Tag: surveillance

School Laptop Spycams Took 56,000 Pictures

Last week, I wrote that we’d learned that the Lower Merion School District may have gathered many more photos of more students than had previously been revealed. Now, the Philadelphia Inquirer has put a number on it: A security program installed on laptops assigned to students captured 56,000 images over the course of two years, including screenshots (showing programs in use and private messages being sent) and surreptitious webcam photos of students at home.

Many of these images, it should be noted at the outset, do appear to have come from laptops that really had been stolen. Almost two-thirds of the total came from six laptops that had been stolen from a high school gym, and which kept transmitting for  almost six months, though even there it’s a close question whether a warrant should have been obtained. (Why it took six months to recover the laptops with an active security program running is a good question for another time.) But many of those pictures seem much harder to justify:

[I]n at least five instances, school employees let the Web cams keep clicking for days or weeks after students found their missing laptops, according to the review. Those computers - programmed to snap a photo and capture a screen shot every 15 minutes when the machine was on - fired nearly 13,000 images back to the school district servers.

Emphasis added. The district also says it only once activated the tracking program because a student had not paid the $55 insurance fee required before taking a laptop home. Blake Robbins, the student whose lawsuit brought the story to national attention, says that one case was his.  That raises obvious questions about whether school officials might have exercised their discretion to activate the tracking program more readily in the case of particular students. The activation procedure itself hardly imbues one with great confidence: Apparently 10 school officials had the authority to request laptop tracking, which they might do with a simple informal e-mail.

Just turn this over in your head for a moment. You’ve got ten different administrators—and in practice, the network techs themselves—able to turn a child’s home laptop into a remote surveillance camera just by sending an e-mail reporting that a laptop is missing, or that a fee didn’t get paid on time. The laptop can take thousands of photos over the course of days or weeks, with neither parents nor students any the wiser until a scandal forces closer scrutiny. If Robbins hadn’t been confronted, or if administrators had made a point of deleting these pictures of children at home rather than keeping them lying around in storage indefinitely, there’s no reason to think anyone would ever have known.  How many tens of thousands of parents have kids in one-to-one school laptop programs now? What don’t they know?

The Latest ‘Intelligence Gap’

Stop me if you think you’ve heard this one before. The Washington Post reports that the National Security Agency has halted domestic collection of some type of communications metadata—the details are predictably fuzzy, though I’ve got a guess—in order to allay the concerns of the secret FISA Court that the NSA’s activity might not be technically permissible under the Foreign Intelligence Surveillance Act. Naturally, there’s the requisite quote from the anonymous concerned intel official:

“This is a basic tool we used to have, and it’s now gone,” said one intelligence official familiar with the impasse. “Every day, every week that goes by, there’s just one more week of information that we’re not collecting. You sit there and say, ‘This is unbelievable that we have this gap.’”

I want to take claims like these with due gravity, but I can’t anymore.  Because we’ve heard them again and again over the past decade, and they’ve proven to be bogus every time.  We were told that the civil liberties restrictions built into pre-9/11 surveillance law kept the FBI from searching “20th hijacker” Zacarias Moussaoui’s laptop—but a bipartisan Senate panel found it wasn’t true. We were told limits on National Security Letters were FBI delaying agents seeking vital records in their investigations—but the delay turned out to have been manufactured by the FBI itself. Most recently, we were warned that the FISA Court had somehow imposed a requirement that a warrant be obtained in order to intercept purely foreign telephone calls that were traveling through U.S. wires.  Anyone who understood the FISA law realized that this couldn’t possibly be right—and as Justice Department officials finally admitted under pressure, that wasn’t true either.  But this time there’s a really real for serious “intelligence gap” and we’ll all be blown up by scary terrorists any minute if it’s not fixed?  Pull the other one.

That said, Republicans are claiming the problem requires a mere “technical fix” to FISA, so we should at least be able to get a rough sense of what the issue is, if Congress actually decides to act.  Democrats, by contrast, appear to think NSA can “address the court’s concerns without resorting to legislation.” The word “resort” here seems depressingly apt: They’ll ask for a legislative tweak if there’s absolutely no way to shoehorn what they want to do into the statute through clever lawyering in an ex parte proceeding in front of a highly deferential court, but it’s a last resort.

