlikely to change either). Plus, at least according to DOJ’s public claims and court filings, it ended the bulk domestic collection under PRTT in 2011. So the language “ending” “bulk collection” may do no more than make it harder for FBI to construct its own phone books of phone company and ISP subscribers using NSLs, if it does even that.

What the bill doesn’t do — because this part of the bill was stripped as part of the compromise — is provide the Intelligence Community’s oversight committees detailed reports of what kind of records the government obtains under Section 215 (and for what agencies), and how many Americans are subject to all the FISA authorities, including Section 215. That is, the compromise eliminated the one thing that could measure whether the bill really did “end” “bulk collection” as you or I would understand it. In its stead, the bill largely codifies an existing reporting agreement that AT&T has already demonstrated to be completely deceptive. In Wednesday’s hearing, Zoe Lofgren called provider reporting “the canary in the coal mine” the committee would rely on to understand what collection occurred.

So this bill that “ends” “bulk collection” still prevents us, or even the oversight committees working in our name, from learning whether it does so.

It does, however, have some interesting features, given its other purpose of solving one or more challenges facing the NSA.

The first of those is immunity.

No cause of action shall lie in any court against a person who produces tangible things or provides information, facilities, or technical assistance pursuant to an  order issued or an emergency production required under this section. 

This is another part of the bill the underlying reasons for which the public, and probably much of Congress, doesn’t understand. At one level, it seems to immunize the process that may have telecoms playing a role the NSA previously did, analyzing the data; it may also pertain to providing NSA access to the telecoms’ physical facilities. But given the background to the move to telecoms — NSA’s legal-technical problems dealing with cell phone data because it ties to location — it is possible the immunity gives the telecoms protection if they use but don’t turn over data they have already, such as location data or even Internet metadata, to perform the interim analysis.

Consider how the bill describes the call record query process.

[T]he Government  may require the production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using the results of the production under subclause (I) as the basis for production;

So a 2-hop query goes from a “specific selection term” to “the results of the production” to the “call detail record” handed over to the government. While the definition of call detail records clearly prohibits the final production to the government of either content or cell location, nothing in this process description prevents the telecoms from using such things (most Internet metadata is legally content to the telecoms) in that interim hop; indeed, the “results of the production under subclause (I)” available to the telecoms almost certainly would include some of this information, particularly for smart phones. We know the Hemisphere program (the AT&T-specific program for the DEA) uses cell location in its analysis. Remember, too, how NSA is gobbling up smart phone data (including things like address books) in overseas programs; this may permit analysis of similar data — if not collection of it — domestically.  So at the very least, this scheme seems to give the NSA access to cell location and possibly a whole lot more data for analysis they otherwise couldn’t get (which David Sanger’s sources confirm).

And consider two more details from Wednesday’s House Judiciary hearing. At it, Lofgren repeated a list of business records the government might obtain under Section 215 she got Deputy Attorney General James Cole to confirm at an earlier hearing. It includes:

  • ATM photos
  • location where phone calls made
  • credit card transactions
  • cookies
  • Internet searches
  • pictures captured by CCTV cameras

So long as the word “entity” in the definition of specific selection term remains undefined, so long as FISC precedents permit the tapping of entire circuits in the name of collecting on an entity, the government may still be able to collect massive amounts of this data, not actually targeted at a suspect but rather something defined as an entity (in both the existing 215 program and the new call records one the bill retains the “relevant to” language that has been blown up beyond meaning).

Finally, consider what happened with Lofgren’s last attempted amendment. After having submitted a number of other failed amendments, Lofgren submitted an amendment to fix what she called an inadvertent error in the manager’s amendment specifically prohibiting the collection of content under Section 215.

I believe this amendment fixes — at least I hope — an error that was created in the manager’s amendment that I cannot believe was intended. As you know we have specified that the content is not included in business records. This amendment clarifies that business records do not include the content of communication. We specify that in the new section about call detail records, but but the specification that content was not included somehow got dropped out of the business records section. It was included in your original bill but it didn’t make it into the manager’s amendment. I think this amendment clarifies the ambiguity that could be created and I hope it was not intentional.

