The Privacy and Civil Liberties Oversight Board (PCLOB) is supposed to be an independent body that makes sure that the intelligence community is not abusing its surveillance powers. It was created to go along with the PATRIOT Act, as a sort of counterbalance, except that it initially had basically no power. In 2007, Congress gave it more power and independence and... both the Bush and Obama administrations responded by... not appointing anyone to the PCLOB. Seriously. The Board sat entirely dormant for five whole years before President Obama finally appointed people in late 2012. Thankfully, that was just in time for the Snowden revelations less than a year later.
The PCLOB then proceeded to write a truly scathing report about the NSA's metadata collection under Section 215 of the PATRIOT Act, calling it both illegal and unconstitutional. While the PCLOB was less concerned about the NSA's Section 702 program (which includes both PRISM and "upstream" collection from backbone providers) the group has been working for nearly two years on an investigation into Executive Order 12333 -- which is the main program under which the NSA spies on people.
As I reported, during the passage of Intelligence Authorization last year (which ultimately got put through on the Omnibus bill, making it impossible for people to vote against), Congress implemented Intelligence Community wishes by undercutting PCLOB authority in two ways: prohibiting PCLOB from reviewing covert activities, and stripping an oversight role for PCLOB that had been passed in all versions of CISA.
The new changes are subtle, but problematic. The first is that the PCLOB is limited to spending money only on issues for which Congress has directly approved the spending. In other words, if Congress doesn't want the PCLOB investigating a certain area, no problem, it can just make it clear that funding does not cover that area. That kind of voids the PCLOB's supposedly "independent" nature. The second issue is that it requires that the PCLOB warn intelligence community bosses if they're going to investigate a new program. While these changes may not seem like a big deal, they do suggest a clear attempt to undermine the power and authority of the PCLOB. Perhaps that's why the head of the PCLOB, David Medine, resigned early, before his appointment was up, just a few months ago.
At a time when we need a lot more independent oversight of government surveillance powers, it's unfortunate to see Congress apparently pushing for less oversight.
from the shame-this-whole-system-of-checks-and-balances-can't-just-be-eradicated dept
Late last week, the Office of the Director of National Intelligence released a stack of documents from Yahoo's challenge of the NSA's internet dragnet. The new declassified and unsealed documents have been dumped into one, 309-page PDF along with everything the ODNI has already released -- one of the small things the office routinely does to slow the dissemination of previously-unseen information.
What she's uncovered is more evidence the agency considers itself accountable to no one. Not only was Yahoo expected to be litigating blindly -- what with the government's multiple ex parte submissions and its general refusal to discuss any specifics of its PRISM program -- but apparently the FISA court was expected to adjudicate blindly. The NSA's refusal to provide Reggie Walton with the information he needed to render decisions resulted in this irritated order.
The Court is issuing this ex parte order to the Government requiring it to provide clarification concerning the impact on this case of various government filings that have been made to the FISC under separate docket.
lt is HEREBY ORDERED that the government shall file a brief no later than February 20. 2008, addressing the following questions:
1. Whether the classified appendix that was provided to the Court in December 2007 constitutes the complete and up-to-date set of certifications and supporting documents (to include affidavits, procedures concerning the location of targets, and minimization procedures) that are applicable to the directives at issue in this proceeding. If the answer to this question is .. yes,'” the government's brief may be filed ex parte. If the government chooses to serve Yahoo with a copy of the brief, it shall serve a copy of this Order upon Yahoo as well.
2. If the answer to question number one is “no,” the Government shall state what additional documents it believes are currently in effect and applicable to the directives to Yahoo that are at issue in this proceeding. The government shall file copies of any such documents with the Court concurrent with filing its brief. The government shall serve copies of this Order, its brief, and any additional documents upon Yahoo, unless the government moves this Court for leave to file its submission ex parte, either in whole or in part. If the government files such a motion with the Court, it shall serve a copy of its motion upon Yahoo. The government shall also serve a copy of this Order upon Yahoo, unless the government establishes good cause for not doing so within the submission it seeks to file ex parte.
The government's testy response was to point out it has never been obligated to provide anyone but the court with documents pertaining to its surveillance efforts..
Under the Protect America Act, then, the government has an unqualified right to have the Court review a classified submission ex parte and in camera which, of course, includes the unqualified right to keep that submission from being disclosed to any party in an adversarial proceeding before this Court.