As for what the problem might be, I can think of a couple of possibilities off the top of my head.  A few years back, the FISA pen register provision was amended to effectively build into the legal order for a standard pen register, which records data about calls or e-mails made and received, language mirroring a legal demand for subscriber records known as a 2703(d) order in the criminal context.  Law enforcement routinely uses that combination of a 2703(d) plus a pen register to get location tracking information for cell phones. But the evidentiary standard for getting a 2703(d) order is (very) slightly higher than the standard for a pen register alone, and federal law prohibits the use of a pen register alone to gather location data. So there might be a question about whether FISA pen registers alone can be used for cell phone location tracking purposes.

Alternatively, given that Internet communications aren’t just “metadata” and “content” but rather a whole series of layers containing different types of information, there could be a question about just how far down “metadata” goes. This might be especially tricky for protocols where quite a lot of information about the content of the communication—which is supposed to require a full probable cause warrant—can be gleaned from sophisticated analysis of the size and timing of packets in the stream.

These are, of course, blind guesses.  What’s disturbing is how much blind guessing the FISA court itself may be doing.  The new hiatus, the Post tells us via an anonymous source, came about when the FISA Court “got a little bit more of an understanding”of what the NSA was up to. Their enhanced understanding concerns data that NSA has been getting with the court’s approval for “several years,” according to the Post. And there you have the real “intelligence gap” in modern surveillance: We have a Court going through a pantomime of oversight over thousands of highly technologically sophisticated interception programs, but it may take a few years for them to really understand what they’ve been signing off on.

We’ll understand still less about the rationale for any “technical fix” to FISA that Congress might approve, if they deign to go that route. But we’ll be reassured that it’s very important, necessary to keep us safe from the terrorist hordes, and nothing worth bothering our pretty heads about.

Accountability for ‘Exigent Letter’ Abuse At Last?

It is more than three years since the Office of the Inspector General first brought public attention to the FBI’s systematic misuse of the National Security Letter statutes to issue fictitious “exigent letters” and obtain telecommunications records without due process. Nobody at the Bureau has been fined, or even disciplined, for  this systematic lawbreaking and the efforts to conceal it. But the bipartisan outrage expressed at a subcommittee hearing of the House Judiciary Committee this morning hints that Congress may be running out of patience—and looking for some highly-placed heads to roll. Just to refresh, Committee Chairman John Conyers summarized the main abuses in an opening statement:

The IG found that more than 700 times, such information was obtained about more than 2,000 phone numbers by so-called“exigent letters” from FBI personnel. In some cases, the IG concluded, FBI agents sent the letters even though they believed that factual information in the letters was false. For more than 3,500 phone numbers, the call information was extracted without even a letter, but instead by e‐mail, requests on a post‐it note, or “sneak peaks” of telephone company computer screens or other records…. In one case, the FBI actually obtained phone records of Washington Post and New York Times reporters and kept them in a database, leading to an IG conclusion of “serious abuse” of FBI authority and an FBI public apology.

It’s probably actually worse than that: Since these letters often requested a “community of interest” analysis for targeted numbers, the privacy of many people beyond the nominal targets may have been implicated—though it’s hard to be sure, since the IG report redacts almost all details about this CoI mapping.

And as Rep. Jerry Nadler pointed out, the IG report suggests a “clear pattern here of deliberate evasion,” rather than the innocent oversight the Bureau keeps pleading.  Both Nadler and the Republican ex-chair of the committee, Rep. James Sensenbrenner, expressed frustration at their sense that, when the FBI had failed to win legislative approval for all the powers on its wish list, it had simply ignored lawful process, seizing by fiat what Congress had refused to grant. Sensenbrenner, one of the authors of the Patriot Act, even declared that he felt “betrayed.” But we’ve heard similar rhetoric before. It was the following suggestion from Conyers (from my notes, but pretty near verbatim) that really raised an eyebrow:

There must be further investigation as to who and why and how somebody in the Federal Bureau of Investigation could invent a practice and have allowed it to have gone on for three consecutive years.  I propose and hope that this committee and its leadership will join me, because I think there may be grounds for removal of the general counsel of the FBI.

