
Freedumb versus Freedumber

I’ve already done a few posts on the USA Freedumber bill, AKA HR 3361. This post shows that the Administration has gotten explicit that the chaining process is now about “connected” identifiers and not necessarily “contacts” between them. And this post shows they’ve added another trough of compensation at which intelligence contractors can feed.

But I realize now it really needs a systematic comparison of the bill with USA Freedumb, the previously gutted manager’s amendment. This will be a working thread.

PDF 3 Freedumber: Includes language explicitly envisioning getting call records outside of the limited method rolled out here.

(including an application for the production of call detail records other than in the manner described in subparagraph (C))

We know they always planned to be able to get historical call records via the old means (though new language in section C makes it clear the systematic program can get historical records too), but I wonder if this is also there to get call detail records from smaller telecoms.

Here’s that historical language:

in the case of an application for the production on a daily basis of call detail records created before, on, or after the date of the application relating to an authorized investigation [my emphasis]

See this post for how they changed the chaining language on PDF 5.

PDF 6: They changed the minimization language to be tied to “foreign intelligence” information. I wrote about it in this post at the Guardian.

PDF 7: They’ve gotten rid of language limiting emergency authorities to terrorist investigations as shown:

(A) reasonably determines that an emergency situation requires the production of tangible things to obtain information for an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to protect against international terrorism before an order authorizing such production can with due diligence be obtained;

The bill keeps the weak prohibition on using stuff that shouldn’t have been gotten under emergency powers (the AG ensures that such data are not used, but then the AG is the one who originally thought it’d be kosher in the first place, making the AG the worst person to police its non-usage). So it turns the emergency powers into a bigger loophole.

PDF 11: I noted that they’ve extended compensation beyond just the telecoms to other advisors (AKA Booz). They’ve also given the Booz figures immunity.

(e)(1) No cause of action shall lie in any court against a person who—

(A) produces tangible things or provides information, facilities, or technical assistance pursuant to an order issued or an emergency production required under this section; or

(B) otherwise provides technical assistance to the Government under this section or to implement the amendments made to this section by the USA FREEDOM Act.

PDF 13: Here’s the new definition for Specific Selection Term. I’ll have a post on this later, but suffice it to say that “such as” is the new “relevant to.”

SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a discrete term, such as a term specifically identifying a person, entity, account, address, or device, used by the Government to limit the scope of the information or tangible things sought pursuant to the statute authorizing the provision of such information or tangible things to the Government.’

I’m not as bugged by “address” or “device” as some others are–I actually think they’re useful. Still, it’s far too broad.

PDF 15: For some reason, Freedumber gives the IC IG 6 months after the DOJ IG finishes his IG report (which retains the gap where 2010 and 2011 are) before he has to submit his report.

Not later than 180 days after the date on which the Inspector General of the Department of Justice submits the report required under subsection (c)(3), the Inspector General of the Intelligence Community shall submit

These shouldn’t need to be sequential. So I wonder why they did this, if not to delay the required reporting out beyond the beginning of consideration of the sunset.

PDF 18: They can keep on dragnetting up until the moment when the new law goes into effect.

RULE OF CONSTRUCTION.—Nothing in this Act shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as in effect prior to the effective date described in subsection (a) during the period ending on such effective date.

So they’re stocking up on data. And why not! You never know what fun new data you’ll get under the new system you need a dragnet for?

PDF 19: The NGO community is really excited about this addition.

SEC. 110. RULE OF CONSTRUCTION.

Nothing in this Act shall be construed to authorize the production of the contents (as such term is defined in section 2510(8) of title 18, United States Code) of any electronic communication from an electronic communication service provider (as such term is defined in section 701(b)(4) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1881(b)(4)) under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.).

I’m not so excited. First, while this language makes it clear the bill does not affirmatively authorize such production, if FISC has already approved it, they don’t need a bill, they’ve got authorization. In addition, I think there are some Internet entities that aren’t included in the definition of electronic communication service providers.

PDF 20: Wow, they’ve utterly gutted the minimization procedures they had tried to add to Pen Register authority (which had included minimization procedures in applications and allowed the judge to review them). Instead of that we get,

(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect  national security, include protections for the collection, retention, and use of information concerning United States persons.

Which would lead me to believe they either are or intend to resume using this abusively.

PDF 21: The new bill takes out language trying to cut down on reverse targeting (it had made it illegal if it was a purpose of the acquisition at all). Great. So they’re now legislatively approving reverse targeting.

