Tattoo it on your forearm—or better, that of your favorite legislator—for easy reference in the next debate over wiretapping: government surveillance is a security breach—by definition and by design. The latest evidence of this comes from Germany, where there’s growing furor over a hacker group’s allegations that government-designed Trojan Horse spyware is not only insecure, but packed with functions that exceed the limits of German law:

On Saturday, the CCC (the hacker group) announced that it had been given hard drives containing “state spying software,” which had allegedly been used by German investigators to carry out surveillance of Internet communication. The organization had analyzed the software and found it to be full of defects. They also found that it transmitted information via a server located in the United States. As well as its surveillance functions, it could be used to plant files on an individual’s computer. It was also not sufficiently protected, so that third parties with the necessary technical skills could hijack the Trojan horse’s functions for their own ends. The software possibly violated German law, the organization said.

Back in 2004–2005, software designed to facilitate police wiretaps was exploited by unknown parties to intercept the communications of dozens of top political officials in Greece. And just last year, we saw an attack on Google’s e-mail system targeting Chinese dissidents, which some sources have claimed was carried out by compromising a backend interface designed for law enforcement.

Any communications architecture that is designed to facilitate outsider access to communications—for all the most noble reasons—is necessarily more vulnerable to malicious interception as a result. That’s why technologists have looked with justified skepticism on periodic calls from intelligence agencies to redesign data networks for their convenience. At least in this case, the vulnerability is limited to specific target computers on which the malware has been installed. Increasingly, governments want their spyware installed at the switches—making for a more attractive target, and more catastrophic harm in the event of a successful attack.

The Lives of Others 2.0 is a post from Cato @ Liberty - Cato Institute Blog

Since this spring’s blink-and-you-missed-it debate over reauthorization of several controversial provisions of the Patriot Act, Senators Ron Wyden (D-OR) and Mark Udall (D-CO) have been complaining to anyone who’d listen about a “Secret Patriot Act“—an interpretation of one of the law’s provisions by the classified Foreign Intelligence Surveillance Court granting surveillance powers exceeding those an ordinary person would understand to be conferred from the text of the statute itself. As I argued at the time, there is an enormous amount of strong circumstantial evidence suggesting that this referred to a “sensitive collection program” involving cell phone location tracking—potentially on a mass scale—using Patriot’s “Section 215″ or “business records” authority.

Lest anyone think they’d let the issue drop, Wyden and Udall last week released a sharply-worded letter to Attorney General Eric Holder, blasting the Justice Department for misleading the public about the scope of the government’s surveillance authority. The real audience for an open letter of this sort, of course, is not the nominal recipient, but rather the press and the public. Beyond simply reminding us that the issue exists, the letter confirms for the first time that the “secret law” of which the senators had complained does indeed involve Section 215. But there are some additional intriguing morsels for the attentive surveillance wonk.

The letter focuses particularly on “highly misleading” statements by Justice Department officials analogizing Section 215 powers to grand jury subpoenas. “As you know,” Wyden and Udall write, “Section 215 authorities are not interpreted in the same way that grand jury subpoena authorities are, and we are concerned that when Justice Department officials suggest that the two authorities are ‘analogous’ they provide the public with a false understanding of how surveillance law is interpreted in practice.”

Now, this is a little curious on its face. Ever since the original debate over the passage of the Patriot Act, its defenders have tried to claim that a variety of provisions allowing the FBI to more easily obtain sensitive records and documents were no big deal, because grand juries have long enjoyed similarly broad subpoena powers. The comparison has been specious all along: grand juries are an arm of the judicial branch designed (at leas in theory) to serve as a buffer between the power of prosecutors and the citizenry. It exists for the specific purpose of determining whether grounds for a criminal indictment exist, and is granted those broad subpoena powers precisely on the premise that it is not just another executive branch investigative agency. To argue, then, that it would make no difference if the FBI or the police could secretly exercise the same type of authority is to miss the point of how our system of government is meant to work in a pretty stunning way. It’s akin to suggesting that, since juries can sentence people to life in prison, it would be no big deal to give the president or the director of the FBI the same power.

That’s not what Wyden and Udall are stressing here, however. Rather, they seem to be suggesting that the scope of the 215 authority itself has been secretly interpreted in a way that goes beyond the scope of the grand jury subpoena power. Now that ought to be striking, because the grand jury’s power to compel the production of documents really is quite broad. Yet, what Wyden and Udall appear to be suggesting is that there is some kind of limit or restriction that does apply to grand jury subpoenas, but has been held by the secret court not to apply to Section 215 orders. One possibility is that the FISC may have seen fit to issue prospective 215 orders, imposing an ongoing obligation on telecommunications companies or other recipients to keep producing records related to a target as they’re created, rather than being limited to records and documents already in existence. But given the quantity of evidence that already suggests the “Secret Patriot Act” involves location tracking, I find it suggestive that the very short list of specific substantive limits on grand jury subpoena power in the U.S. Attorneys’ Manual includes this:

It is improper to utilize the grand jury solely as an investigative aid in the search for a fugitive in whose testimony the grand jury has no interest. In re Pedro Archuleta, 432 F. Supp. 583 (S.D.N.Y. 1977); In re Wood, 430 F. Supp. 41 (S.D.N.Y. 1977), aff’d sub nom In re Cueto, 554 F.2d 14 (2d Cir. 1977). … Since indictments for unlawful flight are rarely sought, it would be improper to routinely use the grand jury in an effort to locate unlawful flight fugitives.

As the manual makes clear, the constraints on the power of the grand jury generally are determined by its purpose and function, but locating subjects for the benefit of law enforcement (rather than as a means of securing their testimony before the grand jury) is one of the few things so expressly and specifically excluded. Could this be what Wyden and Udall are obliquely referring to?

On a possibly related note, the Director of National Intelligence’s office sent Wyden and Udall a letter back in July rebuffing his request for information about the legal standard governing geolocation tracking by the intelligence community. While refusing to get into specifics, the letter explains that “there have been a diverse set of rulings concerning the quantum of evidence and the procedures required to obtain such evidence.” Now, a bit of common sense here: it is inconceivable that any judge on the secret court would not permit cell phone geolocation tracking of a target who was the subject of a full-blown FISA electronic surveillance warrant based on probable cause. There would be no “diversity” if the intelligence agencies were uniformly using only that procedure and that “quantum of evidence.” This claim only makes sense if the agencies have sought and, under some circumstances, obtained authorization to track cell phones pursuant to some other legal process requiring a lower evidentiary showing. (Again, you would not have “diversity” if the court had consistently responded to all such requests with: “No, get a warrant.”)

The options here are pretty limited, because the Foreign Intelligence Surveillance Act only provides for a few different kinds of orders to be issued by the FISC. There’s a full electronic surveillance warrant, requiring a probable cause showing that the target is an “agent of a foreign power.” There’s a warrant for physical search, with the same standard, which doesn’t seem likely to be relevant to geotracking. The only other real options are so-called “pen register” orders, which are used to obtain realtime communications metadata, and Section 215. Both require only that the information sought be “relevant” to an ongoing national security investigation. For pen registers, the applicant need only “certify” that this is the case, which leaves judges with little to do beyond rubber-stamping orders. Section 215 orders require a “statement of facts showing that there are reasonable grounds” to think the information sought is “relevant,” but the statute also provides that any records are automatically relevant if they pertain to a suspected “agent of a foreign power,” or to anyone “in contact with, or known to” such an agent, or to the “activities of a suspected agent of a foreign power who is the subject of [an] authorized investigation.” The only way there can logically be “a diverse set of rulings” about the “quantum of evidence and the procedures required” to conduct cell phone location tracking is if the secret court has, on at least some occasions, allowed it under one or both of those authorities. Perhaps ironically, then, this terse response is not far short of a confirmation.

In criminal investigations, as I noted in a previous post, the Justice Department normally seeks a full warrant in order to do highly accurate, 24-hour realtime location, though it is not clear they believe this is constitutionally required. With a court order for the production of records based on “specific and articulable facts,” they can get call records generally indicating the location of the nearest cell tower when a call was placed—a much less precise and intrusive form of tracking, but one that is increasingly revealing as providers store more data and install ever more cell towers. For realtime tracking that is less precise, they’ll often seek to bundle a records order with a pen register order, to create a “hybrid” tracking order. Judges are increasingly concluding that these standards do not adequately protect constitutional privacy interests, but you’d expect a”diverse set of rulings” if the FISC had adopted a roughly parallel set of rules—except, of course, that the standards for the equivalent orders on the intelligence side are a good deal more permissive. The bottom line, though, is that this makes it all but certain the intelligence agencies are secretly tracking people—and potentially large numbers of people—who it does not have probable cause to believe, and may not even suspect, are involved in terrorism or espionage. No wonder Wyden and Udall are concerned.

