Federal Court Says NSA PRISM Surveillance Good And Legal Because The Gov't Said It Was Good And Legal

from the 'those-DOJ-guys-are-real-straight-shooters' dept

Three years after its inception, a prosecution involving possibly unlawful FISA-authorized surveillance, hints of parallel construction, and a very rare DOJ notification of Section 702 evidence has reached a (temporary) dead end. The defendants challenged the evidence on multiple grounds — many of which weren’t possible before the Snowden leaks exposed the breadth and depth of the NSA’s domestic surveillance.

The federal judge presiding over the case — which involved material support for terrorism charges — has declared there’s nothing wrong with anything the NSA or FISA Court did, so long as the surveillance was authorized and possibly had something to do with national security. (via FourthAmendment.com)

First, the defendants — all accused of providing material support to Al Qaeda (remember them?) — asserted the constitutionality of the NSA’s upstream collections should be revisited in light of the Snowden leaks. The court [PDF] says these more-recent exposures are no reason to upset the precedential apple cart.

Controlling precedent decides this issue. In 2005, the Sixth Circuit rejected a Fourth Amendment challenge to FISA’s procedures. The court explained in Damrah that the defendant’s Fourth Amendment challenge lacked merit, as “FISA has uniformly been held to be consistent with the Fourth Amendment.” Damrah has not been overturned or altered in light of the public disclosures regarding PRISM and upstream collections. And consequently, Damrah forecloses Defendants’ constitutional challenge.

So, to add this all up: leaked documents from 2013 onward, exposing routinely-abused programs that massively expanded following the 2008 FISA Amendments Act, mean nothing when stacked up against a 2005 case predating the NSA’s admissions of surveillance abuse and the exposure of the FBI’s backdoor searches of domestic communications.

Furthermore, the court declares — based on documents provided by the government directly to the court, but not to the defendants (in ex parte hearings) — the FISA-authorized surveillance was on the up-and-up because the government provided documents declaring the FISA-authorized surveillance was on the up-and-up.

The court is sympathetic to those on the other side of the deck it helped stack, but only barely.

I recognize the challenge faced by a defendant in making a substantial preliminary showing that a FISA application contains a false statement when the defendant does not have access to the application. But the threshold burden exists nonetheless. […] And here, Defendants have failed to satisfy that burden.

Oddly, the court then decides, after pulling from a 2005 decision and ignoring every FISA-related development since then, that previous domestic surveillance violations by the FBI have no bearing on this case.

The Government’s errors from more than a decade ago [referring to a 2004 IG report about post-9/11 surveillance] do not amount to a substantial preliminary showing that an application for FISA collection relevant to this case contains a false statement which was knowingly or recklessly made and necessary to the finding of probable case.

Yes, this is true. These are not comparable things. But with the defendants unable to review the FISA applications, they’re left with the judge’s take as guided by government submissions — submissions the defendants are also unable to review or even argue.

As for the Fourth Amendment challenge to Section 702 surveillance generally, the court says there’s really no Fourth Amendment issues as this does not apply to “aliens in foreign territory.” The court goes even further, though, suggesting the collection of communications outside of the country does not even require a warrant, even if it “inadvertently” sweeps up Americans’ communications during the process.

Since the court has also unilaterally decided it can — unaided by anyone but the government — decipher the government’s FISA-related submissions, there are no due process violations even if the defendants are prevented from viewing, analyzing, or rebutting the claims made by the government during these ex parte sessions. In the end, there’s nothing left for the defendants to do but appeal, which will certainly happen what with the court dismissing out of hand the evidence provided by multiple leaked documents and documents officially released by the Director of National Intelligence. To buy the government’s claims of above-board surveillance in secret court sessions and declare those NATSEC Kosher seems like a very close-minded move that grants the government more deference than documents the government released publicly itself shows it has earned.

Filed Under: 4th amendment, fisa, fisa court, fisc, mass surveillance, nsa, prism, privacy, surveillance

Basically All Big Tech Companies Deny Scanning Communications For NSA Like Yahoo Is Doing

from the getting-more-interesting dept

So, the big story yesterday was clearly the report that Yahoo had secretly agreed to scan all email accounts for a certain character string as sent to them by the NSA (or possibly the FBI). There has been lots of parsing of the Reuters report (and every little word can make a difference), but there are still lots of really big questions about what is actually going on. One big one, of course, is whether or not other tech companies received and/or complied with similar demands. So it seems worth nothing that they’ve basically all issued pretty direct and strenuous denials to doing anything like what Yahoo has been accused of doing.

Twitter initially gave a “federal law prohibits us from answering your question” answer — and a reference to Twitter’s well documented lawsuit against the US government over its desire to reveal more details about government requests for info. However, it later clarified that it too was not doing what Yahoo was doing and had never received such a request. Microsoft’s response was interesting in that it says it’s not doing what Yahoo is, but refused to say if it had ever received a demand to do so. Google said it had never received such a request and would refuse to comply if it had. Facebook has also denied receiving such a request, and, like Google, says it would fight against complying. This still leaves lots of unanswered questions about why Yahoo gave in. Again, historically, Yahoo had been known to fight against these kinds of requests, which makes you wonder what exactly was going on here.

Former GCHQ infosecurity guy Matt Tait has one of the more more interesting threads about this news, arguing (in some ways) that it’s both less and more than everyone is making it out to be. His basic argument is that this is an expansion of the PRISM program to include “about” targets. This has been discussed in the past, but under PRISM, the NSA could give tech companies “selectors” in the form of specific addresses and the companies were compelled to hand over emails “to” or “from” them — but according to the PCLOB’s report on the Section 702 program it did not include anyone emailing “about” the selector. Upstream collections (i.e., tapping the backbones from folks like AT&T) did include “about” selectors (and this information also flowed into other areas, enabling so called backdoor searches. And, as I speculated yesterday, Tait says that this latest news appears to be Yahoo now agreeing to use “about” selectors on its emails, which means that it’s still part of PRISM, with a massive expansion.

Tait then notes that if James Clapper wants to clear this up, he should state publicly whether or not “about” collection is a part of PRISM. And if that’s the case, he should also explain when and why PRISM was expanded to include this. But, of course, Clapper and the Intelligence Community tend not to want to explain very much of anything, leaving lots of people in the dark.

And, frankly, that’s stupid. The Intelligence Community thinks that this keeps “bad guys” on edge, not knowing what’s safe and what’s not. But that’s dumb. They mostly know to use more encrypted/secret means of communication when they need to. Instead, what you end up with is keeping the public on edge and not trusting services. I can almost guarantee that one of the early comments on this post will be some of you insisting that all the companies denying doing this are flat out lying. I don’t agree with that, because the companies don’t have a history of outright lying on things like this, but the way the NSA and other parts of the US government have repeatedly tried to pressure them and gag them, it’s much tougher to take anything at face value any more. And that’s not good for anyone.

