NSA Makes Pitch For Section 702 Approval While Its 702 Requests Aren't Being Approved By The Court

from the all-perfectly-lawful,-all-running-into-issues-during-approval dept

Section 702 -- the statute that allows the NSA to collect internet communications and data in bulk -- is up for renewal at the end of this year. The NSA, thanks to Ed Snowden, faced more of an uphill battle than usual when renewing Section 215 (bulk metadata collections). For the first time in its existence, the NSA ended up with a compromise (the USA Freedom Act), rather than a straight renewal.

The Intelligence Community appears to be trying to get out ahead of straight renewal opponents. The Office of the Director of National Intelligence has released a Section 702 Q&A at millennial watering hole Tumblr. By returning its own soft serve questions with canned talking points, the ODNI is hoping to show just how lawful its upstream collection is.

It also hopes to obscure something that's been around since the 2008 FISA Amendments Act: backdoor searches. Other government agencies have had the ability to peruse the NSA's collections, which were ostensibly gathered solely for national security use. The FBI is the most frequent backdoor searcher, seeing as it has rebranded as a counterterrorism unit over the past several years, which has allowed it to expand its surveillance capabilities and increase exploitation of the NSA's data stores.

The ODNI's Q&A document sort of admits this, but tries to downplay the implications of allowing a domestic law enforcement agency free access to national security-focused surveillance intake.

The government’s minimization procedures restrict the ability of analysts to query the databases that hold “raw” Section 702 information (i.e., where information identifying a U.S. person has not yet been minimized for permanent retention) using an identifier, such as a name or telephone number, that is associated with a U.S. person. Generally, queries of raw content are only permitted if they are reasonably designed to identify foreign intelligence information, although the FBI also may conduct such queries to identify evidence of a crime. As part of Section 702’s extensive oversight, DOJ and ODNI review the agencies’ U.S. person queries of content to ensure the query satisfies the legal standard. Any compliance incidents are reported to Congress and the FISC.

It still sort of sounds like a backdoor search, even with supposed strict oversight, but the ODNI adds a footnote claiming it isn't:

Queries of Section 702 data using U.S. person identifiers are sometimes mischaracterized in the public discourse as “backdoor searches.”

Oh, that crazy "public discourse." Won't it get anything right? Here's Emptywheel's Marcy Wheeler to explain what the ODNI won't.

While it’s true that NSA and CIA minimization procedures impose limits on when an analyst can query raw data for content (but not for metadata at CIA), that’s simply not true at FBI, where the primary rule is that if someone is not cleared for FISA themselves, they ask a buddy to access the information. As a result — and because FBI queries FISA data for any national security assessment and “with some frequency” in the course of criminal investigations. In other words, partly because FBI is a domestic agency and partly because it has broader querying authorities, it conduct a “substantial” number of queries as opposed to the thousands done by CIA.

Wheeler goes on to point to the Privacy and Civil Liberty Oversight Board's (RIP) report on Section 702 as evidence of this common FBI practice. While the PCLOB mostly punted on Section 702, finding it to be less blatantly-unconstitutional than the Section 215 program, it still found the FBI perused raw NSA collections quite frequently, both for foreign intelligence information and evidence of criminal activity. The PCLOB was unable to assess how frequently these "none dare call it a backdoor" searches occurred because the FBI has no way of tracking how often it dips into the NSA's collections. With no data and no reporting, it's pretty disingenuous to claim there's effective oversight over the Section 702 program.

Marcy Wheeler also noticed something unusual in the brand new FISC Section 702 report -- newly-required by the USA Freedom Act. According to the numbers released by the FISA Court, zero 702 applications were approved in 2016.

Wheeler points out the process for Section 702 approval runs much like that of Section 215, with applications either being approved by the FISA court or sent back for fixes. Once approved, extensions can be requested, but only for up to 60 days at a time. As she notes, the last 702 submission wouldn't have been able to coast through 2016 without a renewal.

The prior approval before last year was November 6, 2015, so it would only have had to have been extended 2 months to get into this year. So that seems to suggest there was at least a three month (application time plus extension) delay in approving the certifications for this year.

Note, too, that the report shows the only amicus appointed last year was Marc Zwillinger for a known PRTT application, so this hold up wasn’t even related to an amicus complaint.

In any case, this may reflect significant issues with 702.

The Snowden documents -- along with some from other unidentified leakers -- generated far more scrutiny of Section 702 than the NSA has ever experienced. It's not tough to imagine at least a couple of FISA judges being surprised with the scope of what they were approving. The number of submissions is redacted, but the footnote attached makes it clear the government submitted more than one application. This span with zero approvals dates back to the middle of last year, so it's been a bit of a dry run for the NSA.

The NSA has run into issues before with Section 702, the last time being in 2011, when the FISA court found the "upstream collection" of internet data to be "deficient on constitutional and statutory grounds." The NSA obtained extensions and apparently modified the order until it reached the FISA court's standards. This long delay between approvals could suggest the NSA is back in constitutionally-deficient waters, which definitely isn't where it wants to be as the program heads for renewal.