Stalking the Secret Patriot Act is a post from Cato @ Liberty - Cato Institute Blog

Want to understand a big chunk of what Washington, D.C. does? Learn about “moral panic.”

Moral panic is a dynamic in the political and media spheres in which some threat to social order—often something taboo—causes a response that goes far beyond meeting the actual threat. It’s a socio-political stampede, if you will. You might be surprised to learn how easily stampeded your society is.

Take a look at H.R. 1981, the Protecting Children from Internet Pornographers Act of 2011. It’s got everything: porn, children, the Internet. And it’s got everything: financial services providers dragooned into law enforcement, data retention requirements heaped on Internet service providers, expanded “administrative subpoena” authority. (Administrative subpoenas are an improvisation to accommodate the massive power of the bureaucracy, and they’ve become another end-run around the Fourth Amendment. If it’s “administrative” it must be reasonable, goes the non-thinking…)

This isn’t a bill about child predation. It’s a bald-faced attack on privacy and limited government. Congress can move legislation like this, even in the era of the Tea Party movement, because child predation is a taboo subject. The inference is too strong in too many minds that opposing government in-roads on privacy is somehow supporting child exploitation. Congress and its allies use taboos to cow the populace into accepting yet more government growth and yet more surveillance.

I’m not turned to mush by taboos, so the question I’m most interested in having asked at tomorrow’s hearing on the bill in the House Judiciary Committee is: “Under what theory of the Commerce Clause is this bill within the power of the federal government?”

Moral Panic and Your Privacy is a post from Cato @ Liberty - Cato Institute Blog

The New York Times‘s Charlie Savage reports that the FBI is preparing to release a new Domestic Investigations and Operations Guide (DIOG), further relaxing the rules governing the Bureau’s investigation of Americans who are not suspected of any wrongdoing.

This comes just three years after the last major revision of FBI manual, which empowered agents to employ a broad range of investigative techniques in exploratory “assessments” of citizens or domestic groups, even in the absence of allegations or evidence of wrongdoing, which are needed to open an “investigation.” The FBI assured Congress that it would conduct intensive training, and test agents to ensure that they understood the limits of the new authority—but the Inspector General found irregularities suggestive of widespread cheating on those tests.

Agents can already do quite a bit even without opening an “assessment”: They can consult the government’s own massive (and ever-growing) databases, or search the public Internet for “open source” intelligence. If, however, they want to start digging through state and local law enforcement records, or plumb the vast quantities of information held by commercial data aggregators like LexisNexis or Acxiom, they currently do have to open an assessment. Again, that doesn’t mean they’ve got to have evidence—or even an allegation—that their target is doing anything illegal, but it does mean they’ve got to create a paper trail and identify a legitimate purpose for their inquiries. That’s not much of a limitation, to be sure, but it does provide a strong deterrent to casual misuse of those databases for personal reasons. That paper trail means an agent who might be tempted to use government resources for personal ends—to check up on an ex or a new neighbor—has good reason to think twice.

Removing that check means there will be a lot more digging around in databases without any formal record of why. Even though most of those searches will be legitimate, that makes the abuses more likely to get lost in the crowd. Indeed, a series of reports by the Inspector General’s Office finding “widespread and serious misuse” of National Security Letters, noted that lax recordkeeping made it extremely difficult to accurately gauge the seriousness of the abuses or their true extent—and, of course, to hold the responsible parties accountable. Moreover, the most recent of those reports strongly suggests that agents engaged in illegal use of so-called “exigent letters” resisted the introduction of new records systems precisely because they knew (or at least suspected) their methods weren’t quite kosher.

The new rules will also permit agents to rifle through a person’s garbage when conducting an “assessment” of someone they’d like to recruit as an informant or mole. The reason, according to the Times, is that “they want the ability to use information found in a subject’s trash to put pressure on that person to assist the government in the investigation of others.” Not keen into being dragooned into FBI service? Hope you don’t have anything embarrassing in your dumpster! Physical surveillance squads can only be assigned to a target once, for a limited time, in the course of an assessment under the current rules—that limit, too, falls by the wayside in the revised DIOG.

The Bureau characterizes the latest round of changes as “tweaks” to the most recent revisions. That probably understates the significance of some of the changes, but one reason it’s worrying to see another bundle of revisions so soon after the last overhaul is precisely that it’s awfully easy to slip a big aggregate change under the radar by breaking it up into a series of “tweaks.”

We’ve seen such a move already with respect to National Security Letters, which enable access to a wide array of sensitive financial, phone, and Internet records without a court order—as long as the information is deemed relevant to an “authorized investigation.” When Congress massively expanded the scope of these tools under the USA Patriot Act, legislators understood that to mean full investigations, which must be based on “specific facts” suggesting that a crime is being committed or that a threat to national security exists. Just two years later, the Attorney General’s guidelines were quietly changed to permit the use of NSLs during “preliminary” investigations, which need not meet that standard. Soon, more than half of the NSLs issued each year were used for such preliminary inquiries (though they aren’t available for mere “assessments”… yet).

The FBI, of course, prefers to emphasize all the restrictions that remain in place. We’ll probably have to wait a year or two to see which of those get “tweaked” away next.

FBI’s New Guidelines Further Loosen Constraints on Monitoring is a post from Cato @ Liberty - Cato Institute Blog

Barack Obama’s AutoPen has signed another four-year extension of three Patriot Act powers, but one silver lining of this week’s lopsided battle over the law is that mainstream papers like The New York Times have finally started to take note of the growing number of senators who have raised an alarm over a “secret interpretation” of Patriot’s “business records” authority (aka Section 215). It would appear to be linked to a “sensitive collection program” referenced by a Justice Department official at hearings during the previous reauthorization debate—one that would be disrupted if 215 orders were restricted to the records of suspected terrorists, their associates, or their “activities” (e.g., large purchases of chemicals used to make bombs). Naturally, lots of people are starting to wonder just what this program, and the secret interpretation of the law that may be associated with it, are all about.

All we can do is speculate, of course: only a handful of legislators and people with top-secret clearances know for sure. But a few of us who closely monitor national security and surveillance issues have come to the same conclusion: it probably involves some form of cellular phone geolocation tracking, potentially on a large scale. The evidence for this is necessarily circumstantial, but I think it’s fairly persuasive when you add it all up.

First, a bit of background. The recent fiery floor speeches from Sens. Wyden and Udall are the first time widespread attention has been drawn to this issue—but it was actually first broached over a year ago, by Sen. Richard Durbin and then-Sen. Russ Feingold, as I point out in my new paper on Patriot surveillance. Back in 2005, language that would have required Section 215 business record orders to pertain to terror suspects, or their associates, or the “activities” of a terror group won the unanimous support of the Senate Judiciary Committee, though was not ultimately included in the final reauthorization bill. Four years later, however, the Justice Department was warning that such a requirement would interfere with that “sensitive collection program.” As Durbin complained at the time:

The real reason for resisting this obvious, common-sense modification of Section 215 is unfortunately cloaked in secrecy. Some day that cloak will be lifted, and future generations will ask whether our actions today meet the test of a democratic society: transparency, accountability, and fidelity to the rule of law and our Constitution.

Those are three pretty broad categories of information—and it should raise a few eyebrows to learn that the Justice Department believes it routinely needs to get information outside its scope for counterterror investigations. Currently, any record asserted to be “relevant” to an investigation (a standard so low it’s barely a standard) is subject to Section 215, and records falling within those three categories enjoy a “presumption of relevance.” That means the judges on the secret Foreign Intelligence Surveillance Court lack discretion to evaluate for themselves whether such records are really relevant to an investigation; they must presume their relevance. With that in mind, consider that the most recent report to Congress on the use of these powers shows a record 96 uses of Section 215 in 2010, up from 22 the previous year. Perhaps most surprisingly though, the FISC saw fit to “modify” (which almost certainly means “narrow the scope of”) 42 of those orders. Since the court’s discretion is limited with respect to records of suspected terrorists and their associates, it seems probable that those “modifications” involved applications for orders that sweep more broadly. But why would such records be needed? Hold that thought.

