Posts

If Patrick Leahy Wants to End Bulk Collection, He Needs to Amend His USA Freedom Act

The other day, the government obtained another Primary Order to collect all our phone records.

In response, Senator Patrick Leahy released this statement:

Congress must ensure that this is the last time the government requests and the court approves the bulk collection of Americans’ records.  We can make this a reality in the Senate if we act swiftly to pass the bipartisan USA FREEDOM Act.  Stakeholders from across the political and ideological spectrum have urged us for months to do just that.  We cannot wait any longer, and we cannot defer action on this important issue until the next Congress.  This announcement underscores, once again, that it is time for Congress to enact meaningful reforms to protect individual privacy.

I heartily agree with Leahy that the government has to stop obtaining authorization to collect Americans’ records in bulk.

But I think Leahy is misleading when he says we can “make this a reality” by passing USA FREEDOM Act — at least as currently written. While USA Freedom Act prohibits the government from collecting Americans’ phone records in bulk, it doesn’t prevent the government from collection Americans’ records from non-communications companies in what normal people would call bulk.

The language in the bill prohibiting the use of a company name as a selector only applies to electronic communication service providers.

(II) a term identifying an electronic communication service provider (as that term is defined in section 701) or a provider of remote computing service (as that term is defined in section 2711 of title 18, United States Code), when not used as part of a specific identifier as described in clause (i), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

The limit of this language to communications companies makes it clear that the bill envisions the use of a corporate person (persons are permitted for traditional Section 215 orders) names — so long as they aren’t communications providers — as a selector. You can’t get all records from Verizon, as the government does, but you can get all one-side foreign records from Western Union, as the government also currently does.

In this case, the secret surveillance court has authorized the Federal Bureau of Investigation to work with the CIA to collect large amounts of data on international transactions, including those of Americans, as part of the agency’s terrorism investigations.

The data collected by the CIA doesn’t include any transactions that are solely domestic, and the majority of records collected are solely foreign, but they include those to and from the U.S., as well. In some cases, it does include data beyond basic financial records, such as U.S. Social Security numbers, which can be used to tie the financial activity to a specific person. That has raised concerns among some lawmakers who learned about the program this summer, according to officials briefed on the matter.

Former U.S. government officials familiar with the program said it has been useful in discovering terrorist relationships and financial patterns. If a CIA analyst searches the data and discovers possible suspicious terrorist activity in the U.S., the analyst provides that information to the FBI, a former official said.

[snip]

The data is obtained from companies in bulk, then placed in a dedicated database. Then, court-ordered rules are applied to “minimize,” or mask, the information about people in the U.S. unless that information is deemed to be of foreign-intelligence interest, a former U.S. official said.

Moreover, even if this is the only financial program that exists right now, the only limit on such programs would be the imagination of the Intelligence Community and the indulgence of the FISA Court. James Clapper and John Bates both objected to interpreting the transparency provisions of USAF to include similar applications to new targets. Particularly as the fearmongering surrounding ISIS increases, they’ll be ratcheting up the domestic spying again.

In any case, there is abundant reason to believe the government also collects the records of certain bomb precursors — fertilizer, acetone and hydrogen peroxide in large quantities, and pressure cookers — to cross-reference with suspect targets. And while the government collects flight information directly, there may well be bulk travel record collection as well.

The bill enables this kind of bulk collection in its “transparency” provisions as well. Those provisions only conduct individualized counts for communications related orders under traditional Section 215, not for non-communications related orders.

(D) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of—
(i) the number of targets of such orders;
(ii) the number of individuals whose communications were collected pursuant to such orders; and
(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

This is obviously all by design (otherwise these two passages wouldn’t have this symmetry). And perhaps all it does is serve to hide this one (probably two, maybe three) programs. But again, there’s no guarantee that won’t change in the future, and the transparency provisions don’t do enough to ensure  this would be properly briefed.

Of course the fix for this would be easy: extend the same prohibition against using a corporate person as a selector to all corporate persons, and extend the individualized reporting under traditional Section 215 to all Section 215 orders.

If Senator Leahy wants to prevent bulk collection, he needs to treat tangible things — the name of the provision at hand!!! — of all sorts, communications and non-communications — as the bill currently treats just communications-related orders.