This is a problem I pointed out here.

Almost without missing a beat after she introduced this, Jim Sensenbrenner recessed the hearing, citing votes. While there were, in fact, votes, Luis Pierluisi (who cast the decisive vote in favor of an amendment to redefine counterintelligence) and possibly Lofgren got a lecture at the break about how any such amendments might blow up the deal the Committee had with Mike Rogers and HPSCI. After the break, Lofgren withdrew the amendment, expressing hope it could be treated as a clerical fix.

That purported error was not fixed before HPSCI (which explicitly permitted the collection of content under its bill) voted out the bill.

Perhaps it will be “fixed” before it comes to the floor.

But if it doesn’t, it may expand (or, given Lofgren’s stated concerns about what records Section 215 might cover, sustain) the use of Section 215 to collect content, not just metadata. Imagine the possibility this gets yoked to expanded analysis at telecoms under the new CDR program?

We don’t know. This bill has gotten past two committees of Congress (we didn’t get to see any of the debate at HPSCI) without these details becoming clear. But the questions raised by this bill when you consider it as the fix to one or more problems the NSA has been struggling with, it does raise real questions.

Again, I don’t want to make light of the one thing we know this bill will do — take a database showing all phone-based relationships in the country out of NSA’s hands. That eliminates an intolerably risky program. That is an important fix.

But that shouldn’t lead us to ignore the potential expansion of spying that may come with this bill.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Verizon Publicity Stunt, Mosaic Theory, and Collective Fourth Amendment Rights

On Friday, I Con the Record revealed that a telecom — Ellen Nakashima confirms it was Verizon — asked the FISA Court to make sure its January 3 order authorizing the phone dragnet had considered Judge Richard Leon’s December 16 decision that it was unconstitutional. On March 20, Judge Rosemary Collyer issued an opinion upholding the program.

Rosemary Collyer’s plea for help

Ultimately, in an opinion that is less shitty than FISC’s previous attempts to make this argument, Collyer examines the US v. Jones decision at length and holds that Smith v. Maryland remains controlling, mostly because no majority has overturned it and SCOTUS has provided no real guidance as to how one might do so. (Her analysis raises some of the nuances I laid out here.)

The section of her opinion rejecting the “mosaic theory” that argues the cumulative effect of otherwise legal surveillance may constitute a search almost reads like a cry for help, for guidance in the face of the obvious fact that the dragnet is excessive and the precedent that says it remains legal.

A threshold question is which standard should govern; as discussed above, the court of appeals’ decision in Maynard and two concurrences in Jones suggest three different standards. See Kerr, “The Mosaic Theory of the Fourth Amendment,” 111 Mich. L. Rev. at 329. Another question is how to group Government actions in assessing whether the aggregate conduct constitutes a search.See id. For example, “[w]hich surveillance methods prompt a mosaic approach? Should courts group across surveillance methods? If so, how? Id. Still another question is how to analyze the reasonableness of mosaic searches, which “do not fit an obvious doctrinal box for determining reasonableness.” Id. Courts adopting a mosaic theory would also have to determine whether, and to what extent, the exclusionary rule applies: Does it “extend over all the mosaic or only the surveillance that crossed the line to trigger a search?”

[snip]

Any such overhaul of Fourth Amendment law is for the Supreme Court, rather than this Court, to initiate. While the concurring opinions in Jones may signal that some or even most of the Justices are ready to revisit certain settled Fourth Amendment principles, the decision in Jones itself breaks no new ground concerning the third-party disclosure doctrine generally or Smith specifically. The concurring opinions notwithstanding, Jones simply cannot be read as inviting the lower courts to rewrite Fourth Amendment law in this area.

As I read these passages, I imagined that Collyer was trying to do more than 1) point to how many problems overruling the dragnet would cause and 2) uphold the dignity of the rubber stamp FISC and its 36+ previous decisions the phone dragnet is legal.

