Posts

A Dragnet of emptywheel’s Most Important Posts on Surveillance, 2007 to 2017

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten this week.

To celebrate, the emptywheel team has been sharing some of our favorite work from the last decade. This is my massive dragnet of surveillance posts.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2007

Whitehouse Reveals Smoking Gun of White House Claiming Not to Be Bound by Any Law

Just days after opening the new digs, I noticed Sheldon Whitehouse entering important details into the Senate record — notably, that John Yoo had pixie dusted EO 12333 to permit George Bush to authorize the Stellar Wind dragnet. In the ten years since, both parties worked to gradually expand spying on Americans under EO 12333, only to have Obama permit the sharing of raw EO 12333 data in its last days in office, completing the years long project of restoring Stellar Wind’s functionalities. This post, from 2016, analyzes a version of the underlying memo permitting the President to change EO 12333 without providing public notice he had done so.

2008

McConnell and Mukasey Tell Half Truths

In the wake of the Protect America Act, I started to track surveillance legislation as it was written, rather than figure out after the fact how the intelligence community snookered us. In this post, I examined the veto threats Mike McConnell and Michael Mukasey issued in response to some Russ Feingold amendments to the FISA Amendments Act and showed that the government intended to use that authority to access Americans’ communication via both what we now call back door searches and reverse targeting. “That is, one of the main purposes is to collect communications in the United States.”

9 years later, we’re still litigating this (though, since then FISC has permitted the NSA to collect entirely domestic communications under the 2014 exception).

2009

FISA + EO 12333 + [redacted] procedures = No Fourth Amendment

The Government Sez: We Don’t Have a Database of All Your Communication

After the FISCR opinion on what we now know to be the Yahoo challenge to Protect American Act first got declassified, I identified several issues that we now have much more visibility on. First, PAA permitted spying on Americans overseas under EO 12333. And it didn’t achieve particularity through the PAA, but instead through what we know to be targeting procedures, including contact chaining. Since then we’ve learned the role of SPCMA in this.

In addition, to avoid problems with back door searches, the government claimed it didn’t have a database of all our communication — a claim that, narrowly parsed might be true, but as to the intent of the question was deeply misleading. That claim is one of the reasons we’ve never had a real legal review of back door searches.

Bush’s Illegal Domestic Surveillance Program and Section 215

On PATRIOTs and JUSTICE: Feingold Aims for Justice

During the 2009 PATRIOT Act reauthorization, I continued to track what the government hated most as a way of understanding what Congress was really authorizing. I understood that Stellar Wind got replaced not just by PAA and FAA, but also by the PATRIOT authorities.

All of which is a very vague way to say we probably ought to be thinking of four programs–Bush’s illegal domestic surveillance program and the PAA/FAA program that replaced it, NSLs, Section 215 orders, and trap and trace devices–as one whole. As the authorities of one program got shut down by exposure or court rulings or internal dissent, it would migrate to another program. That might explain, for example, why Senators who opposed fishing expeditions in 2005 would come to embrace broadened use of Section 215 orders in 2009.

I guessed, for example, that the government was bulk collecting data and mining it to identify targets for surveillance.

We probably know what this is: the bulk collection and data mining of information to select targets under FISA. Feingold introduced a bajillion amendments that would have made data mining impossible, and each time Mike McConnell and Michael Mukasey would invent reasons why Feingold’s amendments would have dire consequences if they passed. And the legal information Feingold refers to is probably the way in which the Administration used EO 12333 and redacted procedures to authorize the use of data mining to select FISA targets.

Sadly, I allowed myself to get distracted by my parallel attempts to understand how the government used Section 215 to obtain TATP precursors. As more and more people confirmed that, I stopped pursuing the PATRIOT Act ties to 702 as aggressively.

2010

Throwing our PATRIOT at Assange

This may be controversial, given everything that has transpired since, but it is often forgotten what measures the US used against Wikileaks in 2010. The funding boycott is one thing (which is what led Wikileaks to embrace Bitcoin, which means it is now in great financial shape). But there’s a lot of reason to believe that the government used PATRIOT authorities to target not just Wikileaks, but its supporters and readers; this was one hint of that in real time.

2011

The March–and April or May–2004 Changes to the Illegal Wiretap Program

When the first iteration of the May 2004 Jack Goldsmith OLC memo first got released, I identified that there were multiple changes made and unpacked what some of them were. The observation that Goldsmith newly limited Stellar Wind to terrorist conversations is one another reporter would claim credit for “scooping” years later (and get the change wrong in the process). We’re now seeing the scope of targeting morph again, to include a range of domestic crimes.

Using Domestic Surveillance to Get Rapists to Spy for America

Something that is still not widely known about 702 and our other dragnets is how they are used to identify potential informants. This post, in which I note Ted Olson’s 2002 defense of using (traditional) FISA to find rapists whom FBI can then coerce to cooperate in investigations was the beginning of my focus on the topic.

2012

FISA Amendments Act: “Targeting” and “Querying” and “Searching” Are Different Things

During the 2012 702 reauthorization fight, Ron Wyden and Mark Udall tried to stop back door searches. They didn’t succeed, but their efforts to do so revealed that the government was doing so. Even back in 2012, Dianne Feinstein was using the same strategy the NSA currently uses — repeating the word “target” over and over — to deny the impact on Americans.

Sheldon Whitehouse Confirms FISA Amendments Act Permits Unwarranted Access to US Person Content

As part of the 2012 702 reauthorization, Sheldon Whitehouse said that requiring warrants to access the US person content collected incidentally would “kill the program.” I took that as confirmation of what Wyden was saying: the government was doing what we now call back door searches.

2013

20 Questions: Mike Rogers’ Vaunted Section 215 Briefings

After the Snowden leaks started, I spent a lot of time tracking bogus claims about oversight. After having pointed out that, contrary to Administration claims, Congress did not have the opportunity to be briefed on the phone dragnet before reauthorizing the PATRIOT Act in 2011, I then noted that in one of the only briefings available to non-HPSCI House members, FBI had lied by saying there had been no abuses of 215.

John Bates’ TWO Wiretapping Warnings: Why the Government Took Its Internet Dragnet Collection Overseas

Among the many posts I wrote on released FISA orders, this is among the most important (and least widely understood). It was a first glimpse into what now clearly appears to be 7 years of FISA violation by the PRTT Internet dragnet. It explains why they government moved much of that dragnet to SPCMA collection. And it laid out how John Bates used FISA clause 1809(a)(2) to force the government to destroy improperly collected data.

