Posts

On Jim Baker’s Non-Prosecution for Leaking

The WaPo provides details on something that right wing propagandists had used to slam FBI General Counsel Jim Baker (who, the article notes, is being reassigned within FBI). The leak investigation into Baker must pertain to the Yahoo scan.

For months, Baker had become caught up in what some law enforcement officials considered a particularly frustrating probe of a leak involving the FBI, the National Security Agency and stories that appeared about a year ago involving surveillance techniques for a particular email provider, according to people familiar with the matter.

Some NSA officials were concerned that too much had been revealed about a classified program in an effort to correct a prior report, these people said.

“Jim was distressed about it but was confident he hadn’t leaked anything’’ and would be cleared, one U.S. official said.

A respected veteran prosecutor was assigned to the case, but people close to the matter said the investigation had petered out recently and charges were not expected to be filed.

The leak probe frustrated some law enforcement officials, who said officials were caught up in it only because they had tried to prevent misinformation about surveillance capabilities from spreading among the public and lawmakers. Others said the very existence of the investigation was mostly due to a disagreement between two agencies, according to people familiar with the matter.

The story that the government had obtained authority to scan all of Yahoo’s emails for some signature tied to either a foreign government or a terrorist organization (or most likely, Iran, which the US considers both) was first broken by Reuters, which claimed the scan happened under Section 702. But as I laid out here, Charlie Savage (who has written an entire billion page book on such matters) reported, more plausibly, that it was done under a targeted FISA order. Not only did the discrepancy in stories raise concerns about how Section 702 was being applied, but it led a lot of surveillance critics who had heretofore not understood things they were lobbying about to newly examine what the term “facility” meant.

From the context, it seems likely that Baker was trying to correct initial reports that the scan occurred under Section 702, which probably had a salutary effect on this year’s debate; no one has raised questions about that Yahoo scan (though surveillance critics have proven that they didn’t internalize the lesson  of the exchange to learn that the government has long interpreted facility more broadly than they understood).

If all that’s right, the spooks should be happy that Baker corrected the record. Heck, Baker could probably point to my work for proof that the definition of “facility” was actually known to people he hasn’t ever spoken with.

[S]tarting in 2004 and expanded in 2010, “facility” — the things targeted under FISA — no longer were required to tie to an individual user or even a location exclusively used by targeted users.

When Kollar-Kotelly authorized the Internet dragnet, she distinguished what she was approving, which did not require probable cause, from content surveillance, where probable cause was required. That is, she tried to imagine that the differing standards of surveillance would prevent her order from being expanded to the collection of content. But in 2007, when FISC was looking for a way to authorize Stellar Wind collection — which was the collection on accounts identified through metadata analysis — Roger Vinson, piggybacking Kollar-Kotelly’s decision on top of the Roving Wiretap provision, did just that. That’s where “upstream” content collection got approved. From this point forward, the probable cause tied to a wiretap target was freed from a known identity, and instead could be tied to probable cause that the facility itself was used by a target.

There are several steps between how we got from there to the Yahoo order that we don’t have full visibility on (which is why PCLOB should have insisted on having that discussion publicly). There’s nothing in the public record that shows John Bates knew NSA was searching on non-email or Internet messaging strings by the time he wrote his 2011 opinion deeming any collection of a communication with a given selector in it to be intentional collection. But he — or FISC institutionally — would have learned that fact within the next year, when NSA and FBI tried to obtain a cyber certificate. (That may be what the 2012 upstream violation pertained to; see this post and this post for some of what Congress may have learned in 2012.) Nor is there anything in the 2012 Congressional debate that shows Congress was told about that fact.

One thing is clear from NSA’s internal cyber certificate discussions: by 2011, NSA was already relying on this broader sense of “facility” to refer to a signature of any kind that could be associated with a targeted user.

The point, however, is that sometime in the wake of the 2011 John Bates opinion on upstream, FISC must have learned more about how NSA was really using the term. It’s not clear how much of Congress has been told.

The leap from that — scanning on telephone switches for a given target’s known “facility” — to the Yahoo scan is not that far. In his 2010 opinion reauthorizing the Internet dragnet, Bates watered down the distinction between content and metadata by stripping protection for content-as-metadata that is also used for routing purposes. There may be some legal language authorizing the progression from packets to actual emails (though there’s nothing that is unredacted in any Bates opinion that leads me to believe he fully understood the distinction). In any case, FISCR has already been blowing up the distinction between content and metadata, so it’s not clear that the Yahoo request was that far out of the norm for what FISC has approved.

Which is not to say that the Yahoo scan would withstand scrutiny in a real court unaware of the FISC precedents (including the ones we haven’t yet seen). It’s just to say we started down this path 12 years ago, and the concept of “facilities” has evolved such that a search for a non-email signature counts as acceptable to the FISC.

Of course, the better option is to stop playing word games and explain to everyone what facility actually means, and point out that that interpretation has been in place since 2007.

All that said, this is yet another example where a cherished government official can engage in behavior that others go to prison for. As I’ve pointed out, for example, the Jeffrey Sterling case codified the precedent that someone can go to prison for four minutes and 11 seconds of phone conversations during which you provide unclassified tips about classified information they know.

The Fourth Circuit just codified the principle that you can go to prison for four minutes and 11 seconds of phone calls during which you tell a reporter to go find out classified details you know about.

That’s probably pretty close to what Baker got investigated for. Obviously, doing so as a General Counsel is a different function than as a whistleblower. And whatever conversations Baker had probably took place in DC, so outside of the Fourth Circuit where that precedent stands.

I have no doubt that non-prosecution, if I’ve gotten the facts of the case correct, is the correct decision. But so should it be for others in similar situations, others treated differently because they’re not part of the FBI.

More importantly, the government’s so-called transparency should be such that experts like the surveillance critics who didn’t know how facility is used don’t have to get leaks to understand basic facts about the surveillance they discuss.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

A Dragnet of emptywheel’s Most Important Posts on Surveillance, 2007 to 2017

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten this week.

To celebrate, the emptywheel team has been sharing some of our favorite work from the last decade. This is my massive dragnet of surveillance posts.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2007

Whitehouse Reveals Smoking Gun of White House Claiming Not to Be Bound by Any Law

Just days after opening the new digs, I noticed Sheldon Whitehouse entering important details into the Senate record — notably, that John Yoo had pixie dusted EO 12333 to permit George Bush to authorize the Stellar Wind dragnet. In the ten years since, both parties worked to gradually expand spying on Americans under EO 12333, only to have Obama permit the sharing of raw EO 12333 data in its last days in office, completing the years long project of restoring Stellar Wind’s functionalities. This post, from 2016, analyzes a version of the underlying memo permitting the President to change EO 12333 without providing public notice he had done so.

2008

McConnell and Mukasey Tell Half Truths

In the wake of the Protect America Act, I started to track surveillance legislation as it was written, rather than figure out after the fact how the intelligence community snookered us. In this post, I examined the veto threats Mike McConnell and Michael Mukasey issued in response to some Russ Feingold amendments to the FISA Amendments Act and showed that the government intended to use that authority to access Americans’ communication via both what we now call back door searches and reverse targeting. “That is, one of the main purposes is to collect communications in the United States.”