PDF 21: They changed limits on upstream collection from this:

(B) consistent with such definition, minimize the acquisition, and prohibit the retention and dissemination, of any communication as to which the sender and all intended recipients are determined to be located in the United States and prohibit the use of any discrete, non-target communication that is determined to be to or from a United States person or a person who appears to be located in the United States, except to protect against an immediate threat to  human life.’’.

To this (emphasis mine):

(B) consistent with such definition—

(i) minimize the acquisition, and prohibit the retention and dissemination, of any communication as to which the sender and all intended recipients are determined to be located in the United States at the time of acquisition, consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information; and

(ii) prohibit the use of any discrete communication that is not to, from, or about the target of an acquisition and is to or from an identifiable United States person or a person reasonably believed to be located in the United States, except to protect against an immediate threat to human life.’

The first clause could be read two ways: either to require minimization of data for which recipients were in the US when the data was collected. Or, more likely, they mean to require minimization of data that NSA immediately determines (at the time of acquisition) to be in the US. If it’s the latter, it expands upstream collection.

The second clause limits the prohibition on using MCATs (that is, unrelated comms picked up off of targeted comms in the associated inbox) that aren’t targeted to those that involve identifiable US persons. In its discussions with John Bates, the NSA claimed it couldn’t identify which comms were USPs. Which means this would gut the minimization procedures put in place in 2011.

In other words, this language guts John Bates’ efforts to rein in illegal unconstitutional collection of US person content within the US.

PDF 27: As others have noted, Freedumber gives the DNI the authority over declassification decisions on significant FISC opinions. It specifies the requirement to apply to any “significant interpretation of the term ‘specific selection term’.”

PDF 33: A reporting requirement on Section 215 is watered down to become a summary of compliance reviews, rather than the reviews themselves.

More troubling still, the same passage eliminates the language requiring reports on PRTT.

(6) any compliance reviews conducted by the Federal Government of electronic surveillance, physical searches, the installation of pen register or trap  and trace devices, access to records, or acquisitions conducted under this Act.’’.

PDF 33-34: Freedumber includes a DNI report of aggregate requests, but only with detail on targets, not on number of people affected (or even number of selectors). This is the cover up report for the dragnets. For NSLs, it also only provides the number of requests for information, but doesn’t break out targets. This may be solely because of the subscriber function but it would seem to permit the hiding of bulk collection under other NSLs. (That is, this may well be worse than current reporting.)

PDF 40: Freedumber shifts reporting requirements pertaining to FISC decisions such that Congress only gets notice of a denied or modified application if it includes a significant construction of law. Given that there’s been a huge increase in modified programs, this would serve to hide the kinds of bulk collection going on. It also takes out a requirement that the government summarize what went on.

In addition, there are changes on transparency the companies can do. I’ll sort that out at another time, but even what is there is not transparent.

The Administration Stops Pretending Phone Dragnet Is Only about Phone Calls

The other day, I noted that the language describing contact-chaining had been changed to permit chaining between identifiers that had a “connection” even without any actual phone contact. At a minimum, this permits the government to contact chain on various phones associated with the same person. But in the telecoms’ hands (which have access to geolocation information the government may not collect under the phone dragnet) it may also mean close proximity.

The Administration made this all more obvious with changes it added to HR 3361, AKA the USA Freedom (Freedumb) Act. It changed the language on contact chaining from this:

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production;

(II) using the results of the production under subclause (I) as the basis for production; and

(III) using the results of the production under subclause (II) as the basis for production;

To this:

(iii) provide that the Government may require the prompt production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

(iv) provide that, when produced, such records be in a form that will be useful to the Government;

Now there is actually an important improvement in this language. The new language requires each step return to a call detail record: a phone number or SIM card number, for example. The telecoms can’t use things like geolocation or email addresses in that interim hop, as they might have been able to do under the previous language.

Though the end results may only need to be “a form that will be useful to the Government.” Before, the end results had to be a CDR; this would seem to permit some other kind of result.

And along the way, the Administration has abandoned all pretense that contact-chaining is only about tracking who calls whom. This language makes clear that the chaining is about connections.

As I said, the most obvious kind of “connection” is a burner phone: identifying the new phone of the same target based off the old phone’s existing call patterns. And, given the big push to outsource the call records to the telecoms, NSA surely intends to use cell location (the telecoms can legally use location, whereas the NSA is not permitted to under current FISA rules).

But those are only the most obvious applications. It would take a great deal of imagination, I think, to anticipate all the kinds of connections the NSA might ask the telecoms to make for them.

Where Does the Bulk Collection Under NSLs Happen?

