The Office of the Director of National Intelligence (ODNI) has been going through something of an awkward phase the last few years. The Office, which is a part of the White House, and is supposed to direct and coordinate various parts of the intelligence community, has been trying to figure out how to be more open and "transparent" to the public since the Snowden documents began flowing. Given that historically the intelligence community has focused on being as secret as is humanly possible, it's not very good at this whole transparency thing. And sometimes it's just really, really awkward. Just try (really) to watch this video it put out on Wednesday, telling US travelers abroad to fear everyone and everything.
That's not to say that there isn't some good advice mixed in there, but it's mixed in with some ridiculous claims, an overreaching level of paranoia, and some incredibly bad acting. The basic premise, though, is that wherever you go, even if you're visiting a US ally country, basically every person you meet has an ulterior motive, and it's to get your digital stuff. The border patrol guy who welcomes you to the country clicks a button that says "INITIATE SURVEILLANCE" (literally) and apparently suddenly every living human being in this foreign country now knows to spy on Frank.
He checks into his hotel, and the person at the front desk is friendly, but apparently having been tipped off by border patrol to spy on Frank, she immediately texts his room number to a sketchy guy. We know he's sketchy because he wears a leather jacket. When Frank heads out of his hotel room, he puts his tablet in the room safe, and as soon as he's gone, Mr. Sketchy comes in and opens the safe and downloads everything. To be clear: hotels are not very secure and people get electronics stolen all the time. And, yes, if you're a serious target, people may target your electronics. Of course, many of those people may actually work for the US government. Isn't that part of how the NSA hacks into various global companies? It seems like this video is giving up more US procedures than anything else.
Then the video just gets weirder. A smug asshole shows up claiming he's someone who "knows better" and tells Frank not to bring so many electronic gadgets with him. He actually recommends getting a burner phone and a throwaway email address for travel overseas. Yes, this is part of the same US intelligence community that has talked about how burner phones have created problems for its surveillance efforts, though which these days also is pretty good at connecting burner phones to individuals by merging various databases together. Smug guy also says not to post on Facebook (or, rather, "Friend Basket" in the video) that you'll be travelling overseas. Now, that's also not necessarily a bad recommendation, but it depends on context quite a bit. If the fear is that you're alerting foreigners to target you, given the earlier paranoia in the video, it's unlikely that those targeting you are finding out because of your social media posts.
Then, the paranoia goes deeper. Frank meets a woman and they agree to go for drinks. Smug Jackass basically says that anyone that friendly to Frank must be evil. Then, he reminds Frank never to send a work email, even though he's traveling for work. And then he actually says: "Besides, who's got time for work? You're traveling! Get out there! Live a little!" Remember that literally a minute earlier, Smug Guy was berating Frank for doing exactly that.
Yes, there are certainly some people where this kind of thing applies to them when travelling abroad. But this video isn't likely to help them, and it applies to a fairly limited population of people. Meanwhile, this video really kinda reveals the paranoia with which the US intelligence community lives. They spy on absolutely everyone, so they assume that absolutely everyone is getting spied on everywhere as well. It's also somewhat bizarre that they're pushing disposable email and burner phones on people while warning about terrorists using the same.
The key messages: the US intelligence community is creepy and smug, and they want you to be deathly terrified of anyone you encounter in a foreign country.
from the shame-this-whole-system-of-checks-and-balances-can't-just-be-eradicated dept
Late last week, the Office of the Director of National Intelligence released a stack of documents from Yahoo's challenge of the NSA's internet dragnet. The new declassified and unsealed documents have been dumped into one, 309-page PDF along with everything the ODNI has already released -- one of the small things the office routinely does to slow the dissemination of previously-unseen information.
What she's uncovered is more evidence the agency considers itself accountable to no one. Not only was Yahoo expected to be litigating blindly -- what with the government's multiple ex parte submissions and its general refusal to discuss any specifics of its PRISM program -- but apparently the FISA court was expected to adjudicate blindly. The NSA's refusal to provide Reggie Walton with the information he needed to render decisions resulted in this irritated order.
The Court is issuing this ex parte order to the Government requiring it to provide clarification concerning the impact on this case of various government filings that have been made to the FISC under separate docket.
lt is HEREBY ORDERED that the government shall file a brief no later than February 20. 2008, addressing the following questions:
1. Whether the classified appendix that was provided to the Court in December 2007 constitutes the complete and up-to-date set of certifications and supporting documents (to include affidavits, procedures concerning the location of targets, and minimization procedures) that are applicable to the directives at issue in this proceeding. If the answer to this question is .. yes,'” the government's brief may be filed ex parte. If the government chooses to serve Yahoo with a copy of the brief, it shall serve a copy of this Order upon Yahoo as well.
2. If the answer to question number one is “no,” the Government shall state what additional documents it believes are currently in effect and applicable to the directives to Yahoo that are at issue in this proceeding. The government shall file copies of any such documents with the Court concurrent with filing its brief. The government shall serve copies of this Order, its brief, and any additional documents upon Yahoo, unless the government moves this Court for leave to file its submission ex parte, either in whole or in part. If the government files such a motion with the Court, it shall serve a copy of its motion upon Yahoo. The government shall also serve a copy of this Order upon Yahoo, unless the government establishes good cause for not doing so within the submission it seeks to file ex parte.