9 years later, we’re still litigating this (though, since then FISC has permitted the NSA to collect entirely domestic communications under the 2014 exception).

2009

FISA + EO 12333 + [redacted] procedures = No Fourth Amendment

The Government Sez: We Don’t Have a Database of All Your Communication

After the FISCR opinion on what we now know to be the Yahoo challenge to Protect American Act first got declassified, I identified several issues that we now have much more visibility on. First, PAA permitted spying on Americans overseas under EO 12333. And it didn’t achieve particularity through the PAA, but instead through what we know to be targeting procedures, including contact chaining. Since then we’ve learned the role of SPCMA in this.

In addition, to avoid problems with back door searches, the government claimed it didn’t have a database of all our communication — a claim that, narrowly parsed might be true, but as to the intent of the question was deeply misleading. That claim is one of the reasons we’ve never had a real legal review of back door searches.

Bush’s Illegal Domestic Surveillance Program and Section 215

On PATRIOTs and JUSTICE: Feingold Aims for Justice

During the 2009 PATRIOT Act reauthorization, I continued to track what the government hated most as a way of understanding what Congress was really authorizing. I understood that Stellar Wind got replaced not just by PAA and FAA, but also by the PATRIOT authorities.

All of which is a very vague way to say we probably ought to be thinking of four programs–Bush’s illegal domestic surveillance program and the PAA/FAA program that replaced it, NSLs, Section 215 orders, and trap and trace devices–as one whole. As the authorities of one program got shut down by exposure or court rulings or internal dissent, it would migrate to another program. That might explain, for example, why Senators who opposed fishing expeditions in 2005 would come to embrace broadened use of Section 215 orders in 2009.

I guessed, for example, that the government was bulk collecting data and mining it to identify targets for surveillance.

We probably know what this is: the bulk collection and data mining of information to select targets under FISA. Feingold introduced a bajillion amendments that would have made data mining impossible, and each time Mike McConnell and Michael Mukasey would invent reasons why Feingold’s amendments would have dire consequences if they passed. And the legal information Feingold refers to is probably the way in which the Administration used EO 12333 and redacted procedures to authorize the use of data mining to select FISA targets.

Sadly, I allowed myself to get distracted by my parallel attempts to understand how the government used Section 215 to obtain TATP precursors. As more and more people confirmed that, I stopped pursuing the PATRIOT Act ties to 702 as aggressively.

2010

Throwing our PATRIOT at Assange

This may be controversial, given everything that has transpired since, but it is often forgotten what measures the US used against Wikileaks in 2010. The funding boycott is one thing (which is what led Wikileaks to embrace Bitcoin, which means it is now in great financial shape). But there’s a lot of reason to believe that the government used PATRIOT authorities to target not just Wikileaks, but its supporters and readers; this was one hint of that in real time.

2011

The March–and April or May–2004 Changes to the Illegal Wiretap Program

When the first iteration of the May 2004 Jack Goldsmith OLC memo first got released, I identified that there were multiple changes made and unpacked what some of them were. The observation that Goldsmith newly limited Stellar Wind to terrorist conversations is one another reporter would claim credit for “scooping” years later (and get the change wrong in the process). We’re now seeing the scope of targeting morph again, to include a range of domestic crimes.

Using Domestic Surveillance to Get Rapists to Spy for America

Something that is still not widely known about 702 and our other dragnets is how they are used to identify potential informants. This post, in which I note Ted Olson’s 2002 defense of using (traditional) FISA to find rapists whom FBI can then coerce to cooperate in investigations was the beginning of my focus on the topic.

2012

FISA Amendments Act: “Targeting” and “Querying” and “Searching” Are Different Things

During the 2012 702 reauthorization fight, Ron Wyden and Mark Udall tried to stop back door searches. They didn’t succeed, but their efforts to do so revealed that the government was doing so. Even back in 2012, Dianne Feinstein was using the same strategy the NSA currently uses — repeating the word “target” over and over — to deny the impact on Americans.

Sheldon Whitehouse Confirms FISA Amendments Act Permits Unwarranted Access to US Person Content

As part of the 2012 702 reauthorization, Sheldon Whitehouse said that requiring warrants to access the US person content collected incidentally would “kill the program.” I took that as confirmation of what Wyden was saying: the government was doing what we now call back door searches.

2013

20 Questions: Mike Rogers’ Vaunted Section 215 Briefings

After the Snowden leaks started, I spent a lot of time tracking bogus claims about oversight. After having pointed out that, contrary to Administration claims, Congress did not have the opportunity to be briefed on the phone dragnet before reauthorizing the PATRIOT Act in 2011, I then noted that in one of the only briefings available to non-HPSCI House members, FBI had lied by saying there had been no abuses of 215.

John Bates’ TWO Wiretapping Warnings: Why the Government Took Its Internet Dragnet Collection Overseas

Among the many posts I wrote on released FISA orders, this is among the most important (and least widely understood). It was a first glimpse into what now clearly appears to be 7 years of FISA violation by the PRTT Internet dragnet. It explains why they government moved much of that dragnet to SPCMA collection. And it laid out how John Bates used FISA clause 1809(a)(2) to force the government to destroy improperly collected data.

Federated Queries and EO 12333 FISC Workaround

In neither NSA nor FBI do the authorities work in isolation. That means you can conduct a query on federated databases and obtain redundant results in which the same data point might be obtained via two different authorities. For example, a call between Michigan and Yemen might be collected via bulk collection off a switch in or near Yemen (or any of the switches between there and the US), as well as in upstream collection from a switch entering the US (and all that’s assuming the American is not targeted). The NSA uses such redundancy to apply the optimal authority to a data point. With metadata, for example, it trained analysts to use SPCMA rather than PATRIOT authorities because they could disseminate it more easily and for more purposes. With content, NSA appears to default to PRISM where available, probably to bury the far more creative collection under EO 12333 for the same data, and also because that data comes in structured form.

Also not widely understood: the NSA can query across metadata types, returning both Internet and phone connection in the same query (which is probably all the more important now given how mobile phones collapse the distinction between telephony and Internet).

This post described how this worked with the metadata dragnets.

The Purpose(s) of the Dragnet, Revisited

The government likes to pretend it uses its dragnet only to find terrorists. But it does far more, as this analysis of some court filings lays out.

2014

The Corporate Store: Where NSA Goes to Shop Your Content and Your Lifestyle

There’s something poorly understood about the metadata dragnets NSA conducts. The contact-chaining isn’t the point. Rather, the contact-chaining serves as a kind of nomination process that puts individuals’ selectors, indefinitely, into the “corporate store,” where your identity can start attracting other related datapoints like a magnet. The contact-chaining is just a way of identifying which people are sufficiently interesting to submit them to that constant, ongoing data collection.

SPCMA: The Other NSA Dragnet Sucking In Americans

I’ve done a lot of work on SPCMA — the authorization that, starting in 2008, permitted the NSA to contact chain on and through Americans with EO 12333 data, which was one key building block to restoring access to EO 12333 analysis on Americans that had been partly ended by the hospital confrontation, and which is where much of the metadata analysis affecting Americans has long happened. This was my first comprehensive post on it.