Federated Queries and EO 12333 FISC Workaround

In neither NSA nor FBI do the authorities work in isolation. That means you can conduct a query on federated databases and obtain redundant results in which the same data point might be obtained via two different authorities. For example, a call between Michigan and Yemen might be collected via bulk collection off a switch in or near Yemen (or any of the switches between there and the US), as well as in upstream collection from a switch entering the US (and all that’s assuming the American is not targeted). The NSA uses such redundancy to apply the optimal authority to a data point. With metadata, for example, it trained analysts to use SPCMA rather than PATRIOT authorities because they could disseminate it more easily and for more purposes. With content, NSA appears to default to PRISM where available, probably to bury the far more creative collection under EO 12333 for the same data, and also because that data comes in structured form.

Also not widely understood: the NSA can query across metadata types, returning both Internet and phone connection in the same query (which is probably all the more important now given how mobile phones collapse the distinction between telephony and Internet).

This post described how this worked with the metadata dragnets.

The Purpose(s) of the Dragnet, Revisited

The government likes to pretend it uses its dragnet only to find terrorists. But it does far more, as this analysis of some court filings lays out.

2014

The Corporate Store: Where NSA Goes to Shop Your Content and Your Lifestyle

There’s something poorly understood about the metadata dragnets NSA conducts. The contact-chaining isn’t the point. Rather, the contact-chaining serves as a kind of nomination process that puts individuals’ selectors, indefinitely, into the “corporate store,” where your identity can start attracting other related datapoints like a magnet. The contact-chaining is just a way of identifying which people are sufficiently interesting to submit them to that constant, ongoing data collection.

SPCMA: The Other NSA Dragnet Sucking In Americans

I’ve done a lot of work on SPCMA — the authorization that, starting in 2008, permitted the NSA to contact chain on and through Americans with EO 12333 data, which was one key building block to restoring access to EO 12333 analysis on Americans that had been partly ended by the hospital confrontation, and which is where much of the metadata analysis affecting Americans has long happened. This was my first comprehensive post on it.

The August 20, 2008 Correlations Opinion

A big part of both FBI and NSA’s surveillance involves correlating identities — basically, tracking all the known identities a person uses on telephony and the Internet (and financially, though we see fewer details of that), so as to be able to pull up all activities in one profile (what Bill Binney once called “dossiers”). It turns out the FISC opinion authorizing such correlations is among the documents the government still refuses to release under FOIA. Even as I was writing the post Snowden was explaining how it works with XKeyscore.

A Yahoo! Lesson for USA Freedom Act: Mission Creep

This is another post I refer back to constantly. It shows that, between the time Yahoo first discussed the kinds of information they’d have to hand over under PRISM in August 2007 and the time they got directives during their challenge, the kinds of information they were asked for expanded into all four of its business areas. This is concrete proof that it’s not just emails that Yahoo and other PRISM providers turn over — it’s also things like searches, location data, stored documents, photos, and cookies.

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

Confession: I have an entire chapter of the start of a book on the Yahoo challenge to PRISM. That’s because so much about it embodied the kind of dodgy practices the government has, at the most important times, used with the FISA Court. In this post, I showed that the documents that the government provided the FISCR hid the fact that the then-current versions of the documents had recently been modified. Using the active documents would have shown that Yahoo’s key argument — that the government could change the rules protecting Americans anytime, in secret — was correct.

2015

Is CISA the Upstream Cyber Certificate NSA Wanted But Didn’t Really Get?

Among the posts I wrote on CISA, I noted that because the main upstream 702 providers have a lot of federal business, they’ll “voluntarily” scan on any known cybersecurity signatures as part of protecting the federal government. Effectively, it gives the government the certificate it wanted, but without any of the FISA oversight or sharing restrictions. The government has repeatedly moved collection to new authorities when FISC proved too watchful of its practices.

The FISA Court’s Uncelebrated Good Points

Many civil libertarians are very critical of the FISC. Not me. In this post I point out that it has policed minimization procedures, conducted real First Amendment reviews, taken notice of magistrate decisions and, in some cases, adopted the highest common denominator, and limited dissemination.

How the Government Uses Location Data from Mobile Apps

Following up on a Ron Wyden breadcrumb, I figured out that the government — under both FISA and criminal law — obtain location data from mobile apps. While the government still has to adhere to the collection standard in any given jurisdiction, obtaining the data gives the government enhanced location data tied to social media, which can implicate associates of targets as well as the target himself.

The NSA (Said It) Ate Its Illegal Domestic Content Homework before Having to Turn It in to John Bates

I’m close to being able to show that even after John Bates reauthorized the Internet metadata dragnet in 2010, it remained out of compliance (meaning NSA was always violating FISA in obtaining Internet metadata from 2002 to 2011, with a brief lapse). That case was significantly bolstered when it became clear NSA hastily replaced the Internet dragnet with obtaining metadata from upstream collection after the October 2011 upstream opinion. NSA hid the evidence of problems on intake from its IG.

FBI Asks for at Least Eight Correlations with a Single NSL

As part of my ongoing effort to catalog the collection and impact of correlations, I showed that the NSL Nick Merrill started fighting in 2004 asked for eight different kinds of correlations before even asking for location data. Ultimately, it’s these correlations as much as any specific call records that the government appears to be obtaining with NSLs.

2016

What We Know about the Section 215 Phone Dragnet and Location Data

During the lead-up to the USA Freedom Debate, the government leaked stories about receiving a fraction of US phone records, reportedly because of location concerns. The leaks were ridiculously misleading, in part because they ignored that the US got redundant collection of many of exactly the same calls they were looking for from EO 12333 collection. Yet in spite of these leaks, the few figured out that the need to be able to force Verizon and other cell carriers to strip location data was a far bigger reason to pass USAF than anything Snowden had done. This post laid out what was known about location data and the phone dragnet.

While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704

When Congress passed FISA Amendments Act, it made a show of providing protections to Americans overseas. One authority, Section 703, was for spying on people overseas with help of US providers, and another was for spying on Americans overseas without that help. By May 2016, I had spent some time laying out that only the second, which has less FISC oversight, was used. And I was seeing problems with its use in reporting. So I suggested maybe Congress should look into that?

It turns out that at precisely that moment, NSA was wildly scrambling to get a hold on its 704 collection, having had an IG report earlier in the year showing they couldn’t audit it, find it all, or keep it within legal boundaries. This would be the source of the delay in the 702 reauthorization in 2016, which led to the prohibition on about searches.

The Yahoo Scan: On Facilities and FISA

The discussion last year of a scan the government asked Yahoo to do of all of its users was muddled because so few people, even within the privacy community, understand how broadly the NSA has interpreted the term “selector” or “facility” that it can target for collection. The confusion remains to this day, as some in the privacy community claim HPSCI’s use of facility based language in its 702 reauthorization bill reflects new practice. This post attempts to explain what we knew about the terms in 2016 (though the various 702 reauthorization bills have offered some new clarity about the distinctions between the language the government uses).

2017

Ron Wyden’s History of Bogus Excuses for Not Counting 702 US Person Collection

Ron Wyden has been asking for a count of how many Americans get swept up under 702 for years. The IC has been inventing bogus explanations for why they can’t do that for years. This post chronicles that process and explains why the debate is so important.