There is reason to believe she knows what we don’t, at least not officially: that even within the scope of the phone dragnet, the dragnet is part of more comprehensive mosaic surveillance, because it correlates across platforms and identities. And all that’s before you consider how, once dumped into the corporate store and exposed to NSA’s “full range of analytic tradecraft,” innocent Americans might be fingerprinted to include our lifestyles.

That is, not only doesn’t Collyer see a way (because of legal boundary concerns about the dragnet generally, and possibly because of institutional concerns about FISC) to rule the dragnet illegal, but I suspect she sees the reverberations that such a ruling would have on the NSA’s larger project, which very much is about building mosaics of intelligence.

No wonder the government is keeping that August 20, 2008 opinion secret, if it indeed discusses the correlations function in the dragnet, because it may well affect whether the dragnet gets assessed as part of the mosaic NSA uses it as.

Verizon’s flaccid but public legal complaint

Now, you might think such language in Collyer’s opinion would invite Verizon to appeal this decision. But given this lukewarm effort, it seems unlikely to do so. Consider the following details:

Leon issued his decision December 16. Verizon did not ask the FISC for guidance (which makes sense because they are only permitted to challenge orders).

Verizon got a new Secondary Order after the January 3 reauthorization. It did not immediately challenge the order.

It only got around to doing so on January 22 (interestingly, a few days after ODNI exposed Verizon’s role in the phone dragnet a second time), and didn’t do several things — like asking for a hearing or challenging the legality of the dragnet under 50 USC 1861 as applied — that might reflect real concern about anything but the public appearance of legality. (Note, that timing is of particular interest, given that the very next day, on January 23, PCLOB would issue its report finding the dragnet did not adhere to Section 215 generally.)

Indeed, this challenge might not have generated a separate opinion if the government weren’t so boneheaded about secrecy.

Verizon’s petition is less a challenge of the program than an inquiry whether the FISC has considered Leon’s opinion.

It may well be the case that this Court, in issuing the January 3,2014 production order, has already considered and rejected the analysis contained in the Memorandum Order. [redacted] has not been provided with the Court’s underlying legal analysis, however, nor [redacted] been allowed access to such analysis previously, and the order [redacted] does not refer to any consideration given to Judge Leon’s Memorandum Opinion. In light of Judge Leon’s Opinion, it is appropriate [redacted] inquire directly of the Court into the legal basis for the January 3, 2014 production order,

As it turns out, Judge Thomas Hogan (who will take over the thankless presiding judge position from Reggie Walton next month) did consider Leon’s opinion in his January 3 order, as he noted in a footnote.

Screen Shot 2014-04-28 at 10.49.42 AM

And that’s about all the government said in its response to the petition (see paragraph 3): that Hogan considered it so the FISC should just affirm it.

Verizon didn’t know that Hogan had considered the opinion, of course, because it never gets Primary Orders (as it makes clear in its petition) and so is not permitted to know the legal logic behind the dragnet unless it asks nicely, which is all this amounted to at first.

Note that the government issued its response (as set by Collyer’s scheduling order) on February 12, the same day it released Hogan’s order and its own successful motion to amend it. So ultimately this headache arose, in part, because of the secrecy with which it treats even its most important corporate spying partners, which only learn about these legal arguments on the same schedule as the rest of us peons.

Yet in spite of the government’s effort to dismiss the issue by referencing Hogan’s footnote, Collyer said because Verizon submitted a petition, “the undersigned Judge must consider the issue anew.” Whether or not she was really required to or could have just pointed to the footnote that had been made public, I don’t know. But that is how we got this new opinion.

Finally, note that Collyer made the decision to unseal this opinion on her own. Just as interesting, while neither side objected to doing so, Verizon specifically suggested the opinion could be released with no redactions, meaning its name would appear unredacted.