The August 20, 2008 Correlations Opinion

A big part of both FBI and NSA’s surveillance involves correlating identities — basically, tracking all the known identities a person uses on telephony and the Internet (and financially, though we see fewer details of that), so as to be able to pull up all activities in one profile (what Bill Binney once called “dossiers”). It turns out the FISC opinion authorizing such correlations is among the documents the government still refuses to release under FOIA. Even as I was writing the post Snowden was explaining how it works with XKeyscore.

A Yahoo! Lesson for USA Freedom Act: Mission Creep

This is another post I refer back to constantly. It shows that, between the time Yahoo first discussed the kinds of information they’d have to hand over under PRISM in August 2007 and the time they got directives during their challenge, the kinds of information they were asked for expanded into all four of its business areas. This is concrete proof that it’s not just emails that Yahoo and other PRISM providers turn over — it’s also things like searches, location data, stored documents, photos, and cookies.

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

Confession: I have an entire chapter of the start of a book on the Yahoo challenge to PRISM. That’s because so much about it embodied the kind of dodgy practices the government has, at the most important times, used with the FISA Court. In this post, I showed that the documents that the government provided the FISCR hid the fact that the then-current versions of the documents had recently been modified. Using the active documents would have shown that Yahoo’s key argument — that the government could change the rules protecting Americans anytime, in secret — was correct.

2015

Is CISA the Upstream Cyber Certificate NSA Wanted But Didn’t Really Get?

Among the posts I wrote on CISA, I noted that because the main upstream 702 providers have a lot of federal business, they’ll “voluntarily” scan on any known cybersecurity signatures as part of protecting the federal government. Effectively, it gives the government the certificate it wanted, but without any of the FISA oversight or sharing restrictions. The government has repeatedly moved collection to new authorities when FISC proved too watchful of its practices.

The FISA Court’s Uncelebrated Good Points

Many civil libertarians are very critical of the FISC. Not me. In this post I point out that it has policed minimization procedures, conducted real First Amendment reviews, taken notice of magistrate decisions and, in some cases, adopted the highest common denominator, and limited dissemination.

How the Government Uses Location Data from Mobile Apps

Following up on a Ron Wyden breadcrumb, I figured out that the government — under both FISA and criminal law — obtain location data from mobile apps. While the government still has to adhere to the collection standard in any given jurisdiction, obtaining the data gives the government enhanced location data tied to social media, which can implicate associates of targets as well as the target himself.

The NSA (Said It) Ate Its Illegal Domestic Content Homework before Having to Turn It in to John Bates

I’m close to being able to show that even after John Bates reauthorized the Internet metadata dragnet in 2010, it remained out of compliance (meaning NSA was always violating FISA in obtaining Internet metadata from 2002 to 2011, with a brief lapse). That case was significantly bolstered when it became clear NSA hastily replaced the Internet dragnet with obtaining metadata from upstream collection after the October 2011 upstream opinion. NSA hid the evidence of problems on intake from its IG.

FBI Asks for at Least Eight Correlations with a Single NSL

As part of my ongoing effort to catalog the collection and impact of correlations, I showed that the NSL Nick Merrill started fighting in 2004 asked for eight different kinds of correlations before even asking for location data. Ultimately, it’s these correlations as much as any specific call records that the government appears to be obtaining with NSLs.

2016

What We Know about the Section 215 Phone Dragnet and Location Data

During the lead-up to the USA Freedom Debate, the government leaked stories about receiving a fraction of US phone records, reportedly because of location concerns. The leaks were ridiculously misleading, in part because they ignored that the US got redundant collection of many of exactly the same calls they were looking for from EO 12333 collection. Yet in spite of these leaks, the few figured out that the need to be able to force Verizon and other cell carriers to strip location data was a far bigger reason to pass USAF than anything Snowden had done. This post laid out what was known about location data and the phone dragnet.

While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704

When Congress passed FISA Amendments Act, it made a show of providing protections to Americans overseas. One authority, Section 703, was for spying on people overseas with help of US providers, and another was for spying on Americans overseas without that help. By May 2016, I had spent some time laying out that only the second, which has less FISC oversight, was used. And I was seeing problems with its use in reporting. So I suggested maybe Congress should look into that?

It turns out that at precisely that moment, NSA was wildly scrambling to get a hold on its 704 collection, having had an IG report earlier in the year showing they couldn’t audit it, find it all, or keep it within legal boundaries. This would be the source of the delay in the 702 reauthorization in 2016, which led to the prohibition on about searches.

The Yahoo Scan: On Facilities and FISA

The discussion last year of a scan the government asked Yahoo to do of all of its users was muddled because so few people, even within the privacy community, understand how broadly the NSA has interpreted the term “selector” or “facility” that it can target for collection. The confusion remains to this day, as some in the privacy community claim HPSCI’s use of facility based language in its 702 reauthorization bill reflects new practice. This post attempts to explain what we knew about the terms in 2016 (though the various 702 reauthorization bills have offered some new clarity about the distinctions between the language the government uses).

2017

Ron Wyden’s History of Bogus Excuses for Not Counting 702 US Person Collection

Ron Wyden has been asking for a count of how many Americans get swept up under 702 for years. The IC has been inventing bogus explanations for why they can’t do that for years. This post chronicles that process and explains why the debate is so important.

The Kelihos Pen Register: Codifying an Expansive Definition of DRAS?

When DOJ used its new Rule 41 hacking warrant against the Kelihos botnet this year, most of the attention focused on that first-known usage. But I was at least as interested in the accompanying Pen Register order, which I believe may serve to codify an expansion of the dialing, routing, addressing, and signaling information the government can obtain with a PRTT. A similar codification of an expansion exists in the HJC and Lee-Leahy bills reauthorizing 702.

The Problems with Rosemary Collyer’s Shitty Upstream 702 Opinion

The title speaks for itself. I don’t even consider Rosemary Collyer’s 2017 approval of 702 certificates her worst FISA opinion ever. But it is part of the reason why I consider her the worst FISC judge.

It Is False that Downstream 702 Collection Consists Only of To and From Communications

I pointed out a number of things not raised in a panel on 702, not least that the authorization of EO 12333 sharing this year probably replaces some of the “about” collection function. Most of all, though, I reminded that in spite of what often gets claimed, PRISM is far more than just communications to and from a target.

UNITEDRAKE and Hacking under FISA Orders

A document leaked by Shadow Brokers reveals a bit about how NSA uses hacking on FISA targets. Perhaps most alarmingly, the same tools that conduct such hacks can be used to impersonate a user. While that might be very useful for collection purposes, it also invites very serious abuse that might create a really nasty poisonous tree.

A Better Example of Article III FISA Oversight: Reaz Qadir Khan

In response to Glenn Gerstell’s claims that Article III courts have exercised oversight by approving FISA practices (though the reality on back door searches is not so cut and dry), I point to the case of Reaz Qadir Khan where, as Michael Mosman (who happens to serve on FISC) moved towards providing a CIPA review for surveillance techniques, Khan got a plea deal.

The NSA’s 5-Page Entirely Redacted Definition of Metadata

In 2010, John Bates redefined metadata. That five page entirely redacted definition became codified in 2011. Yet even as Congress moves to reauthorize 702, we don’t know what’s included in that definition (note: location would be included).

FISA and the Space-Time Continuum

This post talks about how NSA uses its various authorities to get around geographical and time restrictions on its spying.