Filed Under: fisa court, fisc, mass surveillance, nsa, section 702, surveillance

Oh, Sure, Now Congress Is Serious About Asking NSA About Surveillance On Americans

from the about-freaking-time,-goodlatte dept

For many, many years, Senator Ron Wyden has been directly asking the US intelligence community a fairly straightforward question (in his role as a member of the Senate Intelligence Committee): just how many Americans are having their communications swept up in surveillance activities supposedly being conducted on foreigners under the FISA Amendments Act (FISA being Foreign Intelligence Surveillance Act). Wyden started asking way back in 2011 and got no answers. His continued questioning in 2013 resulted in Director of National Intelligence James Clapper lying to Congress in a public hearing, which Ed Snowden later claimed was a big part of the inspiration to make him leak documents to the press.

Just last month, we noted that Wyden had renewed his request for an accurate depiction of how many Americans have had their communications swept up, this time asked to new Director of National Intelligence, Dan Coats. Unfortunately, for all these years, it's basically felt like Senator Wyden tilting at a seeming windmill, with many others in Congress basically rolling their eyes every time the issue is raised. I've never understood why people in Congress think that these kinds of things can be ignored. There have been a few attempts by others -- notably on the House Judiciary Committee -- to ask similar questions. Almost exactly a year ago, there was a letter from many members of the HJC, and there was a followup in December. But, notably, while there were a number of members from both parties on that letter, the chair of the House Judiciary Committee, Bob Goodlatte, did not sign the letter, meaning that it was unlikely to be taken as seriously.

Suddenly, though, it seems that the ins-and-outs of Section 702, and how the "incidental" information it collects on Americans is used has taken on a much wider interest, following President Trump's misleading suggestion that President Obama tapped his phone lines, and some Trump supporters trying to twist typical 702 surveillance to justify those remarks. Either way, if that leads people to actually look at 702, that may be a good result out of a stupid situation. And, thus, we get to this surprising moment, in which Goodlatte has actually sent a similar letter to Coats (along with ranking member John Conyers) asking about the impact of 702 surveillance on Americans. And since (for reasons that are beyond me) Reuters refuses to link to the actual source materials, you can read the full letter here or embedded below.

The letter demands an answer by April 24th. And, yes, it's notable that Goodlatte has signed on, because Section 702 is up for reauthorization at the end of the year, and if Goodlatte is not on board with reauthorization, then the NSA is going to have some difficulty in getting it through.

You have described reauthorization of Section 702 as your "top legislative priority." Although Congress designed this authority to target non-U.S. persons located outside of the United States, it is clear that Section 702 surveillance programs can and do collect information about U.S. persons, on subjects unrelated to counterterrorism. It is imperative that we understand the size of this impact on U.S. persons as our Committee proceeds with the debate on reauthorization.

The letter then even points to Coats' response to Wyden during Coats' confirmation hearing that he was "going to do everything I can to work with Admiral Rogers in NSA to get you that number." Of course, back in December, it was said that the intelligence community might finally deliver that number... in January. And it's now April. Still, with Goodlatte finally taking an interest in this, it's a sign that the NSA can't just coast by and continue to completely ignore this.

Filed Under: bob goodlatte, dan coats, fbi, fisa amendments act, house judiciary committee, nsa, ron wyden, section 702, surveillance

Once Again, Senator Wyden Wants To Know How Many Americans Are Being Surveilled By The NSA

from the why-is-this-so-difficult dept

Many people seem to forget that before Ed Snowden came along, Senator Ron Wyden was beating the drum in Congress about how the NSA was abusing Section 702 of the FISA Amendments Act to spy on Americans. Here's a story we did back in 2011 concerning Wyden raising concerns about the failure of the Director of National Intelligence to say how Section 702 was being used on Americans. Even earlier in 2011, we wrote about then Director of National Intelligence, James Clapper, refusing to answer this question, saying that "it is not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed."

Wyden kept up a series of similar requests, famously leading to the 2013 hearing in which Wyden directly asked Clapper about whether or not information was being collected on Americans and Clapper flat out lied. Snowden himself has credited that particular exchange as playing a big role in convincing him to leak documents.

Fast forward to now. Last week, Senator Wyden sent a letter to incoming Director of National Intelligence* Dan Coats, once again asking how many Americans are having their communications watched under Section 702 of the FISA Amendments Act (which, again, is supposed to be used for foreign intelligence, but which we now know is regularly used to do surveillance on Americans).

I and other members of Congress have been seeking an answer to this question since 2011. We posed the question again in the context of the reauthorization of Section 702 in 2012. It is now central to the debate this year over the reauthorization of the program, which you have described as your "top legislative priority."

As Wyden notes:

The lack of information on the extent to which Americans' communications have been collected under Section 702 is relevant not just to the question of whether Section 702 should be reauthorized, but to what reforms may be needed. For example, the government is currently authorized to conduct warrentless queries for Americans' communications collected under Section 702. Without data on the number of Americans' communications available to government, it is impossible to know the full extent to which these queries intrude on the privacy and constitutional rights of Americans.