Fast forward to this week. We hear Sen. Wyden warning that “When the American people find out how their government has secretly interpreted the Patriot Act, they will be stunned and they will be angry,” a warning echoed by Sen. Udall. We know that this surprising and disturbing interpretation concerns one of the three provisions that had been slated for sunset. Lone Wolf remains unused, so that’s out, leaving roving wiretaps and Section 215. In the context of remarks by Sens. Feingold and Durbin, and the emphasis recently placed on concerns about Section 215 by Sen. Udall, the business records provision seems like a safe bet. By its explicit terms, that authority is already quite broad: What strained secret interpretation of it could be surprising to both legislators and the general public, but also meet with the approval of the FISC and the Office of Legal Counsel?

For one possible answer, look to the criminal context, where the Department of Justice has developed a novel legal theory, known as the “hybrid theory,” according to which law enforcement may do some types of geolocation tracking of suspects’ cellular phones without obtaining a full-blown probable cause warrant. The “hybrid theory” involves fusing two very different types of surveillance authority. “Pen registers” allow the monitoring, in real time, of the communications “metadata” from phones or other communications devices (phone numbers dialed, IP addresses connected to). For cellular phones, that “metadata” would often make it possible to pinpoint at least approximately—and, increasingly, with a good deal of precision, especially in urban areas—the location of the user. Federal law, however, prohibits carriers from disclosing location information “solely” pursuant to a pen register order. Another type of authority, known as a 2703(d) order, is a bit like Patriot’s business records authority (though only for telecommunications providers), and is used to compel the production of historical (as opposed to real-time/prospective) records, without any exclusion on location information. The Justice Department’s novel theory—which I discussed at a recent Cato event with Sen. Wyden on geolocation tracking—is that by bundling these two authorities in a new kind of combination order, they can do real-time geolocation tracking without the need to obtain a full Fourth Amendment warrant based on probable cause. Many courts have been skeptical of this theory and rejected it—but at least some have gone along with this clever bit of legal origami. Using the broad business records power of Patriot’s Section 215 in a similar way, to enable physical tracking of anyone with a cellphone, would seem to fit the bill, then: certainly surprising and counterintuitive, not what most people think of when we talk about “obtaining business records,” but nevertheless a maneuver with a legal track record of convincing some courts.

Now, consider that Sen. Wyden has also recently developed a concern with the practice of mobile location tracking, which has become so popular that the U.S. Marshall Service, now the federal government’s most prolific (known) user of pen register orders, of which it issued over 6,000 last year, employs the “hybrid theory” to obtain location information by default with each such order. Wyden has introduced legislation that would establish standards for mobile location tracking, which has two surprising and notable feature. First, while the location tracking known to the public all involves criminal investigations subject to the Electronic Communications Privacy Act (ECPA), that’s not where Wyden’s bill makes its primary modifications. Instead, the key amendments are made directly to the Foreign Intelligence Surveillance Act—which language is then incorporated by reference into ECPA. Second, even though one section establishes the “exclusive means” for geolocation tracking, the proposal goes out of its way to additionally modify the FISA pen register provision and the Section 215 business records provision to explicitly prohibit their use to obtain geolocation information—as though there is some special reason to worry about those provisions being used that way, requiring any possible ambiguity to be removed.

Sen. Udall, meanwhile, always uses the same two examples when he talks about his concerns regarding Section 215: he warns about “unfettered” government access to “business records ranging from a cell phone company’s phone records to an individual’s library history,” even when the records relate to people with no connection to terrorism.  The reference to libraries is no surprise, because the specter of Section 215 being used to probe people’s reading habits was raised so insistently by librarians that it became common to see it referenced as the “library provision.” The other example is awfully specific though: he singles out cell phone records, even though many types of sensitive phone records can already be obtained without judicial oversight using National Security Letters. But he doesn’t just say “phone records”—it’s cell phone records he’s especially concerned about. And where he talks about “an individual’s” library records, he doesn’t warn about access to “an individual’s” cell phone records, but rather the company’s records.  As in, the lot of them.

Tracking the location of suspected terrorists, and perhaps their known associates, might not seem so objectionable—though one could argue whether Section 215′s “relevance” standard was sufficient, or whether a full FISA electronic surveillance warrant (requiring a showing of probable cause) would be a more appropriate tool. But that kind of targeted tracking would not require broad access to records of people unconnected to terror suspects and their known associates, which is hinted at by both Sen. Udall’s remarks and the high rate of modifications imposed on Section 215 orders by the FISA court. Why might that be needed in the course of a geolocation tracking program?

For a possible answer, turn to the “LocInt” or “Location Intelligence” services marketed to U.S. law enforcement and national security clients by the firm TruePosition. Among the capabilities the company boasts for its software (drawn from both its site and a 2008 white paper the company sponsored) are:

● the ability to analyze location intelligence to detect suspicious behavioral patterns,
● the ability to mine historical mobile phone data to detect relationships between people, locations, and events,
● TruePosition LOCINT can mine location data to find out if the geoprofile of a prepaid phone matches the geoprofile of a potential threat and identify it as such, and
● leveraging location intelligence, officials can identify mobile phones of interest that frequently communicate with each other, or are within close proximity, making it easier to identify criminals and their associates. [Emphasis added.]

Certainly one can see how these functions might be useful: terrorists trained in counterintelligence tactics might seek to avoid surveillance, or identification of co-conspirators, by communicating only in person. Calling records would be useless for revealing physical meetings—but location records are another story. What these functions have in common, however, is that like any kind of data mining, they require access to a large pool of data, not just the records of a known suspect. You can find out who your suspect is phoning by looking at his phone records. But if you want to know who he’s in close physical proximity to—with unusual frequency, and most likely alone—you need to sift through everyone’s phone location records, or at any rate a whole lot of them.  The interesting thing is, it’s not obvious there’s any legal way to actually do all that: full-fledged electronic surveillance warrants would be a non-starter, since they require probable cause for each target. But clearly the company expects to be able to sell these capabilities to some government entity. The obvious candidate is the FBI, availing itself of the broad authority of Section 215—perhaps in combination with FISA pen registers when the tracking needs to happen in real time.

As a final note of interest, the Office of the Inspector Generals’ reports on National Security Letter contain numerous oblique references to “community of interest [REDACTED]” requests. Traditional “community of interest” analysis means looking at the pattern of communications of not just the primary suspect of an investigation, but their whole social circle—the people the suspect communicates with, and perhaps the people they in turn communicate with, and so on. Apparently the fact that the FBI does this sort of traditional CoI analysis is not considered secret, because that phrase remains unredacted. What, then, could that single omitted word be? One candidate that would fit in the available space is “location” or “geolocation”—meaning either location tracking of people called by the suspect or perhaps the use of location records to build a suspect’s “community of interest” by “identify[ing] mobile phones…within close proximity” to the suspects. The Inspector General reports cover the first few years following passage of the Patriot Act, before an opinion from the Office of Legal Counsel held that NSLs could not properly be used to obtain the full range of communications metadata the FBI had been getting under them. If NSLs had been used for location-tracking information prior to that 2008 opinion, it would likely have been necessary to rely on Section 215 past that point, which would fit the timeline.

Is all of that conclusive? Of course not; again, this is speculation. But a lot of data points fit, and it would be quite surprising if the geolocation capabilities increasingly being called upon for criminal investigations were not being used for intelligence purposes. If they are, Section 215 is the natural mechanism.

Even if I’m completely wrong, however, the larger point remains: while intelligence operations must remain secret, a free and democratic society is not supposed to be governed by secret laws—and substantive judicial interpretations are no less a part of “the law” than the text of statutes. Whatever power the government has arrogated to itself by an “innovative” interpretation of the Patriot Act, it should be up to a free citizenry to consider the case for it, determine whether it is so vital to security to justify the intrusion on privacy, and hold their representatives accountable accordingly. Instead, Congress has essential voted blind—reauthorizing powers that even legislators, let alone the public, do not truly understand. Whether it’s location tracking or something else, this is fundamentally incompatible with the preconditions of both democracy and a free society.

Atlas Bugged: Why the “Secret Law” of the Patriot Act Is Probably About Location Tracking is a post from Cato @ Liberty - Cato Institute Blog

This morning, the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law had a hearing entitled: “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy.”

Among the witnesses was Deputy Assistant Attorney General Jason Weinstein from the Department of Justice’s Criminal Division. Weinstein made a gallingly Orwellian pitch: If you want privacy protection, increase government surveillance.

From his written statement:

ISPs may choose not to store IP records, may adopt a network architecture that frustrates their ability to track IP assignments and network transactions back to a specific account or device, or may store records for only a very short period of time. In many cases, these records are the only evidence that allows us to investigate and assign culpability for crimes committed on the Internet. In 2006, forty-nine Attorneys General wrote to Congress to express “grave concern” about “the problem of insufficient data retention policies by Internet Service Providers.”