As Wheeler points out, the documents Judge Walton ordered the government to turn over to the court did not arrive in full until after Walton had made it clear he wouldn't force the government to hand these over to Yahoo as well.
The holdout document -- the one that didn't appear until the government was sure it wouldn't have to provide Yahoo with this info -- is key. It shows the government's procedures for handling metadata had been misleadingly portrayed, not just to Yahoo, but possibly to the court as well.
Now, to be fair, in the original release, it was not clear that the government offered this much explanation for SPCMA [Special Procedures Concerning Metadata Analysis], making it clear that the procedural change involved making American metadata visible. But the government very clearly suggested — falsely — that SPCMA had no Fourth Amendment implications because they didn’t make Americans overseas more likely to be targeted (which the government already knew was the key thrust of Yahoo’s challenge).
The opposite is true: by making US person metadata visible, it ensured the government would be more likely to focus on communications of those with whom Americans were communicating. These procedures — which were approved more than two months, one document dump, and one court order agreeing to keep everything secret from Yahoo earlier — were and remain the key to the Fourth Amendment exposure for Americans, as was argued just last year. And they weren’t given to even the judge in this case until he asked nicely a few times.
The NSA has very little in the way of effective oversight. It has even less opposition in terms of checks and balances even when facing a judge clearly exhausted by the agency's obfuscation and abuse. An effective challenge of NSA surveillance in court -- even a regular one -- is an uphill battle. In the FISA court, where it's allowed an "unqualified right" to present all its assertions and evidence without facing anything more adversarial than a FISC judge, it's completely impossible. Yahoo fought with pretty much every appendage tied behind its back. An unsuccessful challenge was a foregone conclusion. But, if nothing else, its long tangle with the NSA dragged some of its so-called secrets out of the shadows. That's not a win but it's far better than the alternative -- where the government's foremost intelligence agency is allowed to rewrite the rules as it goes along with the administration's implicit support -- and keep the public from ever finding out just how much domestic surveillance slack it's managed to cut for itself.
If you're a CIA Director, one would assume that you know how to be cool under fire, right? Apparently that's not the case for current CIA Director John Brennan who seemed to completely freak out when Senator Ron Wyden started asking questions about the CIA's infamous decision to spy on the network and computers of Senate Intelligence Committee staffers who were compiling a report on the CIA's torture program. The details are a bit complex, but the short version is that the Intelligence Committee, which has oversight powers over the CIA, had been set up in a CIA building, with special access to CIA documents, and a special search tool. Apparently, at some point, that search tool returned a document which the CIA had never intended to share with the intelligence committee staffers. That document, called "the Panetta Review" was a draft document that then-CIA chief Leon Panetta had tasked people internal at the CIA to prepare on what the Senate Intelligence Committee staffers were likely to find as they went through the documents.
Yes, this is fairly meta. You had Senate staffers reviewing CIA documents, and at the same time, the CIA reviewing those same documents to try to get out ahead of any controversy -- and to make matters confusing, the Senate staffers then got access to that CIA review document as part of their regular searches. When the CIA was questioned about this Panetta review, they freaked out, wondering how the Senate staffers got their hands on the document, and did what the CIA does: they spied on the Senate staffers' computers and network to try to determine how they got the document in the first place. This was despite a promise from the CIA that the Senate staffers' computers and network were considered off-limits (due to an even earlier incident). That resulted in Senator Dianne Feinstein accusing the CIA of illegally spying on the Senate (its overseers). In response, Brennan first denied the spying altogether, and then insisted that it was the Senate staffers who broke the law, saying they illegally mishandled classified CIA documents in how they handled the Panetta Review.
Eventually, the DOJ decided that there wasn't enough evidence that either side broke the law, and refused to make any criminal charges either way. While both the CIA's Inspector General and a special review board Brennan himself set up found that the CIA did, in fact, spy on the Senate staffers' network and computers, and that this was inappropriate, neither seemed to say that it rose to a truly controversial level. Not surprisingly, the review board Brennan set up himself cleared him of wrongdoing.
Mixed in with all of this are remaining questions about how involved Brennan himself actually was in all of this (he refuses to say) and an ongoing request for an apology. While the CIA's Inspector General claimed that Brennan apologized for the breach, later reporting by Jason Leopold at Vice showed that Brennan had drafted an apology, but never sent it. Instead, he apparently provided a very narrow apology solely to Feinstein and then vice chair Saxby Chambliss, basically of the "I'm sorry if what did upset you" manner.
