Posts

Richard Burr’s Backdoor Data Retention Amendment

The Senate Intelligence Authorization is now available here.

In addition to language requiring social media companies to report terrorist activity on their network to the government — which yesterday Jim Comey said they didn’t need — it has a provision that might lead to data retention mandates under USA F-ReDux. It requires reporting if any provider stops retaining call detail records for at least 18 months.

SEC. 602. NOTIFICATION OF CHANGES TO RETENTION OF CALL DETAIL RECORD POLICIES.
(a) Requirement To Retain.—Not later than 15 days after learning that an electronic communication service provider that generates call detail records in the ordinary course of business has changed its policy on the retention of such call detail records to result in a retention period of less than 18 months, the Director of National Intelligence shall provide written notification of such change to the congressional intelligence committees.

(b) Definitions.—In this section:

(1) CALL DETAIL RECORD.—The term “call detail record”—

(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location or global positioning system information.

(2) ELECTRONIC COMMUNICATION SERVICE.—The term “electronic communication service” has the meaning given that term in section 2510 of title 18, United States Code. [my emphasis]

The important details of this provision, however, are in the definitions.

This retention requirement applies to all electronic communication service providers that generate call detail records. That means it applies not just to telecoms, traditionally defined, but also to internet service providers. And the definition of call detail record relies on “session identifier,” not any phone call made.

That either confirms that USA F-ReDux will apply to Internet companies as well as phone companies, and/or it suggests SSCI wants data retention to apply to far more than just the newfangled phone dragnet.

Google Applauds USA F-ReDux Because It “Modernizes” Surveillance

Thus far, none of the Internet providers who have issued statements in support of the latest incarnation of USA Freedom Act (which I’m calling USA F-ReDux) have mentioned that they will be getting expansive immunity and compensation for helping the government spy on you.

Google didn’t mention it either.

Along with two other features, Google argues USA F-ReDux would,

[E]nd the bulk collection of communications metadata under various legal authorities. This not only includes telephony metadata collected under Section 215, but also Internet metadata that has been or could be collected under other legal authorities.

I find that an interesting way to describe the bill, particularly given that Google calls this “modernizing” surveillance, not limiting it.

Congress Has Only A Few Weeks Left to Modernize Surveillance Laws

Both the government and some providers used that same language — “modernize” — during the FISA Amendments Act, too. Sure, that was partly because it accommodated the law to growing Internet reliance. USA F-ReDux will do that too, to the extent it allows the government to obtain metadata for things like Google Meet-Ups and other VOIP calls and Internet messaging, which the government needs if it really wants dragnet coverage. FAA also involved deputizing Internet providers so that their data could no longer be collected in bulk by phone companies.

Modernizing surveillance, they called that.

And as I’ve just begun to lay out, this bill will set up a system similar in many respects to PRISM, where the government would go to the provider to get what they wanted on a target. Under PRISM, what the government wanted quickly expanded. Within 6 months of the roll-out of PRISM, the government was already asking for 9 different types of data from providers like Yahoo, apparently spanning Yahoo’s four business functions (meaning email, information services, data storage, and Yahoo internal functions).

Here, as with FAA, the government will go to providers to get what they want. And given that the bill permits the government to ask providers to chain on non-Call Detail Record session identifiers (things like cookies and location data), the government will benefit from, though not directly access, some of the same data that the government started obtaining under PRISM. And while I would hope the FISA Court would exert some oversight, I would also bet the government will make increasingly expansive claims about what constitutes a “session identifier” that can be used to chain (we know that, overseas, they chain on address books and photographs, for example).

And in one way, USA F-ReDux is worse than PRISM. Unlike FAA, USA F-ReDux will feature an added role for a Booz-type contractor compiling all this data, possibly in some cloud somewhere that would be about as safe as all the documents Edward Snowden took, to make it easier to chain across providers.

This is what Google celebrates as “modernization.”

But let’s go back to Google’s representation of this as ending bulk collection of, “Internet metadata that has been or could be collected under other legal authorities.”

We’ve long discussed the Section 215 dragnet as covering just calls made by phone companies (though Verizon’s Counsel, in a hearing last year, noted that the government would have to get VOIP if it wanted full coverage).

But that’s not true. As I reported the other day, at least one of the phone metadata dragnets was collecting VOIP metadata. Google’s VOIP metadata. In fact, the only known use of the DEA dragnet involved a US user subscribing to Google calls.

In other words, the Shantia Hassanshahi case is important not just because it led to us learning about the DEA dragnet, but because it revealed that (in addition to Google’s Internet metadata being collected under PRTT illegally for years), Google’s VOIP data also got sucked up in at least one phone dragnet.

Google doesn’t like other people being able to spy on its customers.

But now that USA F-ReDux will return it to the position of having the monopoly on spying on its customers, it calls this “modernization.”

USA F-ReDux: Chaining on “Session Identifying Information” that Is Not Call Detail Records

The House Judiciary Committee just released the latest incarnation of USA Freedom Act, which for now I’m calling USA F-ReDux.

One thing they’ve changed from the Patrick Leahy version is to reword what, under Leahy’s bill, provided for two hops of “connection chaining,” without defining what “connection chaining” meant.

Now, they provide a first hop that produces call detail records…

(iii) provide that the Government may require the prompt production of a first set of call detail records using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii);

Later on in the bill, they define call detail record, which is what it was under the Leahy bill.

‘(3) CALL DETAIL RECORD.—The term ‘call detail record’—

(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location or global positioning system information.

In other words, that first hop cannot include one definition of content or, most importantly, cell site location.

But the second one can.

The second hop is based off session-identifying information that is not limited by that CDR definition.

(iv) provide that the Government may require the prompt production of a second set of call detail records using session-identifying information or a telephone calling card number identified by the specific selection term used to produce call detail records under clause (iii)

They might as well have said, you can get call detail records, which we’ll define as a limited kind of session-identifying information, and then you can get call detail records (which have to be no more than a SIM card ID) using session-identifying information that doesn’t qualify under our CDR definition.

And that second session-identifying information could easily include cell location, cookies and permacookies, or a slew of other things that count as session-identifying information when you’re talking smart phones.

In other words, this seems to confirm the concerns I have had from day one that by going to the providers, they intend to do chaining off of information that doesn’t qualify under the narrow definition of session-identifying information.

Update: Here’s one more piece of evidence this is about getting smart phone data. USA F-ReDux introduces a new definition of “specific selection term” just for the CDR function. And it specifically permits the chaining on “accounts.”

(B) CALL DETAIL RECORD APPLICATIONS.—For purposes of an application submitted under subsection (b)(2)(C), the term ‘specific selection term’ means a term that specifically identifies an individual, account, or personal device.

Now, it’s possible that they just mean to chain on Friends and Family accounts, as AT&T will gladly do with just an NSL.

Except you get into accounts when you’re dealing with calls and messaging tied to a computer account and not any device. So they could chain on my “emptywheel” account to get Skype calls.

That’s fine, to an extent. They need such accounts to have anything close to full coverage, given how much messaging traffic takes place online. But that also says you’re already broaching any distinction between “calls” and Internet.

Yes, the Government Does Spy Under Grandfathered Approvals

Charlie Savage is catching no end of shit today because he reported on a provision in the PATRIOT Act (one I just noticed Tuesday, actually, when finding the sunset language for something else) that specifies ongoing investigations may continue even after a sunset.

The law says that Section 215, along with another section of the Patriot Act, expires on “June 1, 2015, except that former provisions continue in effect with respect to any particular foreign intelligence investigation that began before June 1, 2015, or with respect to any particular offense or potential offense that began or occurred before June 1, 2015.”

Michael Davidson, who until his retirement in 2011 was the Senate Intelligence Committee’s top staff lawyer, said this meant that as long as there was an older counterterrorism investigation still open, the court could keep issuing Section 215 orders to phone companies indefinitely for that investigation.

“It was always understood that no investigation should be different the day after the sunset than it was the day before,” Mr. Davidson said, adding: “There are important reasons for Congress to legislate on what, if any, program is now warranted. But considering the actual language of the sunset provision, no one should believe the present program will disappear solely because of the sunset.”

Mr. Davidson said the widespread assumption by lawmakers and executive branch officials, as well as in news articles in The New York Times and elsewhere, that the program must lapse next summer without new legislation was incorrect.

The exception is obscure because it was recorded as a note accompanying Section 215; while still law, it does not receive its own listing in the United States Code. It was created by the original Patriot Act and was explicitly restated in a 2006 reauthorization bill, and then quietly carried forward in 2010 and in 2011.

Now, I’m happy to give Savage shit when I think he deserves it. But I’m confident those attacking him now are wrong.

Before I get into why, let me first say that to some degree it is moot. The Administration believes that, legally, it needs no Congressional authorization to carry out the phone dragnet. None. What limits its ability to engage in the phone dragnet is not the law (at least not until some courts start striking the Administration’s interpretation down). It’s the willingness of the telecoms to cooperate. Right now, the government appears to have a significant problem forcing Verizon to fully cooperate. Without Verizon, you don’t have an effective dragnet, which is significantly what USA Freedom and other “reform” efforts are about, to coerce or entice Verizon’s full cooperation without at the same time creating a legal basis to kill the entire program.

That said, not only is Davidson likely absolutely correct, but there’s precedent at the FISA Court for broadly approving grandfathering claims that make dubious sense.

As Davidson noted elsewhere in Savage’s story, the FBI has ongoing enterprise investigations that don’t lapse — and almost certainly have not lapsed since 9/11. Indeed, that’s the investigation(s) the government appears, from declassified documents, to have argued the dragnet is “relevant” to. So while some claim this perverts the definition of “particular,” that’s not the word that’s really at issue here, it’s the “relevant to” interpretation that USAF leaves intact, effectively ratifying (this time with uncontested full knowledge of Congress) the 2004 redefinition of it that everyone agrees was batshit insane. If you want to prevent this from happening, you need to affirmatively correct that FISA opinion, not to mention not ratify the definition again, which USAF would do (as would a straight reauthorization of PATRIOT next year).

And as I said, there is precedent for this kind of grandfathering at FISA, all now in the public record thanks to the declassification of the Yahoo challenge documents (and all probably known to Davidson, given that he was a lead negotiator on FISA Amendments Act which included significant discussion about sunset procedures, which they lifted from PAA).

For starters, on January 15, 2008, in an opinion approving the certifications for Protect America Act submitted in August and September 2007, Colleen Kollar-Kotelly approved the grand-fathering of the earlier 2007 large content dockets based on the government’s argument that they had generally considered the same factors they promised to follow under the PAA certifications and would subject the data obtained to the post-collection procedures in the certifications. (See page 15ff)

Effectively then, this permitted them to continue collection under the older, weaker protections, under near year-long PAA certifications.

In the weeks immediately following Kollar-Kotelly’s approval of the underlying certifications (though there’s evidence they had planned the move as far back as October, before they served Directives on Yahoo), the government significantly reorganized their FAA program, bringing FBI into a central role in the process and almost certainly setting up the back door searches that have become so controversial. They submitted new certifications on January 31, 2008, on what was supposed to be the original expiration date of the PAA. As Kollar-Kotelly described in a June 18, 2008 opinion (starting at 30), that came to her in the form of new procedures received on February 12, 2008, 4 days before the final expiration date of PAA.

On February 12, 2008, the government filed in each of the 07 Dockets additional sets of procedures used by the Federal Bureau of Investigation (FBI) when that agency acquires foreign intelligence information under PAA authorities. These procedures were adopted pursuant to amendments made by the Attorney General and the Director of National Intelligence (DNI) on January 31, 2008 to the certifications in the 07 Dockets.

Then, several weeks later — and therefore several weeks after PAA expired on February 16, 2008 — the government submitted still new procedures.

On March 3, 2008, the government submitted NSA and FBI procedures in a new matter [redacted]

[snip]

Because the FBI and NSA procedures submitted in Docket No. [redacted] are quite similar to the procedures submitted in the 07 Dockets, the Court has consolidated these matters for purposes of its review under 50 U.S.C. § 1805c.

For the reasons explained below, the Court concludes that it retains jurisdiction to review the above-described procedures under §1805c. On the merits, the Court finds that the FBI procedures submitted in each of the 07 Dockets, and the NSA and FBI procedures submitted in Docket No. [redacted] satisfy the applicable review for clear error under 50 U.S.C. § 1805c(b).

She regarded these new procedures, submitted well after the law had expired, a modification of existing certifications.

In all [redacted] of the above-captioned dockets, the DNI and the Attorney General authorized acquisitions of foreign intelligence information by making or amending certifications prior to February 16, 2009, pursuant to provisions of the PAA codified at 50 U.S.C. § 1805b.

She did this in part by relying on Reggie Walton’s interim April 25, 2008 opinion in the Yahoo case that the revisions affecting Yahoo were still kosher, without, apparently, considering the very different status of procedures changed after the law had expired.

The government even considered itself to be spying with Yahoo under a September 2007 certification (that is, the latter of at least two certifications affecting Yahoo) past the July 10, 2008 passage of FISA Amendments Act, which imposed additional protections for US persons.

These are, admittedly, a slightly different case. In two cases, they amount to retaining older, less protective laws even after their replacement gets passed by Congress. In the third, it amounts to modifying procedures under a law that has already expired but remains active because of the later expiration date of the underlying certificate.

Still, this is all stuff the FISC has already approved.

The FISC also maintains — incorrectly in my opinion, but I’m not a FISC judge so they don’t much give a damn — that the 2010 and 2011 PATRIOT reauthorizations ratified everything the court had already approved, even the dragnets not explicitly laid out in the law. This sunset language was public, and there’s nothing exotic about what they say. To argue the FISC wouldn’t consider these valid clauses grand-fathering the dragnet, you’d have to argue they don’t believe the 2010 and 2011 reauthorizations ratified even the secret things already in place. That’s highly unlikely to happen, as it would bring the validity of their 40ish reauthorizations under question, which they’re not going to do.

Again, I think it’s moot. The “reform” process before us is about getting Verizon to engage in a dragnet that is not actually authorized by the law as written. They’re not doing what the government would like them to do now, so there’s no reason to believe this grandfathered language would lead them to suddenly do so.

Emergency Dragnet Chaining, Now with First Amendment Protections!

Thursday, I Con the Record quietly released the most recent phone dragnet order, BR-125, dated September 11, 2014 (curiously, I Con the Record went back to correct its original release to indicate the order had been reauthorized on 9/11, not 9/12; I think FISC has been setting deadlines such that they are a Friday, but this one was approved on a Thursday).

Congratulations, Raymond Dearie! The government will point to your approval of this order as yet more proof of the soundness of the program.

There is one intriguing new addition to the order (the change shows up in two places). Both footnote 6 and footnote 7 add a requirement to the emergency provision for a First Amendment review. Footnote 7, which is more extensive, reads:

Before an emergency query is performed under this authority, NSA’s Office of General Counsel (OGC), in consultation with the Director or Acting Director shall confirm that any selection term reasonably believed to be used by a United States (U.S.) person is not regarded as associated with [redacted–description of terrorist groups acceptably included in this program] solely on the basis of activities that are protected by the First Amendment of the Constitution.

Such a requirement was not in the emergency procedures as originally proposed by the government nor in the orders issued since. (Update: Though of course, First Amendment review is required by the law; ultimately, the order for NSA to do a First Amendment review is tantamount to a reminder that it has to follow the law even when doing emergency queries.)

While we can’t know whether this got added because NSA used the emergency provisions to chain on someone for their speech, most changes to dragnet orders have historically been a response to some kind of problem.

And whether or not this language arose out of some issue or just intelligent caution, it provides yet another reason why the emergency provision of USA Freedom Act should not be passed as written.

As I have laid out, one of the ways in which Leahy’s emergency provision is notably worse than this emergency provision is because it puts the Attorney General in charge of compliance. It does not — as the current emergency provisions do — give broad authority to the FISC to remedy any collection conducted under the emergency provision that should not have been. As adopted, the current provisions even permit the FISC to order “destroying the results of the emergency query and recalling any reports or other disseminations based on those results.”

Under USA Freedom, if the FISC caught the government using an emergency authorization to identify the communications network of someone who engaged in protected speech, it would not have the explicit authority to demand the Attorney General destroy the records collected as a result. It has that authority right now.

And the latest dragnet order at least raises questions about whether it has already had to exercise that authority.

Do Verizon and AT&T’s Super Cookies Count as Session Identifiers?

Over the past weeks, we’ve been learning more and more about a supercookie that Verizon and AT&T have stuck in the phone browsing of users on their mobile network. In the case of Verizon, you can’t opt out of sending the supercookie any time you browse using Verizon’s network, and websites you visit will be able to use Verizon’s supercookie to track you as well.

Whatever the merits of Verizon’s new business model, the technical design has two substantial shortcomings. First, the X-UIDH header functions as a temporary supercookie. Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required.

Second, while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user.

Unless you opt out, this cookie will also track your geography and demography.
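One way to confirm the header behaviour described above from a server you control, as an added example that is not from the original post or the research it quotes: compare the headers a test client sent with the headers that arrived, and flag any header that was added in transit, stays constant across unrelated sites with no cookies sent, and differs between subscriber lines. The capture format, host names, line labels and token values are constructed for illustration.

```python
from collections import defaultdict

# Constructed captures: what a test client sent vs. what a header-echo
# endpoint received, on two subscriber lines. No Cookie header is sent at all,
# which models a browser with cookies blocked.
UA = {"User-Agent": "TestBrowser/1.0"}
CAPTURES = [
    {"line": "line-A", "host": "news.example", "sent": dict(UA),
     "received": {**UA, "X-UIDH": "CONSTRUCTED-TOKEN-AAAA", "Via": "1.1 gateway.example"}},
    {"line": "line-A", "host": "shop.example", "sent": dict(UA),
     "received": {**UA, "X-UIDH": "CONSTRUCTED-TOKEN-AAAA", "Via": "1.1 gateway.example"}},
    {"line": "line-A", "host": "forum.example", "sent": dict(UA),
     "received": {**UA, "X-UIDH": "CONSTRUCTED-TOKEN-AAAA", "Via": "1.1 gateway.example"}},
    {"line": "line-B", "host": "news.example", "sent": dict(UA),
     "received": {**UA, "X-UIDH": "CONSTRUCTED-TOKEN-BBBB", "Via": "1.1 gateway.example"}},
    {"line": "line-B", "host": "shop.example", "sent": dict(UA),
     "received": {**UA, "X-UIDH": "CONSTRUCTED-TOKEN-BBBB", "Via": "1.1 gateway.example"}},
]


def injected_headers(sent, received):
    """Return headers that arrived at the server but were not sent as-is.

    Header names are compared case-insensitively, as HTTP requires.
    """
    sent_ci = {name.lower(): value for name, value in sent.items()}
    return {name.lower(): value for name, value in received.items()
            if sent_ci.get(name.lower()) != value}


def find_tracking_headers(captures):
    """Flag injected headers that behave like a per-subscriber identifier.

    A header qualifies when, on each subscriber line, one single value shows
    up on at least two unrelated hosts, and that value differs between lines.
    A header carrying the same value on every line (a proxy's Via header, for
    example) is shared infrastructure, not an identifier, and is not flagged.
    """
    # seen[header][line] -> values observed and hosts that received them
    seen = defaultdict(lambda: defaultdict(lambda: {"values": set(), "hosts": set()}))
    for cap in captures:
        for name, value in injected_headers(cap["sent"], cap["received"]).items():
            entry = seen[name][cap["line"]]
            entry["values"].add(value)
            entry["hosts"].add(cap["host"])

    findings = {}
    for name, per_line in seen.items():
        # Lines where the header is stable across two or more hosts.
        stable = {line: e for line, e in per_line.items()
                  if len(e["values"]) == 1 and len(e["hosts"]) >= 2}
        distinct = {next(iter(e["values"])) for e in stable.values()}
        # Need at least two lines to tell an identifier from a constant.
        if len(stable) >= 2 and len(distinct) == len(stable):
            findings[name] = {line: sorted(e["hosts"]) for line, e in stable.items()}
    return findings


if __name__ == "__main__":
    for header, lines in find_tracking_headers(CAPTURES).items():
        for line, hosts in sorted(lines.items()):
            print(f"{header}: same value seen on {line} at {', '.join(hosts)}")
```

Comparing two lines is what separates an identifier from an ordinary proxy header: both are added in transit and both are constant across sites, but only the identifier changes with the subscriber.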

Kashmir Hill has been doing great work on it, including today’s responses from the two phone companies about what they’ve been doing.

How long have they been tagging their users this way?

Verizon: Two years. Given how long Verizon has been doing it, Kasowic said she was “surprised” by the attention this week.
AT&T: “A little while.” AT&T is just “testing it” at this point.

Why are they tagging customers this way?

Verizon: To deliver ads, to authenticate users and allow them to avoid filling out forms, and for fraud prevention.
AT&T: To deliver ads.

Is there any privacy protection built in?

Verizon: The code is “dynamic” and will change on a “regular basis” — at least once per week.
AT&T: The code is dynamic and will change daily.

[snip]

Can they opt out of anything?

Verizon: Customers can’t opt out of the header code being sent “because it’s used for multiple purposes,” says Kasowic. But they can opt out of it being used to show them relevant ads. “When it’s used for the advertising program, there’s a place where information is tied to the UIDH (Unique Identifier Header) — such as ‘Females in Alexandria, VA. between the ages of 25 and 50,’” said Kasowic. “It’s just segments that other people wouldn’t understand. There’s no personal identification. If you opt out, there’s no information stored there.” But the tracking code remains.
AT&T: Siegel says customers will be able to opt out of ad delivery and tracking.

Among all the other worries I have about this, I have my lingering worry: that the government will use the supercookie if and when USA Freedom Act passes. As a reminder, here’s how USAF defines “call detail record,” which is a key part of their ongoing daily production.

(2) CALL DETAIL RECORD.—The term ‘call detail record’—

(A) means session identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location information.

This definition uses language tied to phone calls, but with the limited exception of the CDR definition used for NSLs, there is a well-established tradition of using phone CDR language to get Internet records. And a cookie is the quintessential “session identifier.” While Verizon’s supercookies might provide access to things that might qualify as content — “any information concerning the substance, purport, or meaning of that communication” — it would not seem to necessitate this. Plus, the supercookie would provide generalized location without cell site location.

In other words, the Verizon supercookie would provide FBI and NSA a way to get rich information on the target and his online actions — including co-presence on sites that might include chat rooms (which would serve as your hops) — that they could then match up to the backside, tracking the cookie on across the web. Depending on what Verizon uses it to authenticate users for, it may give a lot more. (Note, too, that Sprint appears to be working on the equivalent of a burner phone application for mobile devices based off cookies; this supercookie would seem to make that even easier.)

The Yahoo example — where the government moved from requesting emails and instant messages to requesting 9 things, potentially across all of Yahoo’s business units in 5 months — is instructive. Even if they aren’t already planning on using this (which I doubt, given that it has been out there for 2 years), they will use it. And nothing in the bill seems to prohibit it.

I’m not convinced this is the only answer to my question about what connection chaining does. But I think it is one answer.

Update: Propublica reports that Twitter has adopted Verizon’s UIDH for its own advertising purposes.

The data can be used by any site – even those with no relationship to the telecoms — to build a dossier about a person’s behavior on mobile devices – including which apps they use, what sites they visit and for how long.

MoPub, acquired by Twitter in 2013, bills itself as the “world’s largest mobile ad exchange.” It uses Verizon’s tag to track and target cellphone users for ads, according to instructions for software developers posted on its website.

No, Obama Doesn’t Need Legislation to Fix the Dragnet–Unless the “Fix” Isn’t One

In an editorial calling on Congress to pass the USA Freedom Act, the USA Today makes this claim.

Obama’s proposal last January — to leave the data with phone companies, instead of with the government — can’t happen without a new law. And, as in so many other areas, the deeply divided Congress has failed to produce one.

I don’t know whether that is or is not the case.

I do know 3 Senate Intelligence Committee members say it is not the case.

Ron Wyden, Mark Udall, and Martin Heinrich wrote Obama a letter making just this point in June. They argued that Obama could accomplish most, if not all, of what he claimed he wanted without legislation, largely with a combination of Section 215 Orders to get hops and Pen Registers to get prospective collection.

[W]e believe that, in the meantime, the government already has sufficient authorities today to implement most, if not all, of the Section 215 reforms laid out in your proposal without delay in a way that does not harm our national security. More comprehensive congressional action is vital, but the executive branch need not wait for Congress to end the dragnet collection of millions of Americans’ phone records for a number of reasons.

First, we believe that the Foreign Intelligence Surveillance Court’s (FISC) expansive interpretation of the USA PATRIOT Act to allow the collection of millions of Americans’ phone records makes it likely that the FISC would also agree to a more narrowly-drawn interpretation of the law, without requiring further congressional action. Certainly, it seems likely that the FISC would permit the executive branch to use its current authorities to obtain phone records up to two “hops” from a suspicious phone number or to compel technical assistance by and compensation for recipients of court orders. Unless the FISC has already rejected such a request from the government, it does not seem necessary for the executive branch to wait for Congress before taking action.

Second, we believe that the FISC would likely approve the defined and limited prospective searches for records envisioned under your proposal pursuant to current USA PATRIOT Act Section 214 pen register authorities, given how broadly it has previously interpreted these authorities. Again, we believe it is vital for Congress to enact reforms, but we also believe that the government has sufficient authorities today under the USA PATRIOT Act to conduct these targeted prospective searches in the interim.

Finally, although we have seen no evidence that the government has needed the bulk phone records collection program to attain any time-sensitive objectives, we agree that new legislation should provide clear emergency authorities to allow the government to obtain court approval of individual queries after the fact under specific circumstances. The law currently allows prospective emergency acquisitions of call records under Section 403 of the Foreign Intelligence Surveillance Act (FISA), and the acquisition of past records without judicial review under national security letter authorities. While utilizing a patchwork of authorities is not ideal, it could be done on an interim basis, while Congress works to pass legislation.

Just weeks before they sent this, Deputy Attorney General James Cole had seemed to say they could (if not already were) getting hybrid orders, in that case mixing phone and location. So it seems like DOJ is confident they could use such hybrid orders, using Section 215 for the hops and Pen Registers for the prospective collection (though, given that they’re already using Section 215 for prospective collection, I’m not sure why they’d need to use hybrids to get anything but emergency orders).

And it makes sense. After all, the public claims about what the Call Detail Record provision would do, at least, describe it as a kind of Pen Register on steroids, 2-degrees of Pen Register. As the Senators suggest, FBI already gets two-degree information of historical records with mere NSLs, so it’d be surprising if they couldn’t get 2 degrees prospectively with a court order.

So at least according to three members of the Senate Intelligence Committee, USA Today is simply wrong.

Mind you, I’m not entirely convinced they’re right.

That’s because I suspect the new CDR provision is more than a Pen Register on steroids, and is instead something far more intrusive, one that gets far beyond mere call records. I suspect the government will ask the telecoms to chain on location, address books, and more — as they do overseas — which would require far more than a prospective Pen Register and likely would require super immunity, as the bill provides.

I suspect the Senators are wrong, but if they are, it’s because Obama (or his Intelligence Community) wants something that is far more invasive than they’ve made out.

Still, for USAF supporters, there seems no question. If all Obama wants to replace the phone dragnet is prospective 2-degree call (not connection) chaining on RAS targets, he almost certainly has that authority.

But if he needs more authority, then chances are very good he’s asking for something far more than he has let on.

Update: Note, USAT makes at least one other clear error in this piece, as where it suggests “the program” — the phone dragnet — imposes costs on cloud companies like Microsoft and Google.

The Continuing Myth about USA Freedom Transparency

Summary: This is a response to an Elizabeth Goitein claim that USA Freedom would provide detailed reporting on FISA programs. That’s false. As I show below, the only three kinds of collection for which reasonably real numbers will be reported are Individual FISA orders, NSLs (though FBI refuses to count those accurately), and the new CDR provision (though it will be presented as foreign collection even though it will be domestic). On everything else, the reporting will be excepted away beyond usefulness. Further, both PRTT and traditional 215 will likely get reported only as “fewer than 500,” a significant regression from current reporting.

In a piece at Just Security, Brennan Center’s Elizabeth Goitein bemoans what she claims as a distraction from passing the USA Freedom Act in the form of ISIS.

Then came ISIS. Following the group’s capture of territory in Iraq, its beheading of two American journalists, and its calls for followers to launch attacks in the US, some American lawmakers claimed it would be irresponsible to ratchet back surveillance authorities in the face of a new terrorist threat. 

I’m skeptical that USAF was going to pass anyway, and equally skeptical the Republicans are really responding to ISIS and not improving GOP Senate chances.

But I’m more interested in Goitein’s portrayal of the bill.

To her credit, she limits her most aggressive claims that the bill would end bulk collection to the phone dragnet. Though she claims continuation of the financial dragnets would be a misreading of the bill.

The bill also would prohibit bulk collection of other types of transactional data, although the wording of these bans is susceptible to distorted readings, as some have observed.

That’s something on which we can fairly disagree. In my opinion, this language does nothing to limit the financial dragnet.

(i) means a term that specifically identifies a person, account, address, or personal device, or another specific identifier, that is used by the Government to narrowly limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things; 

As I’ve noted, permitting “person” as a selector permits the use of “Western Union.” And the language “to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things” closely resembles claims we’ve seen in released applications and orders. I would be fairly shocked if the applications for the Western Union dragnet didn’t say — as NSA said of the phone dragnet — that FBI required all foreign money transfers to be able to track such transfers. If so, then FISC has already bought off on the government’s claim that the existing financial dragnets are as narrowly limited as “reasonably practicable, consistent with the purpose for seeking the tangible things.” If so — and given public FISC releases, this is actually not a distorted reading in the least — then this bill will not affect the existing dragnets in the least. 

Still, I commend Goitein for exercising far more caution than other USAF supporters have in the past about the extent of the bill.

But Goitein’s claims about the transparency required under the bill are simply wrong.

The USA Freedom Act also would require more detailed statistical reporting by the government on the number of people affected by specific surveillance authorities – including, for most FISA programs, a separate tally of U.S. persons affected. These numbers give meaning to abstract legal interpretations. It’s clear that the FISC endorsed a broad interpretation of the term “relevance,” but only the numbers can tell us exactly how broad.

This bill will be less than useless in helping us understand how broadly the government is collecting; it will be counter-productive.

Here’s what, to the best of my understanding, we’ll actually get:

Individual orders (Titles I, III, 703, 704): We’ll get a “good faith” estimate of how many individuals are targeted. The government won’t reveal the split of this targeting. That will likely hide that much of its “targeting” consists of obtaining already collected data. The government won’t reveal that it does not use 703. At all.

702: We’ll get the number “1” for total orders, and something like 90,000 for targets. We’ll get a grossly misrepresentative number for number of people located in the US collected under PRISM, because the government will not be required to count IPs in the US as someone in the US. We’ll also get a certificate saying it cannot estimate whether more than 56,000 US persons are collected in upstream every year (because if the government did so it would then be illegal). We’ll get numbers like NSA 100 and CIA 1000 for back door searches, but we will get nothing on FBI back door searches, which can be done with no suspicion of wrong-doing. This leaves out 56,000 or more Americans affected via upstream, probably 100s of 1000s under an IP dodge, and probably 10s of 1000s affected in back door searches, and that’s assuming the DNI doesn’t use a Certificate to refuse to report all people affected by PRISM. Update: See this post for something else that may be hidden — non-communication cloud data.

Title IV (PRTT): We’ll start with a number like 140; as currently counted, this would show as something like 300 targets, 70 of whom are named US persons who got their phone or email records collected. But this may not count US persons who have their email records collected, because the government won’t have to treat a US IP as a US person. It also won’t count the people sucked up in Stingray use, as that is not counted as a communication collected. That’ll ensure the number is fewer than 500, meaning that’s the only number we’ll get, which is far worse than the reporting we currently get. Moreover, if as I suspect any bulkier PRTT program collects location, it will show only something like 4 al Qaeda related targets (because location data is not a communication). And the government can issue a claim that it can’t count those in the US (because if it did so it’d be illegal). One way or another, this will leave out hundreds of thousands, and perhaps millions, of affected Americans.

Traditional 215: Under current counting we’d get a number like 210 orders, targeting 800 targets. Here’s how it’ll break out in this reporting:

  • Exotic Internet requests (currently the majority of 215 orders): These are in the US, but they won’t be counted as such because they’re FBI orders and FBI is exempted from counting that. I suspect they’re also exempted even more generally from total persons affected counts as subscriber session time (see below regarding the definition of communications collected), though that’s a guess. Update: see this post for more on this language.
  • Less exotic Internet orders: These won’t have to be reported as US persons either, because the government doesn’t have to treat US IPs as US location.
  • Known non-financial dragnets: Under current counting this would probably count as roughly 24 orders (assuming 6 programs with 90 day renewals), with 4 targets — the al Qaeda groups included — each. Under USAF reporting, none of the individuals affected by the known bulk non-communications dragnets — which we know to include financial records and purchase records and which may include travel records — will get reported because the bill doesn’t require non-communications 215 orders to be individualized.

Having exempted almost every known kind of 215 order from individualized reporting, it’ll bring the total number affected well under 500, meaning that’s all we’ll get for persons affected, a far worse report than we currently get. This will definitely leave out millions of affected Americans, and will present the false impression that most 215 orders affect foreigners. 

New-Fangled 215: For CIA and NSA — which are unlikely to use this provision — the government will have to report the targets, plus the people within 2 degrees sucked in with those targets. For FBI, which is likely to collect this data now that it doesn’t require ingesting all the phone records in the US and because FBI has far more liberal sharing rules, it’ll probably report 300 targets, and a total of 3 million people affected. But those won’t be identified as Americans because the FBI is exempted from that. Moreover, since this will bring the number under 500, that’s all we’ll get for targets (though not persons affected). This will probably hide hundreds of thousands of Americans affected.

Update, 10/5: See this post for one other thing USAF may hide: cloud-related metadata that might be used for connection chaining.

NSLs: This bill provides slightly more breakout on US/non-US NSL reporting, though that has largely been available via IG report (plus, FBI refuses to count it accurately), except for subscriber data.

To sum up, what USAF effectively does is require reporting on the number of people affected by surveillance programs, and for most requires a break-out of the number of US persons affected. But then it uses the following exemptions to hide by far the bulk of the US persons affected — and in most cases, the number of persons affected — by surveillance:

  • 603(b)(2): Only a phone number registered in the US provides a reasonable basis that a person is located in the US. Thus all bulky Internet collection in the US can and will be hidden as foreign collection.
  • 603(e)(2): For several target and affected numbers, DNI will report numbers under 500 as fewer than 500. This will result in significantly less granular reporting than we currently have for some authorities, especially PRTT and 215.
  • 603(e)(3): If records are held by FBI or queries are conducted for them, 702 back door searches, communications-related traditional 215 orders, and newfangled 215 results don’t have to report on US persons affected. FBI will effectively be even more of a black hole where reporting goes to die than it already is.
  • 603(e)(4): DNI can certify that it can’t report on the 702 and PRTT Americans caught in the dragnet. Unless they use the IP dodge, they’ll almost certainly do this because if they admit this is US person collection, it’ll become illegal.
  • 603(g)(3): The definition of “individual whose communications were collected,” on which non back door 702, PRTT, and both traditional and newfangled 215 individualized reporting is based, would (according to my reading–lawyers should definitely check this) exclude:
    • Any location data (tracking devices are excluded)
    • Any financial, purchase, or other non-communication record (they are non-communication)
    • Any subscriber to an electronic computer service who is not a party to a communication who has had only her call records or session times collected [(B)(ii) excludes subparagraph (C) of 2703(c)(2)]

That is, after requiring reporting for most FISA reports, it then exempts virtually all of it from reporting.

Psyche!

This is not serious transparency reporting. Rather, it’s a hoax, at best reporting knowingly false information, but usually producing nothing but propaganda that gives a grossly misleading description of what collection occurs.

Updated 10/4 with summary and some clarifications.

James Clapper, Bates-Stamp, and Gutting the FISA Advocate

As I noted the other day, in his letter purportedly “supporting” Patrick Leahy’s USA Freedom Act, James Clapper had this to say about the special advocate amicus curiae position laid out by the law.

We note that, consistent with the President’s request, the bill establishes a process for the appointment of an amicus curiae to assist the FISA Court and FISA Court of Review in matters that present a novel or significant interpretation of the law. We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

Clapper stretches the actual terms of all four provisions of the bill he discusses — he admits he’ll use selection terms outside those enumerated by the statute, he discusses collecting “metadata” rather than the much more limited “call detail records” laid out in the bill, and he facetiously claims FBI won’t count its back door searches because of technical rather than policy choices.

But I think Clapper’s comments about the FISC amicus curiae deserve particular attention, because the letter suggests strongly that Clapper will ignore the law on one of the key improvements in the bill.

Clapper claims, first of all, that Obama has called for the appointment of an amicus curiae.

That’s false.

Obama actually called for fully-independent advocates.

To ensure that the Court hears a broader range of privacy perspectives, I am calling on Congress to authorize the establishment of a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court.

That may seem like semantics. But in his letter, Clapper signals he will make the amicus curiae something different. First, he emphasized this amicus will not interfere with ex parte communications between the court and the government. That may violate this passage of Leahy’s bill, which guarantees the special advocate have access to anything that is “relevant” to her duties.

(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—

[snip]

(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;

Given that in other parts of 50 USC 1861, “relevant” has come to mean “all,” it’s pretty amazing that Clapper says the advocate won’t have access to all communication between the government and the court.

There are just two bases on which the advocate can be denied access to documents she would need.

(i) IN GENERAL.—A special advocate, experts appointed to assist a special advocate, or any other amicus or technical expert appointed by the court may have access to classified documents, information, and other materials or proceedings only if that individual is eligible for access to classified information and to the extent consistent with the national security of the United States.

(ii) RULE OF CONSTRUCTION.— Nothing in this section shall be construed to require the Government to provide information to a special advocate, other amicus, or technical expert that is privileged from disclosure.

If we could believe that Clapper were operating on good faith, this language would be fairly innocuous. But given that Clapper has made it very explicit he wants to continue to conduct ex parte communication, and given that the Director of National Intelligence has a significant role in both need to know determinations and privilege claims, this language — and Clapper’s commitment to retain ex parte communications — is a pretty good indication he plans to deny access based on these two clauses.

And all that’s before Clapper says he plans to continue to work with Leahy to address some of John Bates’ purported concerns.

As a reminder, in Bates’ most recent letter, he claimed to be speaking “on behalf of the Judiciary” and used the royal “we” throughout. In response to the letter, Steve Vladeck raised real questions about what basis Bates had to use that royal “we.”

Judge Bates’s latest missive … raises the question of why Judge Bates believes he’s entitled to speak “on behalf of the Judiciary”–especially when at least two former FISA judges have expressly endorsed reforms far more aggressive than those envisaged by the Senate bill, and when the substance of Judge Bates’s objections go principally to burdens on the Executive Branch, not the courts.

Then Senior 9th Circuit Chief Judge Alex Kozinski weighed in. While he professed not to have studied the matter, he made it quite clear that he

was not aware of Director Bates’s letter before it was sent, nor did [he] receive a copy afterwards.

[snip]

having given the matter little consideration, and having had no opportunity to deliberate with the other members of the Judicial Conference, I have serious doubts about the views expressed by Judge Bates. Insofar as Judge Bates’s August 5th letter may be understood as reflecting my views, I advise the Committee that this is not so.

In other words, Bates decided to speak for the Judiciary without consulting them.

And, as Vladeck correctly notes, what he said seemed to represent the views of the Executive, not the Judiciary. I think that conclusion is all the more compelling when you consider the 3 big opinions we know Bates wrote while serving on FISC:

  • Around July 2010: After noting that the Executive had violated the PRTT orders from 2004 until 2009 when it was shut down, including not disclosing that virtually every record collected included unauthorized collection, he reauthorized and expanded the program 11- to 24-fold, expanding both the types of data permitted and the breadth of the collection. Bates did prevent the government from using some of what it had illegally collected in the past, but told them if they didn’t know it was illegal they could use it.
  • October 3, 2011: The year after he had reauthorized PRTT in spite of the years of violation, the government informed him they had been illegally collecting US person content for 3 years. Bates authorized some of this collection prospectively (though more assertively required them to get rid of the past illegal collection). At the same time, Bates permitted NSA and CIA to conduct back door searches of US person PRISM content.
  • February 19, 2013: Bates unilaterally redefined the PATRIOT Act to permit the government to collect on US persons solely for their First Amendment activities, so long as the activities of their associates were not protected by the First Amendment.

In short, even though Bates knew better than anyone but perhaps Reggie Walton of the Executive’s persistent violations of FISA orders, he repeatedly expanded these programs in dangerous ways even as he found out about new violations.

That’s the guy lecturing Leahy on how the FISC needs to work, invoking the royal “we” he hasn’t gotten permission to use.

And consider the things Bates asked for in his most recent letter — which, by invocation, Clapper is suggesting he’ll demand from Leahy.

  • The advocate should not be mandated to speak for privacy and civil liberties.
  • The advocate should not be adversarial because that might lead the government to stop sharing information it is required to share.
  • The advocate should not be required to be consulted on all novel issues [I wonder now if Bates considers the First Amendment application a novel issue?] because that might take too long.

Basically, Bates says Leahy should replace his language with the House language.

In our view, the greater flexibility and control that the FISA courts would have under the amicus provision in H.R. 3361 make it a better fit for FISA court proceedings than the special advocate provision of S. 2685. As discussed above, the House bill would give the FISA courts substantial flexibility not only in deciding when to appoint an amicus in the first place, but also in tailoring the nature and scope of the assistance provided to the circumstances of a particular matter.

So the guy who Bates-stamped so many dangerous decisions wants FISC to retain the authority to continue doing so.

Again, Clapper is absolutely wrong when he claims this kind of thing — a role in which the FISC can sharply limit what advice it gets and the DNI can sustain ex parte proceedings by claiming privilege or need to know — is what President Obama endorsed 8 months ago.

Which raises the question: is the President going to tell his DNI to implement his own policy choices? Or is he going to let James Clapper and Bob Litt muddle up a democratic bill again?

As Snowden Leak Anniversary Approaches, Intelligence Community Prepares to Declare Victory

As June 5 approaches — and with it the one year anniversary of the first reporting on Edward Snowden’s leaks — the privacy community is calling supporters to redouble efforts to improve the NSA “reform bill,” which I call the USA Freedumber Act, in the Senate.

I explained here why the Senate is unlikely to improve USA Freedumber in any meaningful way. The votes just aren’t there — not even in the Senate Judiciary Committee.

Ominously, Dianne Feinstein just scheduled an NSA hearing for Thursday afternoon, when most of the privacy community will be out rallying the troops.

Unless the surveillance community finds some way to defeat USA Freedumber, the intelligence community will soon be toasting themselves that they used the cover of Edward Snowden’s disclosures to expand surveillance. The “Edward Snowden Put the NSA in Your Smartphone Act,” they might call it.

To prevent that, the privacy community needs to find a way to defeat USA Freedumber. It’s not enough, in my opinion, to point to the judicial review codified by USA Freedumber to accede to letting this pass. Not only doesn’t USA Freedumber end what most normal people call “bulk collection,” but it expands collection in a number of ways.

That’s true, in part, because of the way the bill defines “bulk collection.” USA Freedumber only considers something “bulk collection” if it collects all of some kind of data (so, all phone data in the US). If NSA limits collection at all — selecting to collect all the phone records from Area Code 202, for example — it no longer qualifies as bulk collection under the Intel Community definition used in the bill, no matter how broadly they’re collecting.

Here’s a post where I lay that out.

To make things worse, the last version of the House bill changed the term “selection term” to make it very broad: including “entities,” “addresses,” and “devices” among the things that count as a single target, all of which invite mass targeting. I was always skeptical about “specific selection term” serving as the limiting factor in the bill; key language about how the FISC currently understands “selection term” remains classified. But I do know that Zoe Lofgren and others in the House kept saying that under the current definition of the bill the government could collect all records in, say, my Area Code 202 example. And if that’s possible, it means the phone dragnet under this “reform” may be little more targeted than upstream Section 702 collection currently is, which has telecoms sniff through up to 75% of US Internet traffic.

But it’s not just that the bill doesn’t deliver what its boosters claim it does.

There are 4 other ways that the bill makes the status quo worse, as I show in this post:

  • The move to telecoms codifies changes in the chaining process that will almost certainly expand the universe of data being analyzed — potentially significantly
  • In three ways, the bill would permit the use of phone chaining for purposes beyond counterterrorism, which isn’t currently permitted
  • The bill weakens the minimization procedures on upstream Section 702 collection imposed by FISC Judge John Bates in 2011, making it easier for the government to collect and keep domestic content domestically
  • The bill moves the authority to set minimization procedures for Pen Registers from FISC to the Attorney General (and weakens them significantly), thus eliminating the tool John Bates used to shut down illegal content-as-metadata collection

In my opinion, these changes mean the NSA will be able to do much of what they were doing in 2009, before what were then called abuses — but under this bill would be legalized — were discovered. That, plus they’re likely to expand the dragnet beyond terrorism targets.

For a year, privacy advocates have believed we’d get reform in response to Snowden’s leaks. For too long, advocates treated HR 3361 as positive reform.

But unless we defeat USA Freedumber, the Intelligence Community will have used the event of Snowden’s leaks as an opportunity to expand the dragnet.