Without more customer data retention by ISPs, and without greater government access to this data, the government won’t be able to prosecute crimes, some of which threaten privacy, Weinstein said in his spoken comments.

So there you have it. Turn more data over to the government so we can protect your privacy. War is peace. Freedom is slavery.

Want Privacy? Increase Government Surveillance! is a post from Cato @ Liberty - Cato Institute Blog

San Francisco’s Entertainment Commission will soon be considering a jaw-dropping attack on privacy and free assembly. Here are some of the rules the Commission may adopt for any gathering of people expected to reach 100 or more:

3. All occupants of the premises shall be ID Scanned (including patrons, promoters, and performers, etc.). ID scanning data shall be maintained on a data storage system for no less than 15 days and shall be made available to local law enforcement upon request.

4. High visibility cameras shall be located at each entrance and exit point of the premises. Said cameras shall maintain a recorded data base for no less than fifteen (15 days) and made available to local law enforcement upon request.

Would you recognize a police state if you lived in one? How about a police city? The First Amendment right to peaceably assemble takes a big step back when your identity data and appearance are captured for law enforcement to use at whim simply because you showed up. (ht: PrivacyActivism.org)

Surveillance, San Francisco-Style is a post from Cato @ Liberty - Cato Institute Blog

There was an interesting exchange during a Senate Intelligence Committee hearing yesterday concerning the use of the Patriot Act’s §215 orders for business records and other tangible things. FBI Director Robert Mueller hinted that the orders may have been used to track purchases of hydrogen peroxide purchases in the investigation of aspiring bomber Najibullah Zazi, while Sen. Ron Wyden (D-Oreg.) asserted that there is “a huge gap today between how you all are interpreting the PATRIOT Act and what the American people think the PATRIOT Act is all about and it’s going to need to be resolved.”

Let’s leave our curiosity about that by the wayside for the moment, though. I’m curious about one simple empirical claim Mueller made in his testimony: That the provision has been used over 380 times since 2001. I assume he’d know, but that seems inconsistent with what’s been publicly reported to date. It’s worth noting that there are actually minor discrepancies between the numbers provided in Congressional Research Service reports, audits from the Office of the Inspector General, and the Justice Department’s annual reports to Congress. But there are plenty of legitimate reasons these numbers might vary depending on how you count, and the total variance is a difference of about 17 orders total over the years.

We know from those Inspector General reports that the majority of those 215 orders issued were “combination” orders issued in tandem with another type of surveillance order called a “pen register” so that investigators could get subscriber information about the people whose communications patterns they were tracking. When Congress amended the Patriot Act in 2006, it built that authority right into the pen register statute, making it unnecessary to seek those “combination” orders. Prior to the amendment, the government got 173 of those “combination” orders. “Pure” 215 orders, which are now the only type needed, have been used much more sparingly. None were issued at all until 2004, and from 2004 through 2009 (depending on whose tally you want to use) there were between 75 and 92 orders issued (for an average of 12–15 annually since 2004). Throw in the combination orders and the upper-bound number through the end of 2009 is 265 orders.

Unless I’ve miscounted or missed something significant—you can get the reports at the links above and check my math—that leaves 115 orders unaccounted for, assuming Mueller’s number is accurate. There are two possibilities, then: Either the government got ten times as many orders in 2010 as the historical average (the figures should be out sometime in April) or there are a whole lot of these missing from the public reporting. Possibly these have something to do with the “sensitive collection program” in which these orders play a key role, alluded to in a Justice Department official’s testimony at a hearing during the 2009 reauthorization debate. Either alternative seems like it would merit additional scrutiny. I sent an e-mail seeking clarification this morning to some of the experts at the Congressional Research Service responsible for keeping legislators informed on these issues, but haven’t yet heard back.

I’m not belaboring this because it’s inherently hugely significant whether the government has used this authority 265 times or 380. Ideally, in the coming months we’ll see a substantial narrowing of National Security Letter authority, which would predictably lead to a large increase in the number of 215 orders issued. And that would be entirely proper, since it would mean more information being sought pursuant to a judicial order rather than FBI fiat. What I do think is significant, however, is that this reminds us how little we know—and how little the vast majority of legislators know—about the use of these powers. In contrast with criminal investigative tools, these powers are entirely covert: People whose records are swept up by the government almost never learn about it, and the recipients of the orders are subject to an effectively permanent gag on speaking about them. Rulings of the secret FISA Court interpreting the scope of these authorities are never made public. Our assurance that they have been or will continue to be used properly rests entirely on the minimal required reporting to Congress and the findings of internal audits. And yet it’s hard to pin down the facts on even this most elementary factual question about 215 orders: How many times have they been used?

Despite this, we have legislators confident enough that these expanded powers are both so necessary and so well controlled that they’re advocating making them permanent. I wish I were as confident.

How Many 215 Orders? is a post from Cato @ Liberty - Cato Institute Blog

Reports the Los Angeles Times:

A House GOP push to permanently extend expiring provisions of the Patriot Act is running into opposition from conservative and “tea party”-inspired lawmakers wary of the law’s reach into private affairs.

Congress has made a practice of kicking the Patriot Act can down the road, but it could be that the new crop of legislators isn’t inclined to go along.

Julian Sanchez has blogged here about the complexities of this government surveillance law. His podcast on the topic, released yesterday, is titled “The Patriot Act Sneaks to Renewal.” Maybe it can’t sneak through after all…

Patriot Act Extension Runs Into Conservative Opposition is a post from Cato @ Liberty - Cato Institute Blog

Boeing subsidiary Narus reports on its Web site that it “protects and manages” a number of worldwide networks, including that of Egypt Telecom. A recent IT World article entitled “Narus Develops a Scary Sleuth for Social Media” reported on a Narus product called Hone last year:

Hone will sift through millions of profiles searching for people with similar attributes — blogger profiles that share the same e-mail address, for example. It can look for statistically likely matches, by studying things like the gender, nationality, age, location, home and work addresses of people. Another component can trace the location of someone using a mobile device such as a laptop or phone.

Media advocate Tim Karr reports that “Narus provides Egypt Telecom with Deep Packet Inspection equipment (DPI), a content-filtering technology that allows network managers to inspect, track and target content from users of the Internet and mobile phones, as it passes through routers on the information superhighway.”

It’s very hard to know how Narus’s technology was used in Egypt before the country pulled the plug on its Internet connectivity, or how it’s being used now. Narus is declining comment.

So what’s to be done?

Narus and its parent, the Boeing Company, have no right to their business with the U.S. government. On our behalf, Congress is entitled to ask about Narus’s/Boeing’s assistance to the Mubarak regime in Egypt. If contractors were required to refrain from assisting authoritarian governments’ surveillance as a condition of doing business with the U.S. government, that seems like the most direct way to dissuade them from providing top-notch technology capabilities to regimes on the wrong side of history.

Of course, decades of U.S. entanglement in the Middle East have created the circumstance where an authoritarian government has been an official “friend.” Until a few weeks ago, U.S. unity with the Mubarak regime probably had our government indulging Egypt’s characterization of political opponents as “terrorists and criminals.” It shouldn’t be in retrospect that we learn how costly these entangling alliances really are.

Chris Preble made a similar point ably on the National Interest blog last week:

We should step back and consider that our close relationship with Mubarak over the years created a vicious cycle, one that inclined us to cling tighter and tighter to him as opposition to him grew. And as the relationship deepened, U.S. policy seems to have become nearly paralyzed by the fear that the building anger at Mubarak’s regime would inevitably be directed at us.

We can’t undo our past policies of cozying up to foreign autocrats (the problem extends well beyond Egypt) over the years. And we won’t make things right by simply shifting — or doubling or tripling — U.S. foreign aid to a new leader. We should instead be open to the idea that an arms-length relationship might be the best one of all.

Is a U.S. Company Assisting Egyptian Surveillance? is a post from Cato @ Liberty - Cato Institute Blog

Late last week, Attorney General Eric Holder sent a letter to Senate Judiciary Committee Chair Patrick Leahy (D-VT) in which he agreed to implement an array of policies designed to check abuse of USA PATRIOT Act powers. These include more thorough record keeping and more disclosures to Congress, prompt notification of telecommunications companies when gag orders have expired, and updated retention and dissemination procedures to govern the vast quantities of information obtained using National Security Letters.

In itself, this is all to the good. But civil libertarians should pause before popping the champagne corks. Last year, the fight over the reauthorization of several expiring PATRIOT provisions opened the door to the comprehensive reform that sweeping legislation sorely needs to better balance the legitimate needs of intelligence and law enforcement against the privacy and freedom of Americans. Despite serious abuses of PATRIOT powers uncovered by the Justice Department’s Office of the Inspector General, no such major changes were made. Instead, Congress opted for a shorter-term renewal that will require another reauthorization this February—in theory allowing for the question of broader reform to be revisited in the coming months.

