Tag: surveillance

FBI’s New Guidelines Further Loosen Constraints on Monitoring

The New York Times’s Charlie Savage reports that the FBI is preparing to release a new Domestic Investigations and Operations Guide (DIOG), further relaxing the rules governing the Bureau’s investigation of Americans who are not suspected of any wrongdoing.

This comes just three years after the last major revision of the FBI manual, which empowered agents to employ a broad range of investigative techniques in exploratory “assessments” of citizens or domestic groups, even in the absence of allegations or evidence of wrongdoing, which are needed to open an “investigation.” The FBI assured Congress that it would conduct intensive training, and test agents to ensure that they understood the limits of the new authority—but the Inspector General found irregularities suggestive of widespread cheating on those tests.

Agents can already do quite a bit even without opening an “assessment”: They can consult the government’s own massive (and ever-growing) databases, or search the public Internet for “open source” intelligence. If, however, they want to start digging through state and local law enforcement records, or plumb the vast quantities of information held by commercial data aggregators like LexisNexis or Acxiom, they currently do have to open an assessment. Again, that doesn’t mean they’ve got to have evidence—or even an allegation—that their target is doing anything illegal, but it does mean they’ve got to create a paper trail and identify a legitimate purpose for their inquiries. That’s not much of a limitation, to be sure, but it does provide a strong deterrent to casual misuse of those databases for personal reasons. That paper trail means an agent who might be tempted to use government resources for personal ends—to check up on an ex or a new neighbor—has good reason to think twice.

Removing that check means there will be a lot more digging around in databases without any formal record of why. Even though most of those searches will be legitimate, that makes the abuses more likely to get lost in the crowd. Indeed, a series of reports by the Inspector General’s Office finding “widespread and serious misuse” of National Security Letters, noted that lax recordkeeping made it extremely difficult to accurately gauge the seriousness of the abuses or their true extent—and, of course, to hold the responsible parties accountable. Moreover, the most recent of those reports strongly suggests that agents engaged in illegal use of so-called “exigent letters” resisted the introduction of new records systems precisely because they knew (or at least suspected) their methods weren’t quite kosher.

The new rules will also permit agents to rifle through a person’s garbage when conducting an “assessment” of someone they’d like to recruit as an informant or mole. The reason, according to the Times, is that “they want the ability to use information found in a subject’s trash to put pressure on that person to assist the government in the investigation of others.” Not keen on being dragooned into FBI service? Hope you don’t have anything embarrassing in your dumpster! Physical surveillance squads can only be assigned to a target once, for a limited time, in the course of an assessment under the current rules—that limit, too, falls by the wayside in the revised DIOG.

The Bureau characterizes the latest round of changes as “tweaks” to the most recent revisions. That probably understates the significance of some of the changes, but one reason it’s worrying to see another bundle of revisions so soon after the last overhaul is precisely that it’s awfully easy to slip a big aggregate change under the radar by breaking it up into a series of “tweaks.”

We’ve seen such a move already with respect to National Security Letters, which enable access to a wide array of sensitive financial, phone, and Internet records without a court order—as long as the information is deemed relevant to an “authorized investigation.” When Congress massively expanded the scope of these tools under the USA Patriot Act, legislators understood that to mean full investigations, which must be based on “specific facts” suggesting that a crime is being committed or that a threat to national security exists. Just two years later, the Attorney General’s guidelines were quietly changed to permit the use of NSLs during “preliminary” investigations, which need not meet that standard. Soon, more than half of the NSLs issued each year were used for such preliminary inquiries (though they aren’t available for mere “assessments”… yet).

The FBI, of course, prefers to emphasize all the restrictions that remain in place. We’ll probably have to wait a year or two to see which of those get “tweaked” away next.