The government's testy response was to point out it has never been obligated to provide anyone but the court with documents pertaining to its surveillance efforts..
Under the Protect America Act, then, the government has an unqualified right to have the Court review a classified submission ex parte and in camera which, of course, includes the unqualified right to keep that submission from being disclosed to any party in an adversarial proceeding before this Court.
As Wheeler points out, the documents Judge Walton ordered the government to turn over to the court did not arrive in full until after Walton had made it clear he wouldn't force the government to hand these over to Yahoo as well.
The holdout document -- the one that didn't appear until the government was sure it wouldn't have to provide Yahoo with this info -- is key. It shows the government's procedures for handling metadata had been misleadingly portrayed, not just to Yahoo, but possibly to the court as well.
Now, to be fair, in the original release, it was not clear that the government offered this much explanation for SPCMA [Special Procedures Concerning Metadata Analysis], making it clear that the procedural change involved making American metadata visible. But the government very clearly suggested — falsely — that SPCMA had no Fourth Amendment implications because they didn’t make Americans overseas more likely to be targeted (which the government already knew was the key thrust of Yahoo’s challenge).
The opposite is true: by making US person metadata visible, it ensured the government would be more likely to focus on communications of those with whom Americans were communicating. These procedures — which were approved more than two months, one document dump, and one court order agreeing to keep everything secret from Yahoo earlier — were and remain the key to the Fourth Amendment exposure for Americans, as was argued just last year. And they weren’t given to even the judge in this case until he asked nicely a few times.
The NSA has very little in the way of effective oversight. It has even less opposition in terms of checks and balances even when facing a judge clearly exhausted by the agency's obfuscation and abuse. An effective challenge of NSA surveillance in court -- even a regular one -- is an uphill battle. In the FISA court, where it's allowed an "unqualified right" to present all its assertions and evidence without facing anything more adversarial than a FISC judge, it's completely impossible. Yahoo fought with pretty much every appendage tied behind its back. An unsuccessful challenge was a foregone conclusion. But, if nothing else, its long tangle with the NSA dragged some of its so-called secrets out of the shadows. That's not a win but it's far better than the alternative -- where the government's foremost intelligence agency is allowed to rewrite the rules as it goes along with the administration's implicit support -- and keep the public from ever finding out just how much domestic surveillance slack it's managed to cut for itself.
Preferred Citation: Robert S. Litt, The Fourth Amendment in the Information Age, 126YALE L.J. F. 8 (2016), http://www.yalelawjournal.org/forum/fourth-amendment-information-age.
To be fair, Litt never says we're all wrong about the Fourth Amendment and the Third Party Doctrine. He only says Judge Leon is. Judge Leon was the single district court judge who found the bulk collection of phone metadata to be unconstitutional.
Technically, we're not all wrong, but we may as well be, because no court has found the collection unconstitutional save Judge Leon's and Litt doesn't agree with it. Several paragraphs follow, but the crux of Litt's argument is nothing new: it's just 1979's Smith v. Maryland decision all over again.
I do not think that Judge Leon’s efforts to distinguish Smith were successful. First, while Judge Leon is certainly right that metadata can be very revealing of personal activities, there is nothing new about that insight. Justice Stewart dissented from the decision in Smith itself in part because he recognized that metadata “easily could . . . reveal the most intimate details of a person’s life.” The point of Smith was not that metadata is innocuous, but that you have chosen to reveal it to a third party. To use an analogy, if you give a document to a third party, you have lost your expectation of privacy in that document, whether it is a laundry ticket or a confession of mortal sin. Moreover, the fact that cell phones today contain a lot of information beyond metadata does not seem relevant when the government did not actually search or collect any of that other information.
[I] find it hard to understand the alchemy by which information that you choose to disclose to a third party develops an expectation of privacy because you have chosen to disclose a lot of that information. That seems counter-intuitive to say the least. For all of these reasons, if you accept Smith’s holding that there was no expectation of privacy in the telephone metadata in that case because it had been voluntarily exposed to a third party, you can’t conclude there was an expectation of privacy in the metadata in this case.
The thing is that while people may voluntarily agree to hand over certain information to service providers (and it's safe to say the "agreement" is anything but "voluntary"), they do not naturally assume the service provider will share this -- no questions asked or warrants demanded -- with anyone else who comes asking for it. That's where the reliance on Smith v. Maryland fails. "Choose to disclose" is much different than "forced to disclose." And it's not as if it can truly be said phone users relinquish all ownership of that data. It's specifically tied to them and they "share" it with service providers -- which if that's how Litt wants to interpret the interaction, he should at least be honest and give both parties some sort of ownership, along with the privacy expectations that go with it.
A lot of the rest of it is given over to Litt's displeasure that courts have even granted plaintiffs standing in bulk metadata program lawsuits. Whatever the Third Party Doctrine doesn't shut down, the plaintiffs' inability to claim anything more than theoretical rights violations by programs the government refused to discuss publicly should have seen the cases tossed immediately. He agrees the framework is there for massive violations of privacy but these actually damaging acts simply never occurred. But abuses did occur and were covered up by the NSA, nearly resulting in the program being shut down back in 2008 by FISC Judge Reggie Walton.
This fact undercuts Litt's assertions in defense of the now-curtailed program.