Wyden was hoping to get an answer to this question, prior to Coats' being voted in. That, of course, did not happen. However, Wyden gave one of his big speeches about this issue:

In it, he calls out these issues quite clearly:

But I want it understood that the reason that I’m going through this background is that I believe the American people deserve a fully informed debate about the Foreign Intelligence Surveillance Act reauthorization. You cannot have that debate — you cannot ensure that the American people have security and liberty unless you know the impact of section 702 of that bill on the constitutional rights of law-abiding Americans.

So for six years, Mr. President, in this body Democrats and Republicans — in the other body, Democrats and Republicans — have been asking the same question: How many law-abiding Americans are having their communications swept up in all of this collection?

Without even an estimate of this number, I don’t think it’s possible to judge what section 702 means for the core liberties of law-abiding Americans.

Without this information, the Congress can’t make an informed decision about whether to reauthorize section 702 or what kind of reforms might be necessary to ensure the protection of the individual liberties of innocent Americans.

There's a lot more in the nearly 50-minute speech (the transcript is in the link above). But it's truly incredible that the executive branch refuses to give Congress this information that it needs for oversight:

Mr. President, how many law-abiding Americans — innocent, law-abiding Americans are getting swept up in these searches? It will be an increasingly important issue, as the nature of telecommunications companies continues to change because it is now a field that is globally interconnected. We don’t have telecommunications systems just stopping at national borders.

So getting the number of Americans whose communications have been collected in the first place is the prerequisite to doing real oversight on this law and doing our job at a time when it is being reauthorized and the American people want both security and liberty and understand that the two are not mutually exclusive. So, Director Clapper then suggested reviewing the classified number of targets that were later determined to be located in the United States. But the question has never been about the targets of section 702, although the mistaken targeting of Americans and the people in our country is another serious question.

The question that Democrats and Republicans have been asking is about how many Americans are being swept up by a program that, according to the law, is supposed to only target foreigners overseas. So let me repeat that. That’s what the law says. The Foreign Intelligence Surveillance Act says that the targets are supposed to be foreigners overseas. And Democrats and Republicans want to know how many law-abiding Americans who might reside in Alaska or Oregon or anywhere else are getting swept up in these searches. So this bipartisan coalition has kept asking.

Wyden goes on to explain how many in the intelligence community are misleading the public on how broad the powers and searches under Section 702 really are. He even highlights the claims that some have made that anyone against 702 must be part of a "bad guy caucus." But the issue is that, as currently used, Section 702 can and likely is being used to broadly conduct warrantless surveillance on Americans:

I’ve heard my colleagues on the other side talk frequently. Well, you know, if law-abiding Americans are having their communications swept up, we shouldn’t get all concerned about that because this array of Americans’ communications is being minimized, and somehow that means that it’s not getting out. It’s being hidden. That’s not what necessarily happens.

To begin with, all that collection does not stay at the National Security Agency. All the e-mails collected through the PRISM component of section 702 go to several other agencies, including the C.I.A. and the F.B.I. Then you have those three agencies in particular authorized to conduct searches through all the data for communications that are to, from, or about Americans. Look for an American’s name, telephone number, e-mail address, even a key word or phrase. They can do that without any warrant. There doesn’t have to be even a suspicion, even a suspicion that an American is engaged in any kind of wrongdoing.

The F.B.I.’s authorities are even broader. The F.B.I. can also conduct searches for communications that are to, from, or about an American to seek evidence of a crime. Unlike the National Security Agency and the Central Intelligence Agency, the F.B.I. doesn’t even report how many searches for Americans it’s conducting. Moreover, neither the F.B.I. Nor the C.I.A. Reports on the number of searches for Americans it conducts using metadata collected under section 702.

Now, the authority to conduct searches for Americans’ communications in section 702 data is new. Before 2011, the FISA court prohibited, prohibited queries for U.S. persons. I’m going to repeat that: Under the Bush Administration and the first two years of the Obama Administration, it was not possible to conduct these back-door, warrantless searches of law-abiding Americans. Then the Obama Administration sought to change the rules and obtained authority to conduct them.

In April, 2014, the Director of National Intelligence in response to questions from myself and Senator Mark Udall publicly acknowledged these warrantless searches, and my June, the House voted overwhelmingly to prohibit them. That prohibition didn’t become law, but I can tell you it’s sure going to be considered in the context of this reauthorization, and the House voted overwhelmingly, overwhelmingly to prohibit these warrantless searches. So the question really is what exactly is the privacy impact of these warrantless searches for Americans?

There's a lot more in the speech as well, but this post is getting to be long enough. Unfortunately, of course, the speech will get little attention. It's not the exciting sort of political football that cable news likes to cover. There's no partisan horse race element to it. It's just the kind of thing that impacts the basic Constitutional rights of all Americans. And, apparently, only a few people actually seem to care about it -- and none of them seem to be in roles where they can stop this kind of 4th Amendment violation from happening again.

* Clapper, astoundingly, was never fired or otherwise punished for lying to Congress, and only left at the beginning of this year with the change in administrations.