The Senate Intelligence Committee 702 Bill Is a Domestic Spying Bill

This is one of the most important posts on FISA I’ve ever written. It explains how in 2014, to close an intelligence gap, the NSA got an exception to the rule it has to detask from a facility as soon as it identifies Americans using the facility. The government uses it to collect on Tor and, probably VPN, data. Because the government can keep entirely domestic communications that the DIRNSA has deemed evidence of a crime, the exception means that 702 has become a domestic spying authority for use with a broad range of crimes, not to mention anything the Attorney General deems a threat to national security.

“Hype:” How FBI Decided Searching 702 Content Was the Least Intrusive Means

In a response to a rare good faith defense of FBI’s back door searches, I pointed out that the FBI is obliged to consider the least intrusive means of investigation. Yet, even while it admits that accessing content like that obtained via 702 is extremely intrusive, it nevertheless uses the technique routinely at the assessment level.

Other Key Posts Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

10 Years of emptywheel: Key Non-Surveillance Posts 2016-2017

10 Years of emptywheel: Jim’s Dimestore

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

On 702, NSA Wants to Assure You You’re Not a Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target

NSA just released a touchy-feely Q&A, complete with a touchy-feely image of the NSA, explaining “the Impact of Section 702 on the Typical American.”

I shall now shred it.

First note that this document deals with 702? It should be dealing with Title VII, because the entire thing gets reauthorized by 702 reauthorization. That means Sections 704 and 705(b), which are used to target Americans, will be reauthorized. And they have had egregious problems in recent years (even if the problems only affect some subset of around 300 Americans). Sure, Paul Manafort and Carter Page are not your “typical” Americans, but abuses against them would be problematic for reasons that could affect Americans (not least that they could fuck up the Mueller probe if FISA disclosure for defendants weren’t so broken).

The piece starts by talking about how the IC uses 702 to “hunt” for information on “adversaries,” which it suggests include terrorists and hackers.

The U.S. Intelligence Community relies on Section 702 of the Foreign Intelligence Surveillance Act in the constant hunt for information about foreign adversaries determined to harm the nation or our allies. The National Security Agency (NSA), for example, uses this law to target terrorists and thwart their plans. In a time of increasing cyber threats, Section 702 also aids the Intelligence Community’s cybersecurity efforts.

Somehow, it neglects to mention the foreign government certificate — which can target people who aren’t “adversaries” at all, but instead foreign muckety mucks we want to know about — or the counterproliferation certificate — which can target businesses of all kinds that deal in dual use technologies. Not to mention the SysAdmins that it might target for all these purposes.

The piece then lays out in two paragraphs and six questions (I include just one below) the basic principles that 702 can only “target” foreigners overseas.

Under Section 702, the government cannot target a U.S. person anywhere in the world, or any person located in the United States.

Under Section 702, NSA can target foreigners reasonably believed to be located outside the United States only if it has a basis to believe it will acquire certain types of foreign intelligence information that have been authorized for collection.

[snip]

Q: Can I, as an American, be the target of Section 702 surveillance?

A: No. As an American citizen, you cannot be the target of surveillance under Section 702. Even if you were not an American, you could not be targeted under Section 702 if you were located in the United States.

Effectively, this passage might as well say, “target target target target target target target target target target
target target target target target target target target target,” which is how many times (19) the word is used in the touchy-feely piece. The word “incidental” appears just once, where it entertains what happens if one of “Mary’s” foreign relatives were in a terrorist organization.

Q: One of Mary’s foreign relatives in South America is a member of an international terrorist group. Could Mary’s conversations with that relative be collected under Section 702?

A: Yes, it’s possible, if the U.S. government is aware of the relative’s membership in a terrorist group and the relative is one of the 106,000 targets under Section 702. However, even if this scenario occurred, there would still be protections in place for Mary, a U.S. citizen, if her conversations with that target were incidentally intercepted. For example:

U.S. intelligence agencies’ court-approved minimization procedures are specifically designed to protect the privacy of U.S. persons by, among other things, limiting the circumstances in which NSA can include the identity of a U.S. person in an intelligence report. Moreover, even where those procedures allow the NSA to include the identity of a U.S. person in an intelligence report, NSA frequently substitutes the U.S. person identity with a generic phrase or term, such as “U.S. person 1” or “a named U.S. person.” NSA calls this “masking” the identity of the U.S. person.

There are also what’s known as “age-off requirements”: After a certain period of time, the IC must delete any unminimized Section 702 information, regardless of the nationality of the communicants.

I guess the NSA figured if they used “Fatima,” whose relatives were in Syria, this scenario would be too obvious?

Yet in this, the only discussion of “incidental” collection, the NSA doesn’t explain how it is used — for example to find informants (meaning Fatima might be coerced into informing on her mosque if she discussed her tax dodging with her cousin) or to find 2nd degree associates (meaning Fatima’s friend in the US, Mohammed, might get an FBI visit because Fatima’s cousin in Syria is in ISIS). It also doesn’t explain that the “age-off” is five years, if Fatima is lucky enough to avoid having the FBI deem her conversations with her cousin in Syria interesting. If not, the data will sit on an FBI server for 30 years, ready to provide an excuse to give Fatima extra attention next time some bigot gets worried because he sees her taking pictures at Disney World.

Curiously, while the NSA doesn’t address the disproportionate impact of 702 on Muslims, it does pretend to address the disproportionate impact on Asians or their family members — people like like Xiaoxiang Xi and Keith Gartenlaub.

Q: Could the government target my colleague, who is a citizen of an Asian country, as a pretext to collect my communications under Section 702?

A: No. That would be considered “reverse targeting” and is prohibited.

Thanks to Ron Wyden, we know how cynically misleading this answer is. He explained in the SSCI 702 reauthorization bill report that the government may,

conduct unlimited warrantless searches on Americans, disseminate the results of those searches, and use that information against those Americans, so long as it has any justification at all for targeting the foreigner.

Effectively, the government has morphed the “significant purpose” logic from the PATRIOT Act onto 702, meaning collecting foreign intelligence doesn’t have to be the sole purpose of targeting a foreigner; learning about what an American is doing, such as a scientist engaging in scientific discussion, can be one purpose of the targeting.

After dealing with unmasking, the NSA then performs the always cynical move of asking whether the NSA can query US person content.

Q: Can NSA use my information to query lawfully collected 702 data?

A: NSA can query already lawfully collected Section 702 information using a U.S. person’s name or identifier (such as an e-mail account or phone number) only if the query is reasonably designed to identify foreign intelligence information.

However, a U.S. person is still afforded protection. The justification for the query must be documented. The process for conducting a query is also subject to internal controls. Such queries are reviewed by the Department of Justice and the Office of the Director of National Intelligence to ensure they meet the relevant legal requirements. Additionally, if the query was subsequently identified as being improper, it would be reported to the Foreign Intelligence Surveillance Court and to Congress.

This passage is absolutely correct. But also absolutely beside the point, because NSA sends a significant chunk of its collection to the FBI where it can be searched to assess leads and search for evidence of crimes, and where queries get nowhere near the kind of oversight that NSA queries get.

Then the piece tries to explain the need for all the secrecy.

Q: Terrorists aim to hurt Americans and our allies, so why doesn’t the Intelligence Community share more Section 702 information about how the IC goes after them?