Atlas Bugged: Why the “Secret Law” of the Patriot Act Is Probably About Location Tracking

Barack Obama’s AutoPen has signed another four-year extension of three Patriot Act powers, but one silver lining of this week’s lopsided battle over the law is that mainstream papers like The New York Times have finally started to take note of the growing number of senators who have raised an alarm over a “secret interpretation” of Patriot’s “business records” authority (aka Section 215). It would appear to be linked to a “sensitive collection program” referenced by a Justice Department official at hearings during the previous reauthorization debate—one that would be disrupted if 215 orders were restricted to the records of suspected terrorists, their associates, or their “activities” (e.g., large purchases of chemicals used to make bombs). Naturally, lots of people are starting to wonder just what this program, and the secret interpretation of the law that may be associated with it, are all about.

All we can do is speculate, of course: only a handful of legislators and people with top-secret clearances know for sure. But a few of us who closely monitor national security and surveillance issues have come to the same conclusion: it probably involves some form of cellular phone geolocation tracking, potentially on a large scale. The evidence for this is necessarily circumstantial, but I think it’s fairly persuasive when you add it all up.

First, a bit of background. The recent fiery floor speeches from Sens. Wyden and Udall are the first time widespread attention has been drawn to this issue—but it was actually first broached over a year ago, by Sen. Richard Durbin and then-Sen. Russ Feingold, as I point out in my new paper on Patriot surveillance. Back in 2005, language that would have required Section 215 business record orders to pertain to terror suspects, or their associates, or the “activities” of a terror group won the unanimous support of the Senate Judiciary Committee, though it was not ultimately included in the final reauthorization bill. Four years later, however, the Justice Department was warning that such a requirement would interfere with that “sensitive collection program.” As Durbin complained at the time:

The real reason for resisting this obvious, common-sense modification of Section 215 is unfortunately cloaked in secrecy. Some day that cloak will be lifted, and future generations will ask whether our actions today meet the test of a democratic society: transparency, accountability, and fidelity to the rule of law and our Constitution.

Those are three pretty broad categories of information—and it should raise a few eyebrows to learn that the Justice Department believes it routinely needs to get information outside its scope for counterterror investigations. Currently, any record asserted to be “relevant” to an investigation (a standard so low it’s barely a standard) is subject to Section 215, and records falling within those three categories enjoy a “presumption of relevance.” That means the judges on the secret Foreign Intelligence Surveillance Court lack discretion to evaluate for themselves whether such records are really relevant to an investigation; they must presume their relevance. With that in mind, consider that the most recent report to Congress on the use of these powers shows a record 96 uses of Section 215 in 2010, up from 22 the previous year. Perhaps most surprisingly though, the FISC saw fit to “modify” (which almost certainly means “narrow the scope of”) 42 of those orders. Since the court’s discretion is limited with respect to records of suspected terrorists and their associates, it seems probable that those “modifications” involved applications for orders that sweep more broadly. But why would such records be needed? Hold that thought.

Fast forward to this week. We hear Sen. Wyden warning that “When the American people find out how their government has secretly interpreted the Patriot Act, they will be stunned and they will be angry,” a warning echoed by Sen. Udall. We know that this surprising and disturbing interpretation concerns one of the three provisions that had been slated for sunset. Lone Wolf remains unused, so that’s out, leaving roving wiretaps and Section 215. In the context of remarks by Sens. Feingold and Durbin, and the emphasis recently placed on concerns about Section 215 by Sen. Udall, the business records provision seems like a safe bet. By its explicit terms, that authority is already quite broad: What strained secret interpretation of it could be surprising to both legislators and the general public, but also meet with the approval of the FISC and the Office of Legal Counsel?

