Tag: FISA

‘Geolocation’? ‘Geotagging’? What is This Stuff?

If the Army is educating recruits about “geolocation,” maybe you should know about it too. In fact, the U.S. Army primer entitled “Geotags and Location-Based Social Networking” is a pretty good basic resource. Check it out.

Understand this: Your mobile phone sends out signals to cell towers, creating records of where you go throughout your day. If it is enabled with GPS, it can produce even more precise location information.

Law enforcement and intelligence agencies are rushing to exploit the potential of geolocation data, acquiring details of people’s movements and activities that once required costly, 24/7 surveillance. Uses of these data range from tracking fugitives, to reconstructing suspects’ travels, to analyzing the movements of whole populations in search of “suspicious” behavior patterns.

Senator Ron Wyden (D-OR) is drafting legislation to set standards for government access to geolocation data under both criminal law and the Foreign Intelligence Surveillance Act. On Wednesday, January 26th, Cato will host him at an event we’ve titled “Location-Tracking Technology and Privacy.”

We’ll ask you to silence your cell phone when the program starts. You might consider turning it off on the way here…

Register now.

FISA Applications Are Down, but Is Surveillance?

The invaluable Main Justice blog notes that we’ve just gotten our annual dribble of information from the Foreign Intelligence Surveillance Court, showing that the number of surveillance applications sought and approved by the court dropped for a second consecutive year, to their lowest  level since 2002. Applications fell to 1,376—down from 2007’s record high of 2,370.

So does that mean there’s less FISA surveillance going on? Nope—according to an anonymous source at the Justice Department, you can’t infer much from the raw numbers, especially given the passage of the FISA Amendments Act of 2008, which empowered the executive branch to authorize broad programs of surveillance with slight court oversight:

“The number of Foreign Intelligence Surveillance Act applications submitted to the Foreign Intelligence Surveillance Court decreased in 2008 and again in 2009 due to significant changes in the legal authorities that govern FISA surveillance — specifically, the enactment of the FISA Amendments Act in 2008 — and shifting operational demands, but the fluctuation in the number of applications does not in any way reflect a change in coverage,” the official said.

I note with some disappointment that the normally astute folks at Main Justice repeat the canard that the FISA Amendments Act were a response to a 2007 court ruling that “surveillance of purely foreign communications that pass through a U.S. communications node was illegal without a warrant.” Boosters of broader executive power trumpeted that line, but as we learned in 2008, the court’s limitations were really centrally about certain kinds of e-mail traffic; it has never been the case that purely foreign communications in general required a warrant if they passed through the U.S.—and indeed, nobody reading the plain text of the FISA law could possibly believe that to be the case.

In any event, as I suggested recently when last year’s criminal wiretap figures were released, this is one more reason to suspect that current reporting requirements amount to so much oversight theater—giving us the illusion that we have some understanding of the real scope of electronic surveillance, while providing (at best) a spotty and incomplete picture.

Your Year in Wiretaps

The 2009 Wiretap Report has just been released by the Administrative Office of the U.S. Courts. The headline findings: 2,376 wiretaps were authorized for criminal investigations last year, of which 663 were federal and 1,713 were issued at the state level. (NB: These numbers don’t include Foreign Intelligence Surveillance Act wiretaps, “pen register” requests for communications metadata, or orders to acquire stored e-mails sitting on a server.)  The vast majority of wiretaps—86 percent—were part of the drug war, with the average wiretap bill running about $52,200.

In line with recent years, only about 19 percent of intercepted communications contained anything incriminating. As you can see by eyeballing the chart, the 2009 numbers reflect a sharp 70 percent increase in federal taps over the previous year, but only because 2008 was a decade low-point. Though the number is still relatively high, criminal federal wiretap warrants were long ago eclipsed by broader and more secretive intelligence wiretaps under FISA—of which there were 2,082 in 2008.