For several years, and with judicial authorization, the NSA collected metadata in bulk about U.S. phone calls from telephone companies for counterterrorism purposes. The metadata was kept in secure databases. It could only be accessed by a few specially trained NSA analysts, and then only to identify telephone numbers in contact with so-called “seed” numbers as to which there was a reasonable and articulable suspicion of an association with terrorism—such as, for example, a number used by a suspected terrorist.
First off, the program was accessed by more than just a "few" specially trained analysts. It was a free-for-all until the FISA Court shut that down. Second, the reasonable, articulable suspicion standard wasn't always applied to searches of the database. For a period of time, NSA analysts ran searches against an "Alert List" of numbers the FISA Court had never approved for use -- i.e., no RAS declaration was made by the NSA to support additions to the list used for searches of the bulk data. Some of these numbers were added simply because they were two or three hops away from an RAS-supported number, meaning there was nothing supporting the use of these "connected" numbers as new "seeds" for database searches and contact chaining.
What Litt does get right is that the NSA has done itself no favors with its decades of opacity.
Where we fell short was on the third leg of the stool, transparency. There would have been less damage to the Intelligence Community from the disclosures of the last couple of years had we been more forthcoming about our activities before those leaks. Obviously, intelligence activities have to be conducted with some degree of secrecy, and the same is true of some law enforcement activities. Specific methods and targets of surveillance have to be protected. But if we don’t discuss what we are doing and how we are regulating it even in general terms, we cede the field to those who are hostile to intelligence activities.
And, perhaps inadvertently, Litt lets us know President Obama is just as big a fan of the NSA as his predecessor was.
A decision by Congress to authorize certain activities under certain controls, made after discussion and debate, should be a strong factor in support of the reasonableness of those activities. Congress is going to have a number of opportunities to address these issues. For example, Section 702 expires at the end of 2017, and there are continued efforts to modernize the Stored Communications Act. It may be too much to hope that in the current political environment, Congress could have a dispassionate and comprehensive discussion about such weighty issues, but the Executive Branch would welcome such a discussion.
Given the selection of presidential frontrunners, I have no reason to believe Litt's assessment of the situation will be any less accurate by the time the Section 702 expiration date rolls around.
from the a-fine-guest-post-full-of-classic-debunkables dept
Just when we thought some surveillance reforms might stick, the administration announced it was expanding law enforcement access to NSA data hauls. This prompted expressions of disbelief and dismay, along with a letter from Congressional representatives demanding the NSA cease this expanded information sharing immediately.
This backlash prompted Office of the Director of National Intelligence General Counsel Robert Litt to make an unscheduled appearance at Just Security to explain how this was all a matter of everyone else getting everything wrong, rather than simply taking the administration at its word.
There has been a lot of speculation about the content of proposed procedures that are being drafted to authorize the sharing of unevaluated signals intelligence. While the procedures are not yet in final form, it would be helpful to clarify what they are and are not. In particular, these procedures are not about law enforcement, but about improving our intelligence capabilities.
As Litt explains it, everything about this is lawful and subject to a variety of policies and procedures.
These procedures will thus not authorize any additional collection of anyone’s communications, but will only provide a framework for the sharing of lawfully collected signals intelligence information between elements of the Intelligence Community. Critically, they will authorize sharing only with elements of the Intelligence Community, and only for authorized foreign intelligence and counterintelligence purposes; they will not authorize sharing for law enforcement purposes. They will require individual elements of the Intelligence Community to establish a justification for access to signals intelligence consistent with the foreign intelligence or counterintelligence mission of the element. And finally, they will require Intelligence Community elements, as a condition of receiving signals intelligence, to apply to signals intelligence information the kind of strong protections for privacy and civil liberties, and the kind of oversight, that the National Security Agency currently has.
So, this all sounds like it has nothing to do with law enforcement. Just intelligence "elements" from the community. Except that law enforcement and intelligence agencies are hardly separate entities. We already know the NSA is allowed to "tip" data to the FBI if it might be relevant to criminal investigations. There's no clear dividing line between intelligence and law enforcement -- not with law enforcement's steady encroachment into national security territory. When Litt says "only intelligence agencies," he's actually referring to several law enforcement agencies, as Marcy Wheeler points out.
As a threshold matter, both FBI and DEA are elements of the intelligence community. Counterterrorism is considered part of FBI’s foreign intelligence function, and cyber investigations can be considered counterintelligence and foreign intelligence (the latter if done by a foreigner). International narcotics investigations have been considered a foreign intelligence purpose since EO 12333 was written.
In other words, this sharing would fall squarely in the area where eliminating the wall between intelligence and law enforcement in 2001-2002 also happened to erode fourth amendment protections for alleged Muslim (but not white supremacist) terrorists, drug dealers, and hackers.
So make no mistake, this will degrade the constitutional protections of a lot of people, who happen to be disproportionately communities of color.
And, to go back to Litt's statement, the whole thing starts with a dodge:
These procedures will thus not authorize any additional collection of anyone’s communications…
This is something no one has actually claimed. What people are concerned about is the NSA using its massive collection abilities to become an extension of domestic law enforcement, rather than the foreign-focused entity it's supposed to be.
