bulk metadata – Techdirt

Pentagon's Watchdog In Charge Of NSA Oversight Admits He Was 'Not Aware' Of NSA's Bulk Data Collection

from the oversight! dept

We hear it over and over again from defenders of the NSA: the programs, such as the bulk collection of call metadata, are perfectly legal in part because of oversight from “all three branches” of government. Of course, that’s long since been debunked (especially seeing that all three branches have also demanded reforms to the very same programs). But one of the key points is that this “oversight” is usually not actually oversight at all, because the all-important details are obfuscated or otherwise totally hidden from the overseers. And while the lack of real oversight from Congress and the courts has been covered in fairly great detail, what about the executive branch?

Well, wonder no more. The main guy in charge of supposedly “overseeing” the NSA’s efforts and making sure that they’re within the law (even if right up to the edges of it) is the Defense Department’s Inspector General (currently Anthony C. Thomas), and he’s just admitted that he had no idea that the NSA was collecting bulk metadata on a huge swath of phone calls inside the US. According to a report by Spencer Ackerman at The Guardian:

“From my own personal knowledge, those programs, in and of themselves, I was not personally aware,” Thomas said.

He also admitted that the DOD isn’t currently investigating, nor does it have any plans to investigate, the NSA’s bulk surveillance efforts. Basically, he just leaves that up to the NSA’s own Inspector General:

“If the NSA IG is looking into something and we feel that their reporting, their investigation is ongoing, we’ll wait to see what they find or what they don’t find, and that may dictate something that we may do. In the course of a planning process, we may get a hotline [call], or we may get some complaint that may dictate an action that we may or not take,” Thomas said.

Specifically on bulk NSA surveillance, Thomas said he was “waiting to see the information that the NSA IG brings forward with the investigations that are going on, and what we often do not want to do is conflict.”

So, this guy, who is in charge of the Pentagon’s oversight of the NSA, is basically taking a hands-off approach to the NSA issue, letting them work out their own solution to what has been declared illegal and unconstitutional activities by two separate executive branch review panels. That doesn’t inspire confidence. In fact, it inspires something entirely different: cynicism and a general distrust in government. For a government that keeps saying that the NSA has to rebuild “trust” with the American public, you’d think that it would start by actually having the people who have the mandate for oversight actually do something.

Filed Under: anthony thomas, bulk metadata, defense department, dod, inspector general, nsa, oversight, pentagon, section 215, surveillance, watchdog

NSA, Which Once Claimed It Needed Every Phone Record, Now Claims It Actually Gets Less Than 20%

from the is-that-supposed-to-be-comforting? dept

Ever since the first Snowden leaks about the way the NSA interpreted Section 215 of the PATRIOT Act to allow it to collect all call records from various telcos, one of the key arguments that has been made by the program’s defenders is that it was necessary to have every single call record to make the important connections between terrorists. Multiple officials have argued that to find the “needle in the haystack” they need to be able to collect the whole haystack. In fact, that was part of the argument made by the few judges who have reviewed and approved this program. In the very first FISC ruling that actually analyzed the legality of the program (as opposed to earlier approvals that never bothered with an analysis), the court clearly indicated that it was necessary to collect everything:

The government depends on this bulk collection because if production of the information were to wait until the specific identifier connected to an international terrorist group were determined, most of the historical connections (the entire purpose of this authorization) would be lost. The analysis of past connections is only possible “if the Government has collected and archived a broad set of metadata that contains within it the subset of communications that can later be identified as terrorist-related.” Because the subset of terrorist communications is ultimately contained within the whole of the metadata produced, but can only be found after the production is aggregated and then queried using identifiers determined to be associated with identified international terrorist organizations, the whole production is relevant to the ongoing investigation out of necessity.

That legal tapdancing aside, it basically argues that the only way this data makes sense is if the NSA has all of it. Similarly, when Judge William Pauley found the program legal late last year, he too relied on the argument that the NSA needed all the data.

And yet… it appears that they’re actually not getting that much data. A new report from the Washington Post claims that the NSA is actually only getting between 20 and 30% of the data. The Wall Street Journal rushed out a quick story claiming it’s actually less than 20%.

Apparently, while the NSA has gotten approvals to get data on landline calls from Verizon and AT&T, it actually hasn’t yet gone after the same data from most mobile phone calls. For example, even though it gets Verizon landlines, it apparently does not collect the data on Verizon Wireless. Nor does it collect the data from T-Mobile. There are somewhat conflicting reports as to why this is, but the Washington Post piece suggests that the incident in 2009 in which FISC chief judge Reggie Walton nearly shut the whole program down over compliance failures has basically stopped the NSA from updating the program, because everywhere they look there have been more (you guessed it) compliance failures, and they’re simply not set up to handle mobile phone data. Update: And some are questioning the whole claim here, noting that the orders that have been revealed do appear to request IMEI and IMSI data — information that is only associated with mobile phones.

“It’s not simply the ability to go to the court and order some vendor to give you more records, but you have to make sure that the [agency’s collection system] is prepared and ready to take the data and meet all the requirements of the court,” the former official said. “You don’t want to turn it on and get hundreds of millions of records, only to find out that you’ve got the moral equivalent of raw sewage spilling into the Chesapeake Bay.”

The process of preparing the system can take months, said the senior U.S. official, adding that mobile calls have different data elements than land-line calls. “That’s a really detailed set of activities where we get sample data in, and we march it through our systems,” the official said. “We do that again and again and again. We put in auditing procedures to make sure it works. So before we turn on that mobility data, we make sure it works. . . . It’s very complex.”

Compounding the challenge, the agency in 2009 struggled with compliance issues, including what a surveillance court found were “daily violations of the minimization procedures set forth in [court] orders” designed to protect Americans’ call records that “could not otherwise have been legally captured in bulk.”

As a result, the NSA’s director, Gen. Keith Alexander, ordered an “end-to-end” review of the program, during which additional compliance incidents were discovered and reported to the court. The process of uncovering problems and fixing them took months, and the same people working to address the compliance problems were the ones who would have to prepare the database to handle more records.

Basically, there have been so many compliance problems that the NSA has had to work overtime to try to fix their systems and prepare for an influx of mobile phone data. The Wall Street Journal version of the report says that part of the problem is the NSA can’t figure out how to strip location data from mobile phone data, and because collecting that information might lead to compliance issues, they haven’t been able to figure out how to do it without running into more trouble down the road.

But fear not, surveillance state lovers, the NSA is getting ready and its goal is to get back to collecting nearly every phone record from every phone provider. Once the systems are in place, they appear to fully intend to send over some requests to the FISA court to get all those mobile operators to comply as well. One hopes that, this time, with so much more awareness of what’s going on, at least one of those mobile operators will fight back.

Either way, this whole thing actually shows just how ridiculous the NSA’s claims are that it absolutely needs all this data to keep us safe. The very fact that this report is coming out in both the Washington Post and the Wall Street Journal at nearly the same time suggests a stupid sort of PR attempt on the part of the NSA, which seems to think that after months of insisting they need it all, they can now placate people by saying “well, we really only collect about 20% of the data (though we’re hoping to collect it all).” Not only does this actually highlight the widespread compliance problems with this data, it further shows that the argument that somehow collecting it all is necessary to keep us safe is just completely wrong.

Filed Under: bulk metadata, cell phones, compliance issues, location data, mobile phones, nsa, phone records, section 215, surveillance

FISA Court Agrees To Changes That Limit NSA's Ability To Query Phone Records

from the it's-something dept

While we were mostly disappointed by President Obama’s speech concerning his plans for reforming surveillance efforts, there were a few significant suggestions, with the most major one being a reduction in the number of “hops” that can be explored, from “3 hops” down to “2 hops.” That might not sound that big, but it is a pretty big limitation when you dig into the math. Furthermore, he said that there should be a court reviewing each request to query the phone records database. He left open a pretty big loophole, saying that this judicial review could be skipped in a “true emergency,” but it’s still something.

In response, the Justice Department actually went to the FISA Court and filed a motion to revise the current order approving the telephone records collection (under Section 215 of the PATRIOT Act, sometimes called the “bulk metadata” program), to change it to put in place these restrictions. The FISA Court has now approved that request, and will release a (possibly redacted) version of the order within the next week and a half or so.

This is a small change, but it is still a meaningful change that creates both more oversight and greater limits on how this data can be used. It’s a small step in the right direction.

Filed Under: bulk metadata, fisa, fisc, james clapper, nsa, phone records, section 215, surveillance, three hops, two hops

ODNI Tasks Researchers With Figuring Out How To Store Section 215 Collections Off-Site

from the still-looking-at-the-symptoms,-rather-than-the-sickness,-however dept

One of the few stipulations in Obama’s NSA reforms was to transfer the Section 215 collections to a third party and out of the NSA’s direct control. The assumption is that these records will be held by those generating them — the telcos. But the telcos have made it apparent that, while they have no problem asking “how high” whenever the NSA says, “jump,” they have no interest in storing the records onsite. The administration didn’t specifically order anyone to take control of the records, basically punting the issue to Congress and the DOJ and “allowing” them to sort it out.

For better or worse, the ODNI has already taken action toward fulfilling the president’s order.

The Office of the Director of National Intelligence has paid at least five research teams across the country to develop a system for high-volume, encrypted searches of electronic records kept outside the government’s possession. The project is among several ideas that could allow the government to store Americans’ phone records with phone companies or a third-party organization, but still search them as needed.

These researchers’ suggestions will be weighed against anything the DOJ or Congress has to offer, albeit with a slight home-team advantage. There are some protections the ODNI has specified that may make its conclusions preferable to others, in terms of data security at least, and possibly provide more flexibility for shifting records to whatever entity(ies) is left holding the metadata bag.

Under the research, U.S. data mining would be shielded by secret coding that could conceal identifying details from outsiders and even the owners of the targeted databases, according to documents obtained by The Associated Press and interviews with researchers, corporate executives and government officials…

An encrypted search system would permit the NSA to shift storage of phone records to either phone providers or a third party, and conduct secure searches remotely through their databases. The coding could shield both the extracted metadata and identities of those conducting the searches, Bellovin said. The government could use encrypted searches to ensure that its analysts were not leaking information or abusing anyone’s privacy during their data searches. And the technique could also be used by the NSA to securely search out and retrieve Internet metadata, such as emails and other electronic records.

This would ease the logistics problem and (theoretically) reduce the possibility of abuse. But it doesn’t eliminate every problem, including the “why” of collecting and storing millions of irrelevant phone records. While it will reduce the odds of abuse, it doesn’t eliminate that prospect. Another concern is the fact that the use (as opposed to the collection and storage) of the data will still be removed from any meaningful oversight.

On a more positive note, the encrypted search requirement would stave off hacking attempts and prevent the phone companies from knowing which records have been searched. Of course, while preventing the phone companies from knowing what’s going on with their records does some damage to the recently loosened restrictions on government access reporting, it does at least eliminate one of the telcos’ objections to maintaining the collected data onsite. (Although it can be argued that the telcos — Verizon and AT&T especially — have been so compliant over the years that storing data onsite won’t be remarkably different than storing it at NSA data centers.)

There are some pluses to the ODNI’s efforts, but the question of why the collection is needed still hasn’t been answered. The administration’s cosmetic reforms placed a few restrictions on the Section 215 program but completely avoided addressing the overall uselessness of the Fourth Amendment-skirting program. As the program morphs to meet the few requirements given, the NSA’s supporters are likely to greet each change with more proclamations of the damage being done to national security. (Not that they haven’t started already…)

Ultimately, the NSA has no need to keep the data onsite, considering it will now have to seek court approval before searching the database. It will still have some leeway to bypass the judicial constraints thanks to National Security Letters, but for the most part, it’s a return to its 2009 restraints as ordered by FISC judge Reggie Walton after observing “systemic abuse” of the bulk records collections. With this in place, the agency can’t really argue that uninterrupted, direct access is needed as it will be something it no longer has, onsite or not. Placing another small hurdle simply makes it a bit more difficult to abuse the collection and, after having free rein for so many years, a little friction is exactly what the agency needs to experience.

Filed Under: bulk metadata, james clapper, nsa, odni, patriot act, privacy, section 215, surveillance

Civil Liberties Board Completely Destroys Arguments For Bulk Metadata Collection: Program Is Both Illegal And Unconstitutional

from the which-will-now-be-ignored dept

As expected, the Privacy and Civil Liberties Oversight Board (PCLOB) has come out with its quite scathing report concerning the federal government’s interpretation of Section 215 of the PATRIOT Act. The full report is quite readable and well worth reading, no matter how familiar you are with the program. If you’re not familiar, it lays out all the details. If you are familiar, it still may fill in a number of useful gaps as well. While the full recommendations and conclusions were not supported unanimously by the board, the majority did agree that not only is the program unconstitutional, but that it involves a gross misinterpretation of the law. The executive summary makes the point pretty clearly:

Section 215 is designed to enable the FBI to acquire records that a business has in its possession, as part of an FBI investigation, when those records are relevant to the investigation. Yet the operation of the NSA’s bulk telephone records program bears almost no resemblance to that description. While the Board believes that this program has been conducted in good faith to vigorously pursue the government’s counterterrorism mission and appreciates the government’s efforts to bring the program under the oversight of the FISA court, the Board concludes that Section 215 does not provide an adequate legal basis to support the program.

There are four grounds upon which we find that the telephone records program fails to comply with Section 215. First, the telephone records acquired under the program have no connection to any specific FBI investigation at the time of their collection. Second, because the records are collected in bulk — potentially encompassing all telephone calling records across the nation — they cannot be regarded as “relevant” to any FBI investigation as required by the statute without redefining the word relevant in a manner that is circular, unlimited in scope, and out of step with the case law from analogous legal contexts involving the production of records. Third, the program operates by putting telephone companies under an obligation to furnish new calling records on a daily basis as they are generated (instead of turning over records already in their possession) — an approach lacking foundation in the statute and one that is inconsistent with FISA as a whole. Fourth, the statute permits only the FBI to obtain items for use in its investigations; it does not authorize the NSA to collect anything.

In addition, we conclude that the program violates the Electronic Communications Privacy Act. That statute prohibits telephone companies from sharing customer records with the government except in response to specific enumerated circumstances, which do not include Section 215 orders.

Finally, we do not agree that the program can be considered statutorily authorized because Congress twice delayed the expiration of Section 215 during the operation of the program without amending the statute. The “reenactment doctrine,” under which Congress is presumed to have adopted settled administrative or judicial interpretations of a statute, does not trump the plain meaning of a law, and cannot save an administrative or judicial interpretation that contradicts the statute itself. Moreover, the circumstances presented here differ in pivotal ways from any in which the reenactment doctrine has ever been applied, and applying the doctrine would undermine the public’s ability to know what the law is and hold their elected representatives accountable for their legislative choices.

Basically, in those four short paragraphs, the PCLOB dismantles nearly all of the arguments that people have put forth to support the bulk collection of metadata, and makes it clear that the DOJ, NSA and FISC are clearly twisting the plain language meaning of Section 215 to support what is ultimately an unconstitutional program.

On that front, the report notes clearly the Constitutional issues:

The NSA’s telephone records program also raises concerns under both the First and Fourth Amendments to the United States Constitution. We explore these concerns and explain that while government officials are entitled to rely on existing Supreme Court doctrine in formulating policy, the existing doctrine does not fully answer whether the Section 215 telephone records program is constitutionally sound. In particular, the scope and duration of the program are beyond anything ever before confronted by the courts, and as a result of technological developments, the government possesses capabilities to collect, store, and analyze data not available when existing Supreme Court doctrine was developed. Without seeking to predict the direction of changes in Supreme Court doctrine, the Board urges as a policy matter that the government consider how to preserve underlying constitutional guarantees in the face of modern communications technology and surveillance capabilities.

While the PCLOB repeatedly states it believes that the government acted in good faith, it nonetheless finds the program immensely troubling. The idea that collecting all phone metadata is okay simply is not supported by what the law itself actually says:

Notably, Section 215 requires that records sought be relevant to “an” authorized investigation. Elsewhere, the statute similarly describes the records that can be obtained under its auspices as those sought “for an investigation.” The use of the singular noun in these passages signals an expectation that the records are being sought for use in a specific, identified investigation. This interpretation is reinforced by the requirement that the FISA court make specific findings about the investigation for which the records are sought — that it is supported by a factual predicate, conducted according to guidelines approved by the Attorney General, and not based solely upon activities protected by the First Amendment when conducted of a U.S. person.

[….] The government’s approach, in short, has been to declare that the calling records being sought are relevant to all of the investigations cited in its applications. This approach, at minimum, is in deep tension with the statutory requirement that items obtained through a Section 215 order be sought for “an investigation,” not for the purpose of enhancing the government’s counterterrorism capabilities generally. Declaring that the calling records are relevant to every counterterrorism investigation cited by the government is little different, in practical terms, from simply declaring that they are relevant to counterterrorism in general.

That is particularly so when the number of calling records sought is not limited by reference to the facts of any specific investigation. At its core, the approach boils down to the proposition that essentially all telephone records are relevant to essentially all international terrorism investigations. The Board does not believe that this approach comports with a fair reading of the statute.

Moreover, this approach undermines the value of an important statutory limitation on the government’s collection of records under Section 215. The statute provides that records cannot be obtained for a “threat assessment,” meaning those FBI investigatory activities that “do not require a particular factual predicate.” By excluding threat assessments from the types of investigations that can justify an order, Congress directed that Section 215 not be used to facilitate the broad and comparatively untethered investigatory probing that is characteristic of such assessments. But by collecting the nation’s calling records en masse, under an expansive theory of their relevance to multiple investigations, the NSA’s program undercuts one of the functions of the “threat assessment” exclusion: ensuring that records are not acquired by the government without some reason to suspect a connection between those records and a specific, predicated terrorism investigation. While the rules governing the program limit the use of telephone records to searches that are prompted by a specific investigation, the relevance requirement in Section 215 restricts the acquisition of records by the government.

The PCLOB clearly sees through the feds’ ridiculous re-interpretation of the word “relevant” as well — calling it “untenable” and “dangerously overbroad.”

The government has argued, and the FISA court has agreed, that essentially the entire nation’s calling records are “relevant” to every counterterrorism investigation cited in the government’s applications to the court. This position is untenable. Moreover, the interpretation of Section 215 adopted by the FISA court is dangerously overbroad, leading to the implication that virtually all information may be relevant to counterterrorism and therefore subject to collection by the government.

Later, the report argues that the government’s interpretation “is circular and deprives the word ‘relevant’ of any interpretive value.”

All records become relevant to an investigation, under this reasoning, because the government has developed an investigative tool that functions by collecting all records to enable later searching. The implication of this reasoning is that if the government develops an effective means of searching through everything in order to find something, then everything becomes relevant to its investigations. The word “relevant” becomes limited only by the government’s technological capacity to ingest information and sift through it efficiently.

The PCLOB also totally debunks the line trotted out by numerous NSA defenders that this program is no different than a grand jury subpoena. Not so, says the board:

To determine what might be the outer limits of a grand jury subpoena, we have examined both the cases cited by the government and others. There has never been a grand jury subpoena as broad as the FISA court’s Section 215 orders. And contrary to the government’s suggestion, the case law does not hold that the breadth of a grand jury subpoena is unlimited, but rather that a subpoena must be designed to address the circumstances of a specific investigation.

One decision, In re Grand Jury Proceedings, merely explains that district courts assessing the relevance of subpoenaed materials should not proceed “document-by-document,” but should instead evaluate whether each “broad category” of requested materials could contain possibly relevant documents. The former approach would “unduly disrupt the grand jury’s broad investigatory powers” and force the government “to justify the relevancy of hundreds or thousands (or more) of individual documents, which it has not yet even seen[.]” Often the government “is not in a position to establish the relevancy with respect to specific documents,” because “it may not know the precise content of the requested documents” and “it may not know precisely what information is or is not relevant at the grand jury investigative stage.” Accepting the “incidental” production of irrelevant documents, when measured by the hundreds or thousands, does not support the legitimacy of the Section 215 calling records program, in which the NSA potentially collects billions of records per day with full knowledge that virtually all of them are irrelevant.

It goes on to point to a number of other cases and how the government’s interpretation of them is simply bogus.

It also points out that screaming “but… but… terrorism!” is no excuse either:

Finally, the heightened importance of counterterrorism investigations, as compared with typical law enforcement matters, does not alter the equation. Items either are relevant to an investigation or they are not — the significance of that investigation is a separate matter. No matter how critical national security investigations are, therefore, some articulable principle must connect the items sought to those investigations, or else the word “relevant” is robbed of meaning. Congress added a relevance requirement to Section 215 in 2006 knowing full well that the statute governs national security investigations. It cannot, therefore, have meant for the importance of such investigations to efface that requirement entirely.

There’s also an interesting tidbit, noting that Section 215 was designed specifically and solely for the FBI, not the NSA — yet it is used here by the NSA (who then may share the info with lots of other agencies):

Section 215 expressly allows only the FBI to acquire records and other tangible things that are relevant to its foreign intelligence and counterterrorism investigations. Its text makes unmistakably clear the connection between this limitation and the overall design of the statute. Applications to the FISA court must be made by the director of the FBI or a subordinate. The records sought must be relevant to an authorized FBI investigation. Records produced in response to an order are to be “made available to,” “obtained” by, and “received by” the FBI.

[….] Under the bulk telephone records program, however, the FBI does not receive any records in response to the FISA court’s orders. While FBI officials sign every application seeking to renew the program, the calling records produced in response to the court’s orders are never “made available to the Federal Bureau of Investigation” or “received by the Federal Bureau of Investigation,” as called for by the statute. Instead, the FISA court’s orders specifically direct telephone companies to “produce to NSA” their calling records — thwarting congressional intentions regarding the role each agency is to play in counterterrorism efforts that involve the collection of information within the United States about Americans.

In compliance with the FISA court’s orders, telephone companies that are subject to this program transmit their calling records to the NSA. The records are not delivered to the FBI and are never passed on to the FBI by the NSA. Instead, the NSA stores the records in its own databases, conducts its own analysis of them, and provides reports to various federal agencies — including but not limited to the FBI — with information about telephone communications that “the NSA concludes have counterterrorism value.”

In fact, the PCLOB notes, the FISC orders on this program actually prohibit the NSA from giving much of the information to the FBI, despite the fact that the law is only designed to be used by the FBI.

There’s another section detailing how the FISA Court more or less ignores ECPA (the Electronic Communications Privacy Act), which the bulk metadata collection program clearly violates. The report notes that the FISC more or less admits this, and then says that Congress couldn’t really have meant to say what the ECPA law says.

The FISA court concluded that its orders authorizing the NSA’s program were consistent with ECPA. In reaching this conclusion, the court first determined that the terms of Section 215 and ECPA were in tension. Both statutes could not both be given “their full, literal effect,” wrote the court, because Section 215 authorizes the production of “any tangible things,” and applying the prohibitions of ECPA would limit the meaning of the word “any.”

Instead, the PCLOB gives a fairly compelling argument for why the FISC is just wrong on this:

As the FISA court acknowledged, the very statute that created Section 215, the Patriot Act, also amended ECPA “in ways that seemingly re-affirmed that communications service providers could divulge records to the government only in specified circumstances” — without including FISA court orders issued under Section 215. The fact that the same statute both created Section 215 and amended ECPA, but without adding an exception to ECPA for Section 215 orders, undermines the notion that ECPA and Section 215 are in conflict, and provides an additional basis for strictly adhering to ECPA’s prohibitions by not inferring unwritten exceptions to those prohibitions. It also demonstrates that another fundamental canon of statutory construction applies here — that the inclusion of some implies the exclusion of others not mentioned. “Where there is an express exception, it comprises the only limitation on the operation of the statute and no other exceptions will be implied.” Congress did not add an exception to ECPA for Section 215 orders, even though it amended ECPA in other ways at the same time that it created Section 215. That omission should be respected.

As for the claim that because Congress re-enacted Section 215, it clearly approves of the bizarre reinterpretation of it by the FISC and the executive branch, the PCLOB rejects this, claiming it, too, is a “novel proposition” reinterpreting the “reenactment doctrine” beyond its intended purpose. And part of that, of course, is the fact that the FISA and NSA/DOJ interpretations were all kept really secret from Congress:

The “reenactment doctrine” does not trump the plain meaning of a law, but rather is one of many interpretive tools that come into play when statutory ambiguity demands an inquiry into congressional intent. Reenactment, in other words, “cannot save” an administrative or judicial interpretation that contradicts the requirements of the statute itself. And for the many reasons explained above, any interpretation of Section 215 that would authorize the NSA’s telephone records program is irreconcilable with the plain words of the statute, its manifest purpose, and its role within FISA as a whole.

Even if Section 215 were sufficiently ambiguous to justify an inquiry into congressional intent, the circumstances presented here are unlike any in which the reenactment doctrine has ever been applied — and the differences are pivotal. First, there was no judicial interpretation of Section 215 of which Congress could have been aware in 2010 or 2011: at that time the FISA court had never issued any opinion explaining the legal rationale for the NSA’s program under Section 215, but had merely signed orders authorizing the program. Second, even if the FISA court’s orders, combined with the government’s applications to the court, are viewed as an “interpretation” of Section 215, members of Congress may have been prohibited from reading those orders and those applications (except for members of the intelligence and judiciary committees) by operation of committee rules. Thus, to apply the reenactment doctrine here, Senators and Congressmen must be presumed to have adopted an “interpretation” that they had no ability to read for themselves. Third, even if being apprised of the NSA’s program were equivalent to being made aware of a judicial interpretation of a statute, applying the reenactment doctrine is improper where members of Congress must try to comprehend a secret legal interpretation without the aid of their staffs or outside experts and advocates. That scenario robs lawmakers of a meaningful opportunity to gauge the legitimacy and implications of the legal interpretation in question. Fourth, Congress did not reenact Section 215 at all in 2010 and 2011, but merely delayed its expiration. To our knowledge, no court has applied the reenactment doctrine under a combination of circumstances remotely like this.

Oh, and then there’s this:

Finally, even if Section 215 were ambiguous about whether it authorizes the NSA’s bulk collection of telephone records, and even if the reenactment doctrine could be extended to the novel circumstances presented here, doing so would undermine the ability of the American public to know what the law is, and to hold their elected representatives accountable for their legislative choices. Applying the reenactment doctrine to legitimize the government’s interpretation of Section 215, therefore, is both unsupported by legal precedent and unacceptable as a matter of democratic accountability.

In other words, no, you can’t have secret laws and secret interpretations.

Moving on to the constitutional questions, the PCLOB takes a look at the 4th Amendment and the third party doctrine. Unlike many knee-jerk NSA defenders, the PCLOB notes that there are significant problems with applying the infamous Smith v. Maryland ruling to the bulk metadata collection program:

[Smith v. Maryland] does not provide a good fit for the telephone records program, particularly in light of rapid technological changes and in light of the nationwide, ongoing nature of the program. The NSA’s Section 215 program gathers significantly more information about each telephone call and about far more people than did the pen register surveillance approved in Smith (essentially everyone in the country who uses a phone) and it has collected that data now for nearly eight years without interruption. In contrast, the pen register approved in Smith v. Maryland compiled only a list of the numbers dialed from Michael Lee Smith’s telephone. It did not show whether any of his attempted calls were actually completed — thus it did not reveal whether he engaged in any telephone conversations at all. Naturally, therefore, the device also did not indicate the duration of any conversations. Furthermore, the pen register provided no information about incoming telephone calls placed to Smith’s home, only the outbound calls dialed from his telephone.

The pen register was in operation for no more than two days. And finally, the device recorded only the dialing information of one person: Smith himself. The police had no computerized ability to aggregate Smith’s dialing records with those of other individuals and gain additional insight from that analysis.

In contrast, for each of the millions of telephone numbers covered by the NSA’s Section 215 program, the agency obtains a record of all incoming and outgoing calls, the duration of those calls, and the precise time of day when they occurred. When the agency targets a telephone number for analysis, the same information for every telephone number with which the original number has had contact, and every telephone number in contact with any of those numbers. And, subject to regular program renewal by the FISA court, it collects these records every day, without interruption, and retains them for a five year time period. Sweeping up this vast swath of information, the government has explained, allows the NSA to use “sophisticated analytic tools” to “discover connections between individuals” and reveal “chains of communication” — a broader power than simply learning the telephone numbers dialed by a single targeted individual.

To illustrate the greater scope of the NSA’s program, the pen register discussed in Smith might have shown that, during the time that Michael Lee Smith’s telephone was monitored, he dialed another number three times in a single day. That information could have simply evinced three failed attempts to reach the other number. The NSA’s collection program, however, would show not only whether each attempted call connected but also the precise duration and time of each call. It also would reveal whether and when the other telephone number called Smith and the length and time of any such calls. Because the NSA collects records continuously and stores them for five years, it would be in a position to see how frequently those two numbers contacted each other during the preceding five years and the pattern of their contact. And because the agency would have full access to the calling records of the other telephone number as well, it could examine the activity of that other number and see, for instance, whether it ever communicated with any of the same numbers as Smith over a five-year period, or what numbers it communicated with around the time of its calls with Smith. The agency could then do the same thing for every other number that Smith had communicated with in the past five years, employing what it calls contact-chaining analysis. It could then go further and analyze the complete calling records of every number that was called by any of the numbers that ever communicated with Smith — going three “hops” from the original number.

But, that’s not all. The report (like many others) slams the Supreme Court’s reasoning in Smith, quotes “the leading academic treatise” and even third party doctrine supporter Orin Kerr, highlighting how almost no serious scholar thinks the Supreme Court’s reasoning in Smith v. Maryland makes much sense. It quotes numerous other Supreme Court justices and other courts who find the majority ruling in Smith to be profound nonsense, and a dangerous attack on the 4th Amendment. It then points out why all of those critics were right:

The implications of this all-or-nothing approach to privacy have grown since the 1970s, as Americans increasingly must share personal information with companies in order to avail themselves of services and products that have become typical features of modern living. Another major criticism of the third-party doctrine, which has gained increased salience in light of these developments, challenges the notion that a customer of such companies, simply by “revealing his affairs to another,” truly chooses to risk “that the information will be conveyed by that person to the Government.” This criticism rejects the idea that conducting business that is essential to contemporary life represents a voluntary decision to lay bare the details of one’s habits to governmental scrutiny.

“For all practical purposes,” Justice Brennan observed in his Miller dissent, “the disclosure by individuals or business firms of their financial affairs to a bank is not entirely volitional, since it is impossible to participate in the economic life of contemporary society without maintaining a bank account.”

Moving on to the First Amendment, the PCLOB also notes serious questions about whether or not the bulk metadata collection violates the prohibition on Congress passing laws that infringe on free speech and free association. Citing the NAACP v. Alabama case, which clearly stated that having a government reveal groups and associations would violate the First Amendment, the PCLOB takes issue with the collection of so much metadata that clearly reveals who people associate with:

Although the NSA’s telephone records program does not include an overt disclosure requirement of the type evaluated in such cases as NAACP v. Alabama, its operation similarly results in the compulsory disclosure of information about individuals’ associations to the government. Like the government’s collection of membership lists, its bulk collection of telephone records makes that information available for government analysis and can create a chilling effect on those whose records are being collected.

[….] By indefinitely collecting information about all Americans’ telephone calls, the NSA’s telephone records program clearly implicates the First Amendment freedoms of speech and association. The connections revealed by the extensive database of telephone records gathered under the program will necessarily include relationships established among individuals and groups for political, religious, and other expressive purposes. Compelled disclosure to the government of information revealing these associations can have a chilling effect on the exercise of First Amendment rights.

There’s much more in the report worth reading, but those are many of the highlights. Honestly, much of it could be turned into the legal briefs that could eventually be used in court against the program.

Next up, the PCLOB will be releasing a report looking at Section 702 of the FISA Amendments Act and programs like PRISM that fit under it. I imagine that will be equally interesting.

Filed Under: bulk metadata, civil liberties, pclob, privacy, section 215

2014 Federal Spending Bill Contains Demands For Transparency On NSA Surveillance Programs

from the in-search-of-actual-oversight dept

Hidden in the 1,500+ pages of the $1.1 trillion federal funding bill is a stipulation aimed at giving the NSA’s much-heralded oversight some actual oversight. The wording specifically targets the NSA’s bulk collection programs, and if passed along with the rest of the bill (which is expected to pass shortly), will be the first Congressional action taken against the agency. (There are many, many more in the pipeline.)

Here’s how the accompanying “explanatory statement” breaks it down:

The Director of the National Security Agency (NSA) is directed to provide the following to the congressional intelligence committees, the Senate Committee on the Judiciary, and the House Committee on the Judiciary, not later than 90 days after the enactment of this Act:

1) A report, unclassified to the greatest extent possible, which sets forth for the last five years, on an annual basis, the number of records acquired by the NSA as part of the bulk telephone metadata program authorized by the Foreign Intelligence Surveillance Court, pursuant to section 215 of the USA PATRIOT Act, and the number of such records that have been reviewed by NSA personnel in response to a query of such records. Additionally, this report shall provide, to the greatest extent possible, an estimate of the number of records of United States citizens that have been acquired by NSA as part of the bulk telephone metadata program and the number of such records that have been reviewed by NSA personnel in response to a query.

2) A report, unclassified to the greatest extent possible and with a classified annex if necessary, describing all NSA bulk collection activities, including when such activities began, the cost of such activities, the types of records that have been collected in the past, the types of records that are currently being collected, and any plans for future bulk collection.

3) A report, unclassified to the greatest extent possible and with a classified annex if necessary, listing terrorist activities that were disrupted, in whole or in part, with the aid of information obtained through NSA’s telephone metadata program and whether this information could have been promptly obtained by other means.

The agency has been extremely resistant to the notion of quantifying its bulk collection efforts. The “incidental” collection of American data and communications has been discussed at length, but so far, the agency has refused to offer even an estimate of how much “incidental collection” actually occurs. While it has noted how many RAS-approved numbers it actually searches in its Section 215 database, it has not specified how many of those intersect with wholly domestic communications.

This stipulation goes further than the 215 program, which would add to the body of knowledge needed for Congressional overseers to provide something closer to actual oversight. Much of what’s being collected under other authorities (Section 702, Executive Order 12333) remains somewhat of a mystery. Obviously, the NSA would like it to remain this way, hence its oft-used tactic of purposefully reframing questions about these collections as questions about Section 215.

It’s a small push but it does ask for a level of transparency and accountability the NSA hasn’t experienced to date. The usual “national security” dodge has lost a lot of its effectiveness over the past several months as it’s been repeatedly shown that vast, untargeted metadata collections are next to useless when it comes to preventing terrorist attacks. The other claims that exposing the inner workings will allow the nation’s enemies to route around surveillance are equally weak considering the vast amount of documents Ed Snowden has released to journalists. Chances are, the inner workings will be exposed sooner or later. It would be better to get out ahead of the leaks and allow the Congressional oversight to do its job for a change.

The leaks have exposed the NSA’s true motivations. It doesn’t fear exposure nearly as much as it fears losing any of its surveillance programs, no matter how ineffective they are and how much they add to the problem of too much data.

Filed Under: bulk metadata, congress, nsa, section 215, spending bill, surveillance

NSA Goes From Saying Bulk Metadata Collection 'Saves Lives' To 'Prevented 54 Attacks' To 'Well, It's A Nice Insurance Policy'

from the this-is-why-no-one-trusts-them dept

Want to know why no one trusts anything NSA officials and their defenders have to say any more? When the bulk metadata collection was first revealed, those defenders went on and on about how the program “saved countless lives” and was instrumental in stopping terrorist attacks. Some skeptics then asked what terrorist attacks, and we were told “around 50” though details weren’t forthcoming. Eventually, we were told that the real number was “54 terrorist events” (note: not attacks) and a review of them later revealed that basically none of them were legitimate. There was one “event” prevented via the program on US soil, and it was a taxi driver in San Diego sending some money to a terrorist group in Somalia, rather than an actual terrorist attack.

In fact, both judges and the intelligence task force seemed shocked at the lack of any actual evidence to support that these programs were useful.

And yet, the NSA and its defenders keep insisting that they’re necessary. Director of National Intelligence, James Clapper, a few months ago, tried out a new spin, claiming that effectiveness wasn’t the right metric, but rather “peace of mind.” Of course, the obvious response to that is to point out that spying on everyone makes most of us fairly uneasy, and we’d have a lot more “peace of mind” if they dropped the program.

And now the NSA’s number 2 guy, John C. “Chris” Inglis, who’s about to retire, has given a long interview with NPR, in which he claims that even if the program hasn’t been particularly useful in the past, “it’s a good insurance policy.”

“I’m not going to give that insurance policy up, because it’s a necessary component to cover a seam that I can’t otherwise cover.”

Basically, we want to keep this information because we want that information, even if it’s not been shown to be at all useful. Of course, that’s the same logic one can use to defend just about any violation of the 4th Amendment. Putting a private drone with a camera and a recording device streaming everything it sees and hears while following around NSA deputy director Chris Inglis may not discover that he’s a corrupt bureaucrat willing to lie to the public, but it seems like a reasonable “insurance policy” to make sure he stays honest. After all, without that, the American public can’t prove that he’s not corrupt — so it seems like a reasonable “insurance policy to cover a seam we can’t otherwise cover.” At least, in the logic of Chris Inglis.

Filed Under: bulk metadata, chris inglis, nsa, reforms, surveillance

NSA More Or Less Admits To Spying On Congress

from the of-course-it-does dept

On Friday, we noted that Senator Bernie Sanders had asked the NSA if it spied on members of Congress. He was very explicit in how he defined “spying” such that the NSA couldn’t legitimately deny it — since the definition included collecting metadata on their calls — something the NSA absolutely does. In response to press requests, it appears that the NSA has issued a statement to a variety of publications, basically admitting that of course it spies on Congress, because it collects everyone’s data.

NSA’s authorities to collect signals intelligence data include procedures that protect the privacy of US persons. Such protections are built into and cut across the entire process. Members of Congress have the same privacy protections as all US persons. NSA is fully committed to transparency with Congress. Our interaction with Congress has been extensive both before and since the media disclosures began last June.

We are reviewing Senator Sanders’s letter now, and we will continue to work to ensure that all members of Congress, including Senator Sanders, have information about NSA’s mission, authorities, and programs to fully inform the discharge of their duties.

The key line: “Members of Congress have the same privacy protections as all US persons.” Meaning, basically, that they have no privacy protections when it comes to the NSA collecting data.

Filed Under: bernie sanders, bulk metadata, congress, nsa, surveillance

Judge Says NSA Bulk Metadata Collection Likely Unconstitutional, Issues Injunction

from the stayed-for-appeal dept

Well, this is big, big news. Judge Richard Leon, a judge in the DC district court, has ruled that the NSA’s bulk metadata collection should be stopped as violating the 4th Amendment, though he’s put the ruling on hold, knowing that it will be appealed. This is the first major court ruling concerning the program, and the judge is pretty clear that it’s a 4th Amendment violation even though the FISA court approved it. The case is actually two different cases brought by Larry Klayman, the founder of Freedom Watch, over the NSA’s activities. Here’s the key bit:

The Court finds that it does… have the authority to evaluate plaintiffs’ constitutional challenges to the NSA’s conduct, notwithstanding the fact that it was done pursuant to orders issued by the Foreign Intelligence Surveillance Court (“FISC”). And after careful consideration of the parties’ pleadings and supplemental pleadings, the representations made on the record at the November 18, 2013 hearings regarding these motions, and the applicable law, the Court concludes that plaintiffs have standing to challenge the constitutionality of the Government’s bulk collection and querying of phone record metadata, that they have demonstrated a substantial likelihood of success on the merits of their Fourth Amendment claim, and that they will suffer irreparable harm absent preliminary injunctive relief.

The ruling is worth reading, going through the legal history and details of the program. While it notes that the plaintiffs and the government (not surprisingly) explain the bulk metadata collection very differently, the court says that even if it accepts the government’s explanation, it still likely violates the 4th Amendment. That’s important.

Even while accepting the government’s description of the system, it appears, thankfully, that Judge Leon is not being confused and suckered by the government’s attempt to mislead. For example, in a footnote (21) the judge shows that he completely understands that the NSA is being exceptionally misleading when it implies that within all of that metadata, it’s just looking at fewer than 300 individuals.

After stating that fewer than 300 unique identifiers met the RAS standard and were used as “seeds” to query the metadata in 2012, Ms. Shea notes that “[b]ecause the same seed identifier can be queried more than once over time, can generate multiple responsive records, and can be used to obtain contact numbers up to three ‘hops’ from the seed identifier, the number of metadata records responsive to such queries is substantially larger than 300, but is still a very small percentage of the total volume of metadata records.” (emphasis added). The first part of this assertion is a glaring understatement, while the second is virtually meaningless when placed in context. First, as the sample numbers I have used in the text above demonstrate, it is possible to arrive at a query result in the millions within three hops while using even conservative numbers–needless to say, this is “substantially larger than 300.” After all, even if the average person in the United States does not call or receive calls from 100 unique phone numbers in one year, what about over a five-year period? And second, it belabors the obvious to note that even a few million phone numbers is “a very small percentage of the total volume of metadata records” if the Government has collected metadata records on hundreds of millions of phone numbers.

But it’s also easy to imagine the spiderweb-like reach of the three-hop search growing exponentially and capturing even higher numbers of phone numbers. Suppose, for instance, that there is a person living in New York City who has a phone number that meets the RAS standard and is approved as a “seed.” And suppose this person, who may or may not actually be associated with any terrorist organization, calls or receives calls from 100 unique numbers, as in my example. But now suppose that one of the numbers he calls is his neighborhood Domino’s Pizza shop. The Court won’t hazard a guess as to how many different phone numbers might dial a given Domino’s Pizza outlet in New York City in a five-year period, but to take a page from the Government’s book of understatement, it’s “substantially larger” than the 100 in the second hop of my example, and would therefore most likely result in exponential growth in the scope of the query and lead to millions of records being captured by the third hop.
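The growth that the PCLOB's three-"hop" description and Judge Leon's footnote reason about can be reproduced on a small scale. The following is an added example, not taken from the report, the ruling or the original post: a breadth-first contact chain over constructed call records, using a fan-out of 20 rather than the footnote's 100 to keep it small, with a hypothetical hub number standing in for the pizza shop. All function names and the record layout are assumptions.

```python
import itertools
from collections import defaultdict


def synthetic_records(fanout, hub_callers=0, hops=3):
    """Constructed (caller, callee) records, not real data.

    Number 0 is the seed. Every number dials `fanout` previously unseen
    numbers, down to `hops` levels. If hub_callers > 0, the first number
    the seed dials is a hub (the pizza shop in the ruling's illustration)
    that additionally RECEIVES calls from `hub_callers` other numbers.
    """
    ids = itertools.count(1)
    records, level = [], [0]
    for depth in range(hops):
        next_level = []
        for i, number in enumerate(level):
            contacts = [next(ids) for _ in range(fanout)]
            records += [(number, c) for c in contacts]
            next_level += contacts
            if depth == 1 and i == 0 and hub_callers:
                callers = [next(ids) for _ in range(hub_callers)]
                records += [(c, number) for c in callers]  # incoming calls
                next_level += callers
        level = next_level
    return records


def pen_register_view(records, number):
    """What a Smith-style pen register shows: only the numbers dialed
    from one monitored phone, nothing incoming, nothing about others."""
    return {callee for caller, callee in records if caller == number}


def build_contact_graph(records):
    """Bulk records cover incoming and outgoing calls for every number,
    so contact is symmetric: an edge exists if either side called."""
    graph = defaultdict(set)
    for caller, callee in records:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def contact_chain(graph, seed, max_hops=3):
    """Breadth-first expansion from the seed.

    Returns {hop: set of numbers first reached at that hop}.
    """
    seen, frontier, reached = {seed}, {seed}, {}
    for hop in range(1, max_hops + 1):
        nxt = set()
        for number in frontier:
            nxt |= graph.get(number, set()) - seen
        seen |= nxt
        reached[hop] = nxt
        frontier = nxt
    return reached


def hop_sizes(fanout, hub_callers=0):
    """Count of distinct numbers pulled in at hops 1, 2 and 3."""
    graph = build_contact_graph(synthetic_records(fanout, hub_callers))
    reached = contact_chain(graph, seed=0)
    return [len(reached[h]) for h in (1, 2, 3)]


if __name__ == "__main__":
    print("pen register on seed:",
          len(pen_register_view(synthetic_records(20), 0)), "numbers")
    print("3-hop chain, no hub:  ", hop_sizes(20))
    print("3-hop chain, with hub:", hop_sizes(20, hub_callers=1000))
```

Without a hub the three hops reach fanout, fanout² and fanout³ numbers; a single hub among the seed's contacts adds its callers to the second hop, and each of them then contributes a full fan-out of their own to the third.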

Judge Leon is also well aware of the newly declassified rulings from FISC judges Walton and Bates detailing regular and drastic non-compliance by the NSA. While Judge Leon does admit to lacking jurisdiction over claims that the program violates the Administrative Procedures Act, it’s the constitutional questions that are the big ones, and he does not shy away there. He notes that the FISA law does not include an expressed right of judicial review — but neither does it bar it. And, since Congress “should not be able to cut off a citizen’s right to judicial review of… Government action simply because it intended for conduct to remain secret,” he finds that the court has the authority to rule on the constitutional issues.

On the question of standing (where the government often wins since individuals can’t prove they’ve been spied on), the court sides with the plaintiffs — noting that there’s strong evidence to suggest their info has, in fact, been collected.

First, as to the collection, the Supreme Court decided Clapper just months before the June 2013 news reports revealed the existence and scope of certain NSA surveillance activities. Thus, whereas the plaintiffs in Clapper could only speculate as to whether they would be surveilled at all, plaintiffs in this case can point to strong evidence that, as Verizon customers, their telephony metadata has been collected for the last seven years (and stored for the last five) and will continue to be collected barring judicial or legislative intervention…. In addition, the Government has declassified and authenticated an April 25, 2013 FISC Order signed by Judge Vinson, which confirms that the NSA has indeed collected metadata from Verizon.

Judge Leon further mocks the Government’s attempts to argue no standing, noting that their own arguments appear to contradict themselves:

Straining mightily to find a reason that plaintiffs nonetheless lack standing to challenge the metadata collection, the Government argues that Judge Vinson’s order names only Verizon Business Network Services (“VBNS”) as the recipient of the order, whereas plaintiffs claim to be Verizon Wireless subscribers. The Government obviously wants me to infer that the NSA may not have collected records from Verizon Wireless (or perhaps any other non-VBNS entity, such as AT&T and Sprint). Curiously, the Government makes this argument at the same time it is describing in its pleadings a bulk metadata collection program that can function only because it “creates an historical repository that permits retrospective analysis of terrorist-related communications across multiple telecommunications networks, and that can be immediately accessed as new terrorist-associated telephone identifiers come to light.”

[….] Put simply, the Government wants it both ways. Virtually all of the Government’s briefs and arguments to this Court explain how the Government has acted in good faith to create a comprehensive metadata database that serves as a potentially valuable tool in combating terrorism–in which case the NSA must have collected metadata from Verizon Wireless, the single largest wireless carrier in the United States, as well as AT&T and Sprint, the second and third-largest carriers…. Yet in one footnote, the Government asks me to find that plaintiffs lack standing based on the theoretical possibility that the NSA has collected a universe of metadata so incomplete that the program could not possibly serve its putative function. Candor of this type defies common sense and does not inspire confidence!

In terms of the actual constitutional analysis, Judge Leon directly takes on the issue of metadata collection in Smith v. Maryland, the key case that the NSA and its defenders repeatedly rely on to insist that there are no 4th Amendment rights in information stored by third parties. Judge Leon notes that the issue here is very different.

The question before me is not the same question that the Supreme Court confronted in Smith. To say the least, “whether the installation and use of a pen register constitutes a ‘search’ within the meaning of the Fourth Amendment,” … — under the circumstances addressed and contemplated in that case–is a far cry from the issue in this case.

Indeed, the question in this case can more properly be styled as follows: When do present-day circumstances–the evolutions in the Government’s surveillance capabilities, citizens’ phone habits, and the relationship between the NSA and telecom companies–become so thoroughly unlike those considered by the Supreme Court thirty-four years ago that a precedent like Smith simply does not apply? The answer, unfortunately for the Government, is now.

From there, he relies on the US v. Jones case, which we’ve discussed extensively as well, in which the court found that attaching a GPS device to a car could be a 4th Amendment violation. He notes there that the court similarly looked at the differences in that case as compared to a previous precedent, and notes that the same situation likely applies here, vis-a-vis comparisons to Smith:

For the many reasons discussed below, I am convinced that the surveillance program before me is so different from a simple pen register that Smith is of little value in assessing whether the Bulk Telephony Metadata Program constitutes a Fourth Amendment search. To the contrary, for the following reasons, I believe that bulk telephony metadata collection and analysis almost certainly does violate a reasonable expectation of privacy.

He then goes into a detailed and thorough dismantling of Smith and why it clearly doesn’t apply to this program — noting how Smith was a very limited data collection, rather than a “collect it all” process. He even refers to the current program as “Orwellian.” Furthermore, he implicates the close relationship between the NSA and the telcos, noting that this is entirely different from Smith, where police made a specific request to the telcos to turn over specific information — rather than the telcos automatically handing over all info for the NSA to keep.

It’s one thing to say that people expect phone companies to occasionally provide information to law enforcement; it is quite another to suggest that our citizens expect all phone companies to operate what is effectively a joint intelligence-gathering operation with the Government.

Finally, he points out that the amount of metadata in question is significantly more detailed and revealing than what was captured in the Smith case:

…the ubiquity of phones has dramatically altered the quantity of information that is now available and, more importantly, what that information can tell the Government about people’s lives…. Put simply, people in 2013 have an entirely different relationship with phones than they did thirty-four years ago.

In this, it appears that Judge Leon was convinced by Ed Felten’s declaration which, as we noted, went into great detail about how much metadata could reveal about a person today.

In the end, he says that Smith is simply the wrong case:

In sum, the Smith pen register and ongoing NSA Bulk Telephony Metadata Program have so many significant distinctions between them that I cannot possibly navigate these uncharted Fourth Amendment waters using as my North Star a case that predates the rise of cell phones…. As I said at the outset, the question before me is not whether Smith answers the question of whether people can have a reasonable expectation of privacy in telephony metadata under all circumstances. Rather, the question that I will ultimately have to answer when I reach the merits of this case someday is whether people have a reasonable expectation of privacy that is violated when the Government, without any basis whatsoever to suspect them of any wrongdoing, collects and stores for five years their telephony metadata for purposes of subjecting it to high-tech querying and analysis without any case-by-case judicial approval.

Finally, in looking at the government’s insistence that the program is necessary, Judge Leon is not convinced. He notes examples of them saying it can help them do their job faster, but none of it is actually stopping an attack. In fact, he notes that for all the talk of doing the job faster, there’s not been a single shred of evidence presented that it helped stop an imminent attack, where that kind of speed would matter. In fact, he notes, “none of the three ‘recent examples’ cited by the Government [for the need for this program] involved any apparent urgency.” In short, Judge Leon is calling the government’s bluff. Their only reason for needing the program is the speed it provides, but then they present no evidence of any cases where that speed was important.

Thus, the end result is an injunction against the metadata collection, but recognizing the inevitable appeal, that injunction is stayed pending appeal. This is a very good decision, but this is just the beginning.

Filed Under: 4th amendment, bulk metadata, larry klayman, metadata, nsa, patriot act, richard leon, section 215, smith v. maryland, standing, surveillance