Since drug dealers seldom have fixed offices, it probably won’t come as any surprise that 96 percent of the orders targeted mobile devices. Since a full wiretap order also permits the acquisition of the highly detailed GPS information phones can provide, it would be nice to know how many of these orders involve the use of a cell phone as a mobile tracking device.  There’s a campaign underway to update our grossly outdated surveillance laws, and better reporting on this relatively novel form of surveillance should be part of a larger geotracking reform providing a single process and a single clear standard for seeking such information, rather than the patchwork of warrants and other sorts of court orders currently employed.

As another data point for the need to reform federal surveillance law, only four of last year’s orders involved any kind of “electronic communication,” as opposed to traditional voice communications.  Does that mean law enforcement agencies are just ignoring the Internet?  Of course not. But current law, perversely, establishes a much higher standard for the interception of “live” communications in transit over the network than for e-mails that have landed on a user’s server. As soon as you open that e-mail, the level of protection it’s afforded by statute is radically diminished, and the constitutional protections given to stored emails are still embarrassingly unclear, at least as far as the courts are concerned.

The irony here is that the outdated federal surveillance laws actually leave us hard pressed to accurately gauge how badly they’re outdated. The primary problem is that the crazy-quilt of statutes and standards doesn’t map the way people actually communicate today, or line up with their real-world expectations of privacy in those communications. But the secondary problem is that the reporting requirements don’t line up either.  I’m probably a little abnormal here, but I communicate via e-mail, Twitter, or IM vastly more than I talk on the telephone. I send dozens of e-mails on an average day (many from a GPS-enabled phone), but I doubt I average more than one actual voice phone call per week. There are, of course, many reasons to expect criminals to prefer the ephemeral nature of voice communication, but the disconnect still ought to be worrying.  The numbers in the Wiretap Report make us feel as though we have a handle on the scope of government surveillance, when in fact we probably don’t have a very clear picture at all.

How Much Government Snooping? Google It Up!

The secrecy surrounding government surveillance is a constant source of frustration to privacy activists and scholars: It’s hard to have a serious discussion about policy when it’s like pulling teeth to get the most elementary statistics about the scope of state information gathering, let alone any more detailed information. Even when reporting is statutorily required, government agencies tend to drag their heels making statistics available to Congress – and it can take even longer to make the information more widely accessible. Phone and Internet companies, even when they join the fight against excessive demands for information, are typically just as reluctant to talk publicly about just how much of their customers’ information they’re required to disclose. That’s why I’m so pleased at the news that Google has launched their Government Requests transparency tool.  It shows a global map on which users can see how many governmental demands for user information or content removal have been made to Google’s ever-growing empire of sites – now including Blogger, YouTube, and Gmail – starting with the last six months.

So far, the information up there is both somewhat limited and lacking context.  For instance, it might seem odd that Brazil tops the list of governmental information hounds until you bear in mind that Google’s Orkut social network, while little-used by Americans, is the Brazilian equivalent of Facebook.

There are also huge gaps in the data: The United States comes in second with 3,580 requests from law enforcement at all levels, but that doesn’t include intelligence requests, so National Security Letters (tens of thousands of which are issued every year) and FISA warrants or “metadata” orders (which dwarf ordinary federal wiretaps in number) aren’t part of the tally. And since China considers all such government information requests to be state secrets – whether for criminal or intelligence investigations – no data from the People’s Republic is included.

Neither is there any detail about the requests they have counted – how many are demands for basic subscriber information, how many for communications metadata, and how many for actual e-mail or chat contents. The data on censorship is similarly limited: They’re counting governmental but not civil requests, such as takedown notices under the Digital Millennium Copyright Act.

For all those limits – and the company will be striving to provide some more detail, within the limits of the law – this is a great step toward bringing vital transparency to the shadowy world of government surveillance, and some nourishment to the data-starved wretches who seek to study it. We cannot have a meaningful conversation about whether censorship or invasion of privacy in the name of security have gone too far if we do not know, at a minimum, what the government is doing. So, for a bit of perspective, we know that U.S. courts reported a combined total of 1,793 (criminal, not intel) wiretaps sought by both federal and state authorities. Almost none of these (less than 1 percent) were for electronic interception.

This may sound surprising, unless you keep in mind that federal law establishes a very high standard for the “live” interception of communications over a wire, but makes it substantially easier – under some circumstances rather terrifyingly easy – to get stored communications records. So there’s very little reason for police to jump through all the hoops imposed on wiretap orders when they want to read a target’s e-mails.