For one possible answer, look to the criminal context, where the Department of Justice has developed a novel legal theory, known as the “hybrid theory,” according to which law enforcement may do some types of geolocation tracking of suspects’ cellular phones without obtaining a full-blown probable cause warrant. The “hybrid theory” involves fusing two very different types of surveillance authority. “Pen registers” allow the monitoring, in real time, of the communications “metadata” from phones or other communications devices (phone numbers dialed, IP addresses connected to). For cellular phones, that “metadata” would often make it possible to pinpoint at least approximately—and, increasingly, with a good deal of precision, especially in urban areas—the location of the user. Federal law, however, prohibits carriers from disclosing location information “solely” pursuant to a pen register order. Another type of authority, known as a 2703(d) order, is a bit like Patriot’s business records authority (though only for telecommunications providers), and is used to compel the production of historical (as opposed to real-time/prospective) records, without any exclusion on location information. The Justice Department’s novel theory—which I discussed at a recent Cato event with Sen. Wyden on geolocation tracking—is that by bundling these two authorities in a new kind of combination order, they can do real-time geolocation tracking without the need to obtain a full Fourth Amendment warrant based on probable cause. Many courts have been skeptical of this theory and rejected it—but at least some have gone along with this clever bit of legal origami. 

Using the broad business records power of Patriot’s Section 215 in a similar way, to enable physical tracking of anyone with a cellphone, would seem to fit the bill, then: certainly surprising and counterintuitive, not what most people think of when we talk about “obtaining business records,” but nevertheless a maneuver with a legal track record of convincing some courts.

Now, consider that Sen. Wyden has also recently developed a concern with the practice of mobile location tracking, which has become so popular that the U.S. Marshals Service, now the federal government’s most prolific (known) user of pen register orders, of which it issued over 6,000 last year, employs the “hybrid theory” to obtain location information by default with each such order. Wyden has introduced legislation that would establish standards for mobile location tracking, which has two surprising and notable features. First, while the location tracking known to the public all involves criminal investigations subject to the Electronic Communications Privacy Act (ECPA), that’s not where Wyden’s bill makes its primary modifications. Instead, the key amendments are made directly to the Foreign Intelligence Surveillance Act—which language is then incorporated by reference into ECPA. Second, even though one section establishes the “exclusive means” for geolocation tracking, the proposal goes out of its way to additionally modify the FISA pen register provision and the Section 215 business records provision to explicitly prohibit their use to obtain geolocation information—as though there is some special reason to worry about those provisions being used that way, requiring any possible ambiguity to be removed.

Sen. Udall, meanwhile, always uses the same two examples when he talks about his concerns regarding Section 215: he warns about “unfettered” government access to “business records ranging from a cell phone company’s phone records to an individual’s library history,” even when the records relate to people with no connection to terrorism.  The reference to libraries is no surprise, because the specter of Section 215 being used to probe people’s reading habits was raised so insistently by librarians that it became common to see it referenced as the “library provision.” The other example is awfully specific though: he singles out cell phone records, even though many types of sensitive phone records can already be obtained without judicial oversight using National Security Letters. But he doesn’t just say “phone records”—it’s cell phone records he’s especially concerned about. And where he talks about “an individual’s” library records, he doesn’t warn about access to “an individual’s” cell phone records, but rather the company’s records.  As in, the lot of them.

Tracking the location of suspected terrorists, and perhaps their known associates, might not seem so objectionable—though one could argue whether Section 215’s “relevance” standard was sufficient, or whether a full FISA electronic surveillance warrant (requiring a showing of probable cause) would be a more appropriate tool. But that kind of targeted tracking would not require broad access to records of people unconnected to terror suspects and their known associates, which is hinted at by both Sen. Udall’s remarks and the high rate of modifications imposed on Section 215 orders by the FISA court. Why might that be needed in the course of a geolocation tracking program?

For a possible answer, turn to the “LocInt” or “Location Intelligence” services marketed to U.S. law enforcement and national security clients by the firm TruePosition. Among the capabilities the company boasts for its software (drawn from both its site and a 2008 white paper the company sponsored) are:

● the ability to analyze location intelligence to detect suspicious behavioral patterns,
● the ability to mine historical mobile phone data to detect relationships between people, locations, and events,
● TruePosition LOCINT can mine location data to find out if the geoprofile of a prepaid phone matches the geoprofile of a potential threat and identify it as such, and
● leveraging location intelligence, officials can identify mobile phones of interest that frequently communicate with each other, or are within close proximity, making it easier to identify criminals and their associates. [Emphasis added.]