The Kelihos Pen Register: Codifying an Expansive Definition of DRAS?

When DOJ used its new Rule 41 hacking warrant against the Kelihos botnet this year, most of the attention focused on that first-known usage. But I was at least as interested in the accompanying Pen Register order, which I believe may serve to codify an expansion of the dialing, routing, addressing, and signaling information the government can obtain with a PRTT. A similar codification of an expansion exists in the HJC and Lee-Leahy bills reauthorizing 702.

The Problems with Rosemary Collyer’s Shitty Upstream 702 Opinion

The title speaks for itself. I don’t even consider Rosemary Collyer’s 2017 approval of 702 certificates her worst FISA opinion ever. But it is part of the reason why I consider her the worst FISC judge.

It Is False that Downstream 702 Collection Consists Only of To and From Communications

I pointed out a number of things not raised in a panel on 702, not least that the authorization of EO 12333 sharing this year probably replaces some of the “about” collection function. Most of all, though, I reminded that in spite of what often gets claimed, PRISM is far more than just communications to and from a target.

UNITEDRAKE and Hacking under FISA Orders

A document leaked by Shadow Brokers reveals a bit about how NSA uses hacking on FISA targets. Perhaps most alarmingly, the same tools that conduct such hacks can be used to impersonate a user. While that might be very useful for collection purposes, it also invites very serious abuse that might create a really nasty poisonous tree.

A Better Example of Article III FISA Oversight: Reaz Qadir Khan

In response to Glenn Gerstell’s claims that Article III courts have exercised oversight by approving FISA practices (though the reality on back door searches is not so cut and dry), I point to the case of Reaz Qadir Khan where, as Michael Mosman (who happens to serve on FISC) moved towards providing a CIPA review for surveillance techniques, Khan got a plea deal.

The NSA’s 5-Page Entirely Redacted Definition of Metadata

In 2010, John Bates redefined metadata. That five page entirely redacted definition became codified in 2011. Yet even as Congress moves to reauthorize 702, we don’t know what’s included in that definition (note: location would be included).

FISA and the Space-Time Continuum

This post talks about how NSA uses its various authorities to get around geographical and time restrictions on its spying.

The Senate Intelligence Committee 702 Bill Is a Domestic Spying Bill

This is one of the most important posts on FISA I’ve ever written. It explains how in 2014, to close an intelligence gap, the NSA got an exception to the rule it has to detask from a facility as soon as it identifies Americans using the facility. The government uses it to collect on Tor and, probably VPN, data. Because the government can keep entirely domestic communications that the DIRNSA has deemed evidence of a crime, the exception means that 702 has become a domestic spying authority for use with a broad range of crimes, not to mention anything the Attorney General deems a threat to national security.

“Hype:” How FBI Decided Searching 702 Content Was the Least Intrusive Means

In a response to a rare good faith defense of FBI’s back door searches, I pointed out that the FBI is obliged to consider the least intrusive means of investigation. Yet, even while it admits that accessing content like that obtained via 702 is extremely intrusive, it nevertheless uses the technique routinely at the assessment level.

Other Key Posts Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

10 Years of emptywheel: Key Non-Surveillance Posts 2016-2017

10 Years of emptywheel: Jim’s Dimestore

Verizon Gets Out of the Upstream Surveillance Business

Even as the privacy world has been discussing how NSA got out of one kind of the upstream collection business on April 28, most people overlooked that someone else got out of the upstream collection business almost entirely just a few days later. That’s when Verizon finalized its sale of a big chunk of its data centers — including the ones used for Stormbrew collection — to Equinix. (h/t to SpaceLifeForm for reminding me)

When Equinix announced the $3.6B cash purchase in December, it emphasized the Miami data center — though which much of the traffic from Latin America passes on to the rest of the world — and the Culpepper site serving the National Security world.

  • The NAP (Network Access Point) of the Americas facility in Miami is a key interconnection point and will become a strategic hub and gateway for Equinix customer deployments servicing Latin America. Combined with the Verizon data centers in Bogotá and the NAP do Brasil in São Paulo, it will strategically position Equinix in the growing Latin American market.
  • The NAP of the Capital Region in Culpeper, VA is a highly secure campus focused on government agency customers, strengthening Equinix as a platform of choice for government services and service providers.

The purchase also expands Equinix’s presence in Silicon Valley.

Mind you, spying infrastructure has continued to evolve since Snowden documents elucidated where the Stormbrew collection points were and what they did. So maybe these data centers are no longer key “chokepoints’ (as the NSA called them) of American spying.

But if they are, then Verizon is no longer the one sifting through your data.

In Spying, “Things like phone numbers or emails” Turn Out to Be Far More

According to Reuters, the Intelligence Community doesn’t intend to share any details of the Yahoo scan revealed several weeks back with anyone outside of the FISA oversight committees — the House and Senate Intelligence and Judiciary Committees.

Executive branch officials spoke to staff for members of the Senate and House of Representatives committees overseeing intelligence operations and the judiciary, according to people briefed on the events, which followed Reuters’ disclosure of the massive search.

But attempts by other members of Congress and civil society groups to learn more about the Yahoo order are unlikely to meet with success anytime soon, because its details remain a sensitive national security matter, U.S. officials told Reuters. Release of any declassified version of the order is unlikely in the foreseeable future, the officials said.

On its face, it’s a stupid stance, as I think the scan probably fits within existing legal precedents that have already been made public, even if it stretches those precedents from “packet content as content” to “email content as content” (and it may not even do that).

In addition, given that the scan was approved by a judge (albeit one working within the secret FISA court and relying on prior decisions that were issued in secrecy), by releasing more details about the scan the government could at least claim that a judge had determined the scan was necessary and proportionate to obtain details about the (as described to NYT) state-sponsored terrorist group targeted by the scan. This decision presumably relies on a long line of decisions finding warrantless surveillance justified by special needs precedents, which began to be laid out for FISC in In Re Sealed Case in 2002.

Nevertheless, even given the toll the government’s secrecy is having on Yahoo (and presumably on other providers’ willingness to cooperate with the IC), the government thus far has remained intransigent in its secrecy.

Which suggests that the IC believes it would risk more by releasing more data than by its continued, damaging silence.

I’ve already explained one of the risks they might face: that their quick anonymous description of this as a “state-sponsored terrorist group” might (this is admittedly a wildarsed guess) really mean they hacked all of Yahoo’s users to get to Iranian targets, something that wouldn’t have the same scare power as terrorists like ISIS, especially in Europe, which has a markedly different relationship with Iran than the US has.