If and when Google were to break down that information about requests – to show how many were “full content” as opposed to metadata requests – we would begin to have a far more accurate picture of the true scope of governmental spying. Should other major players like Yahoo and Facebook be inspired to follow Google’s admirable lead here, it would be better still.  Already, though, that one data point from a single company – showing more than twice as many data requests as the total number of phone wiretaps reported for the entire country – suggests that there is vastly more actual surveillance going on than one might infer from official wiretap numbers.

The Latest ‘Intelligence Gap’

Stop me if you think you’ve heard this one before. The Washington Post reports that the National Security Agency has halted domestic collection of some type of communications metadata—the details are predictably fuzzy, though I’ve got a guess—in order to allay the concerns of the secret FISA Court that the NSA’s activity might not be technically permissible under the Foreign Intelligence Surveillance Act. Naturally, there’s the requisite quote from the anonymous concerned intel official:

“This is a basic tool we used to have, and it’s now gone,” said one intelligence official familiar with the impasse. “Every day, every week that goes by, there’s just one more week of information that we’re not collecting. You sit there and say, ‘This is unbelievable that we have this gap.’”

I want to take claims like these with due gravity, but I can’t anymore.  Because we’ve heard them again and again over the past decade, and they’ve proven to be bogus every time.  We were told that the civil liberties restrictions built into pre-9/11 surveillance law kept the FBI from searching “20th hijacker” Zacarias Moussaoui’s laptop—but a bipartisan Senate panel found it wasn’t true. We were told limits on National Security Letters were FBI delaying agents seeking vital records in their investigations—but the delay turned out to have been manufactured by the FBI itself. Most recently, we were warned that the FISA Court had somehow imposed a requirement that a warrant be obtained in order to intercept purely foreign telephone calls that were traveling through U.S. wires.  Anyone who understood the FISA law realized that this couldn’t possibly be right—and as Justice Department officials finally admitted under pressure, that wasn’t true either.  But this time there’s a really real for serious “intelligence gap” and we’ll all be blown up by scary terrorists any minute if it’s not fixed?  Pull the other one.

That said, Republicans are claiming the problem requires a mere “technical fix” to FISA, so we should at least be able to get a rough sense of what the issue is, if Congress actually decides to act.  Democrats, by contrast, appear to think NSA can “address the court’s concerns without resorting to legislation.” The word “resort” here seems depressingly apt: They’ll ask for a legislative tweak if there’s absolutely no way to shoehorn what they want to do into the statute through clever lawyering in an ex parte proceeding in front of a highly deferential court, but it’s a last resort.

As for what the problem might be, I can think of a couple of possibilities off the top of my head.  A few years back, the FISA pen register provision was amended to effectively build into the legal order for a standard pen register, which records data about calls or e-mails made and received, language mirroring a legal demand for subscriber records known as a 2703(d) order in the criminal context.  Law enforcement routinely uses that combination of a 2703(d) plus a pen register to get location tracking information for cell phones. But the evidentiary standard for getting a 2703(d) order is (very) slightly higher than the standard for a pen register alone, and federal law prohibits the use of a pen register alone to gather location data. So there might be a question about whether FISA pen registers alone can be used for cell phone location tracking purposes.

Alternatively, given that Internet communications aren’t just “metadata” and “content” but rather a whole series of layers containing different types of information, there could be a question about just how far down “metadata” goes. This might be especially tricky for protocols where quite a lot of information about the content of the communication—which is supposed to require a full probable cause warrant—can be gleaned from sophisticated analysis of the size and timing of packets in the stream.

These are, of course, blind guesses.  What’s disturbing is how much blind guessing the FISA court itself may be doing.  The new hiatus, the Post tells us via an anonymous source, came about when the FISA Court “got a little bit more of an understanding”of what the NSA was up to. Their enhanced understanding concerns data that NSA has been getting with the court’s approval for “several years,” according to the Post. And there you have the real “intelligence gap” in modern surveillance: We have a Court going through a pantomime of oversight over thousands of highly technologically sophisticated interception programs, but it may take a few years for them to really understand what they’ve been signing off on.