A: The Intelligence Community has dramatically enhanced transparency, especially regarding its implementation of Section 702. Thousands of pages of key documents have been officially released, and are available on IC on the Record. The public has more information than ever before on how the IC uses this critical foreign surveillance authority. That said, the IC must continue to protect classified information. This includes specifics on whether or not it has collected information about any particular individual.

If terrorists could find out that NSA had intercepted their communications, terrorists would likely change their communications methods to avoid further detection.

This is, partly, a straw man. People aren’t really asking to know NSA’s individual targets. They’re asking to know whether the government has back doored their iPhones via demands under FISA, or whether the NSA is collecting on the 430,000 Americans that use Tor every day, or if they’re also using this “foreign intelligence” collection program to hunt Americans buying drugs on Dark Markets or even BLM activists that our racist Attorney General has deemed a threat to national security. And in the name of keeping secrets from terrorists (who actually have the feedback mechanism of observing what gets their associates drone-killed to learn what gets collected), the government is refusing to admit that the answer to all those questions is yes: yes, the government has back doored our iPhones, yes, the government is spying on the 430,000 Americans that use Tor, and yes, for those who use Tor to buy drugs, they may even use 702 data to prosecute you.

Finally, the NSA pretends that everyone else in the world has a program just like this.

Q: Is the U.S. government the only one in the world with intercept programs like 702?

A: No. Many other countries have intelligence surveillance intercept programs, nearly all of which have far fewer privacy protections. Section 702 and its supporting policies and practices stand out in terms of strength of oversight, privacy protections, and public transparency.

It is true that other countries have “intercept programs,” but with the exception of China and Russia’s access to domestic Internet companies, no other country has a program “like 702” that, by virtue of the United States hosting the world’s most popular Internet companies, gives the US the luxury of spying on the rest of the world using a nice note to Google rather than having to hack users individually (or hack all users, as Russia did with Yahoo).

So, yes, the NSA has now offered a picture of itself, literally and metaphorically, that minimizes the scope, the thousands of spies it employs, and the reach, both domestic and global. But it’s a profoundly misleading picture.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Did FBI Plan Russia’s Fire Sale in San Francisco for a Specific Reason?

You’ve no doubt seen pictures of the black smoke rising above Russia’s consulate yesterday, an apparently sour-smelling smoke on a day of record heat in San Francisco. A facility ordered to close in DC sported a more modest fire.

None of that’s surprising. When diplomatic facilities shut down, especially on short notice as happened here, they need to get rid of records, not least all the spying records. We did it in the MENA embassies closed in the face of attacks in 2012, including the facility in Benghazi. We burned documents in our embassy in Moscow in 1991. This is what diplomatic personnel, and spies operating under official cover, are trained to do.

It provides the same kind of spectacle that evicting Russians who’ve long inhabited suburban compounds did in December (and I confess to convincing EFF to sending an intern to sniff the air to figure out what besides paper might be burning). That said, it is to be expected.

But I wonder whether there’s not something more to the way this was carried out. Eli Lake took a break from scolding violence he otherwise champions if used by those he disagrees with to do some actual reporting. He explained that in late July, in an effort to minimize Russia’s reaction to the sanctions Congress pushed through over Trump’s objections, a top State Department official offered Russia a deal: they could have their NY and MD compounds back so long as they promised to use them only for recreation and agreed to let authorities search the compounds. But agreeing to those criminal searches was too much for Russia to agree to, which led State to revert to the normal processes.

U.S. officials tell me that Undersecretary of State Tom Shannon, a career foreign service official appointed during the Obama administration, made a last-minute effort to stop the Russians from retaliating against the new sanctions, a response to Russia’s election meddling that Trump reluctantly signed.

At the end of July, Shannon presented a “non-paper,” a proposal with no official diplomatic markings, to his Russian counterpart that offered the return of two diplomatic compounds President Barack Obama shuttered in December.

[snip]

Almost no one else in the government knew about Shannon’s efforts. Two U.S. officials who work closely on Russia told me that the FBI’s spy hunters in particular were furious when they found out Shannon had made the unofficial offer to return the compounds closed in December. Fiona Hill, the National Security Council’s senior director for European and Russian affairs, was also unaware of the offer, according to these officials.

Shannon’s non-paper was not a total giveaway. It included tougher terms for how the Russians could use their compounds, specifying they could only be used for recreational activities. It also explicitly gave U.S. authorities the right to enter the compounds if there was suspicion of criminal activity or espionage.

That apparently was too much for Moscow. They went ahead with the diplomatic expulsions anyway. This time when the Trump administration considered its response, it went through a more rigorous inter-agency process, according to U.S. officials who participated in it. The FBI in particular pressed for closing the consulate in San Francisco because it was a center for Russian espionage activities on the West Coast.

It’s this last bit I’m particularly interested in. The WaPo reported earlier this year something I had heard as well: the decisions on expulsions in December had reflected a last minute shift to include more people in San Francisco.

More broadly, the list of 35 names focused heavily on Russians known to have technical skills. Their names and bios were laid out on a dossier delivered to senior White House officials and Cabinet secretaries, although the list was modified at the last minute to reduce the number of expulsions from Russia’s U.N. mission in New York and add more names from its facilities in Washington and San Francisco.

And I’ve heard Russians pushed to have their Houston consulate shut down in lieu of the San Francisco one, to no avail.

It’s what came next that is really interesting. In both San Francisco and DC, apparently after the Russians had vacated their property (remember reports that the Russians may have gotten warning about their compounds in December), the US informed them Russians in San Francisco and the facility in DC would be subject to search.

On August 31, the US authorities announced unprecedented restrictive measures against Russian diplomatic and consular missions in the US, requiring us to close, in a matter of two days, the consulate general in San Francisco, one of the largest Russian consulates in the US that provides visa, notary and other consular services to Russian and US nationals from across a number of densely populated states. Russia is also required to close without delay its Trade Representation in Washington, D.C. and its annex in New York. The US also tightened requirements regarding the mobility of Russian diplomats and official delegations.

This move is yet another blatant violation of international law, including the commitments undertaken by the US under the Vienna Conventions on Diplomatic and Consular Relations. It goes far beyond Washington’s previous initiatives, which included the expropriation by the Barack Obama administration in December 2016 of countryside retreats of the Russian Embassy and Permanent Mission to the UN, despite their immunity status.

Following the illegal seizure of high-value Russian state property, we are being pushed to sell them. On top of that, the latest demands announced by the US pose a direct threat to the security and safety of Russian citizens. The US secret services intend to conduct a search of the Consulate General in San Francisco on September 2, including the apartments of its staff who live in the building and have immunity. In this connection, they were ordered to leave the premises for a period of 10 to 12 hours with their families, including small children and even infants. This is an intrusion into a consular office and the residence of diplomatic workers, who are forced outside so as not to stand in the way of the FBI agents.

I believed the Russians are right here — the tit for tat evictions are normal, and so are the fires before vacating a compound. The searches of diplomatic property are likely not (never mind that FBI could get FISA warrants to search them in a cinch — that just wouldn’t permit them to do this so quickly and aggressively).

The last time Putin spoke of retaliation like this came shortly before the NotPetya worm, and raised in the context of kompromat by a power that collected kompromat on Trump and the Republicans, may well be backed by a real ability to deliver on the threat.