Leahy’s Freedom Act May Not Change Status Quo on Records Other than Call Records

Update: According to the DOJ IG NSL Report released today, the rise in number of Section 215 orders stems from some Internet companies refusing to provide certain data via NSL; FBI has been using Section 215 instead. However they’re receiving it now, Internet companies, like telephone companies, should not be subject to bulk orders as they are explicitly exempted. 

WaPo’s MonkeysCage blog just posted a response I did to a debate between H.L. Pohlman and Gabe Rottman over whether Patrick Leahy’s USA Freedom includes a big “backdoor” way to get call records. The short version: the bill would prevent bulk — but not bulky — call record collection. But it may do nothing to end existing programs, such as the reported collection of Western Union records.

In the interest of showing my work, he’s a far more detailed version of that post.

Leahy’s Freedom still permits phone record collection under the existing authority

Pohlman argues correctly that the bill specifically permits the government to get phone records under the existing authority. So long as it does so in a manner different from the Call Detail Record newly created in the bill, it can continue to do so under the more lenient business records provision.

To wit: the text “carves out” the government’s authority to obtain telephone metadata from its more general authority to obtain “tangible things” under the PATRIOT Act’s so-called business records provision. This matters because only phone records that fit within the specific language of the “carve out” are subject to the above restrictions on the government’s collection authority.  Those restrictions apply only “in the case of an application for the production on a daily basis of call detail records created before, on, or after the date of the application relating to an authorized investigation . . . to protect against international terrorism.”

This means that if the government applies for a production order of phone records on a weekly basis, rather than on a “daily basis,” then it is falls outside the restrictions. If the application is for phone records created “before, on, [and] after” (instead of “or after”) the date of the application, ditto. If the investigation is not one of international terrorism, ditto.

However, neither Pohlman nor Rottman mention the one limitation that got added to USA Freedumber in Leahy’s version which should prohibit the kind of bulk access to phone records that currently goes on.

Leahy Freedom prohibits the existing program with limits on electronic service providers

The definition of Specific Selection Term “does not include a term that does not narrowly limit the scope of the tangible things … such as–… a term identifying an electronic communication service provider … when not used as part of a specific identifier … unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.”

In other words, the only way the NSA can demand all of Verizon’s call detail records, as they currently do, is if they’re investigating Verizon. They can certainly require Verizon and every other telecom to turn over calls two degrees away from, say, Julian Assange, as part of a counterintelligence investigation. But that language pertaining to electronic communication service provider would seem to prevent the NSA from getting everything from a particular provider, as they currently do.

So I think Rottman’s largely correct, though not for the reasons he lays out, that Leahy’s Freedom has closed the back door to continuing the comprehensive phone dragnet under current language.

But that doesn’t mean it has closed a bunch of other loopholes Rottman claims have been closed.

FISC has already dismissed PCLOB (CNSS) analysis on prospective collection 

For example, Rottman points to language in PCLOB’s report on Section 215 stating that the statutory language of Section 215 doesn’t support prospective collection. I happen to agree with PCLOB’s analysis, and made some of the same observations when the phone dragnet order was first released. More importantly, the Center for National Security Studies made the argument in an April amicus brief to the FISC. But in an opinion released with the most recent phone dragnet order, Judge James Zagel dismissed CNSS’ brief (though, in the manner of shitty FISC opinions, without actually engaging the issue).

In other words, while I absolutely agree with Rottman’s and PCLOB’s and CNSS’ point, FISC has already rejected that argument. Nothing about passage of the Leahy Freedom would change that analysis, as nothing in that part of the statute would change. FISC has already ruled that objections to the prospective use of Section 215 fail.

Minimization procedures may not even protect bulky business collection as well as status quo

Then Rottman mischaracterizes the limits added to specific selection term in the bill, and suggests the government wouldn’t bother with bulky collection because it would be costly.

The USA Freedom Act would require the government to present a phone number, name, account number or other specific search term before getting the records—an important protection that does not exist under current law. If government attorneys were to try to seek records based on a broader search term—say all Fedex tracking numbers on a given day—the government would have to subsequently go through all of the information collected, piece by piece, and destroy any irrelevant data. The costs imposed by this new process would create an incentive to use Section 215 judiciously.

As I pointed out in this post, those aren’t the terms permitted in Leahy Freedom. Rather, it permits the use of “person, account, address, or personal device, or another specific identifier.” Not a “name” but a “person,” which in contradistinction from the language in the CDR provision — which replaces “person” with “individual” — almost certainly is intended to include “corporate persons” among acceptable SSTs for traditional Section 215 production.