We’ll understand still less about the rationale for any “technical fix” to FISA that Congress might approve, if they deign to go that route. But we’ll be reassured that it’s very important, necessary to keep us safe from the terrorist hordes, and nothing worth bothering our pretty heads about.

State Secrets, Courts, and NSA’s Illegal Wiretapping

As Tim Lynch notes, Judge Vaughn Walker has ruled in favor of the now-defunct Al-Haramain Islamic Foundation—unique among the many litigants who have tried to challenge the Bush-era program of warrantless wiretapping by the National Security Agency because they actually had evidence, in the form of a document accidentally delivered to foundation lawyers by the government itself, that their personnel had been targeted for eavesdropping.

Other efforts to get a court to review the program’s legality had been caught in a kind of catch-22: Plaintiffs who merely feared that their calls might be subject to NSA filtering and interception lacked standing to sue, because they couldn’t show a specific, concrete injury resulting from the program.

But, of course, information about exactly who has been wiretapped is a closely guarded state secret. So closely guarded, in fact, that the Justice Department was able to force the return of the document that exposed the wiretapping of Al-Haramain, and then get it barred from the court’s consideration as a “secret” even after it had been disclosed. (Contrast, incidentally, the Supreme Court’s jurisprudence on individual privacy rights, which often denies any legitimate expectation of privacy in information once revealed to a third party.) Al-Haramain finally prevailed because they were ultimately able to assemble evidence from the public record showing they’d been wiretapped, and the government declined to produce anything resembling a warrant for that surveillance.

If you read over the actual opinion, however it may seem a little anticlimactic—as though something is missing. The ruling concludes that there’s prima facie evidence that Al-Haramain and their lawyers were wiretapped, that the government has failed to produce a warrant, and that this violates the Foreign Intelligence Surveillance Act. But of course, there was never any question about that. Not even the most strident apologists for the NSA program denied that it contravened FISA; rather, they offered a series of rationalizations for why the president was entitled to disregard a federal statute.

There was the John Yoo argument that the president essentially becomes omnipotent during wartime, and that if we can shoot Taliban on a foreign battlefield, surely we can wiretap Americans at home if they seem vaguely Taliban-ish. Even under Bush, the Office of Legal Counsel soon backed away from such… creative… lines of argument. Instead, they relied on the post-9/11 Authorization for the Use of Military Force (AUMF) against al-Qaeda, claiming it had implicitly created a loophole in the FISA law. It was David Kris, now head of DOJ’s National Security Division, who most decisively blew that one out of the water, concluding that it was “essentially impossible” to sustain the government’s reading of the AUMF.

Yet you’ll note that none of these issues arise in Walker’s opinion, because the DOJ, in effect, refused to play. They resisted the court at every step, insisting that a program discussed at length on the front pages of newspapers for years now was so very secret that no aspect of it could be discussed even in a closed setting. They continued to insist on this in the face of repeated court rulings to the contrary. So while Al-Haramain has prevailed, there’s no ruling on the validity of any of those arguments. That’s why I think Marcy Wheeler is probably correct when she predicts that the government will simply take its lumps and pay damages rather than risk an appeal. For one, while Obama administration has been happy to invoke state secrecy as vigorously as its predecessor, it would obviously be somewhat embarrassing for Obama’s DOJ to parrot Bush’s substantive claims of near-limitless executive power. Perhaps more to the point, though, some of those legal arguments may still be operative in secret OLC memos. The FISA Amendments Act aimed to put the unlawful Bush program under court supervision, and even reasserted FISA’s language establishing it as the “exclusive means” for electronic surveillance, which would seem to drive a final stake in the heart of any argument based on the AUMF. But we ultimately don’t know what legal rationales they still consider operative, and it would surely be awkward to have an appellate court knock the legs out from under some of these secret memoranda.

None of this is to deny that the ruling is a big deal—if nothing else because it suggests that the government does not enjoy total carte blanche to shield lawbreaking from review with broad, bald assertions of privilege. But I also know that civil libertarians had hoped that the courts might be the only path to a more full accounting of—and accountability for—the domestic spying program. If the upshot of this is simply that the government must pay a few tens, or even hundreds of thousands of dollars in damages, it’s hard not to see the victory as something of a disappointment.