So I’m wondering if the FBI had more specific reasons to use the opportunity of Russia refusing our sweetheart deal to want to close this consulate and flush whatever and whoever is in it out into the open? That’s true, especially given the criminal hacking cases targeting Silicon Valley companies we’re trying out there (the Yahoo and the Nikulin one both may have tangential ties to the DNC hack).

Undoubtedly, this is all happening because FBI believes it will make Russian spying, particularly that targeting our tech industry, far more difficult. But I wonder if some specific goal made the difference to really taking a hard line?

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Reality Winner Claims NSA’s Collection on Russians Had Already Been Compromised

I guess today is Reality Winner day.

As Trevor Timm describes, Winner is trying to get comments she made in an interview with the FBI thrown out, arguing she was for legal purposes in custody yet did not receive a Miranda warning. In support of that argument, she submitted a declaration describing what happened to her that day — basically how 10 male FBI agents showed up to search her house, with two taking her to a back room to interrogate her.

In addition to all the details about how many male FBI agents there were and how they had her stand in the fenced yard when they were done interrogating her, she describes how she answered when they asked whether she believed she had compromised sources and methods.

16. Law enforcement specifically asked me whether I believed the disclosure of the document compromised the “sources and methods” contained in the document, to which I advised that it was likely those “sources and methods” had already been compromised.

17. I specifically told law enforcement that, “whatever we were using had already been compromised, and that this report was just going to be like a one drop in the bucket.”

Critics will argue that this wasn’t Winner’s operational judgment to make, though it does reveal that even in this interview, she attested that she didn’t think her leak would damage intelligence.

But I’m interested in her claim that these collection points were already burned.

While many people complain that the IC has withheld too much information about the Russian hack, there are some details that have been released that are downright surprising. Sure, we don’t know who leaked the Steele dossier, but it may have led to the exposure (and possible execution) of his sources. We do know, however, that DOJ itself revealed (in the Yahoo indictment) that it collected email conversations of FSB officers among themselves. We’ve heard vague reporting, too, that Russians figured out they were tapped and went silent accordingly. One early report I got about Russia’s involvement in the DNC hack explained that the suspected hackers rolled up a good deal of their infrastructure after it was exposed.

But Winner (who’s an analyst, remember, not a technical person) claims, that “whatever we were using had already been compromised” with apparent confidence.

Which raises questions whether that’s based on actual knowledge of how Russians were responding to our spying.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

On Trump’s Impenetrable Cyber Security Unit to Guard Election Hacking

Man oh man did Vladimir Putin hand Trump his ass in their meeting the other day. While most the focus has been on Trump’s apparent refusal to confront Putin on the election hack (which Trump is now trying to spin — pity for him he excluded his credible aides who could tell us how it really went down or maybe that was precisely the point).

But I was more interested in Putin and Sergei Lavrov’s neat trick to get Trump to agree to a “joint working group on cybersecurity.”

Lavrov says Trump brought up accusations of Russian hacking; Moscow and DC will set up joint working group on cybersecurity.

Here’s how Trump has been talking about this in an [unthreaded] rant this morning.

People who’re just discovering this from Trump’s tweets are suitably outraged.

But I think even there they’re missing what a master stroke this was from Putin and Lavrov.

First, as I noted at the time, this comes at the moment Congress is trying to exclude Kaspersky Lab products from federal networks, accompanied by a more general witch hunt against the security firm. As I have said, I think the latter especially is problematic (and probably would have been designed at least partly to restore some asymmetry on US spying on the world, as Kaspersky is one of the few firms that will consistently ID US spying), even if there are reasons to want to keep Kaspersky out of sensitive networks. Kaspersky would be at the center of any joint cyber security effort, meaning Congress will have a harder time blackballing them.

Then there’s the fact that cooperation has been tried. Notably, the FBI has tried to share information with the part of FSB that does cyber investigations. Often, that ends up serving to tip off the FSB to which hackers the FBI is most interested in, leading to them being induced to spy for the FSB itself. More troubling, information sharing with US authorities is believed to partly explain treason charges against some FSB officers.

Finally, there’s the fact that the Russians asked for proof that they hacked our election.

SECRETARY TILLERSON: The Russians have asked for proof and evidence. I’ll leave that to the intelligence community to address the answer to that question. And again, I think the President, at this point, he pressed him and then felt like at this point let’s talk about how do we go forward. And I think that was the right place to spend our time, rather than spending a lot of time having a disagreement that everybody knows we have a disagreement.

If the US hadn’t been represented by idiots at this meeting, the obvious follow-up would be to point to Russia’s efforts to undermine US extradition of Russians against whom the US has offered proof, at least enough to get a grand jury to indict, most notably of the three Russians involved in the Yahoo hack, as well as Yevgeniy Nikulin. The US would be all too happy to offer proof in those cases, but Russia is resisting the process that will end up in that proof.

But instead, Trump and his oil-soaked sidekick instead agreed to make future hacking of the US easier.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Europe Gets Impatient for Yahoo Answers

As I’ve noted, James Clapper’s office has been irresponsibly silent about what kind of scan FBI asked Yahoo to subject all of its email users to in 2015. And those in Congress who haven’t been briefed on it are demanding information.

But they’re not the only ones. Europe is too (as Yahoo seemed all too aware when it wrote Clapper asking him to clarify the scan).

And they’ve got a bit more leverage over the Intelligence Community than non-intelligence committee members of Congress do, because the EU prohibits data collected in Europe from being used for mass surveillance.

Dutch MEP Sophia In t’Veld asked the European Commission questions but has thus far gotten no answer.

Yahoo has allegedly scanned customer emails for US intelligence purposes at the request of US intelligence agencies. According to reports, in 2015 Yahoo secretly built a custom software program allowing it to search all of its customers’ incoming emails for specific information requested by US intelligence officials. In the Schrems judgment, the Safe Harbour programme allowing EU personal data to be transferred to the US was declared invalid, among other reasons because of the mass surveillance protocols used by US intelligence services.

Will the Commission investigate these reports and ask clarification from the US administration?

Was the Commission aware of these alleged activities by Yahoo at the time it adopted the Privacy Shield decision? If not, do these revelations prompt the Commission to reconsider its decision on Privacy Shield?

Does the Commission consider Yahoo to have violated the terms of Safe Harbour, does the Commission consider that these practices would be allowed under Privacy Shield, and how will the Commission verify that violations in this regard do not take place?

And the Article 29 Working Party — the data protection authorities — last week asked Yahoo directly.

In addition, the WP29 was also informed that Yahoo has scanned customer emails for US
intelligence purposes at the request of US intelligence agencies. According to reports, in
2015 Yahoo searched all of its customers’ incoming emails for specific information
requested by US intelligence officials.

The reports are concerning to WP29 and it will be important to understand the legal
basis and justification for any such surveillance activity, including an explanation of how
this is compatible with EU law and protection for EU citizens.

 

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

In Spying, “Things like phone numbers or emails” Turn Out to Be Far More

According to Reuters, the Intelligence Community doesn’t intend to share any details of the Yahoo scan revealed several weeks back with anyone outside of the FISA oversight committees — the House and Senate Intelligence and Judiciary Committees.