And, as for Litt's claims that everything is subject to clearly-defined rules on minimization, those are also false. First off, the expanded permissions originate under Executive Order 12333, which has been revised in secret on more than one occasion -- all without the full participation of Congressional oversight. Not only that, but agencies that are recipients of unminimized data from the NSA are supposed to apply their own minimization procedures to better ensure "strong protections for privacy and civil liberties." Wheeler notes that two recipients have yet to put any minimization procedures in place, despite having had years to do so.
I also suspect that Treasury will be a likely recipient of this data; as of February 10, Treasury still did not have written EO 12333 protections that were mandated 35 years ago (and DEA’s were still pending at that point).
The backdoor search loophole has yet to be closed (which gives the FBI access to unminimized data and communications obtained via Section 702) and these agencies -- along with two consecutive, very compliant administrations -- have been tearing down any walls between the NSA and law enforcement for several years now.
Litt's reassurances are worthless. It namechecks all the stuff we know is mostly worthless: oversight, minimization procedures, the frankly laughable idea that the FBI cares more about privacy and civil liberties than making busts, etc. and asks us to believe that a tangled thicket of secretive agencies and even-more-secretive laws are all designed to protect us from government overreach.
Intelligence agencies that discover a threat to a person’s life or safety are obliged to alert the intended target in most cases as long as they can do so without compromising intelligence sources and methods, a new intelligence community directive instructs.
A U.S. intelligence agency “that collects or acquires credible and specific information indicating an impending threat of intentional killing, serious bodily injury, or kidnapping directed at a person or group of people shall have a duty to warn the intended victim or those responsible for protecting the intended victim, as appropriate,” the new directive states. “This includes threats where the target is an institution, place of business, structure, or location.”
The directive also covers, remarkably, non-US persons. The broad wording that pulls a lot of non-person "persons" under the "duty to warn" umbrella raises some questions about the included agencies' (FBI, NSA, CIA) duty to warn private companies about attacks of the "cyber" variety. Marcy Wheeler of emptywheel:
As I have noted, NSA has secretly defined “serious bodily harm” to include threat to property — that is, threats to property constitute threats of bodily harm.
If so, a serious hack would represent a threat of bodily harm (and under NSA’s minimization procedures they could share this data). While much of the rest of the Directive talks about how to accomplish this bureaucratically (and the sources and methods excuses for not giving notice), this should suggest that if a company like Sony is at risk of a major hack, NSA would have to tell it (and the Directive states that the obligation applies for US persons and non-US persons, though Sony is in this context a US person).
So shouldn’t this amount to a mandate for cybersharing, all without the legal immunity offered corporations under CISA?
It would appear to order the NSA and other government intelligence agencies to be forthcoming about impending (or ongoing) attacks. If interpreted in this fashion by the ODNI, it would appear to make CISA-ordained sharing redundant and ask the intelligence community to put aside its own interest in exploitables and preserving "means and methods" in favor of a "duty to warn."
Or not. There are several exceptions.
a. The intended victim, or those responsible for ensuring the intended victim's safety, is already aware of the specific threat; b. The intended victim is at risk only as a result of the intended victim's participation in an insurgency, insurrection, or other armed conflict; c. There is a reasonable basis for believing that the intended victim is a terrorist, a direct supporter of terrorists, an assassin, a drug trafficker, or involved in violent crimes; d. Any attempt to warn the intended victim would unduly endanger U.S. government personnel, sources, methods, intelligence operations, or defense operations; e. The information resulting in the duty to warn determination was acquired from a foreign government with whom the U.S. has formal agreements or liaison relationships, and any attempt to warn the intended victim would unduly endanger the personnel, sources, methods, intelligence operations, or defense operations of that foreign government; or f. There is no reasonable way to warn the intended victim.
So, this voluntary assumption of a mostly-moral obligation to warn others of danger does not cover most criminals (apparently, the ODNI is fine with criminals killing/harming each other) or any situation where warning an entity of an impending attack would compromise intelligence agencies and their objectives. This would seem to eliminate warnings of cyberattacks, seeing as most relevant information would be hopelessly entangled in the cybersecurity efforts of multiple government agencies.
Marcy Wheeler points out that these exceptions could explain the FBI's lack of interest in warning Occupy Wall Street members of an assassination plot. Of course, the directive didn't officially take effect until July 21, 2015. At the point the FBI decided against warning certain American citizens of assassination threats, the "duty to warn" was nothing more than an altruistic ideal. It was under no legal obligation to do so, and its investigation of Occupy Wall Street probably justified its unwillingness to keep these "insurrectionists" out of harm's way.
The new directive doesn't really make this any more mandatory than it was back when it was unwritten and completely voluntary. Steven Aftergood points out the DNI's directive mentions both the National Security Act of 1947 and Executive Order 12333, but neither of these contain any wording that would legally compel intelligence agencies to honor a "duty to warn."
A US citizen who was mixing good deeds (water supply work) with proselytizing (handing out Bibles to Iraq citizens) found himself the target of the Iranian Islamic Revolutionary Guards Corp. The IRGC implemented a Bible "buy-back" program, offering $5 for every Bible handed out by this "do-gooder." Iraqis soon turned this into a revenue stream, selling Bibles to the Guards and heading back to the missionary for fresh copies. The IRGC then decided it was sick of spending money to make money zero headway in the religious superiority game and decided to kill the Bible supplier. This news made its way back to the CIA task force, which then attempted to pass the warning on to the do-gooding Bible pusher. Incongruity ensued.