The government contends that certain information in these Court records (most notably, Petitioner’s identity as the recipient of the challenged production order) is classified and should remain redacted in versions of the documents that are released to the public. See Gov’t Mem. at 1. Petitioner, on the other hand, “request[s] no redactions should the Court decide to unseal and publish the specified documents.” Pet. Mem. at 5. Petitioner states that its petition “is based entirely on an assessment of [its] own equities” and not on “the potential national security effects of publication,” which it “is in no position to evaluate.” Id.

I’ll return to this. But understand that Verizon wanted this opinion — as well as its own request for it — public.

Read more

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

DOJ Inspector General Investigating DEA’s Use of Parallel Construction under Hemisphere

Screen Shot 2014-04-18 at 11.02.49 AMAs I noted in my last post, DOJ’s Inspector General recently created a page showing their ongoing investigations. It shows some things not described in Inspector General Michael Horowitz’ last report to Congress.

Of particular interest is this investigation.

Administrative Subpoenas

The OIG is examining the DEA’s use of administrative subpoenas to obtain broad collections of data or information. The review will address the legal authority for the acquisition or use of these data collections; the existence and effectiveness of any policies and procedural safeguards established with respect to the collection, use, and retention of the data; the creation, dissemination, and usefulness of any products generated from the data; and the use of “parallel construction” or other techniques to protect the confidentiality of these programs.

The description doesn’t say it, but this is Hemisphere, the program under which DEA submits administrative subpoenas to AT&T for phone records from any carrier that uses AT&T’s backbone. DEA gets information matching burner phones as well as the call records. In addition, it gets some geolocation — and continued to increase what it was getting even after US v Jones raised concerns about such tracking.

The presentation on Hemisphere makes it very clear the government uses “parallel construction” to hide Hemisphere.

Protecting the Program: When a complete set of CDRs are subpoenaed from the carrier, then all memorialized references to relevant and pertinent calls can be attributed to the carrier’s records, thus “walling off” the information obtained from Hemisphere. In other words, Hemisphere can easily be protected if it is used as a pointed system to uncover relevant numbers.

Exigent Circumstances — Protecting the Program: In special cases, we realize that it might not be possible to obtain subpoenaed phone records that will “wall off” Hemisphere. In these special circumstances, the Hemisphere analyst should be contacted immediately. The analyst will work with the investigator and request a separate subpoena to AT&T.

Official Reporting — Protecting the Program: All requestors are instructed to never refer to Hemisphere in any official document. If there is no alternative to referencing a Hemisphere request, then the results should be referenced as information obtained from an AT&T subpoena.

And this is not the only area where DEA Is using parallel construction to hide where it gets its investigative leads. Reuters reported in August that DEA also uses parallel construction to hide the leads it gets from purportedly national security-related wiretapping.

A secretive U.S. Drug Enforcement Administration unit is funneling information from intelligence intercepts, wiretaps, informants and a massive database of telephone records to authorities across the nation to help them launch criminal investigations of Americans.

Although these cases rarely involve national security issues, documents reviewed by Reuters show that law enforcement agents have been directed to conceal how such investigations truly begin – not only from defense lawyers but also sometimes from prosecutors and judges.

The undated documents show that federal agents are trained to “recreate” the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant’s Constitutional right to a fair trial. If defendants don’t know how an investigation began, they cannot know to ask to review potential sources of exculpatory evidence – information that could reveal entrapment, mistakes or biased witnesses.

[snip]

The two senior DEA officials, who spoke on behalf of the agency but only on condition of anonymity, said the process is kept secret to protect sources and investigative methods. “Parallel construction is a law enforcement technique we use every day,” one official said. “It’s decades old, a bedrock concept.”

A dozen current or former federal agents interviewed by Reuters confirmed they had used parallel construction during their careers. Most defended the practice; some said they understood why those outside law enforcement might be concerned.

Presuming that Horowitz is investigating whether DEA’s extensive use of parallel construction complies with the Constitution (and not, as is possible, whether the sources of this information are being adequately buried), this is welcome news indeed.

But it’s also one of several reasons why I’m particularly alarmed, in retrospect, that Horowitz is complaining about his ability to get grand jury information without having to get either Attorney General Holder or Deputy Attorney General James Cole to personally approve it.