Given this, during a rare open Senate Intelligence Committee hearing, Wyden decided to quiz Brennan about all of this, leading to a rather sarcastic and testy exchange that needs to be watched to be believed:
Immediately, Brennan gets snarky, noting that "This is the annual threat assessment, is it not? Yes?" implying that he doesn't think it's appropriate for Wyden to be bringing up this "other" topic in such a hearing. And it only gets worse from there. He immediately jumps to the argument, again, that it was the Senate staffers' fault for getting access to a document he didn't want them to see. He then says the CIA therefore had an "obligation" to find out how that happened. And then he, somewhat insultingly, suggests that Senator Wyden had not actually read the IG's account, or the report of the review panel that Brennan himself set up.
Wyden cuts him off, quoting directly from the report and notes that other agencies have all said it would be inappropriate to review Senate oversight computer systems, and asks Brennan if he disagrees. Brennan is clearly pissed off:
Brennan: Yes, I think you mischaracterize both their comments as well as what's in those reports. And I apologized to the Chairman and the Vice Chairman about the de minimis access and inappropriate access that CIA officers made to five emails or so of Senate staffers during that investigation. And I apologized to them for that very specific inappropriate action that was taken as part of a very reasonable investigative action. But do not say that we spied on Senate computers or files. We did not do that. We were fulfilling our responsibilities.
Wyden: I read the exact words of the Inspector General and the Review Board. You appointed the Review Board! They said nobody ought to be punished, but they said there was improper access. And my point is, in our system of government, we have responsibilities to do vigorous oversight. And we can't do vigorous oversight if there are improper procedures used to access our files.
Wyden then admits his time is up... but Brennan's so angry that he won't give up. He breaks all proper Senate hearing protocol and jumps back in, asking Wyden to say, again, that it was the Senate staffers' fault for accessing the Panetta Review:
Do you not agree there was improper access that senate staffers had to CIA internal deliberative documents? Was that not inappropriate or unauthorized?
Wyden angrily points out that everything the Senate staffers did was appropriate, and anyway, he's now asking about the CIA's activities, and points to the Inspector General review and the other review board... all the while with Brennan angrily shaking his head at Wyden. When Wyden finishes, Brennan goes back to being snarky, saying:
And I'm still awaiting the review that was done by the Senate to take a look at what the staffers actions were.
And then there's this:
Separation of powers between the executive, legislative branches, Senator, goes both ways.
In short: even if you have oversight over us, don't mess with the CIA, Senator. That's quite a statement.
He then goes on to again claim that Wyden is mischaracterizing everything, and that what the CIA did was entirely appropriate. Wyden concludes:
It's pretty hard to mischaracterize word for word quotes that use the words "improper access."
from the we'll-get-to-the-bottom-of-this-thing-that-was-only-supposed-to-happen-to-ot dept
Once again, it appears the only way to make our nation's intelligence oversight committees care about surveillance is to include them in the "fun."
Fervent surveillance apologist Dianne Feinstein had zero fucks to give about the steady stream of leaks until it became apparent that the CIA was spying on her staffers while they put together the Torture Report. Likewise, many members of the House Intelligence Committee couldn't be bothered to care much about domestic surveillance until they, too, were "inadvertently" included in the NSA's dragnet.
The U.S. House Intelligence Committee will consider whether new safeguards are needed for handling communications intercepted by the National Security Agency that involve U.S. lawmakers or other Americans, the top Democrat on the panel said on Wednesday.
Yes, these legislators are unhappy their phone calls with foreign officials might have been collected on the regular by the nation's foremost interceptor of communications. And, in what is certainly viewed as largesse by this committee, the proposed rules (whatever they are) will be extended to non-elected Americans.
The Office of the Director of the National Intelligence further clarified the proposed changes discussed during the closed-door briefing by declining to comment on the "classified" proceedings.
One thing is clear, though. Changes will be happening, presumably to further protect the content of legislators' phone calls from the NSA, or at the very least, toughen up minimization procedures. The official statement from the Committee appends "all Americans" after an ellipsis ("explore whether any additional safeguards are necessary when it comes to incidental collection—not only for members of Congress... but for all Americans") so the smart money is on trickle-down surveillance protection. Presumably, we'll all be apprised of any additional protections on a need-to-know basis.