Executive branch officials spoke to staff for members of the Senate and House of Representatives committees overseeing intelligence operations and the judiciary, according to people briefed on the events, which followed Reuters’ disclosure of the massive search.

But attempts by other members of Congress and civil society groups to learn more about the Yahoo order are unlikely to meet with success anytime soon, because its details remain a sensitive national security matter, U.S. officials told Reuters. Release of any declassified version of the order is unlikely in the foreseeable future, the officials said.

On its face, it’s a stupid stance, as I think the scan probably fits within existing legal precedents that have already been made public, even if it stretches those precedents from “packet content as content” to “email content as content” (and it may not even do that).

In addition, given that the scan was approved by a judge (albeit one working within the secret FISA court and relying on prior decisions that were issued in secrecy), by releasing more details about the scan the government could at least claim that a judge had determined the scan was necessary and proportionate to obtain details about the (as described to NYT) state-sponsored terrorist group targeted by the scan. This decision presumably relies on a long line of decisions finding warrantless surveillance justified by special needs precedents, which began to be laid out for FISC in In Re Sealed Case in 2002.

Nevertheless, even given the toll the government’s secrecy is having on Yahoo (and presumably on other providers’ willingness to cooperate with the IC), the government thus far has remained intransigent in its secrecy.

Which suggests that the IC believes it would risk more by releasing more data than by its continued, damaging silence.

I’ve already explained one of the risks they might face: that their quick anonymous description of this as a “state-sponsored terrorist group” might (this is admittedly a wildarsed guess) really mean they hacked all of Yahoo’s users to get to Iranian targets, something that wouldn’t have the same scare power as terrorists like ISIS, especially in Europe, which has a markedly different relationship with Iran than the US has.

But I also think ODNI risks losing credibility because it appears to conflict with what ODNI specifically and other spook officials generally have said in the past, both to the US public and to the international community. As I note here, the definition of “facility” has been evolving at FISC since at least 2004. But the privacy community just released a letter and a quote to Reuters that seems unaware of the change. The letter asserts,

According to reports, the order was issued under Title I of FISA, which requires the government to demonstrate probable cause that its target is a foreign power or an agent of a foreign power (such as a spy or a terrorist), and probable cause that the “facility” at which the surveillance is conducted will carry the target’s communications. If reports are true, this authority to conduct a particularized search has apparently been secretly construed to authorize a mass scan.

Traditional FISA orders haven’t been limited to particularized targets since 2007, when an order targeting Al Qaeda was used to temporarily give Stellar Wind legal sanction. If one order requiring a scan of traffic at  telecom switches could target Al Qaeda in 2007, then surely one order can target Iran’s Revolutionary Guard or a similar organization in 2016. The problem is in the execution of the order, requiring Yahoo to scan all its incoming email, but it’s not clear the legal issues are much worse than in the 2007 execution.

A Reuters source goes even further, suggesting that all of Yahoo is the facility, rather than the specific code tied to the targeted group.

The groups say that Title I of the Foreign Intelligence Surveillance Act, under which sources said the order was issued, requires a finding that the target of such a wiretap is probably an agent of a foreign power and that the facility to be tapped is probably going to be used for a transmission. An entire service, such as Yahoo, has never publicly been considered to be a “facility” in such a case: instead, the word usually refers to a phone number or an email account.

Never mind that under the phone dragnet, Verizon was counted as the targeted selector (which was used by terrorists and everyone else), though admittedly that was just for metadata. Had Yahoo been designed the “place” at which a physical search were conducted this usage might be correct (that said, we know very little about how physical searches, including for stored communication, work in practice), but as Semiannual reports have made clear (admittedly in the Section 702 context), facility has come to be synonymous with selector.

[T]argeting is effectuated by tasking communication facilities (also referred to as “selectors”), including but not limited to telephone numbers and electronic communications accounts, to Section 702 electronic communication service providers.

Facilities are selectors, and here FBI got a selector tied to a kind of usage of email — perhaps an encryption signature — approved as a selector/facility.

In spite of the fact that somewhere among 30 NGOs someone should have been able to make this argument (and ACLU’s litigation side surely could do so), there is good reason for them to believe this.

That’s because the IC has very deliberately avoided talking about how what are called “about” scans but really should be termed signature scans really work.

This is most striking in a March 19, 2014 Privacy and Civil Liberties Oversight Board hearing, which was one of the most extensive discussions of how Section 702 work. Shortly after this hearing, I contacted PCLOB to ask whether they were being fully briefed, including on the non-counterterrorism uses of 702, such as cyber, which use (or used) upstream selectors in a  different way.

Several different times in the hearing, IC witnesses described selectors as “selectors such as telephone numbers or email addresses” or “like telephone numbers or email addresses,” obscuring the full extent of what might be included (Snowden tweeted a list that I included here). Bob Litt did so while insisting that Section 702 (he was referring both to PRISM and upstream here) was not a bulk collection program:

I want to make a couple of important overview points about Section 702. First, there is either a misconception or a mischaracterization commonly repeated that Section 702 is a form of bulk collection. It is not bulk collection. It is targeted collection based on selectors such as telephone numbers or email addresses where there’s reason to believe that the selector is relevant to a foreign intelligence purpose.

I just want to repeat that Section 702 is not a bulk collection program.

Then-Deputy Assistant Attorney General Brad Weigmann said selectors were “really phone numbers, email addresses, things like that” when he defined selector.

A selector would typically be an email account or a phone number that you are targeting. So this is the, you get, you know, terrorists at Google.com, you know, whatever. That’s the address that you have information about that if you have reason to believe that that person is a terrorist and you would like to collect foreign intelligence information, I might be focusing on that person’s account.

[snip]

So that’s when we say selector it’s really an arcane term that people wouldn’t understand, but it’s really phone numbers, email addresses, things like that.

And when then-NSA General Counsel Raj De moved from describing Section 702 generally (“selectors are things like”), to discussing upstream, he mistakenly said collection was based on “particularly phone numbers or emails” then immediately corrected himself to say, “things like phone numbers or emails.”

So there’s two types of collection under Section 702. Both are targeted, as Bob was saying, which means they are both selector-based, and I’ll get into some more detail about what that means. Selectors are things like phone numbers and email addresses.

[snip]

It is also however selector-based, i.e. based on particular phone numbers or emails, things like phone numbers or emails. This is collection to, from, or about selectors, the same selectors that are used in PRISM selection. This is not collection based on key words, for example.

 

That language would — and apparently did — create the false impression that about collection really did just use emails and phone numbers (which is why I called PCLOB, because I knew they were or had also targeted cyber signatures).

Here’s how all that evasiveness appeared in the PCLOB 702 report:

Although we cannot discuss the details in an unclassified public report, the moniker “about” collection describes a number of distinct scenarios, which the government has in the past characterized as different “categories” of “about” collection. These categories are not predetermined limits that confine what the government acquires; rather, they are merely ways of describing the different forms of communications that are neither to nor from a tasked selector but nevertheless are collected because they contain the selector somewhere within them.

That certainly goes beyond the linguistic game the IC witnesses were playing, but stops well short of explaining that this really isn’t all about emails and phone numbers.

Plus, there’s one exchange from that March 2014 hearing that might be taken to rule out about collection from a PRISM provider. In reply to specific prodding from Elisabeth Collins Cook, De said about collection cannot be made via PRISM.