Filed Under: about collection, about selectors, mass surveillance, nsa, prism, section 702, upstream
Companies: facebook, google, microsoft, twitter, yahoo

Snowden Docs Show NSA, New Zealand Spied On Pro-Democracy Activists

from the we-love-democracy,-not-so-much-those-who-advocate-for-it dept

The Intercept has published a few more documents from the Snowden stash — these ones detailing the NSA’s partnership with New Zealand’s top intelligence agency to place pro-democracy activists under surveillance.

As part of the spy mission, the NSA used its powerful global surveillance apparatus to intercept the emails and Facebook chats of people associated with a Fijian “thumbs up for democracy” campaign. The agency then passed the messages to its New Zealand counterpart, Government Communications Security Bureau, or GCSB.

One of the main targets was [Tony] Fullman, a New Zealand citizen, whose communications were monitored by the NSA after New Zealand authorities, citing secret evidence, accused him of planning an “an act of terrorism” overseas.

The “act of terrorism” claims were odd, considering Fullman’s activism was aligned with the New Zealand government’s own views: opposition to neighboring Fiji’s authoritarian ruler, Frank Bainimarama. Utilizing PRISM, the NSA intercepted Fullman’s Gmail and Facebook messages, along with gathering everything it could from his public postings — including this data on his apparently terrorism-related personal vehicle.

Both the NSA and its New Zealand partner have refused to comment on the misguided surveillance, stating only that everything done was performed lawfully.

The erroneous assumptions of terrorism seem to be linked to Fullman’s lifelong friendship with a top Fijian military official. Fullman grew up in Fiji, where he met Ratu Tevita Mara in the 1960s. Fullman moved to New Zealand while in his 20s before returning to take a government position in 2009. By that point, Mara had moved up in the military to a position as the Fijian army’s chief of staff. Mara, however, drew heat from the Fijian government for his opposition to the current regime.

Mara was dissatisfied with the leadership and, in May 2011, he became embroiled in a high-profile dispute with the Bainimarama regime. He was accused of plotting to overthrow the government and charged with uttering a seditious comment. He was hauled before a court, where he was threatened with imprisonment for allegedly uttering the words, “This government is fuck all.”

Mara fled Fiji, remaining in contact with Fullman, who also left Fiji after being questioned by local authorities about his relationship with Mara. A visit to New Zealand with Mara resulted in Fullman’s life being turned upside down.

At 7am on July 17, 2012, about a week after Fullman had returned to Australia from the trip to New Zealand, a team of more than a dozen Australian security agents and two Australian federal police detectives arrived at his sister’s home in Sydney looking for weapons and other evidence of the suspected plot.

They seized computers, phones and documents from the premises and confiscated Fullman’s passport on behalf of the New Zealand authorities. Teams of New Zealand Security Intelligence Service officers and police simultaneously raided Fullman’s former apartment in the Wellington suburb of Karori and the homes of at least three other Fiji Freedom and Democracy movement supporters in Auckland, seizing their computers and other property.

In addition, Fullman’s passport was revoked by the New Zealand government, which claimed Fullman was part of a group planning to violently overthrow the Fijian government. New Zealand’s intelligence agency asked the NSA for assistance in digging up info on Fullman and keeping him under surveillance. The documents published today make Tony Fullman the first confirmed target of the NSA’s PRISM surveillance.

According to the documents viewed by The Intercept, the NSA couldn’t seem to decide how to classify its surveillance of Fullman, alternating between listing him as a “foreign government” target (even though Fullman no longer worked for the Fijian government) and a “counter-terrorism” target.

Months of surveillance efforts — shared with New Zealand intelligence operatives — produced nothing more than what could likely have been observed without all the intercepted emails/Facebook messages, harvested bank statements, and precise GPS data on Fullman’s Mitsubishi station wagon.

[T]here was not a single hint of any plans for violence or other clandestine activity.

It would soon become clear that there was no evidence to support the New Zealand authorities’ suspicions. And gradually, their case would fall apart.

Ten months after placing Fullman under surveillance and stripping him of his passport, New Zealand’s government returned it to him and declared him to be “no longer” of “national security concern.” This determination came two months after Fullman began taking legal action against the New Zealand government for its raid of his sister’s home and the cancellation of his passport.

That’s not the only bit of suspicious timing: Fullman believes the raid was politically-motivated.

Four days after the raids on Fullman and his fellow campaigners, New Zealand foreign minister Murray McCully traveled to Fiji for trade talks. Fullman believes that the timing was no coincidence — and that the raids targeting the pro-democracy group were used by the New Zealand government as a bargaining chip to curry favor with the Bainimarama regime. “The minister can go to Fiji and say, ‘look we saved you, let’s be friends again, let’s start talking about how we can help each other again’,” Fullman says. “It was part of the frame up.”

The New Zealand government may have felt its efforts fell into “no harm, no foul” territory after it reinstated Fullman’s passport and dropped its surveillance. But Fullman points out the high-profile raid it carried out damaged his reputation by erroneously linking him to an assassination plot. On top of that, Fullman is still subjected to additional security screening any time he travels. Fullman was never informed he was under surveillance by a foreign intelligence agency and he has never been compensated, much less apologized to, for his treatment at the hands of his own government.

The surveillance detailed here shows the NSA is willing to help foreign governments spy on their own citizens for politically-motivated reasons involving what would normally be considered protected forms of expression. It also shows that when governments do this sort of thing, they’re unlikely to admit any wrongdoing, even when they tacitly admit they placed the wrong person(s) under surveillance.

Filed Under: ed snowden, gcsb, new zealand, nsa, prism, snowden docs, surveillance, tony fullman

Expanding Unconstitutional Backdoor Searches Of Surveillance Data Is Easy: Just Change What Words Mean

from the some-language-tricks-and-funny-games dept

I already wrote a post about how the FISA Court rejected the arguments of the public advocate that it appointed to review the legality and constitutionality of the infamous backdoor searches. However, I wanted to put up a second post as well, digging a little deeper into what the ruling itself means, rather than just focusing on the public advocate part of it. Because it’s pretty scary. We already knew that, once that data was collected under the Section 702 PRISM program, the NSA opened it up to both the CIA and FBI to search on for other purposes.