Filed Under: 4th amendment, dan coats, fisa amendments act, james clapper, nsa, ron wyden, section 702

Judge In Twitter Lawsuit Over Surveillance Disclosure Dings DOJ For Cut-And-Paste Legal Argument

from the government-control-c dept

As you will hopefully recall, there is an ongoing case between Twitter and the government over exactly how specific or not the social media service can be regarding the number of government surveillance requests it receives. Most of the rest of the big internet companies reached a settlement with the DOJ, including rules how specific companies could be (not very) in revealing such requests. Those rules basically were an attempt by the government to get tech companies to play hide-the-ball on transparency issues, in which the more specific a service attempted to be about how many individuals would be impacted by government orders, the more additional orders had to be lumped into those specifics, rendering the information useless.

Twitter, to its credit, was alone in saying that the proposed settlement wasn't good enough, and continued its fight with the DOJ. Essentially, the fight is over whether Twitter can be specific when it discloses how many orders it has received, or whether it must only disclose "bands" or ranges of orders. Recent arguments made by both sides do a nice job of highlighting the absurdity of the government's argument.

Twitter has argued that just as it has been precise in other areas of its transparency report, so too should it be allowed to say how many national security orders it has received from American authorities.

"Even under the most generous First Amendment standard, there is nothing in there that it is a national security harm to say that we received 44 as opposed to 0 to 499," Lee Rubin, a lawyer representing Twitter, said during the Tuesday hearing.

In court filings, DOJ lawyers have said that allowing Twitter to provide this specific level of information would be detrimental to national security. This assertion is according to a declaration filed by Michael Steinbach, the executive assistant director of the national security branch of the FBI, where he argued that "the disclosure of the information at issue would provide our adversaries a clear picture of the Government’s surveillance activities pertaining to national security investigations."

The DOJ has been conditioned through the acceptance of the argument by far too many courts, as well as the court of public opinion, to simply shout "national security" at any challenge to disclosing anything at all. And that's what it's doing here, as well. So much so, in fact, that the judge presiding over the case pointed out that the legal filings the DOJ had offered didn't address any of the specifics Twitter was arguing.

During the Tuesday hearing, US District Judge Yvonne Gonzalez Rogers, an Obama-appointed judge, seemingly rebuked the government at one point and noted that its legal responses did not directly address Twitter’s arguments. "The analysis that has been provided to the court is generic to any company," she said, explaining that there was "nothing in here that is specific to Twitter.

"If I had five different cases, one by Twitter, one my Microsoft, one by Facebook and all the other groups that do this social media stuff that none of us judges do, [Steinbach] could have taken this exact same declaration and cut and paste the declaration, switched out the names of the company and I would have the same generic explanation for why it is that the government wants to do what it wants to do."

There's no ruling yet, although one is expected in the coming months. Still, it doesn't look good to have the judge dinging the DOJ for failing to address Twitter's argument that there is no national security risk in disclosing a specific number of NSLs it receives, as opposed to a range. Perhaps more importantly, it's refreshing to see a challenge to the longstanding tradition of the government being able to simply shout "national security!" at any attempt at transparency to make it go away.

Filed Under: disclosure, doj, first amendment, nsls, section 702, surveillance
Companies: twitter

James Clapper's Office To Finally Reveal NSA's 'Incidental Collection' Numbers

from the and-only-a-half-decade-since-it-was-first-asked! dept

Prior to the Snowden leaks making it unignorable, the NSA denied the incidental collection of Americans' communications was much of a problem. Ron Wyden and Mark Udall were two of the few members of the NSA's oversight willing to ask tough questions. One of the questions they asked -- all the way back in 2011 -- was how many Americans were spied on by the NSA's programs. The answer may shock you cause uncontrollable eyerolling.

What's never made sense is why the feds simply refuse to admit how many Americans they've spied on under the law. In the past, the Director of National Intelligence has basically told Wyden and Udall that he wouldn't answer because he didn't want to. But the latest answer really takes the insanity to stunning new levels. As initially revealed at Wired, the NSA has refused to answer claiming that, not only would it be too much work to figure it out, but that figuring it out would violate the privacy of Americans.

It's a terrible answer. But it's still better than the one the ODNI gave the senators earlier. Basically, James Clapper said it would be difficult to give the senators the information they sought because the NSA really didn't want to hand over that information. Not "difficult" in the technical sense, but "difficult" in the "no desire to" sense.

A leaked document showed the NSA didn't think incidental collection was a big deal. Slides from an internal presentation told analysts such collections were inevitable and not to worry about the reporting collected US persons' communications to the Inspector General. Hence why the Inspector General felt it might take a bit of effort to collect this information: it never had collected or received this information previously.

As the re-up for Section 702 approaches, legislators are taking a renewed interest in these still-unrevealed numbers. And Clapper's office has decided to comply:

"The timely production of this information is incredibly important to informed debate on Section 702 in the next Congress— and, without it, even those of us inclined to support reauthorization would have reason for concern," said the letter signed by 11 lawmakers, all members of the House Judiciary Committee.

The letter was sent on Friday to National Intelligence Director James Clapper. It said his office and National Security Agency (NSA) officials had already briefed congressional staff about how the intelligence community intends to comply with the disclosure request.