So, I get the tasking to warn Doug under the "duty to warn" policy. I gather up a few of our Kurdish guard force and another American to go to the village and pass the warning on to Doug. I can imagine his confusion. We roll into town, something like a cross between the Rat Patrol and Pancho Villa, Toyota pickups with mounted 12.7mm’s, Alanis Morissette blaring on the CD player - you get the picture.
I knocked on the door (I asked the locals, "Wayn al-Amrikan?" [Where's the American?]) and a gringo answers. I ask if he is Doug so-and-so. He says he is, but looking at our obviously loaded-for-bear entourage, asks who we are.
I reply, "We’re from the State Department."
He looks at us, AK-47’s and Browning High-Powers all over the place.
I quietly said, "Just work with us here, Doug."
"What exactly do you want?" he asks. Obviously he was not a fan of the CIA mucking around in "his" area.
I explain, "We have information that the Iranians, who believe you are proselytizing Christianity, are planning to kill you. We are advising you to leave Iraq for your own safety and that of your family (he had actually brought his Dutch wife and 10-year old son with him)."
Incredulously, he asked me, "Do you have anything more specific, more concrete than the fact they plan to kill me?"
I was a bit taken aback - "The IRGC is going to kill you - Doug so-and-so. How much more specific do we have to be?"
So, altruism exists. And inasmuch as it doesn't interfere too greatly with national security aims and/or ongoing investigations, people will be warned. But the ODNI's new "directive" doesn't add any additional obligations that weren't in place earlier. In fact, it seems to have been put down on paper mainly to explicitly list all the times the intelligence community won't be obligated to warn others of danger.
from the you-sort-of-won!-what-more-do-you-want? dept
Just as James Clapper's office was officially announcing the death of the bulk phone metadata program (ending November 29th, with three months of post-wind-down wind-down for data analysts), the DOJ was filing a motion in the Second Circuit Court of Appeals basically arguing that its finding that the program was illegal really doesn't matter anymore.
According to the DOJ, there really is no program -- at least if you don't count the six months the NSA has to make the move to the more targeted USA Freedom version. So this discussion about which program isn't authorized by which PATRIOT Act provision is… well, not completely moot, but like pretty much literally weeks away from moot, so why are we wasting our time here [EXASPERATED SIGH].
Plaintiffs’ claims will be moot when the bulk collection of telephony metadata under Section 215 ends on November 29, 2015, though they are not moot right now. On that date, the statutory authority for the Section 215 bulk telephony-metadata program will expire, and the data previously collected and held under that program will not be used in the future for intelligence-gathering or law-enforcement purposes. In the meantime, however, the Court should respect Congress’s decision to create an orderly transition away from the Section 215 bulk telephony-metadata program. Especially in light of Congress’s considered judgment that this program should continue for this limited period, plaintiffs are not entitled to any of the relief they request.
In support of its argument that the court should ignore its own findings and just listen to what the FISA Court said (and what legislators didn't say, but obviously intended), the government points to its own Tumblr post (certainly a historical moment in its own right) detailing the specifics of the end of Section 215.
On July 27, 2015, the Office of the Director of National Intelligence (ODNI) issued a public statement that the NSA has determined that “analytic access to that historical metadata collected under Section 215 . . . will cease on November 29, 2015,” at the end of the transition period. See Statement by ODNI on Retention of Data Collected Under Section 215 of the USA PATRIOT Act, available at http:// icontherecord.tumblr.com/post/125179645313/ statement-by-the-odni-on-retention-of-data (ODNI July 27 Statement). Thus, after that date, no further bulk collection of telephony metadata will take place under the Section 215 program, and the historical telephony metadata will not be used for intelligence or law-enforcement purposes and will not be disseminated.
To sum up: these past abuses should no longer be of concern as the data is going to be flushed (for the most part) within the next nine months. To better enable said data flush, the Second Circuit Court might want to wrap up the ACLU's suit (and hasten the end of the EFF's) so that no data is still being "preserved" past the November 2015 dump point.
To that end, the DOJ constantly reminds the Second Circuit that the FISA Court really has a handle on these sort of things and why don't we just leave it to the pros.
The FISC was right that Congress authorized the Section 215 bulk telephony-metadata program to continue during the six-month transition period. [p. 6]
As the FISC correctly noted, Congress’s decision to delay that ban for six months is a powerful indication that it intended to permit bulk collection in the interim period. [p. 9]
The FISC was thus correct when it observed that “after lengthy public debate, and with crystal clear knowledge of the fact of ongoing bulk collection of call detail records” Congress “chose to allow a 180-day transitional period . . . .” June 29 FISC Op. at 11. This Court need not and should not determine whether Congress “ ‘ratif[ied] the FISA Court’s interpretation of ’ ” Section 215. [p. 11]
This filing, like its Tumblr statement announcing the official end of the collection, emphasizes the single aspect of the Section 215 bulk collections that has been the focus of this litigation and most legislative efforts: phone metadata. The authorization, even in its altered, post-USA Freedom Act form -- provides for much more than just this one type of collection. The DOJ goes so far as to call the USA Freedom Act a "ban" on bulk, untargeted collections, when it actually doesn't go quite that far.