After all, the only way you can learn what truly happens in prosecutions that have used parallel construction to hide their sources is to work backward from the actual prosecution. Read more

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

SPCMA: The Other NSA Dragnet Sucking In Americans

Screen Shot 2014-02-16 at 10.42.09 PMIn December, I wrote a post noting that NSA personnel performing analysis on PATRIOT-authorized metadata (both phone or Internet) can choose to contact chain on just that US-collected data, or — in what’s call a “federated query” — on foreign collected data, collected under Executive Order 12333, as well. It also appears (though I’m less certain of this) that analysts can do contact chains that mix phone and Internet data, which presumably is made easier by the rise of smart phones.

Section 215 is just a small part of the dragnet

This is one reason I keep complaining that journalists reporting the claim that NSA only collects 20-30% of US phone data need to specify they’re talking about just Section 215 collection. Because we know, in part because Richard Clarke said this explicitly at a Senate Judiciary Committee hearing last month, that Section “215 produces a small percentage of the overall data that’s collected.” At the very least, the EO 12333 data will include the domestic end of any foreign-to-domestic calls it collects, whether made via land line or cell. And that doesn’t account for any metadata acquired from GCHQ, which might include far more US person data.

The Section 215 phone dragnet is just a small part of a larger largely-integrated global dragnet, and even the records of US person calls and emails in that dragnet may derive from multiple different authorities, in addition to the PATRIOT Act ones.

SPCMA provided NSA a second way to contact chain on US person identifiers

With that background, I want to look at one part of that dragnet: “SPCMA,” which stands for “Special Procedures Governing Communications Metadata Analysis,” and which (the screen capture above shows) is one way to access the dragnet of US-collected (“1st person”) data. SPCMA provides a way for NSA to include US person data in its analysis of foreign-collected intelligence.

According to what is currently in the public record, SPCMA dates to Ken Wainstein and Steven Bradbury’s efforts in 2007 to end some limits on NSA’s non-PATRIOT authority metadata analysis involving US persons. (They don’t call it SPCMA, but the name of their special procedures match the name used in later years; the word, “governing,” is for some reason not included in the acronym)

Wainstein and Bradbury were effectively adding a second way to contact chain on US person data.

They were proposing this change 3 years after Collen Kollar-Kotelly permitted the collection and analysis of domestic Internet metadata and 1 year after Malcolm Howard permitted the collection and analysis of domestic phone metadata under PATRIOT authorities, both with some restrictions, By that point, the NSA’s FISC-authorized Internet metadata program had already violated — indeed, was still in violation — of Kollar-Kotelly’s category restrictions on Internet metadata collection; in fact, the program never came into compliance until it was restarted in 2010.

By treating data as already-collected, SPCMA got around legal problems with Internet metadata

Against that background, Wainstein and Bradbury requested newly confirmed Attorney General Michael Mukasey to approve a change in how NSA treated metadata collected under a range of other authorities (Defense Secretary Bob Gates had already approved the change). They argued the change would serve to make available foreign intelligence information that had been unavailable because of what they described as an “over-identification” of US persons in the data set.

NSA’s present practice is to “stop” when a chain hits a telephone number or address believed to be used by a United States person. NSA believes that it is over-identifying numbers and addresses that belong to United States persons and that modifying its practice to chain through all telephone numbers and addresses, including those reasonably believed to be used by a United States person, will yield valuable foreign intelligence information primarily concerning non-United States persons outside the United States. It is not clear, however, whether NSA’s current procedures permit chaining through a United States telephone number, IP address or e-mail address.

They also argued making the change would pave the way for sharing more metadata analysis with CIA and other parts of DOD.

The proposal appears to have aimed to do two things. First, to permit the same kind of contact chaining — including US person data — authorized under the phone and Internet dragnets, but using data collected under other authorities (in 2007, Wainstein and Bradbury said some of the data would be collected under traditional FISA). But also to do so without the dissemination restrictions imposed by FISC on those PATRIOT-authorized dragnets.