Many of the milder reforms proposed during the last reauthorization debate now appear to have been voluntarily adopted by Holder. Unfortunately, this may make it politically easier for legislators to push ahead with a straight reauthorization that avoids locking in those reforms via binding statutory language—and entirely bypasses the vital discussion we should be having about a more comprehensive overhaul. If that happens, it will serve to confirm the thesis of Chris Mooney’s 2004 piece in Legal Affairs, which persuasively argued that “sunset” provisions, far from serving as an effective check on expansion of government power, often make radical “temporary” measures more politically palatable, only to create a kind of policy inertia that makes it highly unlikely those measures will ever be allowed to expire.

With the loss of Sen. Russ Feingold (D-WI), who whatever his other faults has been the Senate’s most vocal opponent of our metastasizing surveillance state, the prospects for placing more than cosmetic limits on the sweeping powers granted since 2001 appear to have dimmed. If there’s any cause for optimism, it’s that the recent fuss over intrusive TSA screening procedures appear to have reminded some conservatives that they used to believe in limits on government power even when that power was deployed in the name of fighting terrorism.

Good News and Bad on PATRIOT Reform is a post from Cato @ Liberty - Cato Institute Blog

There are too few periodical venues for good short fiction these days, so I’d normally be enthusiastic about the Wall Street Journal‘s decision to print works of fantasy. Unfortunately, they’ve opted to do so on their editorial page—starting with a long farrago of hypotheticals concerning the putative role of the Foreign Intelligence Surveillance Court in hindering the detection and apprehension of failed Times Square bomber Faisal Shahzad. In fairness to the editors, they acknowledge near the end of the piece that much of it is unvarnished speculation, but their flights of creative fancy extend to many claims presented as fact.

Let’s begin with the acknowledged fiction. The Journal editors wonder whether Shahzad might have been under surveillance before his botched Times Square attack, and posit that the NSA might have intercepted communications from “Waziristan Taliban talking about ‘our American brother Faisal,’ which could have been cross-referenced against Karachi flight manifests,” or “maybe Shahzad traded seemingly innocuous emails with Pakistani terrorists, and minimization precluded analysts from detecting a pattern.”  Anything is possible. But it’s a leap to make this inference merely because investigators appear to have had fairly specific knowledge about his contacts with terrorists after he had already been identified.  They would not have needed to “retroactively to reconstruct his activities from other already-gathered foreign wiretaps:” Once they had zeroed in on Shahzad, his calling patterns could have been reconstructed from phone company calling records whether or not he or his confederates were being targeted at the time the communications occurred, and indeed, those records could have been obtained by means of a National Security Letter without any oversight from the FISA Court.

This is part of a more general strategy we often see deployed by advocates of expanded surveillance powers. After the fact, one can always tell a story about how a known terrorist might have been detected by means of more unfettered spying authority, just as one can always tell a story about how any particular calamity would have been averted if the right sort of regulation were in place. Sometimes the story is even plausible. But if we look at the history of recent intelligence failures, it’s almost invariably the case that the real problem was the inability to connect the right set of data points from the flood of data already obtained, not insufficient ability to collect. The problem is that it’s easy and satisfying to call for legislation lifting the restraints on surveillance—and lifting still more when intelligence agencies fail to exhibit perfect clairvoyance—but difficult if not impossible, certainly for those of us without high-level clearances, to say anything useful about the internal process reforms that might help make better use of existing data. The pundit in me empathizes, but these just-so stories are a poor rationale for further diluting civil liberties protections.

Let’s move on to the unacknowledged fictions, of which there are many.  Perhaps most stunning is the claim that “U.S. intelligence-gathering capability has been substantially curtailed in stages over the last decade.” They mean, one supposes, that Congress ultimately imposed a patina of judicial oversight on the lawless program of warrantless wiretapping and data program authorized by the Bush administration in the aftermath of the 9/11 attacks. But the claim that somehow intelligence gathering is more constrained now than it was in 2000 just doesn’t pass the straight face test. In addition to the radical expansion of the aforementioned National Security Letter authorities, Congress approved roving wiretaps for domestic intelligence, broad FISA orders for the production of “any tangible thing,” so-called “sneak and peek” searches, looser restraints on existing FISA wiretap powers, and finally, with the FISA Amendments Act of 2008, executive power to authorize broad “programs” of surveillance without specified targets. In a handful of cases, legislators have rolled back slightly their initial grants of power or imposed some restraints on powers the executive arrogated to itself, but it is ludicrous to deny that the net trend over the decade has been toward more, rather than less, intelligence-gathering capability.

Speaking of executive arrogation of power, here’s how the Journal describes Bush’s warrantless Stellar Wind program:

Via executive order after 9/11, the Bush Administration created the covert Terrorist Surveillance Program. TSP allowed the National Security Agency to monitor the traffic and content of terrorist electronic communications overseas, unencumbered by FISA warrants even if one of the parties was in the U.S.

This is misleading.  There was no such thing as the “Terrorist Surveillance Program.”  That was a marketing term concocted after the fact to allow administration officials to narrowly discuss the components of Stellar Wind initially disclosed by the New York Times.  It allowed Alberto Gonzales to claim that there had been no serious internal dissent about the legality of “the program” by arbitrarily redefining it to exclude the parts that had caused the most controversy, such as the vast data mining effort that went far beyond suspected terrorists. It was this aspect of Stellar Wind, and not the monitoring of overseas communication, that occasioned the now-infamous confrontation at Attorney General John Ashcroft’s hospital bed described in the editorial’s subsequent paragraph. We continue:

In addition to excessive delays, the anonymous FISA judges demanded warrants even for foreign-to-foreign calls that were routed through U.S. switching networks. FISA was written in an analog era and meant to apply to domestic wiretaps in the context of the Cold War, not to limit what wiretaps were ever allowed.

Forgive me if I’m a broken record on this, but the persistence of the claim in that first sentence above is truly maddening.  It is false that “FISA judges demanded warrants even for foreign-to-foreign calls that were routed through U.S. switching networks.”  Anyone remotely familiar with the FISA law would have known it was false when it was first bandied about, and a Justice Department official confirmed that it was false two years ago. FISA has never required a warrant for foreign-to-foreign wire communications, wherever intercepted, though there was a narrower problem with some e-mail traffic.  To repeat the canard at this late date betrays either dishonesty or disqualifying ignorance of elementary facts. Further, while it’s true that a great deal of surveillance has always, by design, remained beyond the scope of FISA, it is clearly false that it was “meant to apply to domestic wiretaps” if by this we mean only “wiretaps where all parties to the communication are within the United States.” The plain text and legislative history of the law make it clear beyond any possible doubt that Congress meant to impose restraints on the acquisition of all U.S.-to-foreign wire communications, as well as radio communications targeting U.S. persons. (The legislative history further suggests that they had hoped to tighten up the restraints on radio communications, though technical considerations made it difficult to craft functional rules.) We continue:

The 2008 FISA law mandates “minimization” procedures to avoid targeting the communications of U.S. citizens or those that take place entirely within the U.S. As the NSA dragnet searches emails, mobile phone calls and the like, often it will pick up domestic information. Intelligence officials can analyze, retain and act on true smoking guns. But domestic intercepts must be effectively destroyed within 72 hours unless they indicate “a threat of death or serious bodily harm to any person” or constitute “evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.”

This means that potentially useful information must be discarded if it is too vague to obtain a traditional judicial warrant. Minimization is the FISA equivalent of a fishing license that requires throwing back catches that don’t meet the legal limit. Yet the nature of intelligence analysis is connecting small, suggestive and often scattered clues.

The kernel of truth here is that the FISA Amendments Act did impose some new constraints on the surveillance of Americans abroad. But the implication that “minimization” is some novel invention is just false. Minimization rules have always been part of FISA, and they exist precisely because the initial scope of FISA acquisition is so incredibly broad. And those minimization rules give investigators enormous latitude.  As the FISA Court itself explained in a rare published ruling:

Minimization is required only if the information “could not be” foreign intelligence. Thus, it is obvious that the standard for retention of FISA-acquired information is weighted heavily in favor of the government.