Heading up this new-found enthusiasm for small-batch surveillance reform is Devin Nunes, the Chairman of the Intelligence Committee. His previous efforts on behalf of Americans and their civil liberties include:
Attempting to prevent the Privacy and Civil Liberties Oversight Board from doing its job; and
The DOJ's Inspector General Michael Horowitz has a thankless job. His office must look into improper actions by a variety of government agencies that have no interest in being independently overseen, much less inspected generally. The DEA and FBI have both played an instrumental part in undermining his investigations -- so much so that Horowitz has taken his complaints to Congress and suggested legislators punch the unhelpful agencies right in the pocketbook.
The OIG has just released its semi-annual report for 2015, which sums up the highlights and lowlights of six months of investigations. There's more bad news than good, but that's to be expected considering a) the Inspector General is supposed to look into the DOJ's problems, not its heroics and b) the DEA, FBI et al haven't improved their attitude toward being inspected/implementing OIG recommendations.
Case in point on the last one:
The FBI has always received data "tipped" by the NSA from the Section 215 collection. During the same period (2007-2009) the NSA was getting chewed out by FISC Judge Reggie Walton for its abuse of the program, the FBI was having its own issues. IG Horowitz wasn't able to look into this as quickly as he wanted to because the FBI stonewalled him, refusing to grant access to pertinent documents. Horowitz hoped to get to the bottom of this before the Patriot Act reauthorization came up in May, but was unable to.
However, he was able to put the following together. The FBI had put inadequate minimization procedures in place back in 2006, shortly after another Patriot Act reauthorization. The OIG told the FBI to update its procedures in 2008, in order to comply with the reauthorization. The FBI got right on it.
Nevertheless, the OIG found that by mid- 2009, DOJ had not replaced the interim procedures, and FISA Court judges began to issue Supplemental Orders in Section 215 matters requiring DOJ to report to the FISA Court on the implementation of the interim procedures. The Attorney General ultimately adopted final minimization procedures in March 2013.
Which lead the IG to this obvious conclusion:
Given the significance of minimization procedures in the Reauthorization Act, the OIG does not believe that DOJ should have taken until 2013 to meet this statutory obligation.
That's basically seven years of the FBI using minimization procedures that did not meet statutory requirements. (The Patriot Reauthorization Act of 2005 went into effect in March of 2006.)
The OIG is still looking into other aspects of the FBI's participation in the Section 215 program, but any conclusions it draws will be of historical interest only now that the program is officially dead. These are listed in the "Ongoing Work" section.
The FBI’s use of Section 215 authority under the FISA from 2012 through 2014, including the effectiveness of Section 215 as an investigative tool and the FBI’s compliance with the minimization procedures DOJ approved and implemented in 2013.
The FBI’s use of information derived from the National Security Agency’s (NSA) collection of telephony metadata obtained from certain telecommunications service providers under Section 215 of the Patriot Act.
The FBI isn't the only DOJ agency partaking in broad surveillance efforts. The DEA is also collecting tons of data and information without a warrant.
The DEA’s use of administrative subpoenas to obtain broad collections of data or information, including the existence and effectiveness of any policies and procedural safeguards established with respect to the collection, use, and retention of the data.
Other works-in-progress include an examination of the ATF's confidential informant program, the DEA's handling of drug seizures, nepotism and favoritism at the US Marshals Service, issues with the Bureau of Prisons' private contractors and an investigation of the ATF's controversial "Storefront" program, which has taken heat recently because of agents' decisions to turn intellectually-disabled people into shills for fake drug/weapon sales operations before arresting them for their "complicity."
But all of this won't lead to much unless Congress acts to roll back a DOJ policy backed by an Office of Legal Counsel decision.
In particular, in July, DOJ’s Office of Legal Counsel (OLC) issued its opinion, 14 months after it was requested by the then Deputy Attorney General (DAG), which found that Section 6(a) of the IG Act does not entitle the OIG to obtain independent access to grand jury, wiretap, and credit information in DOJ’s possession that is necessary for the OIG to perform oversight of DOJ. Indeed, the OLC opinion concludes that such records can only be obtained by the OIG in certain—but not all—circumstances through disclosure exceptions in specific laws related to those records.