Back in January, I noted that both the President’s Review Group and those behind the Leahy-Sensenbrenner USA Freedom Act seemed very concerned that the government is using NSLs to conduct bulk collection (which is the term I used, based off the fact that both made parallel changes to Section 215 and NSL collection). Both required (recommended, in the case of PRG) that the government fix that by requiring that NSLs include language asserting that the particular information sought has a tie to the investigation in question, and some limits on the amount of information collected.

Here’s how the PRG phrased it.

Recommendation 2 We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that:

(1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and

(2) like a subpoena, the order is reasonable in focus, scope, and breadth.

The thing is, because NSLs haven’t shown up in any troves of leaked documents, we don’t know why USA Freedom’s original backers and PRG are so concerned NSLs today collect data beyond reasonable breadth (though IG reports done years ago raised big concerns, many of them about whether FBI was meeting the legal standards required).

We don’t know what kind of bulk collection they’re engaging in.

Because FBI — not NSA — primarily uses NSLs, we don’t know what the problem is.

I raise this now because — in addition to having planned on writing this post since January — of questions about whether the HJC and HPSCI “reform” bills will really end what you and I (as distinct from the Intelligence Community) would consider bulk collection.

And NSL reporting — unlike that for Section 215 — provides some hints on where the bulk collection might be.

Here’s what the most recent FISA report to Congress says about (most) NSLs issued last year.

Requests Made for Certain Information Concerning Different United States Persons Pursuant to National Security Letter Authorities During Calendar Year 2013 (USA PATRIOT Improvement and Reauthorization Act of 2005, Pub. L. No. 109-177 (2006))

Pursuant to Section 118 of the USA PATRIOT Improvement and Reauthorization Act, Pub. L. 109-177 (2006), the Department of Justice provides Congress with annual reports regarding requests made by the Federal Bureau of Investigation (FBI) pursuant to the National Security Letter (NSL) authorities provided in 12 U.S.C. § 3414, 15 U.S.C. § 1681u, 15 U.S.C. § 1681v, 18 U.S.C § 2709, and 50 U.S.C. § 436.

In 2013, the FBI made 14,219 requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 5,334 different United States persons.2

2 In the course of compiling its National Security Letter statistics, the FBI may over-report the number of United States persons about whom it obtained information using National Security Letters. For example, NSLs that are issued concerning the same U.S. person and that include different spellings of the U.S. person’s name would be counted as separate U.S. persons, and NSLs issued under two different types of NSL authorities concerning the same U.S. person would be counted as two U.S. persons.

The report would seem to say that the 14,219 requests were based off requests about 5,334 US persons. That’s not really bulk collection, at least on its face! So where is the bulk collection PRG and USAF seem worried about?

It’s possible this report hides some bulk collection in a different Agency. The law requiring this report only requires DOJ to report on the number of requests DOJ made in the previous year.

 In April of each year, the Attorney General shall submit to Congress an aggregate report setting forth with respect to the preceding year the total number of requests made by the Department of Justice for information concerning different United States persons under–

(A) section 2709 of title 18, United States Code (to access certain communication service provider records), excluding the number of requests for subscriber information;

[the law goes on to list the other NSL provisions]

While DOJ’s report should cover both FBI and DEA, I suppose it’s possible that some other entities — not just NSA but also Treasury, NCTC, and CIA — are submitting NSLs themselves, particularly in the case of financial records (though I think Treasury doesn’t have to use NSLs to do this).

The other obvious place the language of the report hides bulk collection is in subscriber records. The law exempts subscriber information requests from the reporting pertaining to US persons. The FBI could be applying for what amount to phone books of all the subscribers of all the phone companies and Internet service providers in the United States and it wouldn’t show up in this report, even though those requests might pertain to hundreds of millions of US persons.

I assume to some extent it is doing this, because there must be a reason subscriber records were excluded from this law. And this would count as bulk collection even according to the Intelligence Community definition of the term.

Via the PRG, we can get a sense of how many such subscriber requests there are. It says FBI issued 21,000 NSLs in FY 2012.

FBI issued 21,000 NSLs in Fiscal Year 2012, primarily for subscriber information.

While the reporting period is different, DOJ reported that FBI obtained 15,229 NSLs in 2012. Which means the balance — so around 5,500 NSLs — would be for subscriber data. Even if only a significant fraction of those are for all of companies’ subscribers, that’s still a fairly comprehensive list of subscriber information across a broad range of providers.

Those 5,500 requests could each be 50 US persons or 120 million US persons; we don’t know. That would be pretty significant bulk collection. But not the same kind of privacy risk PRG seems to have in mind (and if that were the only problem, why change all 4 NSL statutes, as USA Freedom Act did and to the extent it makes a difference still does)?