That would be Valerie Caproni, one of the hearing’s two witnesses, and an executive-level official whose dismissal would be the first hint of an administration response commensurate with the gravity of the violations that occurred. Caproni’s testimony, consistent with previous performances, was an awkward effort to simultaneously minimize the seriousness of FBI’s abuses—she is fond of saying “flawed” when le mot juste is “illegal”—and also to assure legislators that the Bureau was treating it with the utmost seriousness already. Sensenbrenner appeared unpersuaded, at one point barking in obvious irritation: “I don’t think you’re getting the message; will you get the message today?” The Republican also seemed to indirectly echo Conyers’ warning, declaring himself “not unsympathetic” to the incredulous chairman’s indictment of her office. Of course, the FBI has it’s own Office of Professional Responsibility which is supposed to be in charge of holding agents and officials accountable for malfeasance, but apparently the wheels there are still grinding along.

It’s also worth noting that Inspector General Glenn Fine, who also testified, specifically urged Congress to look into a secret memo issued in January by the Office of Legal Counsel, apparently deploying some novel legal theory to conclude that many of the call records obtained by the FBI were not covered by federal privacy statutes after all. This stood out just because my impression is that OIG usually limits itself to straight reporting and leaves it to Congress to judge what merits investigation, suggesting heightened concern about the potential scope of the ruling, despite FBI’s pledge not to avail itself of this novel legal logic without apprising its oversight committees. Alas, the details here are classified, but Caproni did at one point in her testimony conclude that “disclosure of approximately half of the records at issue was not forbidden by ECPA and/or was
connected to a clear emergency situation.”  There were 4,400 improperly obtained “records at issue” in the FBI’s internal review, of which about 150 were ultimately retained on the grounds that they would have qualified for the emergency exception in the Electronic Communications Privacy Act.  Since that tally didn’t include qualifying records for which legitimate process had nevertheless been issued at some point, the number of “real” emergencies is probably slightly higher, but that still suggests that the “half” Caproni alludes to are mostly in the “disclosure…not forbidden by ECPA” category.  Since ECPA is fairly comprehensive when it comes to telecom subscriber records—or at least, so we all thought until recently—we have to assume she means that these are the types of records the OLC opinion has removed from FISA’s protection. If those inferences are correct, and the new OLC exception covers nearly half of the call detail records FBI obtains, that would not constitute a “loophole” in federal electronic privacy law so much as its evisceration.

Of course, it’s possible that the specific nature of the exception would allay civil libertarian fears. What’s really intolerable in a democratic society is that we don’t know. Operational facts about specific investigations, and even specific investigatory techniques, are rightly classified. But an interpretation of a public statute so significant as to potentially halve its apparent protections cannot be kept secret without making a farce of the rule of law.

State Secrets, Courts, and NSA’s Illegal Wiretapping

As Tim Lynch notes, Judge Vaughn Walker has ruled in favor of the now-defunct Al-Haramain Islamic Foundation—unique among the many litigants who have tried to challenge the Bush-era program of warrantless wiretapping by the National Security Agency because they actually had evidence, in the form of a document accidentally delivered to foundation lawyers by the government itself, that their personnel had been targeted for eavesdropping.

Other efforts to get a court to review the program’s legality had been caught in a kind of catch-22: Plaintiffs who merely feared that their calls might be subject to NSA filtering and interception lacked standing to sue, because they couldn’t show a specific, concrete injury resulting from the program.

But, of course, information about exactly who has been wiretapped is a closely guarded state secret. So closely guarded, in fact, that the Justice Department was able to force the return of the document that exposed the wiretapping of Al-Haramain, and then get it barred from the court’s consideration as a “secret” even after it had been disclosed. (Contrast, incidentally, the Supreme Court’s jurisprudence on individual privacy rights, which often denies any legitimate expectation of privacy in information once revealed to a third party.) Al-Haramain finally prevailed because they were ultimately able to assemble evidence from the public record showing they’d been wiretapped, and the government declined to produce anything resembling a warrant for that surveillance.