Like Fedex. Or Western Union, which several news outlets have reported turns over its records under Section 215 orders.

FISC already imposes minimization procedures on most of its orders

Rottman’s trust that minimization procedures will newly restrain bulky collection is even more misplaced. That’s because, since 2009, FISC has been imposing minimization procedures on Section 215 collection with increasing frequency; the practice grew in tandem with greatly expanded use of Section 215 for uses other than the phone dragnet.

While most of the minimization procedure orders in 2009 were likely known orders fixing the phone dragnet violations, the Attorney General reports covering 2010 and 2011 make it clear in those years FISC modified increasing percentages of orders by imposing minimization requirements and required a report on compliance with them

The FISC modified the proposed orders submitted with forty-three such applications in 2010 (primarily requiring the Government to submit reports describing implementation of applicable minimization procedures).

The FISC modified the proposed orders submitted with 176 such applications in 2011 (requiring the Government to submit reports describing implementation of applicable minimization procedures).

That means the FISC was already requiring minimization procedures for 176 orders in 2011, only 5 of which are known to be phone dragnet orders. Read more

Leahy USA Freedom’s Bulky Corporate Persons

As I said in my post the other day, the definition of Specific Selection Term in the Leahy version of USA Freedom addresses almost all my concerns about bulk collection under USA Freedom Act.

But not all of them.

I have two concerns.

First, some background. The bill actually uses two definitions of “specific selection term.” The definition as it applies to traditional Section 215, PRTT, and NSL collection is,

(i) means a term that specifically identifies a person, account, address, or personal device, or another specific identifier, that is used by the Government to narrowly limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things; and [my emphasis]

It defines “address” this way:

ADDRESS.—The term ‘address’ means a physical address or electronic address, such as an electronic mail address, temporarily assigned network address, or Internet protocol address.

That’s my first concern. IP addresses can represent entire companies. And who knows what the NSA might consider “temporarily assigned network addresses”?

Then there’s the difference between that definition of “specific selection term” and the more narrow one used with the prospective contact chaining at telecoms, which is:

CALL DETAIL RECORD APPLICATIONS.—For purposes of an application submitted under subsection (b)(2)(C), the term ‘specific selection term’ means a term that specifically identifies an individual, account, or personal device. [my emphasis]

You’ll note the bill targets “individual” for its contact chaining, but “person” for the rest of Section 215 collection. The obvious reason to do that is if you’re collecting on an entire corporate person, like Western Union (which WSJ and NYT reported CIA uses Section 215 to collect on).

The bill does include limits on what kinds of corporate persons can be collected. The bill explicitly prohibits using electronic communication service providers and cloud providers as specific selection terms, unless they are being investigated.

(II) a term identifying an electronic communication service provider (as that term is defined in section 701) or a provider of remote computing service (as that term is defined  in section 2711 of title 18, United States Code), when not used as part of a specific identifier as described in clause (i), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

That still seems to leave a whole slew of corporate persons who can be the selection term for collection.

The bill limits that collection in another way, through minimization procedures.

‘(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—

(i) a subject of an authorized investigation;

(ii) a foreign power or a suspected agent of a foreign power;

(iii) reasonably likely to have information about the activities of—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation; or

(iv) in contact with or known to—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation,

unless the tangible thing or information therein indicates a threat of death or serious bodily harm to any person or is disseminated to another element of the intelligence community for the sole purpose of determining whether the tangible thing or information therein relates to a person who is described in clause (i), (ii), (iii),  or (iv)

This language is almost certainly not new — as CDT’s otherwise decent analysis suggests. We know the FISC has been modifying orders more and more in recent years. We don’t know — we have to rely on Congress, blindly — whether these minimization procedures are more strict or (likely, because other parts of this bill are) less restrictive than what the FISC itself has been imposing.

But even the existence of this language — and the differential use of “person” and “individual” — makes it clear the bill still permits the bulk collection of data. It just requires the agency in question to purge the data … sometime.

The question is whether this “agency protocol” — what Chief Justice John Roberts said was not enough to protect Americans’ privacy — is sufficient to protect Americans’ privacy.

I don’t think it is.

First, it doesn’t specify how long the NSA and FBI and CIA can keep and sort through these corporate records (or what methods it can use to do so, which may themselves be very invasive).

It also permits the retention of data that gets pretty attenuated from actual targets of investigation: agents of foreign powers that might have information on subjects of investigation and people “in contact with or known to” suspected agents associated with a subject of an investigation.