However, as Elizabeth Goitein explains over at Just Security, even then there were some limitations:

 The Justice Department, having worked Section 702 into the foreign intelligence exception by certifying that the government?s targets were not Americans and that the surveillance had a foreign intelligence purpose, and having met the constitutional reasonableness requirement by noting that incidentally collected information about Americans would be ?minimized,? was allowing the FBI to run queries of Section 702 data to obtain information about Americans in ordinary criminal cases. Edward Snowden?s disclosures confirmed this practice, and the Privacy and Civil Liberties Oversight Board?s (PCLOB) report on Section 702 revealed that it was routine.

Many commentators (myself included) have noted that this loophole creates an end run around the warrant requirement in ordinary criminal cases. Until recently, however, there was at least one substantive limitation on the FBI?s ability to query Section 702 data. As reported by the PCLOB, the FBI?s minimization procedures provided that queries must be ?reasonably designed? to ?find and extract? either ?foreign intelligence? or ?evidence of a crime.? This was a far cry from the probable cause that would be needed to obtain a warrant, but it was something. The FBI, at least on paper, could not simply go on a fishing expedition through the warrantlessly obtained data.

But the details of this newly revealed ruling show that that limitation has gone away — basically because the FBI changed its own minimization procedures in part to pretend English words don’t mean what they really mean. In the past, the NSA has reinterpreted many English words to mean things different than their plain English meaning. In this case, the FBI has decided to redefine the word “query”:

Displaying the intelligence community?s penchant for defining well-understood terms to mean something entirely different, the FBI?s most recent minimization procedures, in the FISC?s words, ?clarify that a search of an FBI storage system containing raw-FISA acquired information does not constitute a ?query? within the meaning of the procedures if the user conducting the search does not receive access to unminimized Section 702-acquired information in response to the search.? This includes instances in which the search does return unminimized Section 702-acquired information, and the agent is notified of that fact but is not authorized to access the data. Because such searches are deemed not to constitute ?queries,? they presumably are not subject to the requirement that ?queries? must be reasonably designed to return foreign intelligence or evidence of a crime.

The new procedures also ?clarify? what happens if an agent performs a search that returns Section 702 information the agent is not authorized to access. In such cases, an agent who is authorized to access the information may re-run the search and determine whether the information ?reasonably appears . . . to be foreign intelligence information, to be necessary to understand foreign intelligence information, or to be evidence of a crime.? If so, the information is passed along to the original agent.

This ?clean team? approach is no substitute for a limitation on the initial search. It is analogous to claiming that searches of homes are not ?searches,? and thus do not require warrants, if the agents performing the search find nothing ? or if an elite team steps in to perform the search and can turn over what it finds to prosecutors only if it is evidence of a crime. Previously, the procedures did not allow fishing expeditions; now they do, and it seems somewhat beside the point that the fisherman only gets to keep the fish if he catches one.

Got that? A query is no longer a query and the FBI has much broader authority to do backdoor searches than was previously known. As the EFF notes in response to this, this seems to fly in the face of legal precedent and the Constitution:

This is a constitutional problem. Quite apart from the bait and switch opportunities it creates for the FBI, it’s like saying it’s OK for school officials to set up a drug testing program for non-law enforcement purposes, and then once it?s set up, they can completely abandon that purpose and start testing students to simply to put them in jail. Or that the government can set up a program to test pregnant women for drugs with a goal to get them into treatment, but also hand the information over to the police and use the threat of prosecution as additional leverage.

The Supreme Court rejected the latter scenario as unconstitutional in Ferguson v. City of Charleston in 2001. Other Supreme Court cases make clear that even holistic, programmatic assessments of Fourth Amendment “reasonableness”?like the one the FISC engages in here?must take into account the invasiveness of these programs. Searching vast databases containing the full content of emails and every website visited by nonsuspect Americans without a warrant is about as invasive as it gets.

And it’s not just the FBI that gets much broader access to these backdoor searches. Marcy Wheeler points out that the decision reveals that the NSA and CIA basically wrote themselves a note last summer saying that they no longer needed to follow minimization procedures… and the judge is cool with that. Here’s the paragraph in the ruling:

The NSA and CIA Minimization Procedures included as part of the July 15, 2015 Submission each contain new language stating that ?[n]othing in these procedures shall prohibit the retention, processing, or dissemination of information reasonably necessary to comply with specific constitutional, judicial, or legislative mandates.? See NSA Minimization Procedures at 1; CIA Minimization Procedures at 4-5. These provisions were not included in the draft procedures that were submitted to the Court in June 2015, but appear to have been added by the government thereafter. They are not discussed in the July 15, 2015 Memorandum.

As Wheeler notes, this is just the NSA and CIA deciding unilaterally that they can ignore minimization. The judge even pointed out that this move “could undermine the Court’s ability to find the procedures satisfy the above-described statutory requirement.” However, the judge, Thomas Hogan, then decides that this is kind of okay because government lawyers told him informally (yes, really!) that they don’t intend to abuse this very much:

The Court understands based on informal communications between Court staff and attorneys for the government that NSA and CIA intend to apply the similar provisions at issue here in the same narrow manner.

Wheeler has a lot more on this particular part of the ruling and how troubling it is. But, in short, it has also broadened the ability of the government to snoop through these massive troves of data. The reliance on informal promises not to take it too far mean very little. As former NSA and CIA director Michael Hayden has said, his job was to push up as close to the boundaries of what was legal as possible. Once Congress or the courts told him what was legal (or, in some cases, the President unilaterally), he would make use of that. Why would that not be the case here? Or, as Wheeler explains more vividly:

I?m not sure how that?ll be effective when President Trump decides he can pass an Executive Order requiring NSA to keep all the US person data it collects but not tell FISC about it, because the order they report on this to him is part of the minimization procedures they say they can blow off.

And, of course, none of this can be appealed, because even though there are the arguments from the public advocate (which didn’t include this last part about ignoring minimization), only the government itself can appeal a ruling, and they got everything they wanted here (and possibly more).

The only actual way to fix it at this point is for Congress to step in and rewrite the law, but the chances of that happening appear to be slim to none.

Filed Under: 4th amendment, backdoor search, backdoor searches, cia, definitions, fbi, fisa court, fisc, law enforcement, mass surveillance, nsa, prism, query, section 702

FISA Court Rejects Arguments By First Public Advocate To Argue NSA PRISM Backdoor Searches Are Unconstitutional

from the so-that's-a-shame dept

On Tuesday, the Office of the Director of National Intelligence released some redacted versions of three previously secret FISA Court rulings. There are a few interesting things in them, but one notable point, found in a ruling from last November regarding the NSA’s 702 PRISM program, is that the FISC took advantage of the provision in the USA Freedom Act to appoint a public advocate to argue on behalf of the public. One of the big complaints in the past, is that the FISA Court is no court at all. Only one side — the government — gets to present its case, and then the judges decide.