MS. COLLINS COOK: I wanted to ask one additional question about abouts. Can you do about collection through PRISM?

MR. DE: No.

MS. COLLINS COOK: So it is limited to upstream collection?

MR. DE: Correct. PRISM is only collection to or from selectors.

Of course, De was referring to warrantless collection under Section 702. He wasn’t talking at all about what is possible under Title I. But it may have left the impression that one couldn’t order a PRISM provider to do an about scan, even though in 2007 FISA ordered telecoms to do about scans.

Ultimately, though, the IC is likely remaining mum about these details because revealing it would make clear what publicly released opinions do, but not in real detail: that these about scans have gotten far beyond a collection of content based off a scan of readily available metadata. These scans likely replicate the problem identified in 2004, in that the initial scan is not of things that count as metadata to the provider doing the scan.

The IC may have FISC approval for that argument. But they also had FISC approval for the Section 215 dragnet. And that didn’t live up to public scrutiny either.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Yahoo to Clapper: Global, Global, Beyond our Borders, Global

I joked when Yahoo first released its letter to James Clapper the other day, asking that he release details about the 2015 scan first revealed by Reuters. It has the tone of a young woman who is justifiably upset because, after sleeping with her, some jerk is pretending he doesn’t even know her.

But as it happens, I’m in Europe, trying to learn more about Privacy Shield and related issues. So I thought I would call attention to the emphasis Yahoo lawyer Ronald Bell (who was the guy who decided not to challenge this) puts on the international impact of Clapper’s decision, thus far, to remain silent.

As you know, Yahoo consistently campaigns for government transparency about national security requests and for the right to share the number and nature of the requests we receive from all governments. We apply a principled approach to handling government requests for user data, including in the national security context, articulated in our publicly-available Global Principles for Responding to Government Requests and regular transparency reports. Our company not only embraces its privacy and human rights responsibilities, we do so enthusiastically, passionately, and with a deep sense of global and moral responsibility. But transparency is not merely a Yahoo issue: Transparency underpins the ability of any company in the information and communications technology sector to earn and preserve the trust of its customers. Erosion of that trust online implicates the safety and security of people around the world and diminishes confidence and trust in U.S. businesses at home and beyond our borders.

Recent new stories have provoked broad speculation about Yahoo’s approach and about the activities and representations of the U.S. government, including those made by the Government in connection with negotiating Privacy Shield with the European Union. That speculation results in part from lack of transparency and because U.S. law significantly constrain–and severely punish–companies’ ability to speak for themselves about national security related orders even in ways that do not compromise U.S. government investigations.

We trust that the U.S. government recognizes the importance of clarifying the record in this case. On behalf of Yahoo and our global community of users, I respectfully request that the Office of the Director of National Intelligence expeditiously clarify this matter. [bold emphasis mine]

Folks here definitely followed the Yahoo story. Their understanding of what happened leads them to believe the scan violates European prohibitions on mass surveillance. Importantly, they’re not aware that this was done with an “individual” FISA order rather than under Section 702. As I’ve written, “individual” orders have been used for bulk scans since 2007, but in this case, an “individual” order would also mean that a judge had reviewed the scan and found it proportional, which would make a big difference here (at least to authorities; a number of other people are raring to challenge such judgements on whether it is an adequate court or not).

So yeah, by disclosing details of this scan, Yahoo may be in much better position vis a vis European authorities, if not consumers.

But there’s another reason why Clapper’s office — or rather ODNI General Counsel Bob Litt — may be so quiet.

Litt is the one who made many of the representations about US spying to authorities here. Someone — Litt, if he’s still around for a hearing that may take place under President Hillary — may also need to go testify under oath in an Irish court in conjunction with a lawsuit there. Whoever testifies will be asked about the kinds of surveillance implicating European users the government makes US companies do.

In other words, Bob Litt is the one who made certain representations to the European authorities. And now some of those same people are asking questions about how this scan complies with the terms Litt laid out.

Which makes his silence all the more instructive.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Can the Government Use FISA to Get Evidence of Past Criminal Activities?

A terror support case due to start in NYC in December seems to present some interesting questions about the use of EO 12333 and FISA evidence. Ahmed Mohammed El Gammal was arrested last year on charges he helped someone else — who apparently got killed in Syria — travel to and train for ISIL. After almost a year and several continuations, the government provided notice they intended to use material gathered under a FISA physical surveillance order (but not an electronic surveillance order). The case clearly involves a ton of Internet communications; the defense proposed voir dire questions ask if potential jurors are familiar with Twitter, Tango, Whatsapp, Cryptocat, Viber, Skype, Surespot or Snapchat, and asks how much potential jurors use Facebook.

After the government submitted the FISA notice, El Gammal’s lawyers submitted three filings: one seeking access to CIPA information, one seeking to suppress the FISA material, and one asking where all the other surveillance came from.

The FISA complaint, aside from the standard challenge, appears to stem from both the delay in notification and some concerns the government did not adhere to minimization procedures (in the defense reply, they noted that the government had already released minimization procedures but refused to do so here). In addition, the FISA challenge suggests the government used FISA to “was to gather evidence of his past criminal activity,” which it argues is unlawful. His lawyers also seem to question whether there was no other way to obtain the information (which is particularly interesting given the delayed notice).

In addition, the government’s response describes some of the reasons El Gammal’s lawyers suspect the government used some kind of exotic (probably 12333) surveillance against him (some of which are partly or entirely redacted in the defense filings).

The defendant’s motion speculates that the Government relied upon undisclosed techniques when it (1) “appears to have sought information about El Gammal from at least two entities—Verizon and Yahoo—before his identity seems to have become known through the criminal investigation,” (Def. Memo. 3) (2) “seems to have learned about El Gammal before receiving, in the criminal investigation, the first disclosure that would necessarily have identified him,” (Def. Memo. 5) and (3) appeared to have “reviewed the contents of [CC-1’s] [social media] account before [the social media provider] made its Rule 41 return” (Def. Memo. 5). This speculation is baseless. The Government has used a number of investigative techniques in this case. Not all of those techniques require notice or disclosure at this (or any) stage of the investigation.2 And the Government has complied with its notice and disclosure obligations to date.

2 Additional background regarding this investigation is provided in Section IV.A. of the Government’s September 23, 2016 Classified Memorandum in Opposition to the Defendant’s Pretrial Motion to Suppress, and for the Disclosure of the FISA Order, Application, and Related Materials.

It appears that the government had obtained Facebook material (the primary social media involved here) either under Section 702 or EO 12333, then parallel constructed it via warrant. And it appears to suggest the involvement of some kind  of programmatic Verizon and Yahoo collection that may not have been disclosed (El Gammal was in custody before the end of the old phone dragnet).

Particularly given the timing (in the wake of FBI obtaining a way to get into Syed Rezwan Farook’s phone), I had thought the physical search might have been to decrypt El Gammal’s iPhone, but it appears the government had no problems accessing the content of multiple Apple devices.

There’s no reason to think El Gammal will have any more luck obtaining this information than previous defendants seeking FISA and 12333 information have been.

But his lawyers (SDNY’s excellent public defenders office) do seem to think they’re looking at something more programmatic than they’ve seen before. And they do seem to believe those techniques are being parallel constructed.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.