The OLC opinion also provides that, in all instances, DOJ employees will decide whether access by the OIG is warranted— placing agency staff in the position of deciding whether to grant, or deny, the Inspector General access to information necessary to conduct its oversight. Requiring an Inspector General to obtain permission from agency staff in order to access agency information turns the principle of independent oversight that is contained within the IG Act on its head.
This won't just make it more difficult for the OIG to do its job. It will also discourage DOJ employees from coming forward with information about abuse and misconduct.
Such a shift in mindset could deter whistleblowers from directly providing information to Inspectors General about waste, fraud, abuse, or mismanagement because of concern that the agency may later claim that the disclosure was improper and use that decision to retaliate against the whistleblower.
I'm sure the DOJ feels there's no problem on its end as it pertains to this new policy. But independent oversight is one of the few things standing between DOJ components and incredible amounts of misconduct and abuse. There's far too much power vested in these agencies and the OLC has made it even easier for them to abuse this power and get away with it.
After Edward Snowden's revelations about the extent of spying being carried out around the world by the NSA and its Five Eyes friends, there have been a number of attempts in other countries to find out what has been going on. One of the most thoroughgoing of these is in Germany, where there is a major parliamentary inquiry into NSA activities in that country. As Techdirt reported back in May, a surprising piece of information to emerge from this is that Germany's secret service has been carrying out spying on behalf of the NSA, which sent across various "selectors" -- search terms -- that it wanted investigated in the German spies' surveillance databases.
The German Foreign Intelligence Services, supported by the government, tapped the German Internet Exchange Point Decix, the largest internet exchange point globally. While the G10 Commission had approved the blanket tapping, they were unaware that some of the tapped data were forwarded to the NSA, the US National Security Agency, based on a list of so-called "selectors" -- names or numbers the NSA sent to their German colleagues.
Understandably annoyed, the G10 Commission demanded to see a complete list of those selectors so that it could check what information had been passed to the NSA, and whether any laws had been broken. The German government said that it would not disclose them. After misleading the oversight body about who would have access to information obtained from the Decix tapping, the German government's refusal to provide the selectors adds insult to injury. So much so, that it has apparently driven the G10 Commission to take unprecedented action: hauling the German government before the country's constitutional court, which decides weighty matters of this kind.
Since this is uncharted territory -- the G10 Commission had to find out whether taking legal action against the government in this way was even possible -- nobody really knows what might come of the move. But at the very least, it's yet another indication of the seismic shifts that are still occurring throughout the world of surveillance as a result of Snowden's unprecedented leaks.
The Commissioner of the Intelligence Services was slow to respond to hacking. Many of the concerns the Commissioner raised in his 2014 report [published July 2015] are the subject of PI's legal complaint, including whether it is lawful to use broad "thematic warrants" to justify the hacking of people in the UK. The Commissioner questioned this practice in depth. He was concerned that current law "does not expressly allow for a class of authorisation", and therefore the warrants were too broad. As a result, the Commissioner was worried that the Secretary of State was unable to properly assess whether the warrant authorised activity was necessary and proportionate. [ibid, p18] This means that GCHQ could get a warrant in the UK to hack the computer of everyone in Birmingham with little meaningful oversight.
Broad warrants at home -- signed by someone who may not have had any idea exactly what they were authorizing. No warrants, for the most part, for extraterritorial hacking. Testimony on behalf of the GCHQ by its director of cyber-security points out that the Secretary of State (who handles surveillance warrants) is rarely consulted when the target is foreign. The only exceptions are if the GCHQ feels the target may be "sensitive" or "politically risky." Otherwise, the GCHQ grants itself permission to carry out these attacks.
Two other agencies that write their own hacking orders (MI5 and the Secret Intelligence Service) also do what they can to eliminate whatever minimal paper trail these actions might generate.
The Intelligence and Security Committee Report in March 2015 called MI5's and SIS's failure to keep accurate records of their overseas hacking activities "unacceptable", [ISC report, p.66] as it makes effective oversight impossible [Witness Statement of Ciaran Martin, 71L].