Similarly, the redaction of identifying information about U.S. persons is not required when that information is needed to properly interpret the intelligence, so the idea that analysts would have scrubbed mention of “our American brother Faisal” from an intercept of Taliban communications cannot be taken too seriously.  It’s not entirely clear what the editors are referring to when they say “domestic intercepts must be effectively destroyed within 72 hours:” Do they mean “inadvertent” intercepts of entirely domestic communications, or one-end domestic communications legitimately acquired under the FAA, or what? Either way, that’s not really consistent with what we know about FISA minimization in practice: At least as of 2005, it appears that “minimized” communications were at least sometimes retained in ultimately retrievable form, though not logged.  In any event, if I’m reading them correctly, the Journal is suggesting that NSA should be broadly sweeping up and retaining even the apparently innocent domestic communications of Americans, on the off chance that they might later prove useful? I can imagine being that consumed by terror, but I think I would be ashamed to admit it in public.  Moving on:

Meanwhile, the FISA court reported in April that the number of warrant applications fell to 1,376 in 2009, the lowest level since 2003. A change in quantity doesn’t necessarily mean a change in intelligence quality—though it might.

As it happens, I covered this in a post just the other day.  As a Justice Department official explained to the bloggers at Main Justice, the numerical decline is “due to significant changes in the legal authorities that govern FISA surveillance — specifically, the enactment of the FISA Amendments Act in 2008 — and shifting operational demands, but the fluctuation in the number of applications does not in any way reflect a change in coverage.”  Finally:

These constraints are being imposed at the same time that domestic terror plots linked to, or inspired by, foreigners are increasing. Our spooks did manage to pre-empt Najibullah Zazi and his co-conspirators in a plot to bomb New York subways, but they missed Shahzad and Nidal Hasan, as well as Umar Farouk Abdulmutallab’s attempt to bring down Flight 253 on Christmas Day.

Abdulmutallab was a non-U.S. person who didn’t set foot in the country until after setting his underpants aflame; there is no reason whatever to believe that FISA restrictions would have posed an obstacle to monitoring him. As for Nidal Hasan, investigators did intercept his e-mails with radical cleric Anwar al Awlaki. While it seems clear in retrospect that the decision not to investigate further was an error in judgment, they were obviously not destroyed after the fact, since they were later quoted in various press accounts. Maybe those exchanges really did seem legitimately related to Hasan’s research at the time, or maybe investigators missed some red flags. Either way, the part of the process the Journal is wringing its hands about worked: The intercepts were retained and disseminated to the Joint Terrorism Task Force, which concluded that Hasan was “not involved in terrorist activities or terrorist planning” and, along with Army officials, declined to open an investigation. Rending already gossamer-thin minimization requirements is not going to avoid errors of that sort.

The Journal closes out their fantasy by melodramatically asking “whether FISA is in practice giving jihadists a license to kill.” But the only “license” I see here is of the “creative” variety; should they revisit the topic in the future, the editors might consider taking less of it.

The Wall Street Journal’s Surveillance Fantasies is a post from Cato @ Liberty - Cato Institute Blog

The invaluable Main Justice blog notes that we’ve just gotten our annual dribble of information from the Foreign Intelligence Surveillance Court, showing that the number of surveillance applications sought and approved by the court dropped for a second consecutive year, to their lowest  level since 2002. Applications fell to 1,376—down from 2007′s record high of 2,370.

So does that mean there’s less FISA surveillance going on? Nope—according to an anonymous source at the Justice Department, you can’t infer much from the raw numbers, especially given the passage of the FISA Amendments Act of 2008, which empowered the executive branch to authorize broad programs of surveillance with slight court oversight:

“The number of Foreign Intelligence Surveillance Act applications submitted to the Foreign Intelligence Surveillance Court decreased in 2008 and again in 2009 due to significant changes in the legal authorities that govern FISA surveillance — specifically, the enactment of the FISA Amendments Act in 2008 — and shifting operational demands, but the fluctuation in the number of applications does not in any way reflect a change in coverage,” the official said.

I note with some disappointment that the normally astute folks at Main Justice repeat the canard that the FISA Amendments Act were a response to a 2007 court ruling that “surveillance of purely foreign communications that pass through a U.S. communications node was illegal without a warrant.” Boosters of broader executive power trumpeted that line, but as we learned in 2008, the court’s limitations were really centrally about certain kinds of e-mail traffic; it has never been the case that purely foreign communications in general required a warrant if they passed through the U.S.—and indeed, nobody reading the plain text of the FISA law could possibly believe that to be the case.

In any event, as I suggested recently when last year’s criminal wiretap figures were released, this is one more reason to suspect that current reporting requirements amount to so much oversight theater—giving us the illusion that we have some understanding of the real scope of electronic surveillance, while providing (at best) a spotty and incomplete picture.

FISA Applications Are Down, but Is Surveillance? is a post from Cato @ Liberty - Cato Institute Blog

In a piece at Politico today, David Rittgers raised a number of important points on the role of surveillance cameras in law enforcement, about which I blogged yesterday at Politico Arena and Cato@Liberty. To add still more to the subject, David is quite right: the cop on the beat, assuming he’s there, will be better than the camera at preventing crime. In at least two cases, however, cameras can fight crime not only ex post but ex ante as well. First, cameras monitored in real time — as private cameras often are in apartment buildings, casinos, warehouses, and elsewhere — can facilitate crime prevention by alerting monitors to suspicious activity. And second, would-be criminals who are concerned about being caught may think twice if they suspect they’re being monitored. Cameras will not deter suicide bombers, of course; nor will they deter those who are unaware they’re being monitored, as may have been the case with the incompetent bomb maker in Times Square – who seems at this writing (we await more facts) to have wanted to “get away,” all the way to Pakistan.

But to add further to the civil liberties point I made yesterday, not only are surveillance tapes usually more accurate that eyewitness accounts in identifying criminals, thereby lessening the very real problem of mistaken prosecutions and convictions, but they aid also in the equally real problem of police (and even prosecutorial) abuse. Two weeks ago David blogged about the recent University of Maryland case involving the notorious Prince George’s County police department, where a video showed police brutality that the police later falsified in their report. And surveillance tapes can work in the other direction too — to protect police from false accusations of brutality. So the civil liberties implications of surveillance cameras are many, and often not what they seem on first impression.

Surveillance Cameras and Civil Liberties II is a post from Cato @ Liberty - Cato Institute Blog

Last week, I wrote that we’d learned that the Lower Merion School District may have gathered many more photos of more students than had previously been revealed. Now, the Philadelphia Inquirer has put a number on it: A security program installed on laptops assigned to students captured 56,000 images over the course of two years, including screenshots (showing programs in use and private messages being sent) and surreptitious webcam photos of students at home.

Many of these images, it should be noted at the outset, do appear to have come from laptops that really had been stolen. Almost two-thirds of the total came from six laptops that had been stolen from a high school gym, and which kept transmitting for  almost six months, though even there it’s a close question whether a warrant should have been obtained. (Why it took six months to recover the laptops with an active security program running is a good question for another time.) But many of those pictures seem much harder to justify:

[I]n at least five instances, school employees let the Web cams keep clicking for days or weeks after students found their missing laptops, according to the review. Those computers – programmed to snap a photo and capture a screen shot every 15 minutes when the machine was on – fired nearly 13,000 images back to the school district servers.

Emphasis added. The district also says it only once activated the tracking program because a student had not paid the $55 insurance fee required before taking a laptop home. Blake Robbins, the student whose lawsuit brought the story to national attention, says that one case was his.  That raises obvious questions about whether school officials might have exercised their discretion to activate the tracking program more readily in the case of particular students. The activation procedure itself hardly imbues one with great confidence: Apparently 10 school officials had the authority to request laptop tracking, which they might do with a simple informal e-mail.

Just turn this over in your head for a moment. You’ve got ten different administrators—and in practice, the network techs themselves—able to turn a child’s home laptop into a remote surveillance camera just by sending an e-mail reporting that a laptop is missing, or that a fee didn’t get paid on time. The laptop can take thousands of photos over the course of days or weeks, with neither parents nor students any the wiser until a scandal forces closer scrutiny. If Robbins hadn’t been confronted, or if administrators had made a point of deleting these pictures of children at home rather than keeping them lying around in storage indefinitely, there’s no reason to think anyone would ever have known.  How many tens of thousands of parents have kids in one-to-one school laptop programs now? What don’t they know?

School Laptop Spycams Took 56,000 Pictures is a post from Cato @ Liberty - Cato Institute Blog

Stop me if you think you’ve heard this one before. The Washington Post reports that the National Security Agency has halted domestic collection of some type of communications metadata—the details are predictably fuzzy, though I’ve got a guess—in order to allay the concerns of the secret FISA Court that the NSA’s activity might not be technically permissible under the Foreign Intelligence Surveillance Act. Naturally, there’s the requisite quote from the anonymous concerned intel official:

“This is a basic tool we used to have, and it’s now gone,” said one intelligence official familiar with the impasse. “Every day, every week that goes by, there’s just one more week of information that we’re not collecting. You sit there and say, ‘This is unbelievable that we have this gap.’”