But I also think ODNI risks losing credibility because it appears to conflict with what ODNI specifically and other spook officials generally have said in the past, both to the US public and to the international community. As I note here, the definition of “facility” has been evolving at FISC since at least 2004. But the privacy community just released a letter and a quote to Reuters that seems unaware of the change. The letter asserts,

According to reports, the order was issued under Title I of FISA, which requires the government to demonstrate probable cause that its target is a foreign power or an agent of a foreign power (such as a spy or a terrorist), and probable cause that the “facility” at which the surveillance is conducted will carry the target’s communications. If reports are true, this authority to conduct a particularized search has apparently been secretly construed to authorize a mass scan.

Traditional FISA orders haven’t been limited to particularized targets since 2007, when an order targeting Al Qaeda was used to temporarily give Stellar Wind legal sanction. If one order requiring a scan of traffic at  telecom switches could target Al Qaeda in 2007, then surely one order can target Iran’s Revolutionary Guard or a similar organization in 2016. The problem is in the execution of the order, requiring Yahoo to scan all its incoming email, but it’s not clear the legal issues are much worse than in the 2007 execution.

A Reuters source goes even further, suggesting that all of Yahoo is the facility, rather than the specific code tied to the targeted group.

The groups say that Title I of the Foreign Intelligence Surveillance Act, under which sources said the order was issued, requires a finding that the target of such a wiretap is probably an agent of a foreign power and that the facility to be tapped is probably going to be used for a transmission. An entire service, such as Yahoo, has never publicly been considered to be a “facility” in such a case: instead, the word usually refers to a phone number or an email account.

Never mind that under the phone dragnet, Verizon was counted as the targeted selector (which was used by terrorists and everyone else), though admittedly that was just for metadata. Had Yahoo been designed the “place” at which a physical search were conducted this usage might be correct (that said, we know very little about how physical searches, including for stored communication, work in practice), but as Semiannual reports have made clear (admittedly in the Section 702 context), facility has come to be synonymous with selector.

[T]argeting is effectuated by tasking communication facilities (also referred to as “selectors”), including but not limited to telephone numbers and electronic communications accounts, to Section 702 electronic communication service providers.

Facilities are selectors, and here FBI got a selector tied to a kind of usage of email — perhaps an encryption signature — approved as a selector/facility.

In spite of the fact that somewhere among 30 NGOs someone should have been able to make this argument (and ACLU’s litigation side surely could do so), there is good reason for them to believe this.

That’s because the IC has very deliberately avoided talking about how what are called “about” scans but really should be termed signature scans really work.

This is most striking in a March 19, 2014 Privacy and Civil Liberties Oversight Board hearing, which was one of the most extensive discussions of how Section 702 work. Shortly after this hearing, I contacted PCLOB to ask whether they were being fully briefed, including on the non-counterterrorism uses of 702, such as cyber, which use (or used) upstream selectors in a  different way.

Several different times in the hearing, IC witnesses described selectors as “selectors such as telephone numbers or email addresses” or “like telephone numbers or email addresses,” obscuring the full extent of what might be included (Snowden tweeted a list that I included here). Bob Litt did so while insisting that Section 702 (he was referring both to PRISM and upstream here) was not a bulk collection program:

I want to make a couple of important overview points about Section 702. First, there is either a misconception or a mischaracterization commonly repeated that Section 702 is a form of bulk collection. It is not bulk collection. It is targeted collection based on selectors such as telephone numbers or email addresses where there’s reason to believe that the selector is relevant to a foreign intelligence purpose.

I just want to repeat that Section 702 is not a bulk collection program.

Then-Deputy Assistant Attorney General Brad Weigmann said selectors were “really phone numbers, email addresses, things like that” when he defined selector.

A selector would typically be an email account or a phone number that you are targeting. So this is the, you get, you know, terrorists at Google.com, you know, whatever. That’s the address that you have information about that if you have reason to believe that that person is a terrorist and you would like to collect foreign intelligence information, I might be focusing on that person’s account.

[snip]

So that’s when we say selector it’s really an arcane term that people wouldn’t understand, but it’s really phone numbers, email addresses, things like that.

And when then-NSA General Counsel Raj De moved from describing Section 702 generally (“selectors are things like”), to discussing upstream, he mistakenly said collection was based on “particularly phone numbers or emails” then immediately corrected himself to say, “things like phone numbers or emails.”

So there’s two types of collection under Section 702. Both are targeted, as Bob was saying, which means they are both selector-based, and I’ll get into some more detail about what that means. Selectors are things like phone numbers and email addresses.

[snip]

It is also however selector-based, i.e. based on particular phone numbers or emails, things like phone numbers or emails. This is collection to, from, or about selectors, the same selectors that are used in PRISM selection. This is not collection based on key words, for example.

 

That language would — and apparently did — create the false impression that about collection really did just use emails and phone numbers (which is why I called PCLOB, because I knew they were or had also targeted cyber signatures).

Here’s how all that evasiveness appeared in the PCLOB 702 report:

Although we cannot discuss the details in an unclassified public report, the moniker “about” collection describes a number of distinct scenarios, which the government has in the past characterized as different “categories” of “about” collection. These categories are not predetermined limits that confine what the government acquires; rather, they are merely ways of describing the different forms of communications that are neither to nor from a tasked selector but nevertheless are collected because they contain the selector somewhere within them.

That certainly goes beyond the linguistic game the IC witnesses were playing, but stops well short of explaining that this really isn’t all about emails and phone numbers.

Plus, there’s one exchange from that March 2014 hearing that might be taken to rule out about collection from a PRISM provider. In reply to specific prodding from Elisabeth Collins Cook, De said about collection cannot be made via PRISM.

MS. COLLINS COOK: I wanted to ask one additional question about abouts. Can you do about collection through PRISM?

MR. DE: No.

MS. COLLINS COOK: So it is limited to upstream collection?

MR. DE: Correct. PRISM is only collection to or from selectors.

Of course, De was referring to warrantless collection under Section 702. He wasn’t talking at all about what is possible under Title I. But it may have left the impression that one couldn’t order a PRISM provider to do an about scan, even though in 2007 FISA ordered telecoms to do about scans.

Ultimately, though, the IC is likely remaining mum about these details because revealing it would make clear what publicly released opinions do, but not in real detail: that these about scans have gotten far beyond a collection of content based off a scan of readily available metadata. These scans likely replicate the problem identified in 2004, in that the initial scan is not of things that count as metadata to the provider doing the scan.

The IC may have FISC approval for that argument. But they also had FISC approval for the Section 215 dragnet. And that didn’t live up to public scrutiny either.

Can the Government Use FISA to Get Evidence of Past Criminal Activities?

A terror support case due to start in NYC in December seems to present some interesting questions about the use of EO 12333 and FISA evidence. Ahmed Mohammed El Gammal was arrested last year on charges he helped someone else — who apparently got killed in Syria — travel to and train for ISIL. After almost a year and several continuations, the government provided notice they intended to use material gathered under a FISA physical surveillance order (but not an electronic surveillance order). The case clearly involves a ton of Internet communications; the defense proposed voir dire questions ask if potential jurors are familiar with Twitter, Tango, Whatsapp, Cryptocat, Viber, Skype, Surespot or Snapchat, and asks how much potential jurors use Facebook.