In addition (whether this was one of the goals or not), SPCMA defined metadata in a way that almost certainly permitted contact chaining on metadata not permitted under Kollar-Kotelly’s order.

“Metadata” also means (1) information about the Internet-protocol (IP) address of the computer from which an e-mail or other electronic communication was sent and, depending on the circumstances, the IP address of routers and servers on the Internet that have handled the communication during transmission; (2) the exchange of an IP address and e-mail address that occurs when a user logs into a web-based e-mail service; and (3) for certain logins to web-based e-mail accounts, inbox metadata that is transmitted to the user upon accessing the account.

Some of this information — such as the web-based email exchange — almost certainly would have been excluded from Kollar-Kotelly’s permitted categories because it would constitute content, not metadata, to the telecoms collecting it under PATRIOT Authorities.

Wainstein and Bradbury appear to have gotten around that legal problem — which was almost certainly the legal problem behind the 2004 hospital confrontation — by just assuming the data was already collected, giving it a sort of legal virgin birth.

Doing so allowed them to distinguish this data from Pen Register data (ironically, precisely the authority Kollar-Kotelly relied on to authorize PATRIOT-authorized Internet metadata collection) because it was no longer in motion.

First, for the purpose of these provisions, “pen register” is defined as “a device or process which records or decodes dialing, routing, addressing or signaling information.” 18 U.S.C. § 3127(3); 50 U.S.C. § 1841 (2). When NSA will conduct the analysis it proposes, however, the dialing and other information will have been already recorded and decoded. Second, a “trap and trace device” is defined as “a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing and signaling information.” 18 U.S.C. § 3127(4); 50 U.S.C. § 1841(2). Again, those impulses will already have been captured at the point that NSA conducts chaining. Thus, NSA’s communications metadata analysis falls outside the coverage of these provisions.

And it allowed them to distinguish it from “electronic surveillance.”

The fourth definition of electronic surveillance involves “the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication …. ” 50 U.S.C. § 1802(f)(2). “Wire communication” is, in turn, defined as “any communication while it is being carried by a wire, cable, or other like com1ection furnished or operated by any person engaged as a common carrier …. ” !d. § 1801 (1). The data that the NSA wishes to analyze already resides in its databases. The proposed analysis thus does not involve the acquisition of a communication “while it is being carried” by a connection furnished or operated by a common carrier.

This legal argument, it seems, provided them a way to carve out metadata analysis under DOD’s secret rules on electronic surveillance, distinguishing the treatment of this data from “interception” and “selection.”

For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto, contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”

This approach reversed an earlier interpretation made by then Counsel of DOJ’s Office of Intelligence and Policy Review James A Baker.

Baker may play an interesting role in the timing of SPCMA. He had just left in 2007 when Bradbury and Wainstein proposed the change. After a stint in academics, Baker served as Verizon’s Assistant General Counsel for National Security (!) until 2009, when he returned to DOJ as an Associate Deputy Attorney General. Baker, incidentally, got named FBI General Counsel last month.

NSA implemented SPCMA as a pilot in 2009 and more broadly in 2011

It wasn’t until 2009, amid NSA’s long investigation into NSA’s phone and Internet dragnet violations that NSA first started rolling out this new contact chaining approach. I’ve noted that the rollout of this new contact-chaining approach occurred in that time frame.

Comparing the name …

SIGINT Management Directive 424 (“SIGINT Development-Communications Metadata Analysis”) provides guidance on the NSA/ CSS implementation of the “Department of Defense Supplemental Procedures Governing Communications Metadata Analysis” (SPCMA), as approved by the U.S. Attorney General and the Secretary of Defense. [my emphasis]

And the description of the change …

Specifically, these new procedures permit contact chaining, and other analysis, from and through any selector, irrespective of nationality or location, in order to follow or discover valid foreign intelligence targets. (Formerly analysts were required to determine whether or not selectors were associated with US communicants.) [emphasis origina]

,,, Make it clear it is the same program.

NSA appears to have made a few changes in the interim. Read more

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.