Still, we know that even the other NSLs — the ones for which we have real data about how many US persons the NSLs “pertained to” — affected far more US persons. That’s because the Exigent Letters IG Report made it clear that two providers (one of these is AT&T, which did it routinely; see page 75ff) provided community of interest information — multiple hops of call records — in response to NSLs. In discovering that, DOJ’s IG complained that FBI was routinely getting information — the derivative call records — that it had not done a relevancy determination for, but it didn’t object across the board.

That concern about ensuring that records obtained via a national security request are “relevant” according to the plain meaning of the term sure seems quaint right now, doesn’t it?

But the potential that FBI is using NSLs to obtain derivative records off of the original selector would sure explain why PRG and Pat Leahy and others are concerned about NSLs (and what we would call — but IC wouldn’t — “bulk collection”).

I assume they can only do this with complicit providers (and I suspect this explains the rise of Section 215 orders with attached minimization requirements in recent years).

But if it happens in significant number at all, it would explain why Leahy and PRG consider it an equivalent problem to Section 215. Because it would mean FBI was using NSLs — not just with telecom and Internet records, but possibly with other things (though I don’t see how you could do this on credit reports) — to get data on associations several levels removed from the target of the NSL.

Here’s the immediate takeaway, though.

Aside from the phone book application (which is significant and I think would be curtailed given the HJC bill, unless FBI were to make requests of AT&T using “AT&T” as the selection term) and financial records (which I’m still thinking through), NSLs appear to include a great deal of “bulk” collection (that is, collection of innocent persons’ data based on association). But they appear to do so from specific identifiers.

And that will not be curtailed by the HJC bill, not at all. It is clear these requests for NSLs are already currently based off selectors — it shows in this reporting.

So at least for two uses of NSLs — credit reports and call details (but not subscriber records) — the House bill simply codifies the status quo.

Update: Here’s the financial records language on NSLs:

Financial institutions, and officers, employees, and agents thereof, shall comply with a request for a customer’s or entity’s financial records made pursuant to this subsection by the Federal Bureau of Investigation when the Director of the Federal Bureau of Investigation (or the Director’s designee in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director) certifies in writing to the financial institution that such records are sought for foreign counter intelligence purposes to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution of the United States.

It’s clearly intended to work for things that would be a selection term — “customer” or “entity” (which in this context would seem to be different from a customer!) — but I’m not sure it requires that the collection be based off the customer selection term.

“Specific Selection Term:” Still Not Convinced

While I was squawking about how Jim Sensenbrenner issued a manager’s amendment (aka USA Freedumb) purporting to end bulk collection by tying everything to a “specific selection term” without defining what “specific selection term” meant, the House Judiciary Committee released an updated version of the bill defining the term.

(2) SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a term used to uniquely describe a person, entity, or account.’

All the relevant invocations of the term now refer back to this definition.

The language not only doesn’t convince me this bill works, I think it validates my concern about the bill.

That’s because the word “entity” is already too loosely defined. Is this like the definition of the entity that struck us on 9/11 that Presidents have expanded anachronistically? Al Qaeda = AQAP = al-Nusra?

And in just about every case imaginable — an entity’s phone numbers, its bank accounts, its email addresses (though perhaps not domain name and IP) — there is a necessary translation process between the entity and the selector(s) that would be used for a search.

That this translation happens shows up in some of the invocations of “specific selection term” where they say the “specific selection term” will be used as a “basis” for selecting what to actually search on, as with the Pen Register section.

(3) a specific selection term to be used as the basis for selecting the telephone line or other facility to which the pen register or trap and trace device is to be attached or applied; and’

Al Qaeda is not the name of the telephone line (or facility, which itself has been an invention used to conduct bulk collection in the name of a specific selector).

This “basis for” language shows up even with the NSL language.

COUNTERINTELLIGENCE ACCESS TO TELEPHONE TOLL AND TRANSACTIONAL RECORDS.—Section 2709(b)  of title 18, United States Code, is amended in the matter preceding paragraph (1) by striking ‘‘may’’ and inserting ‘‘may, using a specific selection term as the basis for a request’’.

If the bill just required account identifiers or eliminated that “as a basis for” language, it might work. But as it is, that “as a basis for” involves analysis that also involves the possibility of using far different — and far broader — terms for the actual queries. (And it’s not clear — at least not to me — where and whether judges would get to approve this translation process.)

But you don’t have to take my word for it. You can look at a program that relied on “specific selection terms” “as a basis for” unbelievably vast collection.

The phone dragnet program.

In every single phone dragnet order, there’s a section that says records may only be searched if they’ve been associated with particular entities. Here’s the first one:

[Image: screenshot of the section from the first phone dragnet order]

USA Freedumb Act: The Timing

A number of people have expressed appreciation for this analysis: if you find this useful, please consider donating to support my work. 