After the government submitted the FISA notice, El Gammal’s lawyers submitted three filings: one seeking access to CIPA information, one seeking to suppress the FISA material, and one asking where all the other surveillance came from.

The FISA complaint, aside from the standard challenge, appears to stem from both the delay in notification and some concerns the government did not adhere to minimization procedures (in the defense reply, they noted that the government had already released minimization procedures but refused to do so here). In addition, the FISA challenge suggests the government used FISA to “was to gather evidence of his past criminal activity,” which it argues is unlawful. His lawyers also seem to question whether there was no other way to obtain the information (which is particularly interesting given the delayed notice).

In addition, the government’s response describes some of the reasons El Gammal’s lawyers suspect the government used some kind of exotic (probably 12333) surveillance against him (some of which are partly or entirely redacted in the defense filings).

The defendant’s motion speculates that the Government relied upon undisclosed techniques when it (1) “appears to have sought information about El Gammal from at least two entities—Verizon and Yahoo—before his identity seems to have become known through the criminal investigation,” (Def. Memo. 3) (2) “seems to have learned about El Gammal before receiving, in the criminal investigation, the first disclosure that would necessarily have identified him,” (Def. Memo. 5) and (3) appeared to have “reviewed the contents of [CC-1’s] [social media] account before [the social media provider] made its Rule 41 return” (Def. Memo. 5). This speculation is baseless. The Government has used a number of investigative techniques in this case. Not all of those techniques require notice or disclosure at this (or any) stage of the investigation.2 And the Government has complied with its notice and disclosure obligations to date.

2 Additional background regarding this investigation is provided in Section IV.A. of the Government’s September 23, 2016 Classified Memorandum in Opposition to the Defendant’s Pretrial Motion to Suppress, and for the Disclosure of the FISA Order, Application, and Related Materials.

It appears that the government had obtained Facebook material (the primary social media involved here) either under Section 702 or EO 12333, then parallel constructed it via warrant. And it appears to suggest the involvement of some kind  of programmatic Verizon and Yahoo collection that may not have been disclosed (El Gammal was in custody before the end of the old phone dragnet).

Particularly given the timing (in the wake of FBI obtaining a way to get into Syed Rezwan Farook’s phone), I had thought the physical search might have been to decrypt El Gammal’s iPhone, but it appears the government had no problems accessing the content of multiple Apple devices.

There’s no reason to think El Gammal will have any more luck obtaining this information than previous defendants seeking FISA and 12333 information have been.

But his lawyers (SDNY’s excellent public defenders office) do seem to think they’re looking at something more programmatic than they’ve seen before. And they do seem to believe those techniques are being parallel constructed.

Does a Fifth of Yahoo’s Value Derive from (Perceived) Security and Privacy?

The NYPost is reporting that Verizon is trying to get a billion dollar discount off its $4.8 billion purchase price for Yahoo.

“In the last day we’ve heard that [AOL head, who is in charge of these negotiations] Tim [Armstong] is getting cold feet. He’s pretty upset about the lack of disclosure and he’s saying can we get out of this or can we reduce the price?” said a source familiar with Verizon’s thinking.

That might just be tough talk to get Yahoo to roll back the price. Verizon had been planning to couple Yahoo with its AOL unit to give it enough scale to be a third force to compete with Google and Facebook for digital ad dollars.

The discount is being pushed because it feels Yahoo’s value has been diminished, sources said.

AOL/Yahoo will reach about 1 billion consumers if the deal closes in the first quarter, with a stated goal to reach 2 billion by 2020. AOL boss Tim Armstrong flew to the West Coast in the past few days to meet with Yahoo executives to hammer out a case for a price reduction, a source said.

At one level, this is just business. Verizon has the opportunity to save some money, and it is exploring that opportunity.

But the underlying argument is an interesting one, as it floats a potential value — over a fifth of the original purchase price — tied to Yahoo’s ability to offer its users privacy.

As I understand it, the basis for any discount would be an interesting debate, too. The NYP story implies this is a reaction to both Yahoo’s admission that upwards of 500 million Yahoo users got hacked in 2014 and the more recent admission that last year Yahoo fulfilled a FISA order to scan all its incoming email addresses without legal challenge.

Yahoo has claimed that it only recently learned about the 2014 hack of its users — it told Verizon within days of discovering the hack. If that’s true, it’s not necessarily something Yahoo could have told Verizon before the purchase. (Indeed, Verizon should have considered Yahoo’s security posture when buying it.) But there are apparently real questions about how forthcoming Yahoo has been about the extent of the hack. The number of people affected might be in the billions.

Yahoo can’t claim to have been ignorant about its willingness to respond to exotic FISA requests without legal challenge, however.

Verizon bought Yahoo at a time when Yahoo’s aggressive challenged to PRISM back in 2007 was public knowledge. Given that Verizon had been — or at least had been making a show — of limiting what it would agree to do under USA Freedom Act (Verizon got too little credit, in my opinion, for being the prime necessary driver behind the reform), that earlier legal challenge would have aligned with what Verizon itself was doing: limiting its voluntary cooperation with US government spying requests. But now we learn Yahoo had repurposed its own spam and kiddie porn filter to help the government spy, without complaint, and without even telling its own security team.

I’ll let the mergers and acquisitions lawyers fight over whether Verizon has a claim about the purchase price here. Obviously, the $1 billion is just the opening offer.

But there is a real basis for the claim, at least in terms of value. Verizon bought Yahoo to be able to bump its user base up high enough to be able to compete with Google and Facebook. The perception, particularly in Europe, that Yahoo has neither adequately valued user security nor pushed back against exotic US government demands (especially in the wake of the Snowden revelations) will make it a lot harder to maintain, much less expand, the user base that is the entire purpose for the purchase.

So we’re about to learn how much of an international Internet Service Provider’s value is currently tied to its ability to offer security to its users.

Tuesday: Allez Vous F

J’adore Stromae. I’m not in the hip hop demographic, but Stromae — whose real name is Paul Van Haver — pulls me in. This multi-talented artist born to a Rwandan father and a Belgian mother pulls together multiple genres of music laced with compelling au courant lyrics presented with stunning visual effects — how could I not love him?

This particular song, Papatouai, has a strong psychic undertow. This song asks where Papa is; the lyrics and video suggest an emotionally or physically distant father. Van Haver’s own father was killed in the Rwandan genocide when he was not yet ten years old. Is this song about his own father, or about inaccessible fathers in general? The use of older African jazz rhythms emphasizes retrospection suggesting a look backward rather than forward for the missing father figure(s). More than a third of a billion views for this video say something important about its themes.