There are more specifics to this, which make it more useful than the normal publicized internal memo swap. First, the legislators want this expressed in real numbers, not a meaningless percentage of the total Section 702 take. Second, the letter serves to "memorialize" Clapper's agreement to not only hand over these numbers to legislators, but to the public as well.

This data should contain everyone swept up by PRISM or the NSA's upstream collection -- the latter of which pulls communications directly from domestic internet backbones. The upstream collection has no targets. Instead, it grabs everything it can (including audio communications) it can and sorts through it for targeted terms, as well as anything related to the targeted terms NSA analysts add to the filter.

The potential for incidental collection in either program is huge. So it may actually involve a bit of effort to collect this data. Of course, the effort put into this may also involve making the final numbers a bit more palatable by applying internal rules as to what should or shouldn't be considered an incidental collection. Just as certainly as NSA collections are laundered (via parallel construction) before being introduced in court, one should expect the final incidental collection numbers to be purged of anything that might make them larger than the IC would like to admit publicly.

Filed Under: james clapper, mass surveillance, nsa, odni, ron wyden, section 702, surveillance

Convicted FBI Sting Target Challenges Investigation, Domestic Surveillance; Ends Up With Nothing

from the entrapment-will-continue-until-national-security-improves dept

The Ninth Circuit Court of Appeals has upheld [PDF] a terrorism conviction, despite its own concerns about the government's behavior during the investigation. (h/t Brad Heath)

Mohamed Osman Mohamud appealed his conviction for attempting to detonate a bomb during a Christmas tree lighting ceremony in Portland, Oregon, raising several arguments -- one of those being entrapment. But the court had this to say about the FBI's sting operation.

The panel held that the district court properly rejected Mohamud’s defense of entrapment as a matter of law. The panel could not say that no reasonable jury could have concluded that Mohamud was predisposed to commit the charged offense. Rejecting Mohamud’s alternative argument that the case should be dismissed because the government overreached in its “sting,” the panel wrote that while the government’s conduct was quite aggressive at times, it fell short of a due process violation.

As we've noted here before, courts have given the government plenty of leeway in its investigations. Entrapment is a popular defense but even the DEA's predilection for setting up desperate rubes to rob fake stash houses (and asking for sentences based on imaginary quantities of nonexistent drugs) has seldom been troubled by defendants' challenges. The courts have also ordained much, much more questionable tactics, like the FBI's creation of a child porn catalog it mailed to sting targets -- even going so far as to "fulfill" the recipients' orders. This predated the FBI's current courtroom difficulties resulting from its stint as the administrators of a seized child porn website, which it kept operational for two weeks while it deployed its hacking tool.

Mohamud's experience with the FBI began in an unlikely way: with a phone call to the agency from his parents.

His father begged him to stay in the United States, but Mohamud told him it was too late—he had his passport, visa, and ticket ready to go. When his parents confirmed that his passport was missing, they feared that Mohamud might return to Somalia, his place of birth. And when they could not reach Mohamud, they called the FBI and asked an agent to stop their son from leaving the country. Eventually, Mohamud’s mother got in touch with her son, scolded him, and brought him home. Mohamud did not actually have a visa or plane ticket, and he returned his passport to his parents.

A few days later, Mohamud’s father called the FBI agent back and told him that Mohamud had agreed to finish college and would not leave the country until he graduated. He also explained that his son had wanted to go to Yemen to study Arabic and Islam. Mohamud’s father forwarded the FBI an email from his son about a school in Yemen, which allowed the FBI to identify Mohamud as the user of the truthbespoken email account.

Using that email account, the FBI began looking into Mohamud. One of the investigative tools it utilized was communications collected by the NSA's Section 702 program. The use of these communications was also challenged by Mohamud.

The FBI's initial impression of Mohamud, after being contacted by his parents, was that he was no threat -- just a mixed-up college kid going through some ideological growing pains. But rather than leave him alone and let his parents keep an eye on him, the FBI decided to make him a sting target. Its first attempt went nowhere. Communications between Mohamud and "Bill Smith" tapered off as Mohamud apparently tried to shift his focus back to his studies.

The FBI kept going. It sent two more informants after Mohamud to determine how serious he was about participating in a terrorist attack. Mohamud seemed enthusiastic about the idea, but the details and funding all came from the undercover agents. This makes it seem unlikely Mohamud would have done anything on his own. Worse, the FBI took a tip from Mohamud's parents and rather than steer him away from terroristic leanings, it decided to turn him into a sting target.

Still, there was no entrapment, according to both courts who have reviewed the case. Mohamud showed his own inclination to commit terroristic acts -- both in terms of previous writings and statements made to undercover agents. Combined with the courts' deference to the means and methods of investigative agencies, Mohamud's entrapment defense fails.

The Section 702 evidence similarly has no effect on Mohamud's conviction. This evidence was introduced belatedly by the government, but the Appeals Court finds its late arrival wasn't prejudicial to Mohamud's defense. It's interesting that it showed up late, considering the government always had access to it. There appears to have been plenty of behind-the-scenes discussion within the government as to whether or not it actually wanted to use this "702-derived" evidence in court.