The USA Freedom Act, however, added the ability of the FISC to appoint a public advocate. Many have been quite reasonably skeptical about this — in terms of how often it would be used, who would be appointed and how seriously the FISC would take the public advocate. In this case, we see that the public advocate did, in fact, argue that parts of the PRISM program were unconstitutional… and the FISC then rejected that. In this case, the court appointed Amy Jeffress, a former federal prosecutor and DOJ official — which might make some skeptical of her willingness to actually advocate for the public — however, this ruling shows that she did, in fact argue that the program was unconstitutional (her actual arguments have not been released).

It appears that the FISC specifically asked Jeffress for her thoughts on the so-called “backdoor searches” that we’ve discussed before. Specifically, while the NSA is only supposed to collect info on non-US persons, it can collect and then hang onto a huge swath of information under the 702/PRISM program, including what’s referred to as “about” information (i.e., any information “about” a suspected terrorist — meaning your emails mentioning a terrorist could get sucked up). Historically, if the NSA came across any US person’s information this way they’re supposed to dump it. But through some twists and turns, these days the information gets kept… and is considered “incidentally” collected. Oh and the FBI and CIA then get access to all of that data as well for searching.

In this analysis, the FISC was examining how constitutional that whole thing is (and we’ll have another more detailed post on that as well). The FISC specifically asked Jeffress for an analysis of two specific issues here. Did either of the following two things violate the 4th Amendment: (1) the searches of the information collected in this manner that might return information concerning US persons, and (2) information that is preserved under this system for “litigation purposes” that might otherwise be required to be destroyed under so-called minimization rules. The second one is basically the issue that came up in some EFF cases, where the EFF is challenging the legality of the NSA collecting this data at all, but the NSA started deleting the data in question, because it’s required to delete data after five years. So there’s a question of whether or not that data can legally be kept, even if it needs to be kept for the lawsuit. On this, it appears the court is fine with holding onto data for such litigation preservation.

However, on question number (1), Jeffress apparently noted that the FBI being able to do these backdoor searches appears to go way beyond what’s allowed. Remember, this information was collected specifically for the purposes of national security. The whole 702 program was designed and approved on the basis that it was about national security. Yet, it appears that once the FBI gets its hands on it, it’s used for all sorts of other stuff. This is just what everyone had assumed before when first learning about these backdoor searches. Jeffress starts off by arguing that these kinds of searches simply go beyond what the law itself allows:

Amicus curiae Amy Jeffress has raised concerns regarding the querying provisions of the FBI Minimization Procedures…. Ms. Jeffress does not specifically assert that the querying provisions render the procedures inconsistent with the applicable statutory definition of minimization procedures. Nevertheless, she contends that the FBI Minimization Procedures “go far beyond the purpose for which the Section 702-acquired information is collected in permitting queries that are unrelated to national security.” …

However, the court doesn’t buy it:

The Court respectfully disagrees.

There is no statutory requirement that all activities involving Section 702 data serve solely a foreign intelligence national security purpose. To be sure, Section 702 was enacted to permit “the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.”… But even at the time of acquisition, the statute does not require the government to have as its sole purpose obtaining foreign intelligence information. Rather, the AG and DNI need certify only that obtaining foreign intelligence information is “a significant purpose” of the acquisition. Under the “significant purpose” standard, an acquisition under Section 702 is permissible “even if ‘foreign intelligence’ is only a significant — not a primary — purpose” of the targeting decision….

Nor does FISA foreclose any examination or use of information acquired pursuant to Section 702 that lacks a purpose relating to foreign intelligence. It is true that the govemment’s minimization procedures must be “reasonably designed in light of the purpose and technique of the [collection], to minimize the . . . retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information,” and must limit the dissemination of nonpublicly available information identifying unconsenting United States persons to certain circumstances…. Notwithstanding these requirements, however, FISA states that the minimization procedures must also “allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.” … Hence, FISA does not merely contemplate, but expressly requires, that the government’s procedures provide for the retention and dissemination of Section 702-acquired information that is evidence of crime for law enforcement purposes. This requirement applies whether or not the crime in question relates to foreign intelligence or national security.

The counter argument to this, from Jeffress, appears to be that this is a misreading of the law in question. While it does say such information may be retained and disseminated for the purpose of law enforcement, that doesn’t mean that bulk collection data can be queried for the purpose of law enforcement. This is an important distinction. Jeffress’ reading of the law is basically “okay, if in the process of going through this for legitimate foreign intelligence purposes you ALSO come across evidence of domestic criminal activity, you don’t need to ignore it and can pass it on to law enforcement.” But that’s worlds away from what we actually have today, which is that the NSA basically says “boo, terrorism!” and collects a ton of useless information, but then lets the FBI trawl through for any evidence of criminal behavior.

Unfortunately, the FISC just doesn’t see that argument.

It would be a strained reading of the definition of minimization procedures to permit FBI personnel to retain and disseminate Section 702 information constituting evidence of a crime implicating a United States person for law enforcement purposes, but to prohibit them from querying Section 702 data in a manner designed to identify such evidence. And such an interpretation would lead to anomalous results: FBI personnel who came across one communication acquired under Section 702 that incriminates a United States person perhaps because it was responsive to a query for foreign intelligence information would be prohibited from running queries tailored to identify additional communications obtained under Section 702 pertaining to the same criminal activity, even though Section 1801(h)(3) explicitly authorizes the retention and dissemination of such information for law enforcement purposes.

This seems like a stretch to me. There are lots of situations where law enforcement may be able to lawfully access some information, but not lawfully access other information. Hell, under the scenario described, it seems like the FBI could use the information obtained from a legitimate national security query to then issue a subpoena or warrant for the other information, since we’re mostly talking about information held by 3rd parties anyway.

Jeffress also made the constitutional arguments… which also fell flat.

Amicus curiae Amy Jeffress urges the Court to reconsider its prior Fourth Amendment assessments and to reach “a different conclusion” in light of the provisions of the FBI Minimization Procedures, discussed above, permitting agents and to query the Section 702-acquired information in the possession using United States-person information for the purpose of finding evidence of crimes unrelated to foreign intelligence…. Ms. Jeffress asserts that without additional safeguards, such querying is inconsistent with the requirements of the Fourth Amendment:

The querying procedures effectively treat Section 702-acquired data like any other database that can be queried for any legitimate law enforcement purpose. The minimization procedures do not place any restrictions on querying the data using U.S. person identifiers. . . . As a result, the FBI may query the data using U.S. person identifiers for purposes of any criminal investigation or even an assessment. There is no requirement that the matter be a serious one, nor that it have any relation to national security. . . . [T]hese practices do not comply with . . . . the Fourth Amendment.