Much of Stromae’s work is strongly political, but it conveys the difficulty of youth who are multi-racial/multi-ethnic unsatisfied with the binaries and economic injustices forced on them by oldsters. A favorite among kids I know is AVF (Allez Vous Faire):

“Allez vous faire!”
Toujours les mêmes discours, toujours les mêmes airs,
Hollande, Belgique, France austère.
Gauches, ou libéraux, avant-centres ou centristes,
Ça m’est égal, tous aussi démagos que des artistes.


Go fuck yourselves!
Always the same words, always the same airs.
Holland, Belgium, France, austere.
Right or Left? Moderate or Extremist?
They’re all the same to me – the demagogues and the artists.

Remarquable et pertinent, non? I’m also crazy about Tous Les Mêmes, a trans- and cis-feminist song with a marvelous old school Latin beat simmering with frustration. But there’s not much I don’t like by Stromae; I can’t name a song I wouldn’t listen to again and again.

If you’re ready for more Stromae, try his concert recorded in Montreal this past winter. So good.

Expedition to the Cyber Pass

  • UK wireless firm O2 customer data breached and sold (BBC) — O2 customers who were gamers at XSplit had their O2 account data stolen. The approach used, credential stuffing, relies on users who employ the same password at multiple sites. Wonder how Verizon’s recent hiring of O2’s CEO Ronan Dunne will play out during the integration of Yahoo into Verizon’s corporate fold, given Verizon’s data breach? Will Dunne insist on mandatory 2FA policy and insure Verizon and Yahoo accounts can’t use the same passwords?
  • Speaking of Yahoo: 200 million credentials for sale (Motherboard) — Yahoo’s Tumblr had already been involved in a massive breach, now there’s Yahoo accounts available on the dark web. Given the Verizon breach already mentioned, it’s just a matter of time before these accounts are cross-matched for criminal use.
  • Oracle’s not-so-good-very-bad-too-many 276 vulnerabilities patched (Threatpost) — Whew. Two. Hundred. Seventy. Six. That’s a lot of risk. Good they’re all patched, but wow, how did Oracle end up with so many to begin with? Some of them are in products once owned by Sun Microsystems, including Java. Maybe Oracle ought to rethink Java’s licensing and work with the software community to develop a better approach to patching Java?
  • F-35 ready, says USAF — kind of (Bloomberg) — Massively expensive combat jet now up for ‘limited combat use’, except…

    The initial aircraft won’t have all the electronic combat, data fusion, weapons capacity or automated maintenance and diagnostics capabilities until the most advanced version of its complex software is fielded by 2018.

    Uh, what the hell did we spend a gazillion-plus bucks on if we don’t have aircraft with competitive working electronics?

Light load today, busy here between getting youngest ready for college and primary day in Michigan. YES, YOU, MICHIGANDER, GO VOTE IN THE PRIMARY! Polls close at 8:00 p.m. EDT, you still have time — check your party for write-in candidates. You can check your registration, precinct, ballot at this MI-SOS link.

The rest of you: check your own state’s primary date and registration deadlines. Scoot!

How Did Booz Employee Analyst-Trainee Edward Snowden Get the Verizon 215 Order?

One thing I’ve been pondering as I’ve been going through the Snowden emails liberated by Jason Leopold is the transition Snowden made just before he left. They show that in August 2012, Snowden was (as we’ve heard) a Dell contractor serving as a SysAdmin in Hawaii.

Screen Shot 2016-06-10 at 1.48.37 PM

The training he was taking (and complaining about) in around April 5 – 12, 2013 was in preparation to move into an analyst role with the National Threat Operations Center.

Screen Shot 2016-06-10 at 1.55.17 PM

That would mean Snowden would have been analyzing US vulnerabilities to cyberattack in what is a hybrid “best defense is a good offense” mode; given that he was in HI, these attacks would probably have been launched predominantly from, and countermeasures would be focused on, China. (Before Stewart Baker accuses me of showing no curiosity about this move, as Baker did about the Chinese invitation to Snowden’s girlfriend to a pole dancing competition, I did, but got remarkably little response from anyone on it.)

It’s not clear why Snowden made the switch, but we have certainly seen a number of cybersecurity related documents — see the packet published by Charlie Savage in conjunction with his upstream cyber article. Even the PRISM PowerPoint — the second thing released — actually has a cybersecurity focus (though I think there’s one detail that remains redacted). It’s about using upstream to track known cyberthreat actors.

Screen Shot 2016-06-10 at 2.09.14 PM

I suspect, given the inaccuracies and boosterism in this slide deck, that it was something Snowden picked up while at Booz training, when he was back in Maryland in April 2013. Which raises certain questions about what might have been available at Booz that wasn’t available at NSA itself, especially given the fact that all the PRISM providers’ names appear in uncoded fashion.

Incidentally, Snowden’s job changes at NSA also reveal that there are Booz analysts, not NSA direct employees, doing Section 702 analysis (though that is technically public). In case that makes you feel any better about the way the NSA runs it warrantless surveillance programs.

Anyway, thus far, all that makes sense: Snowden got into a cybersecurity role, and one of the latest documents he took was a document that included a cybersecurity function (though presumably he could have gotten most of the ones that had already been completed as a SysAdmin before that).

But one of the most sensitive documents he got — the Verizon Section 215 primary order — has nothing to do with cybersecurity. The Section 215 dragnet was supposed to be used exclusively for counterterrorism. (And as I understand it, there are almost no documents, of any type, listing provider names in the Snowden stash, and not all that many listing encoded provider names). But the Verizon dragnet order it is dated April 23, 2013, several weeks into the time Snowden had moved into a cybersecurity analytical role.

Screen Shot 2016-06-10 at 2.29.20 PM

There’s probably an easy explanation: That even though NSA is supposed to shift people’s credentials as they move from job to job, it hadn’t happened for Snowden yet. If that’s right, it would say whoever was responsible for downgrading Snowden’s access from SysAdmin to analyst was slow to make the change, resulting in one of the most significant disclosures Snowden made (there have been at least some cases of credentials not being adjusted since Snowden’s leaks, too, so they haven’t entirely addressed what would have to be regarded as a major fuck-up if that’s how this happened).

Interestingly, however, the declassification stamp on the document suggests it was classified on April 12, not April 23, which may mean they had wrapped up the authorization process, only to backdate it on the date it needed to be reauthorized. April 12, 2013 was, I believe, the last day Snowden was at Fort Meade.

Screen Shot 2016-06-10 at 2.34.33 PM

Whatever the underlying explanation, it should be noted that the most sensitive document Snowden leaked — the one that revealed that the government aspired to collect phone records from every single Verizon customer (and, significantly, the one that made court challenges possible) — had to have been obtained after Snowden formally left his SysAdmin, privileged user, position.