Known to?!?! Hell, Barack Obama is known to all those people. Is it okay to keep his data under these procedures?

Also remember that the government has secretly redefined “threat of death or serious bodily harm” to include “threats to property,” which could be Intellectual Property.

So CIA could (at least under this law — again, we have no idea what the actual FISC orders this is based off of) keep 5 years of Western Union money transfer data until it has contact chained 3 degrees out from the subject of an investigation or any new subjects of investigation it has identified in the interim.

In other words, probably no different and potentially more lenient than what it does now.

The CIA (&etc) Money Orders

NSL v 215Both the NYT (Charlie Savage and Mark Mazzetti) and WSJ (Siobhan Gorman, Devlin Barrett, and Jennifer Valentine-Devries) tell the same story today: the CIA is collecting bulk data on international money transfers. Given that someone has decided to deal this story to two papers at the same time, and given the number of times the Administration has pre-leaked stories to Gorman of late to increasingly spectacular effect (even making most national security journalists forget the very existence of GCHQ’s notoriously voracious taps at cable landings just off Europe) I assume this may be some kind of limited hangout.

It’s not that I doubt in the least that CIA gets and uses financial data. I don’t even doubt the government uses PATRIOT authorities to do so (as both stories assert).

But it would be unlikely that this data comes in through an FBI order and does not also get shared with Treasury and National Counterterrorism Center (if not NSA), both of which would have better infrastructure for analyzing it, and both of which we know to use such data for their known intelligence products. Indeed, in response to a question from both papers about this practice Western Union points to Treasury programs.

 A spokeswoman for one large company that handles money transfers abroad, Western Union, did not directly address a question about whether it had been ordered to turn over records in bulk, but said that the company complies with legal requirements to provide information.

“We collect consumer information to comply with the Bank Secrecy Act and other laws,” said the spokeswoman, Luella Chavez D’Angelo. “In doing so, we also protect our consumers’ privacy.”

And at WSJ a consultant to the industry points even more firmly towards Treasury.

Money-transfer companies are “highly, highly aware of their obligations under the Patriot Act,” said Robert Pargac, a director in global investigations and compliance at Navigant Consulting Inc. who has worked at several such companies. Western Union said last month it would be spending about 4% of its revenue in 2014 on compliance with rules under the Patriot Act, the Treasury Department’s Office of Foreign Assets Control and other anti-money-laundering and terrorist-financing requirements.

We know that, at least until 2008, the FBI maintained that it could share materials that came in through Section 215 with any agency so long as that agency asserted it had a need for the information, and there’s little reason to believe the FBI has changed that policy. So I would assume at least Treasury and NCTC gets this data as well. It may be all this story indicates is that — as they do with much Section 702 data — CIA gets its own access to the data. That’s a minimization story, not a collection story, because we’ve known this data was collected (as WSJ points out).

Then there’s the evidence both papers point to to show that this is a Section 215 program. Read more

Cell Phone Remittances

Given yesterday’s discussion about the Taliban extorting money from Afghan cell phone providers, I wanted to link to today’s story describing the expansion of such cell phone based payment systems in Latin America. 

Sending money back home? Just press "talk."

That’s what Western Union, Radio Shack and the small wireless carrier Trumpet Mobile hope millions of Hispanic immigrants will do with a new service announced yesterday.

[snip]

Under the plan, a customer could buy a Trumpet Mobile phone, which costs $29.99 at Radio Shack. The user can load the phone with money through Western Union. To send money to a relative Nicaragua, for example, a customer would specify the amount and the recipient over the phone. The money would then be debited from the customer’s account and routed to a local agent in Nicaragua, who would dispense the money to the relative.

I guess that answers my question about whether the Taliban were extorting actual currency or just cell phone minutes.

There are several interesting aspects of this story. Barnett Rubin described the cell phone extortion in Afghanistan as a way to work around Western Union–which was quickly co-opted by US intelligence after 9/11. But here, Western Union is one of the three partners. So I suspect this an attempt to avoid losing any more money transfer business to cell phone carriers.

The story also notes that Western Union offers this service in India and Philippines. So between Kashmir, Colombia, and Philippines’ own Islamic extremists, this puts Western Union in several areas with their own terrorist problems.  

I wonder how involved the US is in backing this venture? Anyone know anything about Trumpet Mobile?