According to Ms. Jeffress, the querying provisions of the FBl Minimization Procedures should be revised to “require a written justification for each U.S. person query of the database that explains Why the query is relevant to foreign intelligence information or is otherwise justified,” or in some other manner that provides additional protection for the United States- person information in the FBI’s possession.

The court rejects this — and also rejects Jeffress’ claim that each search by the FBI should get its own 4th Amendment scrutiny — saying the whole program can be judged as one. The reason for rejecting the constitutional claim, however, is pretty weak. It basically says, well, the government has to balance national security with privacy and in this case, it’s okay. It also notes that there are some limitations on what the FBI can look at and also the fact that the FBI has rarely actually found evidence of criminal activity while trawling through the database (though I fail to see how that impacts the constitutional question at all…).

So, it does look like Jeffress put forth a decent argument… but the court simply didn’t buy it. That’s obviously going to happen, but the real question is whether or not the FISC will ever take the arguments of a public advocate seriously.

Filed Under: 4th amendment, amy jeffress, cia, fbi, fisa court, fisc, mass surveillance, minimization, nsa, prism, public advocate, section 702

Court Dismisses Wikimedia's Lawsuit Over NSA Surveillance

from the not-over-yet dept

Back in March, we noted that Wikimedia was suing the NSA over its mass surveillance program under Section 702 of the FISA Amendments Act. This is the part of the law that the NSA uses to justify its “upstream” collection — which lets the NSA partner with backbone providers like AT&T and tap their fiber lines at entry/exit points from the country and sniff through all the traffic. The problem in many lawsuits concerning NSA surveillance is that it’s been difficult for the plaintiff to satisfy the requirements necessary to get “standing.” That is, can the plaintiff prove that he/she/it had rights violated by the program. Many earlier attempts failed, because they just presented stories of “well, the NSA is collecting everything, so…” and the courts have said that’s not enough, since it needs to be shown that the plaintiff, in particular, was a target.

Wikimedia (and the ACLU, who is helping with the case), believed they had a smoking gun that could grant them standing. The following slide, which was revealed by Ed Snowden:

See that Wikipedia logo? Wikimedia Foundation and the ACLU argued that this presented evidence that the NSA was targeting Wikipedia users, and thus the Wikimedia Foundation had standing.

Unfortunately, so far, it’s not working. Earlier today, the court tossed out the lawsuit, saying that Wikimedia did not present enough evidence to prove it has standing. The court, not surprisingly, relies heavily on the Supreme Court’s ruling in Clapper v. Amnesty International, in which SCOTUS rejected Amnesty’s similar claim by saying the organization failed to prove it had standing, since it couldn’t prove its team was caught up in dragnet surveillance. Of course, famously, to get to that ruling, the US government flat out lied to the Supreme Court (something it has since admitted), claiming (incorrectly) that if information collected via such surveillance was used in criminal cases, the defendants would be told about it.

But, no matter, the court says that under the Clapper ruling, Wikimedia does not have standing, and basically argues that this case really is no different than that one. It rejects the idea that, thanks to Snowden, we now know a lot more about the NSA’s surveillance program, basically saying that it’s still too speculative.

Plaintiffs cannot provide a sufficient factual basis for their allegations because the scope and scale of Upstream surveillance remain classified, leaving plaintiffs to prop their allegation of actual injury on suppositions and speculation about how Upstream surveillance must operate in order to achieve the government’s “stated goals.” Indeed, plaintiffs cite the government’s “stated goals” in nearly every facet of their argument…. It is, of course, a “possibility” that the NSA conducts Upstream surveillance in the manner plaintiffs allege, but this “bare assertion” is unaccompanied by “factual matter” that raises it “above a speculative level,” and hence does not establish standing.

The court notes that the “speculative chain” may be “shorter” than in the Clapper case, but “it is a chain of speculation nonetheless.”

The court also rejects the claim that since it’s been revealed that the NSA does “about” searches in addition to “to” and “from” searches, that reveals much more broad searches. If you don’t recall, one of the revelations is the fact that the NSA can run queries not just on something like “emails to or from Osama bin Laden” but also “emails about Osama bin Laden” which obviously would include a much larger set of content to sniff through. The court doesn’t think this matters very much:

… plaintiff’s contention that “about surveillance” is like the hypothetical government agent reading every piece of mail misses the mark. Unlike the hypothetical government agent reading every word of every communication and retaining the information, “about surveillance” is targeted insofar as it makes use of only those communications that contain information matching the tasked selector.

In short… it’s not a problem that the NSA sniffs through everything to find all the emails about Osama bin Laden, because it’s not using the data in all the ones it rejects. Besides, the court argues, the argument is still highly speculative.

Finally, the court looks at a few specific arguments for why Wikimedia and some of the other plaintiffs have more direct evidence that situate themselves differently. First, there’s lawyer Joshua Dratel, who is somewhat well known for taking some rather high profile cases, such as handling Ross Ulbricht’s defense over the Silk Road arrest, or defending the widow of Boston Marathon bomber Tamarlane Tsarnaev. Two other clients were Agron Hasbajrami and Sabirhan Hasanoff — and in both cases, the government has admitted those two were subject to Section 702 surveillance. From there, the ACLU argues this means that Dratel’s communications were almost certainly swept up and looked at by the NSA as well. However, the court doesn’t buy it, saying that while it may be true that Dratel’s communications were likely swept up, there’s still not enough evidence that it was swept up by the 702 upstream program that the lawsuit is about:

Plaintiffs in this case… do not allege facts that plausibly establish that the information gathered from the two instances of Section 702 surveillance was the product of Upstream surveillance. In neither of Dratel’s cases did the government indicate whether the information at issue was derived from PRISM or Upstream surveillance, and no factual allegations in the AC plausibly establish that Upstream surveillance–rather than PRISM–was used to collect the information. Moreover, given what is known about the two surveillance programs, it appears substantially more likely that PRISM collection was used in these cases…

The court is probably right here. There are two major surveillance programs under 702. The “Upstream” program that taps the backbone and then PRISM, in which a list of big internet firms agree to hand over certain information pursuant to a FISA court ruling rubber stamp telling them to hand over that information. And it is actually likely that the part of 702 that was used on Dratel’s clients was of the PRISM variety. But the “well, you were surveilled under this other program using the same authority…” reason to dump this argument seems pretty weak. Because it still means surveillance of dubious legality under the same legal authority.