Certainly one can see how these functions might be useful: terrorists trained in counterintelligence tactics might seek to avoid surveillance, or identification of co-conspirators, by communicating only in person. Calling records would be useless for revealing physical meetings—but location records are another story. What these functions have in common, however, is that like any kind of data mining, they require access to a large pool of data, not just the records of a known suspect. You can find out who your suspect is phoning by looking at his phone records. But if you want to know who he’s in close physical proximity to—with unusual frequency, and most likely alone—you need to sift through everyone’s phone location records, or at any rate a whole lot of them.  The interesting thing is, it’s not obvious there’s any legal way to actually do all that: full-fledged electronic surveillance warrants would be a non-starter, since they require probable cause for each target. But clearly the company expects to be able to sell these capabilities to some government entity. The obvious candidate is the FBI, availing itself of the broad authority of Section 215—perhaps in combination with FISA pen registers when the tracking needs to happen in real time.

As a final note of interest, the Office of the Inspector General’s reports on National Security Letters contain numerous oblique references to “community of interest [REDACTED]” requests. Traditional “community of interest” analysis means looking at the pattern of communications of not just the primary suspect of an investigation, but their whole social circle—the people the suspect communicates with, and perhaps the people they in turn communicate with, and so on. Apparently the fact that the FBI does this sort of traditional CoI analysis is not considered secret, because that phrase remains unredacted. What, then, could that single omitted word be? One candidate that would fit in the available space is “location” or “geolocation”—meaning either location tracking of people called by the suspect or perhaps the use of location records to build a suspect’s “community of interest” by “identify[ing] mobile phones…within close proximity” to the suspects. The Inspector General reports cover the first few years following passage of the Patriot Act, before an opinion from the Office of Legal Counsel held that NSLs could not properly be used to obtain the full range of communications metadata the FBI had been getting under them. If NSLs had been used for location-tracking information prior to that 2008 opinion, it would likely have been necessary to rely on Section 215 past that point, which would fit the timeline.

Is all of that conclusive? Of course not; again, this is speculation. But a lot of data points fit, and it would be quite surprising if the geolocation capabilities increasingly being called upon for criminal investigations were not being used for intelligence purposes. If they are, Section 215 is the natural mechanism.

Even if I’m completely wrong, however, the larger point remains: while intelligence operations must remain secret, a free and democratic society is not supposed to be governed by secret laws—and substantive judicial interpretations are no less a part of “the law” than the text of statutes. Whatever power the government has arrogated to itself by an “innovative” interpretation of the Patriot Act, it should be up to a free citizenry to consider the case for it, determine whether it is so vital to security as to justify the intrusion on privacy, and hold their representatives accountable accordingly. Instead, Congress has essentially voted blind—reauthorizing powers that even legislators, let alone the public, do not truly understand. Whether it’s location tracking or something else, this is fundamentally incompatible with the preconditions of both democracy and a free society.

Want Privacy? Increase Government Surveillance!

This morning, the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law had a hearing entitled: “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy.”

Among the witnesses was Deputy Assistant Attorney General Jason Weinstein from the Department of Justice’s Criminal Division. Weinstein made a gallingly Orwellian pitch: If you want privacy protection, increase government surveillance.

From his written statement:

ISPs may choose not to store IP records, may adopt a network architecture that frustrates their ability to track IP assignments and network transactions back to a specific account or device, or may store records for only a very short period of time. In many cases, these records are the only evidence that allows us to investigate and assign culpability for crimes committed on the Internet. In 2006, forty-nine Attorneys General wrote to Congress to express “grave concern” about “the problem of insufficient data retention policies by Internet Service Providers.”