If you read over the actual opinion, however it may seem a little anticlimactic—as though something is missing. The ruling concludes that there’s prima facie evidence that Al-Haramain and their lawyers were wiretapped, that the government has failed to produce a warrant, and that this violates the Foreign Intelligence Surveillance Act. But of course, there was never any question about that. Not even the most strident apologists for the NSA program denied that it contravened FISA; rather, they offered a series of rationalizations for why the president was entitled to disregard a federal statute.

There was the John Yoo argument that the president essentially becomes omnipotent during wartime, and that if we can shoot Taliban on a foreign battlefield, surely we can wiretap Americans at home if they seem vaguely Taliban-ish. Even under Bush, the Office of Legal Counsel soon backed away from such… creative… lines of argument. Instead, they relied on the post-9/11 Authorization for the Use of Military Force (AUMF) against al-Qaeda, claiming it had implicitly created a loophole in the FISA law. It was David Kris, now head of DOJ’s National Security Division, who most decisively blew that one out of the water, concluding that it was “essentially impossible” to sustain the government’s reading of the AUMF.

Yet you’ll note that none of these issues arise in Walker’s opinion, because the DOJ, in effect, refused to play. They resisted the court at every step, insisting that a program discussed at length on the front pages of newspapers for years now was so very secret that no aspect of it could be discussed even in a closed setting. They continued to insist on this in the face of repeated court rulings to the contrary. So while Al-Haramain has prevailed, there’s no ruling on the validity of any of those arguments. That’s why I think Marcy Wheeler is probably correct when she predicts that the government will simply take its lumps and pay damages rather than risk an appeal. For one, while Obama administration has been happy to invoke state secrecy as vigorously as its predecessor, it would obviously be somewhat embarrassing for Obama’s DOJ to parrot Bush’s substantive claims of near-limitless executive power. Perhaps more to the point, though, some of those legal arguments may still be operative in secret OLC memos. The FISA Amendments Act aimed to put the unlawful Bush program under court supervision, and even reasserted FISA’s language establishing it as the “exclusive means” for electronic surveillance, which would seem to drive a final stake in the heart of any argument based on the AUMF. But we ultimately don’t know what legal rationales they still consider operative, and it would surely be awkward to have an appellate court knock the legs out from under some of these secret memoranda.

None of this is to deny that the ruling is a big deal—if nothing else because it suggests that the government does not enjoy total carte blanche to shield lawbreaking from review with broad, bald assertions of privilege. But I also know that civil libertarians had hoped that the courts might be the only path to a more full accounting of—and accountability for—the domestic spying program. If the upshot of this is simply that the government must pay a few tens, or even hundreds of thousands of dollars in damages, it’s hard not to see the victory as something of a disappointment.

Every Time I Say “Terrorism,” the Patriot Act Gets More Awesome

Can I send Time magazine the bill for the new crack in my desk and the splinters in my forehead? Because their latest excretion on the case of Colleen “Jihad Jane” LaRose and its relation to Patriot Act surveillance powers is absolutely maddening:

The Justice Department won’t say whether provisions of the Patriot Act were used to investigate and charge Colleen LaRose. But the FBI and U.S. prosecutors who charged the 46-year-old woman from Pennsburg, Pa., on Tuesday with conspiring with terrorists and pledging to commit murder in the name of jihad could well have used the Patriot Act’s fast access to her cell-phone records, hotel bills and rental-car contracts as they tracked her movements and contacts last year. But even if the law’s provisions weren’t directly used against her, the arrest of the woman who allegedly used the moniker “Jihad Jane” is a boost for the Patriot Act, Administration officials and Capitol Hill Democrats say. That’s because revelations of her alleged plot may give credibility to calls for even greater investigative powers for the FBI and law enforcement, including Republican proposals to expand certain surveillance techniques that are currently limited to targeting foreigners.