Then there’s the case of Wikimedia, who argues that given the government’s “stated goals,” and the vast amount of traffic going to Wikipedia, it’s all but certain that Wikipedia has been swept up in the Upstream collection. The court still isn’t buying it:

Plaintiffs’ argument is unpersuasive, as the statistical analysis on which the argument rests is incomplete and riddled with assumptions. For one thing, plaintiffs insist that Wikimedia’s over one trillion annual Internet communications is significant in volume. But plaintiffs provide no context for assessing the significance of this figure. One trillion is plainly a large number, but size is always relative. For example, one trillion dollars are of enormous value, whereas one trillion grains of sand are but a small patch of beach. Here, the relevant universe for comparison purposes is the total number of annual Internet communications, a figure plaintiffs do not provide–nor even attempt to estimate–in the AC. Without defining the universe of the total number of Internet communications, it is impossible to determine whether Wikimedia’s alleged one trillion annual Internet communications is significant or just a drop in the bucket of all annual Internet communications.

Moreover, plaintiffs conclude that there is a greater than 99.9999999999% chance that the NSA has intercepted at least one of their over one-trillion communications on the bases of an arbitrary assumption, namely that there is a 0.00000001% chance the NSA will intercept any particular Internet communication. Plaintiffs provide no basis for the 0.00000001% figure, nor do they explain why the figure is presented as a conservative assumption. Plaintiffs seem to presume a string of zeroes buys legitimacy. It does not. Indeed, a closer look reveals that the number of zeros chosen by plaintiffs leads conveniently to plaintiff’s desired result. If three more zeros are added to plaintiffs’ figure (0.00000000001%), the odds that at least one of Wikimedia’s one trillion annual communications is intercepted drops to approximately 10%. If four more zeros are added (0.000000000001%), the odds that at least one of Wikimedia’s communications is intercepted drops to 1%. In short, plaintiffs’ assumption appears to be the product of reverse engineer; plaintiffs first defined the conclusion they sought–virtual certainty–and then worked backwards to find a figure that would lead to that conclusion. Mathematical gymnastics of this sort do not constitute “sufficient factual matter” to support a “plausible allegation.”

Ouch.

The court also rejects the idea that this kind of ruling means that the Upstream program can never face judicial review, pretending that the fact that the FISA court reviewed it (without any adversarial party) is enough… and (again, incorrectly) that criminal defendants prosecuted with information collected under the program can challenge said collection. And, yes, it’s true that the DOJ has now said that it will start informing defendants, but it didn’t for years.

The ACLU is, not surprisingly upset by the ruling, and I imagine it will be appealed soon.

Filed Under: fisa amendments act, joshua dratel, prism, section 702, standing, surveillance, upstream, wikipedia
Companies: aclu, wikimedia foundation

NSA Screws Up Another Thing: EU Court Of Justice Throws The Internet For A Loop In Ending Safe Harbor

from the well,-now-what? dept

A couple of weeks ago we wrote about the fact that it appeared that the EU Court of Justice was likely to throw out the EU-US data protection safe harbor as invalid, following a case brought over the NSA’s snooping on US tech companies — and now it has happened. The “the EU-US data protection safe harbor” may sound boring, but it’s actually been fairly important in making sure that US internet companies can operate in Europe. It’s been under attack for some time from those who feel that these American companies don’t take European privacy interests seriously enough, but it’s really the NSA and its idiotic “collect it all” mentality that has brought the whole structure crashing down. Many will celebrate this, but probably for the wrong reasons. As it stands right now, this result is undoubtedly bad for the internet. What happens next is key. If you want to blame anyone… blame the NSA. And if the US wants to fix this mess, it needs to stop mass surveillance.

The case was brought by Max Schrems, an Austrian privacy activist who argued that the NSA’s PRISM surveillance program (a program that resulted from Section 702 of the FISA Amendments Act, and enables the NSA to request certain information from internet companies, once approved by the FISA Court) violates the safe harbor. The safe harbor itself was established back in 2000 in order to allow internet companies to transfer data from Europe back to the US, with a promise that the privacy of that data would be kept at a similar level as if it were in Europe. The process for getting such safe harbor protections is something of a joke (we’ve gone through it here at Techdirt), and mostly involves throwing money at an organization that takes money to make sure your policies comply with the safe harbor requirements. Like so many regulations, it really seems to only serve to shift money to those who make sure you comply.

Still, losing those safe harbors can really shake up the internet — and not necessarily in a good way. While I’m sure some (probably short-sighted) privacy advocates will cheer on this result, it’s going to make a mess of things for the time being. Europe has been working on a new data protection directive to update the old one (which the safe harbor is based on) and early indications are that it will be a mess, and potentially hazardous to free speech rights. In addition, the US and EU have been trying to negotiate a new data protection safe harbor anyway, and that hasn’t been going smoothly, and this will continue to throw a wrench into things.

Big companies will likely be able to negotiate their way around this, but there will likely be some legal flareups in one or two countries, creating a mishmash of jurisdictional confusion over privacy rights. Smaller internet companies will now face much greater threats in doing business in Europe. Even worse, some are going to use this as an opportunity to try to fragment the internet, demanding companies keep data locally within country borders — which actually will create more targets for mass surveillance, rather than fewer. Chances are that little will change in the immediate future — as many companies will just keep right on doing what they’re doing and hoping no one really cares. But the potential for people to bring lawsuits could shake things up.

In the specific case here, the Court of Justice found that the safe harbor was invalid, and thus it did not stop Irish officials from considering Schrems’ complaint that Facebook violated his rights in making data available to the NSA. So that specific case still needs to move forward and should be interesting to watch.

In short, though, this is yet more damage directly done by the NSA and the US’s ridiculous attitude towards mass surveillance, without any concern at all to the economic costs that such mass surveillance creates for US companies. As the EFF notes in its response to the news, the US brought this on itself with its idiotic mass surveillance efforts. This end result is a mess that could lead to greater fragmentation of the internet, which won’t do anything to better protect people’s privacy (and, actually, might make it more exposed). The only logical way forward is to move away from mass surveillance and towards a more comprehensive view of privacy that takes into account the public’s rights — including the right to free expression. Danny O’Brien at EFF sums it up nicely:

That would certainly force the companies to re-think and re-engineer how they manage the vast amount of data they collect. It will not, however, protect their customers from mass surveillance. The geographic siloing of data is of little practical help against mass surveillance if each and every country feels that ordinary customer data is a legitimate target for signals intelligence. If governments continue to permit intelligence agencies to indiscriminately scoop up data, then they will find a way to do that, wherever that data may be kept. Keep your data in Ireland, and GCHQ may well target it, and pass it onto the Americans. Keep your data in your own country, and you’ll find the NSA?or other European states, or even your own government? breaking into those systems to extract it.

What will change the equation is for states, including and especially the United States, to realize that dragnet surveillance undermines their national security and the global security of our data. It has economic consequences, as regulators, companies and individuals lose trust in Internet companies and services. It has political consequences as nations vie to keep data out of the hands of other countries, while seeking to keep it trackable by their own intelligence services.