Without more customer data retention by ISPs, and without greater government access to this data, the government won’t be able to prosecute crimes, some of which threaten privacy, Weinstein said in his spoken comments.

So there you have it. Turn more data over to the government so we can protect your privacy. War is peace. Freedom is slavery.

Surveillance, San Francisco-Style

San Francisco’s Entertainment Commission will soon be considering a jaw-dropping attack on privacy and free assembly. Here are some of the rules the Commission may adopt for any gathering of people expected to reach 100 or more:

3. All occupants of the premises shall be ID Scanned (including patrons, promoters, and performers, etc.). ID scanning data shall be maintained on a data storage system for no less than 15 days and shall be made available to local law enforcement upon request.

4. High visibility cameras shall be located at each entrance and exit point of the premises. Said cameras shall maintain a recorded data base for no less than fifteen (15 days) and made available to local law enforcement upon request.

Would you recognize a police state if you lived in one? How about a police city? The First Amendment right to peaceably assemble takes a big step back when your identity data and appearance are captured for law enforcement to use at whim simply because you showed up. (ht: PrivacyActivism.org)

How Many 215 Orders?

There was an interesting exchange during a Senate Intelligence Committee hearing yesterday concerning the use of the Patriot Act’s §215 orders for business records and other tangible things. FBI Director Robert Mueller hinted that the orders may have been used to track purchases of hydrogen peroxide in the investigation of aspiring bomber Najibullah Zazi, while Sen. Ron Wyden (D-Oreg.) asserted that there is “a huge gap today between how you all are interpreting the PATRIOT Act and what the American people think the PATRIOT Act is all about and it’s going to need to be resolved.”

Let’s leave our curiosity about that by the wayside for the moment, though. I’m curious about one simple empirical claim Mueller made in his testimony: That the provision has been used over 380 times since 2001. I assume he’d know, but that seems inconsistent with what’s been publicly reported to date. It’s worth noting that there are actually minor discrepancies between the numbers provided in Congressional Research Service reports, audits from the Office of the Inspector General, and the Justice Department’s annual reports to Congress. But there are plenty of legitimate reasons these numbers might vary depending on how you count, and the total variance is a difference of about 17 orders total over the years.

We know from those Inspector General reports that the majority of those 215 orders issued were “combination” orders issued in tandem with another type of surveillance order called a “pen register” so that investigators could get subscriber information about the people whose communications patterns they were tracking. When Congress amended the Patriot Act in 2006, it built that authority right into the pen register statute, making it unnecessary to seek those “combination” orders. Prior to the amendment, the government got 173 of those “combination” orders. “Pure” 215 orders, which are now the only type needed, have been used much more sparingly. None were issued at all until 2004, and from 2004 through 2009 (depending on whose tally you want to use) there were between 75 and 92 orders issued (for an average of 12–15 annually since 2004). Throw in the combination orders and the upper-bound number through the end of 2009 is 265 orders.

Unless I’ve miscounted or missed something significant—you can get the reports at the links above and check my math—that leaves 115 orders unaccounted for, assuming Mueller’s number is accurate. There are two possibilities, then: Either the government got ten times as many orders in 2010 as the historical average (the figures should be out sometime in April) or there are a whole lot of these missing from the public reporting. Possibly these have something to do with the “sensitive collection program” in which these orders play a key role, alluded to in a Justice Department official’s testimony at a hearing during the 2009 reauthorization debate. Either alternative seems like it would merit additional scrutiny. I sent an e-mail seeking clarification this morning to some of the experts at the Congressional Research Service responsible for keeping legislators informed on these issues, but haven’t yet heard back.