The introduced 702 evidence poses no Fourth Amendment concerns according to the Ninth Circuit.

Although § 702 potentially raises complex statutory and constitutional issues, this case does not. As explained below, the initial collection of Mohamud’s email communications did not involve so-called “upstreaming” or targeting of Mohamud under § 702, more controversial methods of collecting information. It also did not involve the retention and querying of incidentally collected communications. All this case involved was the targeting of a foreign national under § 702, through which Mohamud’s email communications were incidentally collected.

What Fourth Amendment concerns exist, the court seems barely troubled by them. It trusts the government has procedures in place to minimize incidentally-collected communications and, in any case, would scale back the Fourth Amendment's protections to make room for more national security.

However, the mere fact that more communications are being collected incidentally does not make it unconstitutional to apply the same approach to § 702 collection, though it does increase the importance of minimization procedures once the communications are collected.

[...]

The panel held that Foreign Intelligence Surveillance Court-approved targeting and minimization procedures, which were followed in practice, sufficiently protected Mohamud’s privacy interest, in light of the government’s compelling interest in national security.

The court sums everything up this way -- implying that it's still not altogether comfortable with the government's decision to steer an impressionable person down the path towards terrorism, rather than pull him back, especially when the originating tip was a call from concerned parents.

Many young people think and say alarming things that they later disavow, and we will never know if Mohamud—a young man with promise—would have carried out a mass attack absent the FBI’s involvement. But some “promising” young people—Charles Whitman, Timothy McVeigh, and James Holmes, to name a few from a tragically long list—take the next step, leading to horrific consequences. While technology makes it easier to capture the thoughts of these individuals, it also makes it easier for them to commit terrible crimes. Here, the evidence supported the jury’s verdict, and the government’s surveillance, investigation, and prosecution of Mohamud were consistent with constitutional and statutory requirements.

Marcy Wheeler -- covering Mohamud's sentencing two years ago -- sums it up this way, pointing out that the FBI and other government agencies seem more willing to blow taxpayer cash on mostly-pointless prosecution rather than do anything that might actually counter violent extremism.

So 5 years after Mohamud’s father called the FBI, asking them to help divert his son from his interest in Islamic extremism, the government put Mohamud away for the better part of the rest of his life. Even assuming Mohamud only serves two-thirds of his sentence and pretending inflation doesn’t exist, taxpayers will pay $678,600 to incarcerate Mohamud, on top of the money spent on his 4-year prosecution and the at-least 18 months of informants and undercover officers pursuing the then-teenager.

[...]

If the US can’t imagine a better response when a father calls for help but to spend 18 months catching his son a sting, we can roll out CVE [countering violent extremism] programs every other month and we’re not going to earn trust among the communities we need to.

Engaging with communities seems to rarely be an option -- whether it's the FBI or local police department with a long track record of discriminatory policing. Turning the most impressionable members of these communities into informants or sting targets seems to be the only thing the FBI's actually willing to do, which doesn't seem to be having much of an effect on worldwide terrorism.

Filed Under: 9th circuit, fbi, fisc, mohamud osman mohamed, own plot, section 702, sting operation, surveillance

Appeal Court Revives Lawyer's Lawsuit Against The NSA's Email Dragnet

from the tossed-back-for-another-look dept

Another lawsuit against the NSA has been revived. Previously dismissed by a district court for lack of standing, attorney Elliott Schuchardt's suit against the NSA for its domestic surveillance has been remanded back to the court that tossed it.

Like several other surveillance lawsuits, Schuchardt's springs from the Snowden leaks. Unlike some of the others, it doesn't focus on the NSA's phone metadata collection -- the subject of the first Snowden leak. Instead, his challenges the constitutionality of the NSA's Section 702 collection. With this program, the NSA apparently collects not just metadata on electronic communications, but also the content.

The Appeals Court found the leaks themselves provide enough evidence to make Schuchardt's allegations plausible -- or at least strong enough to survive the government's motion to dismiss. From the opinion [PDF]:

Based on the record he had compiled, Schuchardt’s second amended complaint alleged that because the Government was “intercepting, monitoring and storing the content of all or substantially all of the e-mail sent by American citizens,” his own online communications had been seized in the dragnet. App. 82, 95–99 (emphasis added). In particular, Schuchardt asserted that he was “a consumer of various types of electronic communication, storage, and internet services,” including “the e-mail services provided by Google and Yahoo; the internet search services of Google; the cloud storage services provided by Google and Dropbox; [and] the e-mail and instant message services provided by Facebook.” App. 95–96. Then, relying on the operational details of PRISM made public by the Washington Post and Guardian, he alleged that: (1) the Government “had obtained direct access to the servers” of the companies providing him with these services; (2) the Government was “unlawfully intercepting, accessing, monitoring and/or storing [his] private communications . . . made or stored through such services”; and (3) the Government was “collecting such information in order to ‘data mine’ the nation’s e-mail database.”

The government responded to the cited leaks by citing the PCLOB's report on its PRISM program. First, the government claimed Section 702 only authorized the collection of communications by people outside of the US. Pointing to the oversight report, the government also claimed PRISM wasn't a dragnet, but rather a targeted program.