There’s only one way forward to end this battle in a way that keeps the Internet open and preserves everyone’s privacy. Countries have to make clear that mass surveillance of innocent citizens is a violation of human rights law, whether it is conducted inside their borders or outside, upon foreigners or residents. They have to bring their surveillance programs, foreign and domestic, back under control.

The ruling today is not a win for privacy. It creates a bigger mess, but it’s one that needs to be cleaned up at the source, and that’s where governments (and not just the US government) are going with mass surveillance. Unfortunately, there doesn’t seem to be any indication that this is what’s going to happen. Instead, expect the US and EU to try to paper over this by coming up with a new safe harbor plan that won’t change anything, but which may just be more expensive for companies. That’s a mistake. There’s a way to fix this mess and it’s to stop mass surveillance.

Filed Under: data protection directive, eu court of justice, eu us data protection safe harbors, eucj, mass surveillance, max schrems, nsa, prism, privacy, safe harbors, section 702, surveillance
Companies: facebook

Amazon Finally Joins The Transparency Party: Notes That It Did Not Join PRISM

from the yes,-but... dept

Earlier this year, we noted that Amazon was alone among the giant internet companies in refusing to publish a transparency report providing details on government requests for information. Amazon was also absent from the legal fight that many big tech companies filed against the government over the right to disclose such information (a fight that only Twitter is still fighting).

Finally, however, late on Friday, Amazon joined the party with its first ever Transparency Report (though it tries to cover up the fact that it’s the first time it’s ever done this by calling it the company’s “bi-annual report.”) In an accompanying blog post, however, the company plays up its privacy fighting bona fides — something many privacy advocates had long questioned — by highlighting that it “never participated in the NSA’s PRISM program” and that it had challenged government subpoenas for information:

Where we need to act publicly to protect customers, we do. Amazon never participated in the NSA?s PRISM program. We have repeatedly challenged government subpoenas for customer information that we believed were overbroad, winning decisions that have helped to set the legal standards for protecting customer speech and privacy interests. We also advocate in Congress to modernize outdated privacy laws to require law enforcement to obtain a search warrant from a court to get the content of customer communications. That?s the appropriate standard, and it?s the standard we follow.

That may be true, but it’s also been true that Amazon has been noticeably absent from a variety of efforts to stop government surveillance — including many that involve nearly every other big internet company. Hopefully this move, joining the rest of these companies in producing a transparency report, is a step towards being even more engaged on these issues as well. Given just how much infrastructure now runs on Amazon’s web services platform, it needs to be a stronger champion for privacy and against unnecessary surveillance.

Filed Under: nsa, prism, transparency, transparency reports
Companies: amazon

FISA Judge To Yahoo: If US Citizens Don't Know They're Being Surveilled, There's No Harm

from the so,-more-of-the-same,-except-retroactively? dept

A legal battle between Yahoo and the government over the Protect America Act took place in 2008, but details (forced from the government’s Top Secret file folders by FISA Judge Reggie Walton) are only emerging now. A total of 1,500 pages will eventually make their way into the public domain once redactions have been applied. The most recent release is a transcript [pdf link] of oral arguments presented by Yahoo’s counsel (Mark Zwillinger) and the US Solicitor General (Gregory Garre).

Zwillinger opens up the arguments by questioning the government’s methods of determining who should be placed under surveillance.

Why I show this to you is because I think it’s a perfectly fair question for you to ask the Solicitor General of the United States how a name gets on this list. This isn’t reviewed by a — the FISA Court. These names aren’t reviewed by the Attorney General of the United States. The difference between surveilling an account and exposing someone’s most private communications and not is how a name gets on this list; and all we know about it from page 47 of their brief, is that an intelligence analyst puts it on the list.

From this arbitrary beginning springs a wealth of errors.

[REDACTED] of the accounts we have been given do not exist. They aren’t accounts at Yahoo. Whether the government is misinformed, or using stale information, we don’t know; But the fact that [REDACTED] accounts do not exist raises a serious possibility that some of those accounts have already been recycled and are used by other Yahoo users, or that the information that the government has is just wrong, and the wrong is being placed under surveillance.

Zwillinger points out that Yahoo is just one provider and yet has (the number is redacted, but is at least 4 digits with a comma) a large number of accounts under surveillance. He then refers to the multiple errors again, stating that when the government screws up, it’s very likely that American citizens will be mistakenly placed under surveillance.

The difference between a U.S. person and a non-U.S. person in this context could be a letter or a digit in an email address; and if they have it wrong, the consequences will likely be felt here, because more Yahoo users are from the United States than any other single country.

The judges claim minimization procedures eliminate the problem of inadvertent collections, but Zwillinger points out that the surveillance carried out under the Protect America Act actually doesn’t contain protections against use of wrongly swept up US persons’ communications and data.

The government’s response begins by denying that US persons’ data is retained. “There is no database,” says Gregory Garre, before having to admit a few sentences later, that incidental data is retained (and distributed) if there is evidence of other, non-national-security-related criminal activity.

Garre then goes on to explain why the government feels it should have warrantless access to US persons’ communications, routed through and stored at US servers. He refers to satellite communications — something in use when FISA was enacted in 1978. Garre says that even though these communications may have been captured by domestic satellite receivers, it’s the point of origin that matters. Outside the US? No warrant needed, even for US persons. Likewise for emails stored on Yahoo servers.

MR. GARRE: I don’t think anybody would argue that the Fourth Amendment would apply to that communication, even though the email communications go to account in Sunnyvale, California. I haven’t understood Yahoo to argue that the Fourth Amendment would be implicated by that.

And, similarly, the Fourth Amendment isn’t —

JUSTICE SELYA: You mean the interception there by you and Yahoo would not implicate the Fourth Amendment?

MR. GARRE: That Certainly would be the government’s view.

Garre also blames the large number of dead accounts in the court orders on Yahoo’s refusal to immediately comply, while simultaneously spinning it as the unavoidable collateral damage of “efficient” surveillance.

So the fact that accounts have been closed is not significant, and that’s particularly true given that the large number of email accounts here is reflected by the fact that Yahoo is in noncompliance for several months. So, if you go back several months, it’s not surprising that several accounts have been closed.

Garre asserts that if anyone deserves the benefit of a doubt in this situation, it’s the US government. He states that the Executive Branch and the intelligence community have a long-standing history of not violating the rights of US citizens — a statement that wasn’t even mostly true prior to the 9/11 attacks, and is almost laughable in the wake of what’s been uncovered since then. He also points to Congressional oversight and suggests its legislative powers would have been used to rein in the NSA and others if it had actually seen signs of abuse.

In his rebuttal, Zwillinger punches holes in Garre’s narrative.