Arguably, the oversight was never "effective" to begin with. Privacy International's Caroline Wilson Palow points out that Parliament was never notified in the first place by these agencies about their hacking activities. The oversight of three intelligence agencies is pretty much limited to one guy (Sir Mark Waller) who engages in spot checks of warrants periodically. With none of the agencies feeling any particular urge to seek warrants for overseas surveillance, it does cut down on Waller's workload, but it doesn't do much to ensure they aren't abusing their (often) self-awarded privileges.
from the surely-you-can-trust-a-few-thousand-cops? dept
The Pentagon's 1033 program is a case study in unintended consequences. The idea -- put military equipment back into service rather than simply scrapping it -- has some merit. The actual deployment has been a nightmare.
The Dept. of Defense wondered who could possibly make use of military weapons, armor and vehicles, and came to an almost-logical conclusion. Law enforcement agencies became the military's little brother, taking ownership of cheap/free hand-me-downs and putting them to use in the War at Home.
Of course, a militaristic mindset evolved to match the acquired gear. Police departments became armies and citizens, combatants. Worse, the program was badly mismanaged and subject to very little oversight. The DoD had no idea how much equipment it had dispensed and the agencies on the receiving end weren't much better at tracking their own inventories.
Shawn Musgrave has obtained two mostly-depressing spreadsheets from the Dept. of Defense listing law enforcement agencies which are currently suspended from the program, or have been in the past. He sent this "expedited request" during the Ferguson fallout, during which the DOJ itself expressed concern about the military aura the local PD projected. Not that the Pentagon's Defense Logistics Agency cared about the timeliness of its response. 14 months after issuing his "please hurry" request, the DLA has finally responded.
The lists contain plenty of suspensions for lost weapons, which possibly means military-grade weapons are in the hands of private citizens. The lists also contain intriguing redactions and a few moments of WTF-ness.
For instance, an Arkansas county coroner's office is participating in the program for reasons unknown. It could be that it only used the program to obtain harmless office equipment, but if so, it seems these sorts of acquisitions -- no matter how badly handled or poorly inventoried -- would not result in a suspension. The question of why it was suspended remains unanswered.
Reason can not be released at this per State Coordinators request.
And the state of North Carolina appears to have gone rogue. Among the many agencies listed as "terminated" by the DLA is the state's Parks and Recreation department.
North Dakota is possibly headed for a bloodbath, seeing as its Highway Patrol has misplaced a street gang's-worth of weapons.
DURING PCR ON JULY 23, 2013, 159 WEAPONS WERE UNABLE TO BE ACCOUNTED FOR BY A SIGNED CUSTODY RECEIPT
And one wonders how this sort of situation arises, considering the logistics required to make it happen in the first place. (Richland County Sheriff's Office, South Carolina)
Misappropriation of aircraft
The list of agencies no longer suspended from the program isn't exactly heartening. The Searcy (AR) Police Dept. is back in the DLA's good graces despite the ATF serving a search warrant for its (former) police chief.
And we discover that the Richland County Sheriff's Office isn't the only South Carolina agency to abuse 1033 aircraft.
Many of those on the "Unsuspended" list have never recovered weapons they reported as lost or stolen, but have been designated by the Office of the Inspector General as "cold cases." Once the trail goes dead, so does the suspension, apparently.
In other oddities, it appears the entire state of Montana took a year off from performing required 1033 inventories and the nation's biggest, baddest police force -- the NYPD -- faced (briefly) the threat of termination for reasons not detailed in the responsive documents.
So, in other words, it's business as usual for the 1033 program. Even those "responsibly" partaking in the program are loading up with military gear which they then deploy against combatants citizens in war zones their communities.
from the just-another-ho-hum-day-of-bulk-surveillance dept
The US Postal Service has long been the Little Surveillance Agency That Time Forgot. For more than a decade, it has scanned every piece of mail it handles. Its "Mail Isolation and Tracking Control" program went into effect in response to post-9/11 anthrax mailings.
Prior to 2001, it only collected mail data on request. Post-2001, it's much more proactive. The problem with untargeted surveillance efforts is that they dehumanize the millions of people whose mail is scanned on a daily basis. This leads directly to the sort of behavior uncovered by the USPS's Inspector General. When you don't care about your "customers," your work gets sloppy.
These are the safeguards the Post Office has put in place to protect personal information and ensure accountability.
The Postal Inspection Service’s Criminal Investigations Service Center (CISC), the primary administrator of the mail covers program, is responsible for maintaining accountable mail cover documents and Postal Service (PS) Forms 2008 and 2009. PS Form 2008, Letter of Instruction, provides guidance for completing, returning, and safeguarding mail covers. PS Form 2009, Information Regarding Mail Matter, is used to record information from the outside of the mailpiece, such as the sender’s name and address. These forms contain information such as names, addresses, and financial institutions that, if used in the aggregate, could reveal personally identifiable information.