I believe both ACLU and EFF’s phone dragnet client Counsel on American Islamic Relations, had not only standing as clients of dragnetted companies, but probably got swept up in the two-degree dragnet. But CAIR probably has an even stronger case, because it is public that FISC approved a traditional FISA order against CAIR founder Nihad Awad. Any traditional FISA target has always been approved as a RAS seed to check the dragnet, and NSA almost certainly used that more back when Awad was tapped, which continued until 2008. In other words, CAIR has very good reason to suspect the entire organization has been swept up in the dragnet and subjected to all of NSA’s other analytical toys.
EFF, remember, is the one NGO that has a preservation order, which got extended from its earlier NSA lawsuits (like Jewel) to the current dragnet suit. So when I Con the Record says it can’t destroy all the data yet, it’s talking EFF, and by extension, CAIR. So this announcement — in addition to preparing whatever they’ll file to get the Second Circuit off its back — is likely an effort to moot that lawsuit, which in my opinion poses by far the biggest threat of real fireworks about the dragnet (not least because it would easily be shown to violate a prior SCOTUS decision prohibiting the mapping of organizations).
This announcement by Clapper's office, followed shortly thereafter on the same day by the filing of its response in the Second Circuit case, certainly gives the appearance that the NSA has lifted the corner of the rug and is just waiting for the signal to start sweeping any undiscovered abuses -- along with those previously exposed -- under it. That the expiration of the authority and the passage of the USA Freedom Act may have provided it with a better broom is unexpectedly fortuitous.
NSA has determined that analytic access to that historical metadata collected under Section 215 (any data collected before November 29, 2015) will cease on November 29, 2015. However, solely for data integrity purposes to verify the records produced under the new targeted production authorized by the USA FREEDOM Act, NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months.
Caveats apply. Data will still be held as required by a handful of ongoing lawsuits. With the "bulk" part of the bulk records program shut down (but not completely), the government is obviously hoping for a speedy end to the litigation resulting from the Snowden leaks. That's the other motivating factor behind this public statement that not only states an end date, but the additional restrictions past that point.
This is a pretty remarkable moment in the security v. privacy battle, but there are still reasons to be concerned. The bulk telephony metadata program has received a majority of the focus since Snowden's initial leak and the NSA, at times, has seemed almost too willing to let this program act as a scapegoat for its multiple privacy-violating surveillance programs.
Not that there haven't been seriously heated (and seriously misguided) arguments offered in support of this program, but if you take a close look at the history of the debate over Section 215, the most-spirited defenses have not been raised by the NSA, but by legislators and former intelligence officials. The program appears to have been sacrificed in order to prevent more intrusive surveillance programs from being subjected to more intense scrutiny.
And it's not even the totality of what can be collected under Section 215. The statement from the ODNI specifically addresses only one kind of "tangible thing."
The telephony metadata preserved solely because of preservation obligations in pending civil litigation will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.
We don't know what else is being collected in bulk under the PATRIOT Act provision -- the same authority that expired this year and was replaced with the stipulations of the USA Freedom Act -- but we know it's more than just "telephony metadata." "Tangible things" encompasses far more than phone metadata ("books, records, papers, documents, and other items"), but this statement -- as well as arguments it's made in court in support of the six-month wind-down period -- only address phone records.
The Second Circuit Court found that the bulk collection of records under Section 215 was likely illegal. That opinion called into question anything collected under this authority, but the government here (and in its recent filing in the Second Circuit Court) acts as though the "illegal" collection activity is limited solely to phone records.
Other NSA programs are going to be far more useful in gathering data and intelligence than the collection of phone records. Phone calls may never go away entirely, but the shift to mobile communications (followed shortly thereafter by the shift to feature phones and smartphones) has made phone calls the least used feature on these devices. Messaging programs and social media platforms now carry the bulk of everyday communications. And the NSA has programs in place to sweep up these as well, whether as content or metadata. So, all of this focus on "telephony" only serves to obscure what else it may still collect with the revamped program, as well as everything else it does under much more secretive legal authorities.
By now, one hopes, you've seen this video of James Clapper lying to Senator Ron Wyden and the American public while testifying before Congress in early 2013:
Here's the key transcript:
Wyden: Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?
Clapper: No sir.
Wyden: It does not?
Clapper: Not wittingly. There are cases where they could, inadvertently perhaps, collect—but not wittingly.
This was a lie. Many people believed it was a lie at the time, but that was confirmed thanks to the documents leaked by Ed Snowden, who later claimed that seeing that bit of testimony helped convince him that he needed to go through with his plan to leak this information.
James Clapper, of course, is the Director of National Intelligence, and the heads of the various intelligence agencies basically report in to him. He's still in that job, which many people argue is a complete travesty. He flat out lied to Congress and got away with it.
What's been really odd is that the story as to why Clapper lied seems to keep changing. When questioned about this, Clapper's initial response was that he thought that Wyden was asking about collection of email information, which is clearly not the case if you just listen to the actual question. Wyden, pretty clearly, says "any type of data at all." About a week later, Clapper changed his story, saying that he believed the question was an unfair "loaded question" (he compared it to the "when did you stop beating your wife" type of question -- even though it's not that at all) and then said that he gave "the least untruthful answer."