You know, the Solicitor General talks about Congress spoke here, but to the extent Congress has spoken, then they turn around and admit they misspoke. And now they have a Senate report that says we failed to provide adequate protections for U.S. persons, and we are going to pass new legislation. They intentionally let the Protect America Act lapse. So to the extent congressional oversight even exists after February 16, 2008, which I’m not sure it does, it provides no check. Congress can’t do anything differently. The statute has passed. The directives continue all the way until the expiration date, but the statute doesn’t exist any more. It’s not Congress’s current view of how surveillance should he conducted.

But the most surprising assertions made in these oral arguments don’t come from the Solicitor General. They come from Judge Morris S. Arnold, who shows something nearing disdain for the privacy of the American public and their Fourth Amendment rights.

In the first few pages of the oral arguments, while discussing whether or not secret surveillance actually harms US citizens (or the companies forced to comply with government orders), Arnold pulls a complete Mike Rogers:

If this order is enforced and it’s secret, how can you be hurt? The people don’t know that — that they’re being monitored in some way. How can you be harmed by it? I mean, what’s –what’s the — what’s your — what’s the damage to your consumer?

By the same logic, all sorts of secret surveillance would be OK — like watching your neighbor’s wife undress through the window, or placing a hidden camera in the restroom — as long as the surveilled party is never made aware of it. If you don’t know it’s happening, then there’s nothing wrong with it. Right? [h/t to Alex Stamos]

In the next astounding quote, Arnold makes the case that the Fourth Amendment doesn’t stipulate the use of warrants for searches because it’s not written right up on top in bold caps… or something.

The whole thrust of the development of Fourth Amendment law has sort of emphasized the watchdog function of the judiciary. If you just look at the Fourth Amendment, there’s nothing in there that really says that a warrant is usually required. It doesn’t say that at all, and the warrant clause is at the bottom end of the Fourth Amendment, and — but that’s the way — that’s the way it has been interpreted.

What’s standing between US citizens and unconstitutional acts by their government is a very thin wall indeed.

Filed Under: fisa court, fisc, gregory garre, mark zwillinger, morris arnold, nsa, paa, prism, protect america act, section 702, surveillance
Companies: yahoo

More Yahoo vs. The NSA: Government Tried To Deny Standing, Filed Supporting Documents Yahoo Never Got To See

from the blindfolded-and-pickpocketed dept

After having the court documents unsealed and the gag order lifted, Yahoo is finally free to talk about that one time when the government wanted to fine it $250,000 a day [!!] for refusing to comply with a FISA court order to turn over data on its customers. Two of the lawyers (Mark Zwillinger and Jacob Sommer) who represented Yahoo in that court battle, have written a post detailing the behind-the-scenes activity.

First off, they note that it’s kind of amazing they’re even able to discuss it at this point.

Having toiled in secret until recently, and having originally been told we would need to wait 25 years to tell anyone of our experience, it is refreshing to be able to write about the case in detail.

That’s the normal declassification schedule, which at this point would still be nearly 18 years away. Fortunately, Ed Snowden’s leaks have led to an accelerated schedule for many documents related to the NSA’s surveillance programs, as well as fewer judges being sympathetic to FOIA stonewalling and exemption abuse.

We’ve talked several times about how the government makes it nearly impossible to sue it for abusing civil liberties with its classified surveillance programs. It routinely claims that complainants have no standing, ignoring the fact that leaked documents have given us many details on what the NSA does and doesn’t collect. But in Yahoo’s case, it went against its own favorite lawsuit-dismissal ploy.

First, the government’s prior position on standing may be a bit of a surprise. In more recent cases, like Clapper, it has argued that only the provider has standing to challenge surveillance orders under the FISA Amendments Act, not individual users who may have been caught up in the surveillance. But, in this fight, the government argued that Yahoo had no standing to challenge a directive on the basis of the Fourth Amendment rights of its users.

The government definitely would prefer the swift removal of cases rather than actually having to defend its programs’ Constitutionality — so much so that it attempted to push the argument that no one has standing to challenge its collections. But that wasn’t the government’s only angle. The courts refused to entertain this sudden shift in the government’s “standing” argument, so it moved on to levying fines.

A very short time frame to respond was granted to Yahoo, something made even shorter by the government’s foot-dragging.

The FISC issued its decision on April 25, 2008, but we were not permitted to inspect the order until April 29, 2008 (and even then were not allowed to take notes), and did not receive a copy until May 5, 2008, when the government demanded that Yahoo give a same-day answer whether it would comply with the surveillance demand.

Shortly after Yahoo’s response, the government moved for contempt charges and fines. $250,000 per day was the minimum. It asked for constantly-escalating fines that would double each week until Yahoo complied. Even for a tech giant, this fee scale could turn into real money incredibly quickly.

Simple math indicates that Yahoo was facing fines of over $25 million dollars for the 1st month of noncompliance, and fines of over $400 million in the second month if the court went along with the government’s proposal. And practically speaking, coercive civil fines means that the government would seek increased fines, with no ceiling, until Yahoo complied.

While the government was threatening Yahoo with massive fines, it was also filing secret briefs and motions in support of its admittedly “coercive” levies, stating that the company’s resistance was causing “great harm,” apparently on a daily basis.

Finally, the documents that were recently released by the ODNI (and Yahoo itself) contain many that Yahoo — who was directly involved in this court battle — had never seen before August 22.

The government filed ex parte documents in support of its surveillance program, many of which Yahoo had no access to during the legal struggle. Not only did the government force Yahoo to respond on its own schedule, but it kept the company in the dark about its justifications and other aspects of its programs. Yahoo couldn’t ask for these documents in discovery, nor did it even know these existed.

[P]erhaps most importantly, a FISC decision from January 15, 2008 regarding the procedures for the DNI/AG Certification at issue, which Yahoo had never seen. It examines those procedures under a “clearly erroneous” standard of review – which is one of the most deferential standards used by the judiciary. Yahoo did not have these documents at the time, nor the opportunity to conduct any discovery. It could not fully challenge statements the government made, such as the representation to FISCR “assur[ing the Court] it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary.” Nor could Yahoo use the January 15, 2008 decision to demonstrate how potential flaws in the targeting process translated into real world effects.

When it comes to the nation’s security, apparently no legal deck can be stacked high enough. The government forces those who challenge its secret programs to wage courtroom battles with only the barest minimum of information. And, should it decide the defendant isn’t moving fast enough, it can pursue exorbitant (and admittedly coercive) fines until it gets the cooperation it’s seeking.

Filed Under: doj, fines, fisa, fisa court, nsa, paa, prism, privacy, standing, surveillance, threats
Companies: yahoo