I want to take claims like these with due gravity, but I can’t anymore.  Because we’ve heard them again and again over the past decade, and they’ve proven to be bogus every time.  We were told that the civil liberties restrictions built into pre-9/11 surveillance law kept the FBI from searching “20th hijacker” Zacarias Moussaoui’s laptop—but a bipartisan Senate panel found it wasn’t true. We were told limits on National Security Letters were FBI delaying agents seeking vital records in their investigations—but the delay turned out to have been manufactured by the FBI itself. Most recently, we were warned that the FISA Court had somehow imposed a requirement that a warrant be obtained in order to intercept purely foreign telephone calls that were traveling through U.S. wires.  Anyone who understood the FISA law realized that this couldn’t possibly be right—and as Justice Department officials finally admitted under pressure, that wasn’t true either.  But this time there’s a really real for serious “intelligence gap” and we’ll all be blown up by scary terrorists any minute if it’s not fixed?  Pull the other one.

That said, Republicans are claiming the problem requires a mere “technical fix” to FISA, so we should at least be able to get a rough sense of what the issue is, if Congress actually decides to act.  Democrats, by contrast, appear to think NSA can “address the court’s concerns without resorting to legislation.” The word “resort” here seems depressingly apt: They’ll ask for a legislative tweak if there’s absolutely no way to shoehorn what they want to do into the statute through clever lawyering in an ex parte proceeding in front of a highly deferential court, but it’s a last resort.

As for what the problem might be, I can think of a couple of possibilities off the top of my head.  A few years back, the FISA pen register provision was amended to effectively build into the legal order for a standard pen register, which records data about calls or e-mails made and received, language mirroring a legal demand for subscriber records known as a 2703(d) order in the criminal context.  Law enforcement routinely uses that combination of a 2703(d) plus a pen register to get location tracking information for cell phones. But the evidentiary standard for getting a 2703(d) order is (very) slightly higher than the standard for a pen register alone, and federal law prohibits the use of a pen register alone to gather location data. So there might be a question about whether FISA pen registers alone can be used for cell phone location tracking purposes.

Alternatively, given that Internet communications aren’t just “metadata” and “content” but rather a whole series of layers containing different types of information, there could be a question about just how far down “metadata” goes. This might be especially tricky for protocols where quite a lot of information about the content of the communication—which is supposed to require a full probable cause warrant—can be gleaned from sophisticated analysis of the size and timing of packets in the stream.

These are, of course, blind guesses.  What’s disturbing is how much blind guessing the FISA court itself may be doing.  The new hiatus, the Post tells us via an anonymous source, came about when the FISA Court “got a little bit more of an understanding”of what the NSA was up to. Their enhanced understanding concerns data that NSA has been getting with the court’s approval for “several years,” according to the Post. And there you have the real “intelligence gap” in modern surveillance: We have a Court going through a pantomime of oversight over thousands of highly technologically sophisticated interception programs, but it may take a few years for them to really understand what they’ve been signing off on.

We’ll understand still less about the rationale for any “technical fix” to FISA that Congress might approve, if they deign to go that route. But we’ll be reassured that it’s very important, necessary to keep us safe from the terrorist hordes, and nothing worth bothering our pretty heads about.

The Latest ‘Intelligence Gap’ is a post from Cato @ Liberty - Cato Institute Blog

It is more than three years since the Office of the Inspector General first brought public attention to the FBI’s systematic misuse of the National Security Letter statutes to issue fictitious “exigent letters” and obtain telecommunications records without due process. Nobody at the Bureau has been fined, or even disciplined, for  this systematic lawbreaking and the efforts to conceal it. But the bipartisan outrage expressed at a subcommittee hearing of the House Judiciary Committee this morning hints that Congress may be running out of patience—and looking for some highly-placed heads to roll. Just to refresh, Committee Chairman John Conyers summarized the main abuses in an opening statement:

The IG found that more than 700 times, such information was obtained about more than 2,000 phone numbers by so-called“exigent letters” from FBI personnel. In some cases, the IG concluded, FBI agents sent the letters even though they believed that factual information in the letters was false. For more than 3,500 phone numbers, the call information was extracted without even a letter, but instead by e‐mail, requests on a post‐it note, or “sneak peaks” of telephone company computer screens or other records…. In one case, the FBI actually obtained phone records of Washington Post and New York Times reporters and kept them in a database, leading to an IG conclusion of “serious abuse” of FBI authority and an FBI public apology.

It’s probably actually worse than that: Since these letters often requested a “community of interest” analysis for targeted numbers, the privacy of many people beyond the nominal targets may have been implicated—though it’s hard to be sure, since the IG report redacts almost all details about this CoI mapping.

And as Rep. Jerry Nadler pointed out, the IG report suggests a “clear pattern here of deliberate evasion,” rather than the innocent oversight the Bureau keeps pleading.  Both Nadler and the Republican ex-chair of the committee, Rep. James Sensenbrenner, expressed frustration at their sense that, when the FBI had failed to win legislative approval for all the powers on its wish list, it had simply ignored lawful process, seizing by fiat what Congress had refused to grant. Sensenbrenner, one of the authors of the Patriot Act, even declared that he felt “betrayed.” But we’ve heard similar rhetoric before. It was the following suggestion from Conyers (from my notes, but pretty near verbatim) that really raised an eyebrow:

There must be further investigation as to who and why and how somebody in the Federal Bureau of Investigation could invent a practice and have allowed it to have gone on for three consecutive years.  I propose and hope that this committee and its leadership will join me, because I think there may be grounds for removal of the general counsel of the FBI.

That would be Valerie Caproni, one of the hearing’s two witnesses, and an executive-level official whose dismissal would be the first hint of an administration response commensurate with the gravity of the violations that occurred. Caproni’s testimony, consistent with previous performances, was an awkward effort to simultaneously minimize the seriousness of FBI’s abuses—she is fond of saying “flawed” when le mot juste is “illegal”—and also to assure legislators that the Bureau was treating it with the utmost seriousness already. Sensenbrenner appeared unpersuaded, at one point barking in obvious irritation: “I don’t think you’re getting the message; will you get the message today?” The Republican also seemed to indirectly echo Conyers’ warning, declaring himself “not unsympathetic” to the incredulous chairman’s indictment of her office. Of course, the FBI has it’s own Office of Professional Responsibility which is supposed to be in charge of holding agents and officials accountable for malfeasance, but apparently the wheels there are still grinding along.

It’s also worth noting that Inspector General Glenn Fine, who also testified, specifically urged Congress to look into a secret memo issued in January by the Office of Legal Counsel, apparently deploying some novel legal theory to conclude that many of the call records obtained by the FBI were not covered by federal privacy statutes after all. This stood out just because my impression is that OIG usually limits itself to straight reporting and leaves it to Congress to judge what merits investigation, suggesting heightened concern about the potential scope of the ruling, despite FBI’s pledge not to avail itself of this novel legal logic without apprising its oversight committees. Alas, the details here are classified, but Caproni did at one point in her testimony conclude that “disclosure of approximately half of the records at issue was not forbidden by ECPA and/or was
connected to a clear emergency situation.”  There were 4,400 improperly obtained “records at issue” in the FBI’s internal review, of which about 150 were ultimately retained on the grounds that they would have qualified for the emergency exception in the Electronic Communications Privacy Act.  Since that tally didn’t include qualifying records for which legitimate process had nevertheless been issued at some point, the number of “real” emergencies is probably slightly higher, but that still suggests that the “half” Caproni alludes to are mostly in the “disclosure…not forbidden by ECPA” category.  Since ECPA is fairly comprehensive when it comes to telecom subscriber records—or at least, so we all thought until recently—we have to assume she means that these are the types of records the OLC opinion has removed from FISA’s protection. If those inferences are correct, and the new OLC exception covers nearly half of the call detail records FBI obtains, that would not constitute a “loophole” in federal electronic privacy law so much as its evisceration.

Of course, it’s possible that the specific nature of the exception would allay civil libertarian fears. What’s really intolerable in a democratic society is that we don’t know. Operational facts about specific investigations, and even specific investigatory techniques, are rightly classified. But an interpretation of a public statute so significant as to potentially halve its apparent protections cannot be kept secret without making a farce of the rule of law.