Sadly, this is practically a genre resorted to by lazy writers whenever a domestic terror investigation is making headlines. It consists of indulging in a lot of fuzzy speculation about how the Patriot Act might have been crucial—for all we know!—to a successful  investigation, even when every shred of available public evidence suggests otherwise.  My favorite exemplar of this genre comes from a Fox News piece penned by journalist-impersonator Cristina Corbin after the capture of some Brooklyn bomb plotters last spring, with the bold headline: “Patriot Act Likely Helped Thwart NYC Terror Plot, Security Experts Say.” The actual article contains nothing to justify the headline: It quotes some lawyers saying vague positive things about the Patriot Act, then tries to explain how the law expanded surveillance powers, but mostly botches the basic facts.  From what we know thanks to the work of real reporters,  the initial tip and the key evidence in that case came from a human infiltrator who steered the plotters to locations that had been physically bugged, not new Patriot tools.

Of course, it may well be that National Security Letters or other Patriot powers were invoked at some point in this investigation—the question is whether there’s any good reason to suspect they made an important difference. And that seems highly dubious. LaRose’s indictment cites the content of private communications, which probably would have been obtained using a boring old probable cause warrant—and the standard for that is far higher than for a traditional pen/trap order, which would have enabled them to be getting much faster access to more comprehensive cell records. Maybe earlier on, then, when they were compiling the evidence for those tools?  But as several reports on the investigation have noted, “Jihad Jane” was being tracked online by a groups of anti-jihadi amateurs some three years ago. As a member of one group writes sarcastically on the site Jawa Report, the “super sekrit” surveillance tool they used to keep abreast of LaRose’s increasingly disturbing activities was… Google. I’m going to go out on a limb and say the FBI could’ve handled this one with pre-Patriot authority, and a fortiori with Patriot authority restrained by some common-sense civil liberties safeguards.

What’s a little more unusual is to see this segue into the kind of argument we usually see in the wake of an intelligence failure, where the case is then seen as self-evidently justifying still more intrusive surveillance powers, in this case the expansion of the “lone wolf” authority currently applicable only to foreigners, allowing extraordinarily broad and secretive FISA surveillance to be conducted against people with no actual ties to a terror group or other “foreign power.” Yet as Time itself notes:

In fact, Justice Department terrorism experts are privately unimpressed by LaRose. Hers was not a particularly threatening plot, they say, and she was not using any of the more challenging counter-surveillance measures that more experienced jihadis, let alone foreign intelligence agents, use.

Which, of course, is a big part of the reason we have a separate system for dealing with agents of foreign powers: They are typically trained in counterintelligence tradecraft with access to resources and networks far beyond those of ordinary nuts. What possible support can LaRose’s case provide for the proposition that these industrial-strength tools should now be turned on American citizens?  They caught her—and without much trouble, by the looks of it. Sure, this domestic nut may have invoked to Islamist ideology rather than the commands of Sam the Dog or anti-Semitic conspiracy theories… but so what? She’s still one more moderately dangerous unhinged American in a country that has its fair share, and has been dealing with them pretty well under the auspices of Title III for a good while now.

Patriot Act Update

It looks as though we’ll be getting a straight one-year reauthorization of the expiring provisions of the Patriot Act, without even the minimal added safeguards for privacy and civil liberties that had been proposed in the Senate’s watered down bill.  This is disappointing, but was also eminently predictable: Between health care and the economy, it was clear Congress wasn’t going to make time for any real debate on substantive reform of surveillance law. Still, the fact that the reauthorization is only for one year suggests that the reformers plan to give it another go—though, in all probability, we won’t see any action on this until after the midterm elections.

The silver lining here is that this creates a bit of breathing room, and means legislators may now have a chance to take account of the absolutely damning Inspector General’s report that found that the FBI repeatedly and systematically broke the law by exceeding its authorization to gather information about people’s telecommunications activities. It also means the debate need not be contaminated by the panic over the Fort Hood shootings or the failed Christmas bombing—neither of which have anything whatever to do with the specific provisions at issue here, but both of which would have doubtless been invoked ad nauseam anyway.