Wednesday Morning: A Whiter Shade

She said, ‘There is no reason
and the truth is plain to see.’
But I wandered through my playing cards
and would not let her be

— excerpt, Whiter Shade of Pale by Procol Harum
cover here by Annie Lennox

I’ve been on an Annie Lennox jag, sorry. I’m indulging myself here at the intersection of a favorite song which fit today’s theme and a favorite performer. Some of you will take me to task for not using the original version by Procol Harum, or another cover like Eric Clapton’s. Knock yourselves out; it’s Lennox for me.

Speaking of a whiter shade and truth…

FBI used a ‘gray hat’ to crack the San Bernardino shooter’s phone
Last evening after regular business hours WaPo published a story which made damned sure we knew:

1) The FBI waded into a fuzzy zone to hack the phone — oh, not hiring a ‘black hat’, mind you, but a whiter-shade ‘gray hat’ hacker;
2) Cellebrite wasn’t that ‘gray hat’;
3) The third-party resource was referred to as ‘professional hackers’ or ‘researchers who sell flaws’;
4) FBI paid a ‘one-time fee’ for this hack — which sounds like, “Honest, we only did it once! How could we be pregnant?!
5) A ‘previously unknown software flaw’ was employed after the third-party pointed to it.

This reporting only generated more questions:

• Why the careful wording, ‘previously unknown software flaw’ as opposed to zero-day vulnerability, which has become a term of art?
• How was the determination made that the party was not black or white but gray, and not just a ‘professional hacker who sold knowledges about a flaw they used’? Or was the explanation provided just stenography?
• However did Cellebrite end up named in the media anyhow if they weren’t the source of the resolution?
• What assurances were received in addition to the assist for that ‘one-time fee’?
• Why weren’t known security experts consulted?
• Why did the FBI say it had exhausted all resources to crack the San Bernardino shooter’s phone?
• Why did FBI director Jim Comey say “we just haven’t decided yet” to tell Apple about this unlocking method at all if ‘persons familiar with the matter’ were going to blab to WaPo about their sketchy not-black-or-white-hat approach instead?

That’s just for starters. Marcy’s gone over this latest story, too, be sure to read.

Volkswagen execs get a haircut
Panic among employees and state of Lower Saxony over VW’s losses and anticipated payouts as a result of Dieselgate impelled executives to share the pain and cut their bonuses. Germany’s Lower Saxony is the largest state/municipal shareholder in VW, but it’s doubly exposed to VW financial risks as nearly one in ten Germans are employed in the automotive industry, and VW is the largest single German automotive company. The cuts to bonuses will be retroactive, affecting payouts based on last year’s business performance.

Fuzzy dust bunnies

  • Verizon workers on strike (Boston Globe) — Until minimum wage is raised across the country and offshoring jobs stops, we’ll probably see more labor actions like this. Should be a warning to corporations with quarter-after-quarter profits and offshore tax shelters to watch themselves — they can afford to pay their workers.
  • Facebook deploys bots across its services (Computerworld) — But, but AI is years away, said Microsoft research…meanwhile, you just know Amazon’s Alexa is already looking to hookup with Facebook’s chatbot.
  • Google’s charitable arm ponied up $20M cash for disabled users’ technology improvements (Google.org) — IMO, this was a great move for an underserved population.
  • Judge’s rejects Obama administration blow-off of apex predator wolverines (HGN) — Wolverines, a necessary part of health northern and mountain ecosystems, need cold weather to survive. Montana’s U.S. District Court ruled the administration had not done enough to protect biodiversity including the wolverine. Crazy part of this entire situation is that the feds don’t believe the wolverine warrants Endangered Species Act (ESA) protection and that they can’t tell what effects climate change has on this species, but the species is seen rarely to know. Hello? A rarely-seen species means the numbers are so low they are at risk of extinction — isn’t that what the ESA is supposed to define and prevent?

UPDATE — 12:10 PM EDT —
From @cintagliata via Twitter:

Back in 1971, researchers observed Zika virus replicating in neurons and glia. (in mice) http://bit.ly/1XvsD4d

I’m done with the pesticides-as-causal theory. It may be a secondary exacerbating factor, but not likely primary. In short, we’ve had information about Zika’s destructive effects on the brain and nervous system for 45 years. It’s past time for adequate funding to address prevention, treatments, control of its spread.

It’s all down the hump from here, kids. See you tomorrow morning!

Friday Morning: Far Over Yonder

It was rough road this week, but we made it to Friday again for more jazz. Today’s genre is ska jazz, which will feel like an old friend to many of you.

The artist Tommy McCook was one of the earliest artists in this genre. Just listen to his work and you’ll understand why he has had such a deep and long-lasting influence on contemporary Jamaican music.

Let’s get cooking.

Apple pan dowdy

  • Need a hashtag for NotAlliPhones after FBI says hack only works on “narrow slice” (Reuters) — The method offered by a third party to open San Bernardino shooter’s iPhone 5c won’t work on later phones like the iPhone 5s in the Brooklyn case, according to FBI director Jim Comey. While it may be assumed newer technology is the barrier, this could be a simple line in the sand drawn by the FBI so as to limit potential risk.
  • Yet another pearl-clutching essay asking us if Apple went too far protecting privacy (MIT Technology Review) — This is the second such POS in this outlet in the last couple of months. Oh, by all means, let’s risk exposing hundreds of millions of iOS users to any surveillance because law enforcement needs access to the kind of information they didn’t have 20 years ago.
  • Apple has complied with government requests to crack iPhones 70 times, beginning in 2008 (Mac Rumors) — The first request, believed to have occurred while George Bush was still in office, arose from a child abuse and pornography case. In a case like this where children may have been endangered, one can understand the impetus for the request. But maybe, just maybe, Apple was so firm about the San Bernardino iPhone 5c is that Apple knows the government has gone too far after nearly eight years of compliance.
  • And for a change of pace, a recipe for Apple Pan Dowdy. Don’t fret over the pastry flour; just use all-purpose and not bread flour.

Leftovers

  • Yahoo up for bids, Verizon interested (Reuters) — The same telecom once in trouble for using persistent cookies is interested in a search engine-portal business which may offer them access to non-Verizon customers. Plan ahead for the next level of consumer tracking if Verizon’s bid wins. Bidding deadline has been extended from April 11 to the 18th.
  • Households at bottom income levels can’t afford food, housing (Vox) — Can’t understand why the rise of angry white man candidates? This is one big reason — things are getting much worse for those who can afford it least. And nobody working in Capitol Hill or the White House seems to give a rat’s whisker.
  • Banksters blame Hollywood for lack of interest in dodgy subprime automotive bonds (Indiewire) — Investment banking firm Morgan Stanley credits the film The Big Short, based on Michael Lewis’ book about the 2000s housing bubble and the subprime mortgage crisis, with spooking investors away from subprime automotive bonds. By all means, let’s not look in the mirror, banksters, or at the inability of working poor to make ends meet, increasing likely uptick in automotive loan defaults.
  • Venezuela makes every Friday a holiday (Bloomberg)

    — The deep El Nino cycle caused drought conditions, substantively lowering reservoir levels. President Maduro is asking large customers to make their electricity in addition to declaring every Friday for the next two months a work holiday to conserve energy. Clearly Venezuela needed investment in solar energy before this El Nino began.