Accountability for ‘Exigent Letter’ Abuse At Last? is a post from Cato @ Liberty - Cato Institute Blog

As Tim Lynch notes, Judge Vaughn Walker has ruled in favor of the now-defunct Al-Haramain Islamic Foundation—unique among the many litigants who have tried to challenge the Bush-era program of warrantless wiretapping by the National Security Agency because they actually had evidence, in the form of a document accidentally delivered to foundation lawyers by the government itself, that their personnel had been targeted for eavesdropping.

Other efforts to get a court to review the program’s legality had been caught in a kind of catch-22: Plaintiffs who merely feared that their calls might be subject to NSA filtering and interception lacked standing to sue, because they couldn’t show a specific, concrete injury resulting from the program.

But, of course, information about exactly who has been wiretapped is a closely guarded state secret. So closely guarded, in fact, that the Justice Department was able to force the return of the document that exposed the wiretapping of Al-Haramain, and then get it barred from the court’s consideration as a “secret” even after it had been disclosed. (Contrast, incidentally, the Supreme Court’s jurisprudence on individual privacy rights, which often denies any legitimate expectation of privacy in information once revealed to a third party.) Al-Haramain finally prevailed because they were ultimately able to assemble evidence from the public record showing they’d been wiretapped, and the government declined to produce anything resembling a warrant for that surveillance.

If you read over the actual opinion, however it may seem a little anticlimactic—as though something is missing. The ruling concludes that there’s prima facie evidence that Al-Haramain and their lawyers were wiretapped, that the government has failed to produce a warrant, and that this violates the Foreign Intelligence Surveillance Act. But of course, there was never any question about that. Not even the most strident apologists for the NSA program denied that it contravened FISA; rather, they offered a series of rationalizations for why the president was entitled to disregard a federal statute.

There was the John Yoo argument that the president essentially becomes omnipotent during wartime, and that if we can shoot Taliban on a foreign battlefield, surely we can wiretap Americans at home if they seem vaguely Taliban-ish. Even under Bush, the Office of Legal Counsel soon backed away from such… creative… lines of argument. Instead, they relied on the post-9/11 Authorization for the Use of Military Force (AUMF) against al-Qaeda, claiming it had implicitly created a loophole in the FISA law. It was David Kris, now head of DOJ’s National Security Division, who most decisively blew that one out of the water, concluding that it was “essentially impossible” to sustain the government’s reading of the AUMF.

Yet you’ll note that none of these issues arise in Walker’s opinion, because the DOJ, in effect, refused to play. They resisted the court at every step, insisting that a program discussed at length on the front pages of newspapers for years now was so very secret that no aspect of it could be discussed even in a closed setting. They continued to insist on this in the face of repeated court rulings to the contrary. So while Al-Haramain has prevailed, there’s no ruling on the validity of any of those arguments. That’s why I think Marcy Wheeler is probably correct when she predicts that the government will simply take its lumps and pay damages rather than risk an appeal. For one, while Obama administration has been happy to invoke state secrecy as vigorously as its predecessor, it would obviously be somewhat embarrassing for Obama’s DOJ to parrot Bush’s substantive claims of near-limitless executive power. Perhaps more to the point, though, some of those legal arguments may still be operative in secret OLC memos. The FISA Amendments Act aimed to put the unlawful Bush program under court supervision, and even reasserted FISA’s language establishing it as the “exclusive means” for electronic surveillance, which would seem to drive a final stake in the heart of any argument based on the AUMF. But we ultimately don’t know what legal rationales they still consider operative, and it would surely be awkward to have an appellate court knock the legs out from under some of these secret memoranda.

None of this is to deny that the ruling is a big deal—if nothing else because it suggests that the government does not enjoy total carte blanche to shield lawbreaking from review with broad, bald assertions of privilege. But I also know that civil libertarians had hoped that the courts might be the only path to a more full accounting of—and accountability for—the domestic spying program. If the upshot of this is simply that the government must pay a few tens, or even hundreds of thousands of dollars in damages, it’s hard not to see the victory as something of a disappointment.

State Secrets, Courts, and NSA’s Illegal Wiretapping is a post from Cato @ Liberty - Cato Institute Blog

Can I send Time magazine the bill for the new crack in my desk and the splinters in my forehead? Because their latest excretion on the case of Colleen “Jihad Jane” LaRose and its relation to Patriot Act surveillance powers is absolutely maddening:

The Justice Department won’t say whether provisions of the Patriot Act were used to investigate and charge Colleen LaRose. But the FBI and U.S. prosecutors who charged the 46-year-old woman from Pennsburg, Pa., on Tuesday with conspiring with terrorists and pledging to commit murder in the name of jihad could well have used the Patriot Act’s fast access to her cell-phone records, hotel bills and rental-car contracts as they tracked her movements and contacts last year. But even if the law’s provisions weren’t directly used against her, the arrest of the woman who allegedly used the moniker “Jihad Jane” is a boost for the Patriot Act, Administration officials and Capitol Hill Democrats say. That’s because revelations of her alleged plot may give credibility to calls for even greater investigative powers for the FBI and law enforcement, including Republican proposals to expand certain surveillance techniques that are currently limited to targeting foreigners.

Sadly, this is practically a genre resorted to by lazy writers whenever a domestic terror investigation is making headlines. It consists of indulging in a lot of fuzzy speculation about how the Patriot Act might have been crucial—for all we know!—to a successful  investigation, even when every shred of available public evidence suggests otherwise.  My favorite exemplar of this genre comes from a Fox News piece penned by journalist-impersonator Cristina Corbin after the capture of some Brooklyn bomb plotters last spring, with the bold headline: “Patriot Act Likely Helped Thwart NYC Terror Plot, Security Experts Say.” The actual article contains nothing to justify the headline: It quotes some lawyers saying vague positive things about the Patriot Act, then tries to explain how the law expanded surveillance powers, but mostly botches the basic facts.  From what we know thanks to the work of real reporters,  the initial tip and the key evidence in that case came from a human infiltrator who steered the plotters to locations that had been physically bugged, not new Patriot tools.

Of course, it may well be that National Security Letters or other Patriot powers were invoked at some point in this investigation—the question is whether there’s any good reason to suspect they made an important difference. And that seems highly dubious. LaRose’s indictment cites the content of private communications, which probably would have been obtained using a boring old probable cause warrant—and the standard for that is far higher than for a traditional pen/trap order, which would have enabled them to be getting much faster access to more comprehensive cell records. Maybe earlier on, then, when they were compiling the evidence for those tools?  But as several reports on the investigation have noted, “Jihad Jane” was being tracked online by a groups of anti-jihadi amateurs some three years ago. As a member of one group writes sarcastically on the site Jawa Report, the “super sekrit” surveillance tool they used to keep abreast of LaRose’s increasingly disturbing activities was… Google. I’m going to go out on a limb and say the FBI could’ve handled this one with pre-Patriot authority, and a fortiori with Patriot authority restrained by some common-sense civil liberties safeguards.

What’s a little more unusual is to see this segue into the kind of argument we usually see in the wake of an intelligence failure, where the case is then seen as self-evidently justifying still more intrusive surveillance powers, in this case the expansion of the “lone wolf” authority currently applicable only to foreigners, allowing extraordinarily broad and secretive FISA surveillance to be conducted against people with no actual ties to a terror group or other “foreign power.” Yet as Time itself notes:

In fact, Justice Department terrorism experts are privately unimpressed by LaRose. Hers was not a particularly threatening plot, they say, and she was not using any of the more challenging counter-surveillance measures that more experienced jihadis, let alone foreign intelligence agents, use.

Which, of course, is a big part of the reason we have a separate system for dealing with agents of foreign powers: They are typically trained in counterintelligence tradecraft with access to resources and networks far beyond those of ordinary nuts. What possible support can LaRose’s case provide for the proposition that these industrial-strength tools should now be turned on American citizens?  They caught her—and without much trouble, by the looks of it. Sure, this domestic nut may have invoked to Islamist ideology rather than the commands of Sam the Dog or anti-Semitic conspiracy theories… but so what? She’s still one more moderately dangerous unhinged American in a country that has its fair share, and has been dealing with them pretty well under the auspices of Title III for a good while now.

Every Time I Say “Terrorism,” the Patriot Act Gets More Awesome is a post from Cato @ Liberty - Cato Institute Blog

Here’s a great conversation at Slate.com about Shane Harris’ new book The Watchers.

We’ll be having the author here at Cato on March 10th for a similar discussion of his book and the growth of the surveillance state.

Register here.

Shane Harris’ The Watchers at Cato March 10th is a post from Cato @ Liberty - Cato Institute Blog