I’m going to do a series of more finished posts on the “compromised” version of Jim Sensenbrenner’s USA Freedom Act, which I hereby dub the USA Freedumb Act (thanks to Fake John Schindler for the suggestion), because so many of the reforms have been gutted. Here’s the initially proposed bill. Here’s my working thread on USA Freedumb.

You will hear a great many respectable people making positive comments about this bill, comments they normally would not make. That’s because of the carefully crafted timing.

As you recall, Mike Rogers originally got the House Parliamentarian to rule that the bill could go through the House Intelligence Committee. And his bill, which I affectionately call “RuppRoge” after Rogers and Dutch Ruppersberger and Scooby Doo’s “Rut Roh” phase, is genuinely shitty. Not only does it put the NSA onsite at providers and extend call records collection beyond terrorism applications, but it also extends such collection beyond call records generally. It is likely an attempt to get the US back into the Internet dragnet business. Shitty bill.

That said, in key ways RuppRoge is very similar to USA Freedumb. Both “limit” bulk collection by limiting collection to selectors (Freedumb does so across the board, including for NSLs, whereas RuppRoge does so for sensitive Business Records, call records, and Internet metadata). Both propose a similarly (IMO) flimsy FISC advocate. Both propose laughably weak FISC transparency measures. Both will include compensation and immunity for providers they don’t currently have.

Aside from three areas where RuppRoge is better — it forces agencies to update their EO 12333 proposals, doesn’t extend the PATRIOT Act, and provides a (not very useful) way to challenge certificates, all the way up to SCOTUS — and three where it is far worse — it develops more Insider Threat measures, it applies for uses beyond terrorism and beyond call records, and doesn’t include new (but now circumscribed) IG reporting  — they’re not all that different. [Correction: USA Freedumb ALSO applies beyond terrorism.]

They’re differently shitty, but both are pretty shitty.

The reason why otherwise respectable people are welcoming the shitty Freedumb bill, however, is that it gives House Judiciary Committee — with a number of real reformers on it — first pass on this bill. It’s a jurisdictional issue. It puts the jurisdiction for surveillance bills back where it belongs, at the Judiciary Committee.

Oh, by the way, one of the more extensive (in terms of text) real changes in Freedumb is it finally includes the House Judiciary Committee, along with the House and Senate Intelligence Committees and Senate Judiciary Committee, among the committees that get certain kinds of reporting. Jurisdiction. (No, I can’t explain to you why it wasn’t included in the first place in 2008, and no, I can’t explain why that detail is not better known.) It gives everyone on HJC a tiny reason to support the bill, because they’ll finally get the reporting they should have gotten in 2008.

The House Intelligence Committee will consider RuppRoge the day after HJC considers Freedumb, Thursday. Which has elicited hasty (overly hasty, IMO) statements of support for Freedumb, as a way to head off the shitty RuppRoge.

Effectively, the National Security State has managed to put two differently shitty bills before Congress and forced reformers to choose. Freedumb is the better (as in less horrible) bill, and it might get better in Committee. But it’s not a runaway call. And the haste has prevented anyone from really figuring out what a central change to both programs means, which limits collection to selectors, which could be defined in very broad terms (and about which — you’ll have to take my word for now — the NSA has lied in public comments).

One more timing issue that I suspect explains the sudden activity surrounding “reform.” The Privacy and Civil Liberties Oversight Board is due to release a report on Section 702 in the next month or so (its comment period for the report closed on April 11). Given the comments of David Medine, James Dempsey, and Patricia Wald at hearings, I strongly suspect PCLOB will recommend reforms — at least — to back door searches, and possibly to upstream collection. Both are items which were gutted as USA Freedom became Freedumb. (In addition, two aspects that would have expanded PCLOB’s authorities — giving it a role in picking the FISC advocate and giving it subpoena power — have been removed.) So in the same way that President Obama rushed to reaffirm NSA’s unified structure, in which the Information Assurance Division and Cybercommand functions are unified with the more general NSA spying function, before his handpicked Review Group recommended they be split, this seems to be a rush to pre-empt any recommendations PCLOB makes.

Ultimately, these two shitty bills are destined to be merged in conference anyway, and reformers seem to have given up 75% of the field before we get started.

Which means just about the only “reform” we’ll get are actually tactical fixes to help the Security State deal with legal and technical issues they’ve been struggling with.

The USA Freedumb Act has become — with DiFi’s Fake FISA Fix and RuppRoge before it — the third fake reform since Edward Snowden’s leaks first got published. Wearing down the reformers seems to be working.