Based on its review, the PCLOB determined that “[i]n PRISM collection, the government . . . sends selectors—such as an email address—to a United Statesbased electronic communications service provider,” who is then by law “compelled to give the communications sent to or from that selector to the government.” PCLOB Report at 33. Far from being the dragnet that Schuchardt had alleged, therefore, “PRISM collection under Section 702 may be targeted only at non-U.S. persons located abroad who possess or are likely to receive foreign-intelligence information.”

In reviving the suit, the Appeals Court isn't deciding whether the government assertions about the PRISM program are correct, but rather whether Schuchardt's allegations are sufficient to further explore the issue in court.

The Government strenuously disputes the plausibility of Schuchardt’s assertion that PRISM collects “all or substantially all of the e-mail sent by American citizens,” and we address that dispute in detail below. But putting aside for the moment the question of whether Schuchardt’s allegations concerning PRISM are entitled to a presumption of truth, the consequences that he identifies as flowing from the Government’s alleged dragnet are undoubtedly personal to him insofar as he has a constitutional right to maintain the privacy of his personal communications, online or otherwise.

So, the finding is encouraging, if very limited. The court notes that the order encompasses only a very small part of Schuchardt's allegations.

Our decision today is narrow: we hold only that Schuchardt’s second amended complaint pleaded his standing to sue for a violation of his Fourth Amendment right to be free from unreasonable searches and seizures. This does not mean that he has standing to sue, as the Government remains free upon remand to make a factual jurisdictional challenge to Schuchardt’s pleading.

More encouraging is the time spent by the court examining the submitted documents -- leaks provided to the Washington Post and The Guardian -- which point to the possibility that PRISM is more dragnet than targeted collection program, even though the government claims otherwise.

None of this guarantees Schuchardt or anyone else will learn anything new about the NSA's Section 702 collections. The Appeals Court reminds the lower court that the plaintiff is not automatically entitled to discovery in this case, considering its subject matter, and invites the government to use its favorite excuse to make sure its collection techniques stay under wraps.

Finally, nothing in our opinion should be construed to preclude the Government from raising any applicable privileges barring discovery—including the state secrets doctrine—or to suggest how the District Court should rule on any privilege the Government may choose to assert.

It's not incredibly encouraging, but at least the court didn't decide the attorney had no standing to sue. That's the problem with secret surveillance lawsuits. There's zero chance any individual will be able to prove their communications have been swept up by the NSA, but most courts aren't even willing grant plaintiffs the possibility of further exploring even plausible claims of constitutional injury.

Filed Under: elliott schchardt, mass surveillance, nsa, section 702, surveillance

No Matter Who's Elected, Surveillance Powers And Programs Unlikely To Be Scaled Back

from the sorry-constituents,-but-your-concerns-aren't-a-priority dept

The New York Times editorial board speculates on where we're going from here following President Obama's not-doing-much-until-forced-to approach to surveillance and surveillance reform. Two candidates -- neither of them improvements -- are roughly a month away from one of them taking the nation's top office. As the Times' board points out, there's not much in it for anyone hoping the incoming White House will push forward with more reform efforts or better oversight.

The Republican nominee, Donald Trump, has not substantively addressed any of these issues. But he has proposed draconian, unconstitutional measures to keep the nation safe, including carrying out surveillance of mosques and creating a database of Muslims. This is offensive and outrageous. “We’re going to have to do certain things that were frankly unthinkable a year ago,” he said last November.

Hillary Clinton has been more measured in discussing surveillance and encryption. Her campaign has suggested creating a national commission to explore legal and practical questions surrounding encryption. Mrs. Clinton has also said she would like to foster a more constructive relationship with Silicon Valley leaders, who have often been reluctant to collaborate with intelligence agencies. But she has been troublingly vague on specifics.

The Times is far too kind to Clinton. (No one really needs to rehash Trump's inability to form coherent sentences when discussing policy…) Clinton may be more measured, but what she has discussed suggests a return to form when Obama exits office. A return to GEORGE W. BUSH form, really -- basically another 4-8 years of post-2001 fear-based legislating, like her predecessor engaged in.

After the attack in Orlando, Clinton joined Trump in calling for expanded watchlists and denial of Constitutional rights to those placed on them. She has occasionally hinted at vague surveillance reform, but has also made it clear Snowden should hop on the next plane home and spend some time in prison. She has also suggested tech companies partner with the government to create backdoors in encryption -- but in an imaginary "safe" way that won't threaten their customers' security. And she's made it clear that deploying the military is a perfectly acceptable response to state-led cyberattacks.

Either way the election goes, the surveillance business will remain as usual. This is troubling, due to the fact that Section 702 -- which authorizes the NSA's internet backbone-based surveillance dragnet PRISM -- is up for renewal at the end of next year. With recent revelations about Yahoo's very proactive surveillance assistance generating some interesting questions about what the NSA can or can't do under this authority, it would be nice to have someone in the White House that would amplify these concerns, rather than help drown them out.