  • Researchers found people do stupid stuff when they find a flash drive (Naked Security) — After sprinkling a campus with prepared USB flash drives, a study found nearly half the people who found them plugged them into a computer, ostensibly to find the owner. DON’T DO IT. If you find one, destroy it. If you lost one, consider it a lost cause — and before you lose one, make sure you’ve encrypted it just in case somebody is stupid enough to try and find the owner/look at the contents.

HIGHLY EDITORIAL COMMENT: Bill, STFU.
Just because a single African American author called you “The First Black President” doesn’t mean you are literally a black man (and the label wasn’t meant as a compliment). Your massive white/male/former-elected privilege is getting in the way of listening to people you helped marginalize. You cannot fake feeling their pain or triangulate this away. Just shut up and listen, if for no other reason than you’re hurting your wife yet again. (Sorry, I had to get that off my chest. This opinion may differ from those of other contributors at this site. YMMV.)

Phew. Hope you have a quiet, calm weekend planned. We could use one. See you Monday morning!

FBI’s Open NSL Requests

DOJ’s Inspector General just released a report of all the recommendations it made prior to September 15, 2015 that are not yet closed. As it explained in the release, the IG compiled the report in response to a congressional request, but they’ve posted (and will continue to post, every 6 months) the report for our benefit as well.

Specifically, we have posted a report listing all recommendations from OIG audits, evaluations, and reviews that we had not closed as of September 30, 2015.  As you will see, most of the recommendations show a status of “resolved,” which indicates that the Department of Justice has agreed with our recommendation, but we have not yet concluded that they have fully implemented it.

As that release made clear, most of the recommendations that have not yet been closed are not open, but resolved, which means DOJ has agreed with the IG’s recommendation but has not fully implemented a fix for that recommendation.

Which leaves the “open” recommendations, which might include recommendations DOJ hasn’t agreed to address or hasn’t told the IG how they’ll address. There are 20 open recommendations in the report, most of which date to 2014. That’s largely because every single one of the 10 recommendations made in the 2014 report on National Security Letters remains open. Here are some of my posts on that report (one, two, three, four, five), but the recommendations pertain to not ingesting out-of-scope information, counting the NSL’s accurately, and maintaining paperwork so as to be able to track NSLs. [Update: as the update below notes, the FBI response to the released report claimed it was responding, in whole or in part, to all 10 recommendations, which means the “open” category here means that FBI has not had time to go back and certify that FBI has done what it said.]

Three of the other still-open recommendations pertain to hiring; they pertain to nepotism, applicants for the civil rights division wanting to enforce civil rights laws (!), and the use of political tests for positions hiring career attorneys (this was the Monica Goodling report). Another still open recommendation suggests DOJ should document why US Attorneys book hotels that are outside cost limits (this pertains, ironically, to Chris Christie’s travel while US Attorney).

The remaining 2 recommendations, both of which date to 2010, are of particular interest.

1/19/2010: A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records

The OIG recommends that the FBI should issue guidance specifically directing FBI personnel that they may not use the practices known as hot number [classified and redacted] to obtain calling activity information from electronic communications service providers.

The first pertains to the IG Report on exigent letters. The report described (starting on PDF 94) how FBI contracted with two providers for “hot number” services that would let them alert the FBI when certain numbers were being used. FBI first contracted for the service with MCI or Verizon, not AT&T (as happened with most tech novelties in this program). The newly released version of the report make it clear that redactions are redacted for b1 (classification), b4 (trade secrets), b7A (enforcement proceedings), and b7E (law enforcement technique). At one point, then General Counsel now lifetime appointed judge Valerie Caproni said the practice did not require Pen Registers.

I find this practice — and FBI’s longstanding unwillingness to forswear it — interesting for two reasons. First, most references to the practice follow “hot number” by a short redaction.

Screen Shot 2016-01-21 at 2.02.30 PM

That suggests “hot number” may just be a partial name. Given that this section makes it clear this was often used with fugitives — just as Stingrays are often most often used — I wonder whether this involved “number” and “site.” That’s especially true since Company C (again, MCI or Verizon) also tracked whether calls were being made from a particular area code or [redacted], suggesting some location tracking function.

I’m also interested in this because “hot numbers” tracks the unauthorized “alert” function the NSA was using with the phone dragnet up until 2009. As you recall, NSA analysts would get an alert if any of thousands of phone numbers got used in a given day, none of which it counted as a contact-chaining session.

In other words, this practice might be related to one or both of these things. And 6 years later, the FBI doesn’t want to forswear the practice.

9/20/2010, A Review of the FBI’s Investigations of Certain Domestic Advocacy Groups

The OIG recommends that the FBI seek to ensure that it is able to identify and document the source of facts provided to Congress through testimony and correspondence, and to the public.

This report (see one of my posts on it) reviewed why the FBI had investigated a bunch of peace and other advocacy groups as international terrorist groups dating back to 2004. ACLU had FOIAed some documents on investigations into Pittsburgh’s peace community. In response, Patrick Leahy started asking for answers, which led to obvious obfuscation from the FBI. And as I noted, even the normally respectable Glenn Fine produced a report that was obviously scoped not to find what it was looking for.

Nevertheless, a key part of the report pertained to FBI’s inability (or unwillingess) to respond to Leahy’s inquiries about what had started this investigation or to explain where the sources of information for their responses came from. (See PDF 56) The FBI, to this day, has apparently refused to agree to commit to be able to document where the information it responds to Congress comes from.

I will have more to say on this now, but I believe this is tantamount to retaining the ability to parallel construct answers for Congress. I’m quite confident that’s what happened here, and it seems that FBI has spent 6 years refusing to give up the ability to do that.

Update:

I didn’t read it when I originally reported in the NSL IG report, but it, like most IG reports, has a response from FBI, which in this case is quite detailed. The FBI claims that it had fulfilled most recommendations well before the report was released.

The response to the open exigent letter recommendation is at PDF 224. It’s not very compelling; it only promised to consider issuing a statement to say “hot number [redacted]” was prohibited.

The response to the 2014 report recommendations start on PDF 226. Of those, the FBI didn’t say they agreed with one part of one recommendations:

  • That the NSL subsystem generate reminders if an agent hasn’t verified return data for manual NSLs (which are sensitive)

In addition, with respect to the data requested with NSLs, FBI has taken out expansive language from manual models for NSLs (this includes an attachment the other discussion of which is redacted), but had not yet from the automated system.