This didn't make much sense either -- and it made even less sense when Senator Wyden revealed that he didn't just spring this question on Clapper, but had sent it to Clapper's office a day ahead so he could review the question and be aware of what he was to be asked. On top of that, Wyden revealed that after Clapper's answer -- which Wyden knew was false -- Wyden staffers sent a letter to Clapper asking him if he wanted to amend his answer, and Clapper's office refused to do so.
Finally, about a month later, Clapper finally admitted that he lied, now claiming that it was all a "mistake."
"mistakes will happen, and when I make one, I correct it."
Except... he had been given the chance to correct it and he didn't. It was only after it was publicly revealed (via Snowden and Glenn Greenwald) that Clapper was outright lying that he claimed he made "a mistake." But, even then, it only came after pretending he misheard the question, then claiming that it was a loaded question (when it was not). And then, of course, months later, Clapper could pretend, with the benefit of hindsight, that he should have been more forthright about the program, but that's difficult to believe. And none of it matters, because the DOJ refuses to investigate Clapper for lying.
And yet, Clapper's story continues to keep changing. Late last year, he tried to rewrite the story, suggesting that he was sandbagged and caught off-guard, rather than lying:
“When I got accused of lying to congress because of a mistake ... I had to answer on the spot about a specific classified program in a general, unsecure setting.”
“This was not an untruth or a falsehood. This was just a mistake on his part,” Robert Litt, the general counsel for the Office of the Director of National Intelligence, said during a panel discussion hosted by the Advisory Committee on Transparency on Friday.
“We all make mistakes.”
Litt on Friday said that Clapper merely did not have a chance to prepare an answer for Wyden and forgot about the phone records program when asked about it on the spot.
“We were notified the day before that Sen. Wyden was going to ask this question and the director of national intelligence did not get a chance to review it,” Litt said.
“He was hit unaware by the question,” Litt added. “After this hearing I went to him and I said, ‘Gee, you were wrong on this.’ And it was perfectly clear that he had absolutely forgotten the existence of the 215 program.”
Instead, Litt said, Clapper had been thinking about separate programs authorized under Section 702 of the Foreign Intelligence Surveillance Act, which the NSA has used to collect massive amounts of foreigners’ Internet data. The law explicitly prohibits the government from gathering the same kind of data about Americans, unless t is “incidental.”
“If you read his answer it is perfectly clear that he was thinking about the 702 program,” Litt said. “When he is talking about not wittingly collecting, he is talking about incidental collection.”
Litt, he said, also erred after the hearing by not sending a letter to the panel to correct the mistake.
First of all, while Litt at least is admitting that Wyden had sent the question in beforehand, he leaves out the part about Wyden asking Clapper's office the next day if it wanted to amend Clapper's answer. If it's true that Litt immediately told him that Clapper was wrong, then you would think when asked by Wyden if he wanted to amend his answer, he would have done so. He did not. So either Litt told Clapper he was wrong and Clapper said, "Hey, let's let that lie stand," or Litt is not being truthful here either. It wasn't just them not sending a letter correcting the mistake, but it was directly rejecting Wyden's staff specifically asking them if they wanted to correct the record. That shows that any claim that Clapper just "forgot" or even "misspoke" has to be a flat out lie, since he had a clear opportunity to correct the mistake and was even asked to do so, and consciously chose not to do so.
But much more importantly, considering just how much Clapper and others have been prattling on for years about how "crucial" and "important" the bulk phone records collection is in protecting the American public, it is simply unbelievable to argue that Clapper would "forget" about the program. Either that means the program is not important at all... or that someone is lying.
The fact that Clapper's story on this keeps changing suggests he still can't come to admit the obvious answer: he didn't want to reveal his beloved secret program, and so he lied. He just flat out lied. And he's still lying in failing to admit that.
Over a decade has passed since the 9/11 attacks, and the intelligence community still won't let the attack it didn't prevent be laid to rest. It is exhumed over and over again -- its tattered remains waved in front of legislators and the public, accompanied by shouts of, "YOU SEE THIS?!? THIS IS WHAT HAPPENS WHEN WE DON'T GET OUR WAY!"
It's grotesque and ghastly and -- quite frankly -- more than a little tiresome. The NSA's Section 215 program is set to expire on June 1st and James Clapper is making statements in its defense -- statements that read like someone attempting to sound more disappointed than angry. But this is James Clapper speaking, and all prior evidence points to him being unwilling to make any concessions on the domestic surveillance front.
"In the end, the Congress giveth and the Congress taketh away," he said. "If the Congress, in its wisdom, decides the candle isn't worth the flame, the juice isn't worth the squeeze, whatever metaphor you want to use, that's fine."
"The intelligence community will do all we can within the law to do what we can to protect the country. I have to say that every time we lose another tool in our toolkit, it raises the risk," he added. "If that tool is taken away from us, 215, and, some untoward incident happens which should have been thwarted had we had it, I hope everyone involved in that decision assumes the responsibility and it not be blamed, if we have another failure, exclusively on the intelligence community."
The subtext is clear and Jason Koebler at Vice spells it out succinctly: Kill Section 215, but don't blame us if another 9/11 happens.