Filed Under: donald trump, election, hillary clinton, mass surveillance, nsa, section 702, surveillance

Yahoo Issues Tone Deaf Non-Denial Denial Of Email Scanning Report

from the blink-twice-if-you're-being-forced-to-say-this dept

After basically all the big tech companies have come out with strong and clear denials, Yahoo this morning released a silly mealy mouthed non-denial denial, written by a PR firm, that took almost 24 hours to craft:

Good morning –

We are reaching out on behalf of Yahoo regarding yesterday’s Reuters article. Yahoo said in a statement:

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”

Best,

The Joele Frank Team

Of course, people are parsing every word of that and noting some... remaining questions. The article is misleading? Okay, how? Which parts? What did it get wrong? You narrowly interpret every government request? Great. So explain what was found here, or explain the specifics of what Yahoo is doing. "Does not exist on our systems"? Did it ever? Does it exist on someone else's system? Does a different mail scanning system exist? Lots of people would like to know.

More importantly, note that they say they want to minimize disclosures. But that's not the key issue here, as Chris Soghoian points out. The Reuters report was on the searching of all emails, not the disclosure bit. Yes, sure, it seems clear that after searching everyone's email, Yahoo likely only "disclosed" a small number to the NSA, but that's not really the point, is it?

I mean, I guess this statement is better than Yahoo's original: "Yahoo is a law abiding company, and complies with the laws of the United States" statement. But, it's not very reassuring. Much more important is what Yahoo could have said, but didn't. But that's not happening. Yahoo has said that it "can't comment further" which either means it doesn't want to comment further or, potentially, that it feels it is legally barred from commenting any further -- which is certainly a possibility (though a disturbing one).

The NSA or the Director of National Intelligence could help clear this up, but so far they're going all Glomar on any questions: And that alone should be a giant warning sign to any tech company that decides not to fight these kinds of demands: when it inevitably leaks to the public (and it will), the intelligence community will let you hang out to dry all by yourself.

Filed Under: email, mass surveillance, non-denial denial, nsa, scanning, section 702
Companies: yahoo

Basically All Big Tech Companies Deny Scanning Communications For NSA Like Yahoo Is Doing

from the getting-more-interesting dept

So, the big story yesterday was clearly the report that Yahoo had secretly agreed to scan all email accounts for a certain character string as sent to them by the NSA (or possibly the FBI). There has been lots of parsing of the Reuters report (and every little word can make a difference), but there are still lots of really big questions about what is actually going on. One big one, of course, is whether or not other tech companies received and/or complied with similar demands. So it seems worth nothing that they've basically all issued pretty direct and strenuous denials to doing anything like what Yahoo has been accused of doing.

Twitter initially gave a "federal law prohibits us from answering your question" answer -- and a reference to Twitter's well documented lawsuit against the US government over its desire to reveal more details about government requests for info. However, it later clarified that it too was not doing what Yahoo was doing and had never received such a request. Microsoft's response was interesting in that it says it's not doing what Yahoo is, but refused to say if it had ever received a demand to do so. Google said it had never received such a request and would refuse to comply if it had. Facebook has also denied receiving such a request, and, like Google, says it would fight against complying. This still leaves lots of unanswered questions about why Yahoo gave in. Again, historically, Yahoo had been known to fight against these kinds of requests, which makes you wonder what exactly was going on here.

Former GCHQ infosecurity guy Matt Tait has one of the more more interesting threads about this news, arguing (in some ways) that it's both less and more than everyone is making it out to be. His basic argument is that this is an expansion of the PRISM program to include "about" targets. This has been discussed in the past, but under PRISM, the NSA could give tech companies "selectors" in the form of specific addresses and the companies were compelled to hand over emails "to" or "from" them -- but according to the PCLOB's report on the Section 702 program it did not include anyone emailing "about" the selector. Upstream collections (i.e., tapping the backbones from folks like AT&T) did include "about" selectors (and this information also flowed into other areas, enabling so called backdoor searches. And, as I speculated yesterday, Tait says that this latest news appears to be Yahoo now agreeing to use "about" selectors on its emails, which means that it's still part of PRISM, with a massive expansion.

Tait then notes that if James Clapper wants to clear this up, he should state publicly whether or not "about" collection is a part of PRISM. And if that's the case, he should also explain when and why PRISM was expanded to include this. But, of course, Clapper and the Intelligence Community tend not to want to explain very much of anything, leaving lots of people in the dark.

And, frankly, that's stupid. The Intelligence Community thinks that this keeps "bad guys" on edge, not knowing what's safe and what's not. But that's dumb. They mostly know to use more encrypted/secret means of communication when they need to. Instead, what you end up with is keeping the public on edge and not trusting services. I can almost guarantee that one of the early comments on this post will be some of you insisting that all the companies denying doing this are flat out lying. I don't agree with that, because the companies don't have a history of outright lying on things like this, but the way the NSA and other parts of the US government have repeatedly tried to pressure them and gag them, it's much tougher to take anything at face value any more. And that's not good for anyone.

Filed Under: about collection, about selectors, mass surveillance, nsa, prism, section 702, upstream
Companies: facebook, google, microsoft, twitter, yahoo