Here's what the Inspector General discovered. First off, the USPS isn't compiling its accountability paperwork (the PS forms listed above) in a timely fashion. The paperwork must be sent to the CISC within 60 days of the termination of the mail cover request. For external orders, the forms are supposed to be returned by the law enforcement agency making the request. For internal orders, the forms are handled solely by USPS personnel. The same 60-day time limit applies.
We found that Postal Service personnel or external law enforcement agencies did not return accountable documents for 49 of 75 files (65 percent). As of the date of this review, PS Forms 2009 and 2008 were unaccounted for up to 762 days beyond the mail cover period. We also found accountable documents for 16 mail cover files judgmentally selected from FY 2015 were not returned timely, not returned at all, or not retained in the mail cover file.
To add to the problem, the postal employees were closing files despite not having obtained all of the required paperwork.
Postal Inspection Service personnel closed 79 of 120 mail cover files (66 percent) during FYs 2012 through 2014 without PS Forms 2009 being returned… Fifty-one of the 79 mail covers involved preliminary investigations (known as area cases) and the postal inspectors should have returned the documents within 60 days of the end of the mail cover period. For the remaining 28 mail covers, postal inspectors should have returned PS Forms 2009 before CISC officials closed the mail cover files or before the postal inspector closed the investigation.
Not only were the investigative files improperly handled, but in-process mail-scanning orders were treated with a similarly cavalier attitude, exposing personal information related to targeted individuals.
During our visit to a facility in the Chicago District, we observed PS Forms 2008, which had the subject’s name and address posted, on the carrier’s casing station. We also found a mail cover request on the supervisor’s desk, which is on the workroom floor and visible to all employees. The manager stated that the supervisor posted the PS Forms 2008 on the carrier’s casing station as a reminder to perform the mail cover.
When not leaving sensitive documents lying around, supervisors were making up their own rules.
[A]t a facility in the Los Angeles District, a mail cover request was approved for one subject; however, the supervisor instructed the carrier to record mail cover information for all persons residing at the address.
And, as if to confirm the "lazy government employee" stereotype, this happened:
During our visit at another facility in the New York District, we found an unopened mail cover request in the inbox attached to the outside of the manager’s office door, where it was accessible to all employees.
That's not even the worst of it.
We also noted the mail cover was dated September 21, 2014, and our visit was 129 days past the [order's] end date. The manager stated he was not aware that the mail cover request was in his inbox…
It's not really an "inbox" then, is it? It's a black hole. Or a trashcan. Or a happy place where mail cover orders go to escape from the harsh reality of being executed in a timely fashion.
What appears to be a program of massive scope but limited use (if you don't want the government tracking your communications/packages, it seems unlikely you'd use a government agency for delivery) is apparently treated as just another tedious part of the job by USPS personnel -- a job very few want to do correctly, if at all.
This is our second week of doing the Techdirt Reading List (don't miss last week's!). Once again, each week, we'll be discussing a book that we think our community might really enjoy. If you click on the Amazon link in this story and buy it that way, you'll also be supporting Techdirt in the process.
Beyond having a damn good title, the book is a really fantastic discussion about the ways in which data is being collected and used these days -- sometimes for good reasons, but often with not nearly enough concern for security and privacy. It's not a "never give your data away" screed like some privacy extremists prefer, but rather a much more thoughtful look at the real tradeoffs involved, and suggestions on a way forward. The book notes that we shouldn't look at "surveillance" as being a tradeoff with "security." Instead, we should focus on security first, as that will always protect us more than surveillance. And with that, there should be much greater transparency in how data is used -- for both governments and corporations. With real transparency people can better understand the tradeoffs and have a better understanding of what data they're handing over in exchange for what benefits. For governments, there needs to be much greater oversight (real oversight) and accountability for what they're doing with our data.
There's obviously a lot more in the book, and some people may feel it doesn't go far enough, while others may feel it goes too far. But overall, it's a very thoughtful and thought-provoking discussion on how data is being collected all around us, and we haven't fully come to terms with what's happening and who's in control over that data. So, if you haven't read it yet, go check it out!