The Census Meets the Patriot Act

The Washington Post reports that the Justice Department recently sent out a letter to the chairs of the Asian Pacific, black, and Hispanic caucuses in Congress, reassuring them that the Patriot Act’s expansion of information-gathering powers, including the controversial Section 215, does not override federal statutes guaranteeing the confidentiality of census data.  DOJ’s view, according to Assistant Attorney General Ronald Weich, is that “if Congress intended to override these protections, it would say so clearly and explicitly.”

Section 215, recall, is colloquially referred to as the “business records” provision of Patriot, though in fact it permits investigators to obtain “any tangible thing” from a designated person or entity by obtaining an order from the secret FISA court, subject only to a showing that the records sought are “relevant” to a national security investigation. As Weich observes, §215 does not contain the “notwithstanding any other law” language present in other parts of the Foreign Intelligence Surveillance Act, which means that it cannot be presumed on face to override other federal privacy statues establishing a higher degree of protection for specific categories of sensitive records. 

What’s interesting to me, however, is that a similar issue arose several years ago, not with respect to the census confidentiality statute, but rather the Family Educational Rights and Privacy Act (aka FERPA, aka the Buckley Amendment). Initially, DOJ attorneys similarly opted not to seek education records under §215 on the grounds that the FISA court might conclude FERPA trumped Patriot in the absence of language giving §215 explicit priority, as the Office of the Inspector General’s initial report on the use of §215 explains. Nevertheless, the Counsel for Intelligence Policy told OIG that his office “would have been willing to present an application to the FISA court for educational records if the FBI considered the information important enough and wanted to press the issue with the FISA Court.” 

Subsequent amendments to the statute alleviated those concerns:

According to [National Secrity Law Branch] and [Office of Intelligence Policy and Review] attorneys, this legal impediment to obtaining educational records has been addressed.  Section 106(a)(2) of the Reauthorization Act amended FISA by ading 50 U.S.C. §1861(a)(3), which specifically addresses educational, medical, tax and other sensitive categories of business records.  The amendment provided that when the FBI is requesting such items, the request must be personally approved by the FBI Director, the FBI Deputy Director, or the Executive Assistant Director for National Security. According to several NSLB and OPPR attorneys we interviewed, because this provision clarifies that educational records are obtainable through the use of a Section 215 order, the non-disclosure provisions of Section 215 apply rather than the notification provisions of the Buckley Amendment.

Census records, of course, are not mentioned, and the statutory language protecting those records from legal process is unusually strong and unqualified. On the other hand, neither does the amended language explicitly override the federal statutes protecting the specified categories of records. Rather, it adds a layer of oversight for several types of requests that are implied to fall within the scope of §215. Indeed, at the time, this portion of the Reauthorization Act was publicly portrayed as increasing protections for sensitive records.

That, at any rate, was the spin the Congressional Research Service gave it. Based on OIG’s account, it sounds as though a reform that had been painted as a concession to civil libertarians actually allowed the acquisition of those sensitive records for the first time, since they’d previously been regarded as off-limits by statute. So I suppose we should be glad they didn’t decide to simultaneously “enhance” the safeguards on census records.

Of course, that doesn’t mean it’s necessarily impossible for those records to ever be obtained via a §215 order. As Weich’s letter clearly says, the Census Act prohibits “the Commerce Secretary and other covered individuals from disclosing protected census information.” But as the Supreme Court clarified in St. Regis Paper v. United States, that confidentiality requirement is only binding on specific covered individuals.  If the government is able to get its hands on a copy of a census record by serving some non-covered individual, the record itself is not off limits.

Since I know approximately nothing about the fine points of record handling protocol within the Census Bureau, I can’t really say how much of a practical difference that makes. Still, given that we’ve seen statutory records protections effectively stripped away under the guise of enhancing those protections, I think it’s reasonable to infer that census records will be considered fair game under §215 if they can be obtained from a source other than the designated officials.