The intelligence community continues to argue -- without evidence -- that the program has aided in combating terrorism. It can't say how or offer any details as to attacks thwarted, but it makes the assertion all the same. The Privacy and Civil Liberties Oversight Board (PCLOB) has access to intelligence documents most Americans will never see and yet it came to this conclusion: the bulk records program is both useless and a violation of civil liberties.
Clapper's defense of the program seems to be faith-based. In a single clumsy metaphor, Clapper summons the spirit of two Simpsons characters.
"215, to me, is much like my fire insurance policy for my home," he said. "The house never burns down, but I buy fire insurance, just in case."
Lisa Simpson argued against Homer's specious "bear patrol" reasoning by claiming a rock she found on the ground could keep tigers away -- noting that the lack of nearby tigers "proved" the rock worked. This is Clapper's sales pitch: the lack of another 9/11 attack is "proof" the program is necessary. Well, we haven't had a Summer Olympics hosted in this country since 1996, so it could also be claimed that Section 215 of the PATRIOT Act has been instrumental in preventing the US from hosting this extremely destructive parasitemomentous event. After all, the roots of Section 215 also trace back to a 1990s partnership between the NSA and DEA to collect phone records on calls to foreign countries originating in the US.
Ned Flanders -- perhaps the most upstanding (and naïve) Springfieldian -- notably considered insurance coverage to be a form of gambling. Clapper's "gamble" -- his supposed "insurance" -- bets on surveillance state wins while putting Americans' privacy up as collateral. Even when viewed through Clapper's twisted perspective, the metaphor fails.
The difference here, is that the NSA's "insurance" is intrusive information on just about every citizen in the United States, regardless of whether or not they've done anything wrong.
The defenders of the surveillance framework always point to attacks they didn't prevent (like the Boston Bombing) as justification for intrusive spy programs. That argument alone should be greeted with riotous, disbelieving laughter. But they press this even further, giving themselves credit for every lull between major attacks and ignoring every report or investigation that shows their favorite programs do little more than make the job of counterterrorism more difficult.
Clapper seems to believe the death of the Section 215 program will be the death of us all. It's an absurd belief. Unfortunately, it's shared by far too many of those in the position to prevent its expiration.
Bob Litt, the General Counsel for the Office of the Director of National Intelligence (ODNI), gave a speech on Wednesday trying to address the public's ongoing concerns about government surveillance. The speech is long, but it's well worth reading. There's a lot of "yes, we could have done a better job explaining ourselves, and we promise we're learning" kind of talk, but little of real substance. However, at the very end of the speech, he joins the ridiculous bandwagon of ignorant government and law enforcement attacking the idea of encryption the government can't crack. But, similar to the Washington Post's magical golden key (not a backdoor!) proposal, Litt has some wishful thinking about a magic key that only the government can use:
Encryption is a critical tool to protect privacy, to facilitate commerce, and to provide security, and the United States supports its use. At the same time, the increasing use of encryption that cannot be decrypted when we have the lawful authority to collect information risks allowing criminals, terrorists, hackers and other threats to escape detection. As President Obama recently said, “[i]f we get into a situation in which the technologies do not allow us at all to track someone that we’re confident is a terrorist …that’s a problem.” I’m not a cryptographer, but I am an optimist: I believe that if our businesses and academics put their mind to it, they will find a solution that does not compromise the integrity of encryption technology but that enables both encryption to protect privacy and decryption under lawful authority to protect national security.
I'm not sure how many times in how many different ways this needs to be explained, but what they're asking for is a fantasy. You cannot put a backdoor in encryption and create a magic rule that says "only the government can use this in lawful situations." That's just not how it works. At all. The very idea of decryption by a third party "compromises the integrity of the encryption technology," almost by definition.
Separately, Litt's reassurances elsewhere ring incredibly hollow. In trying to respond to concerns about so-called "incidental" collection of information under Section 702 of the FISA Amendments Act (information that the NSA isn't allowed to collect, but does so anyway and then hangs onto it and makes it searchable by a variety of government agencies), he notes that they have "reaffirmed" that such data must be deleted if they're determined to have no foreign intelligence value, but then (no joke!) his own speech has an asterisk with a giant loophole. Here is the speech posted on the ODNI's own Tumblr page:
It's like they're really not even trying to hide the massive loopholes they've built in. In case you're wondering, the loopholes buried in that asterisk include basically everything:
Under the new policy, in addition to any other limitations imposed by applicable law, including FISA, any communication to or from, or information about, a U.S. person acquired under Section 702 of FISA shall not be introduced as evidence against that U.S. person in any criminal proceeding except (1) with the prior approval of the Attorney General and (2) in (A) criminal proceedings related to national security (such as terrorism, proliferation, espionage, or cybersecurity) or (B) other prosecutions of crimes involving (i) death; (ii) kidnapping; (iii) substantial bodily harm; (iv) conduct that constitutes a criminal offense that is a specified offense against a minor as defined in 42 USC 16911; (v) incapacitation or destruction of critical infrastructure as defined in 42 USC 5195c(e); (vi) cybersecurity; (vii) transnational crimes; (or (vii) human trafficking.
Yes, some of the activities covered by this list are pretty bad. But it doesn't change the fact that the NSA isn't supposed to collect such information or retain it at all. Writing in all these exceptions is pretty damn broad, especially given the NSA and its "cute" interpretations of the law.