I’m not belaboring this because it’s inherently hugely significant whether the government has used this authority 265 times or 380. Ideally, in the coming months we’ll see a substantial narrowing of National Security Letter authority, which would predictably lead to a large increase in the number of 215 orders issued. And that would be entirely proper, since it would mean more information being sought pursuant to a judicial order rather than FBI fiat. What I do think is significant, however, is that this reminds us how little we know—and how little the vast majority of legislators know—about the use of these powers. In contrast with criminal investigative tools, these powers are entirely covert: People whose records are swept up by the government almost never learn about it, and the recipients of the orders are subject to an effectively permanent gag on speaking about them. Rulings of the secret FISA Court interpreting the scope of these authorities are never made public. Our assurance that they have been or will continue to be used properly rests entirely on the minimal required reporting to Congress and the findings of internal audits. And yet it’s hard to pin down the facts on even this most elementary factual question about 215 orders: How many times have they been used?

Despite this, we have legislators confident enough that these expanded powers are both so necessary and so well controlled that they’re advocating making them permanent. I wish I were as confident.

Patriot Act Extension Runs Into Conservative Opposition

Reports the Los Angeles Times:

A House GOP push to permanently extend expiring provisions of the Patriot Act is running into opposition from conservative and “tea party”-inspired lawmakers wary of the law’s reach into private affairs.

Congress has made a practice of kicking the Patriot Act can down the road, but it could be that the new crop of legislators isn’t inclined to go along.

Julian Sanchez has blogged here about the complexities of this government surveillance law. His podcast on the topic, released yesterday, is titled “The Patriot Act Sneaks to Renewal.” Maybe it can’t sneak through after all…

Is a U.S. Company Assisting Egyptian Surveillance?

Boeing subsidiary Narus reports on its Web site that it “protects and manages” a number of worldwide networks, including that of Egypt Telecom. A recent IT World article entitled “Narus Develops a Scary Sleuth for Social Media” reported on a Narus product called Hone last year:

Hone will sift through millions of profiles searching for people with similar attributes — blogger profiles that share the same e-mail address, for example. It can look for statistically likely matches, by studying things like the gender, nationality, age, location, home and work addresses of people. Another component can trace the location of someone using a mobile device such as a laptop or phone.

Media advocate Tim Karr reports that “Narus provides Egypt Telecom with Deep Packet Inspection equipment (DPI), a content-filtering technology that allows network managers to inspect, track and target content from users of the Internet and mobile phones, as it passes through routers on the information superhighway.”

It’s very hard to know how Narus’s technology was used in Egypt before the country pulled the plug on its Internet connectivity, or how it’s being used now. Narus is declining comment.

So what’s to be done?

Narus and its parent, the Boeing Company, have no right to their business with the U.S. government. On our behalf, Congress is entitled to ask about Narus’s/Boeing’s assistance to the Mubarak regime in Egypt. If contractors were required to refrain from assisting authoritarian governments’ surveillance as a condition of doing business with the U.S. government, that seems like the most direct way to dissuade them from providing top-notch technology capabilities to regimes on the wrong side of history.

Of course, decades of U.S. entanglement in the Middle East have created the circumstance where an authoritarian government has been an official “friend.” Until a few weeks ago, U.S. unity with the Mubarak regime probably had our government indulging Egypt’s characterization of political opponents as “terrorists and criminals.” It shouldn’t be in retrospect that we learn how costly these entangling alliances really are.

Chris Preble made a similar point ably on the National Interest blog last week:

We should step back and consider that our close relationship with Mubarak over the years created a vicious cycle, one that inclined us to cling tighter and tighter to him as opposition to him grew. And as the relationship deepened, U.S. policy seems to have become nearly paralyzed by the fear that the building anger at Mubarak’s regime would inevitably be directed at us.

We can’t undo our past policies of cozying up to foreign autocrats (the problem extends well beyond Egypt) over the years. And we won’t make things right by simply shifting — or doubling or tripling — U.S. foreign aid to a new leader. We should instead be open to the idea that an arms-length relationship might be the best one of all.