Tag Archives: Patriot Act

Oh What a Tangled Web Spies Weave

After the 9-11 attacks on the World Trade Center Twin Towers, the Pentagon and Shanksville, PA, Congress quickly, and without much discussion, passed the Patriot Act, the single biggest spying operation likely ever. Under the Patriot Act, the government was able to collect information on Internet traffic, mostly of foreigners. The amount of data that they collected and are collecting is staggering, forcing the NSA to build a huge new data center in the Utah desert.

The law was supposed to expire in 4 years, but Congress has renewed the act twice, once under President Bush and once under President Obama. A couple of parts were allowed to expire and a few tweaks have been made to the law, but basically it continues to operate. Parts of the act were due to expire on December 31, 2019, but Congress snuck a three month extension to the parts that were due to expire into the recently passed government funding bill, so as to give Congress more time to discuss it. In general, this is probably a good idea, but sneaking it into another bill, a popular habit of Congress when they think their votes might attract undue attention, is something that I am not so fond of.

One section that is due to expire is Section 702, which allows for bulk data collection.  Actually it is metadata – information like WHO you are calling, when and for how long, but NOT the actual conversation.

In theory, the FBI is only supposed to access this data in cases of terrorism or suspected terrorism, but in their excitement over a new data source, they accessed it at least tens of thousands of times in cases that had nothing to do with terrorism.

A federal court ruled that the way the FBI was using this database was likely unconstitutional, but they did not make them stop it. What they did say is that you need to do a better job of creating paperwork to justify and document what you are doing. This involved a case of a US citizen who was jailed for and admitted to giving material support to a terrorist organization – someone who would not generate a lot of sympathy.

Still, it is useful to shed some light on the inner workings of the government.  The appeals court said that gathering the data under section 215 was likely legal, but using that data to obtain information on a US citizen without a warrant is a no-no.  This aligns the court with two recent Supreme Court decisions on the subject of privacy.

The interesting thing is that, apparently, it is pretty difficult for the NSA to collect data only on foreigners, so difficult that last year they had to purge the entire database and right now, the NSA says that they don’t need or want this ability any more.

However, the Director of National Intelligence, a role whose fundamental job is to collect and analyze as much data as is possible, says not only should Congress renew it, but they should make it permanent so they don’t have to justify it every 4 or 5 years. See details here.

We are likely to hear more about this in the next couple of months, so if privacy and government spying is an issue that is important to you, then becoming educated and communicating with your elected officials is something you should do.

FISA Court Affirms FBI Does NOT Need A Warrant To Read Your EMail

The Foreign Intelligence Surveillance Court or FISA Court has affirmed that the Feds do not need a warrant to search your email. Of course, if that email is encrypted – not like GMail, but with real encryption – then while they may have the FISA court’s permission to look at it, they will have to figure out how to decrypt it first.

FISA Court Judge Thomas Hogan, in an opinion from last November that was recently declassified, said that Section 702 of the Patriot Act, including as amended by the FISA Amendments Act, allows the government to keep any emails from American citizens that they hoover up as part of their mass data collection if that email is evidence of a crime. Evidence of a crime is a pretty low bar. After all, a lot of evidence would never convince a jury of anything.

This confirms a couple of things.

First, you should not say incriminating things in email.  To me, this falls into the “DUH!” category.

And second, Section 702 of the FISA Amendments Act allows the government to hoover up a lot of email and keep it and share it if they think it could be evidence of a crime.

The implication of this is that if you expect your email to be private, that would require extraordinary steps on your part to make sure that it is.

In that same opinion, the judge criticized the NSA for not destroying old surveillance data in spite of rules that require them to do that.

“Perhaps,” Judge Hogan wrote, “more disappointing than the NSA’s failure to purge this information for more than four years, was the Government’s failure to convey to the Court, explicitly during that time that the NSA was continuing to retain this information.”

Let me translate that to English.

Ye Olde Judge is pissed that the NSA lied to him when they certified that they were complying with the rules for Section 702,  when in fact, they were not compliant.  I am gathering that the judge is saying that this was not an oopsie.

The NSA replied to the ruling by issuing a statement from ODNI Director James Clapper that said “prior representations could have been clearer” – i.e., we lied and got caught at it. My bad. Sorry.

And some people are wondering why some citizens don’t trust the government.  Seems pretty clear why some people don’t trust the government.

Information for this post came from SC Magazine.

Senate Passes USA Freedom Act

UPDATED: 02 Jun 2015 2216 EDT

The Senate, in a 67-32 vote, passed the same bill they were unable to pass before they went on vacation, restoring some of the expired provisions of the Patriot Act. The bill now goes to President Obama who said he would sign it.

Gone is the bulk collection of phone records, replaced with a much more targeted collection and added are changes to the super secret FISA court.


President Obama has already signed the bill into law, just a few hours after the Senate passed it (see CNN article).

The fight over the bill came between the House Republicans who wanted to rein in the NSA and the Senate Republicans who wanted to actually give the NSA even more power. Mitch McConnell, who led the fight in the Senate for more NSA powers, wound up being the big loser in this case. He got nothing that he fought for, had the NSA waste needless money winding down and starting back up their data collection operations and got the same bill approved that was handed to him weeks ago.

What does the USA Freedom Act provide?

First, it provides a six month transition period where business runs as usual – just like before Section 215 expired.  Sort of.

The NSA still needs to go back to the FISA court and ask permission to start collecting data again.  This would be a slam dunk if it were not for the decision from the Second Circuit Appeals court (see here) that ruled that what the NSA was doing did not comply with what Section 215 said – which is what some people have been saying since the fact that the NSA was doing this was revealed.  The decision of the appeals court is not binding on the FISA court, but if the NSA does start up the data collection again, the plaintiffs in that decision could ask the second circuit for a stay or they could go to the guys in the black robes in DC – the Supremes – and no, I don’t mean the musical group.

Ultimately, what the USA Freedom Act requires is that the NSA must ask the FISA court for a targeted warrant which will allow them to get the data they want from the phone companies.  This is dependent on whether or not the phone companies can show, in the next six months, that they can collect, store and produce the data requested by the NSA.  Otherwise, things stay as is.

Analysis of the details of the USA Freedom Act will no doubt take days or weeks, but one provision is clear – that the NSA has to request data for a specific person, organization or device and only if they convince the FISA court that the person is associated with a foreign power or terrorist group (see here).

The bill will also allow tech companies to talk more about how much data they are turning over, require the NSA to talk more about how much data they are collecting, allow civil liberty advocates to lobby the FISA court and require major decisions of the court to be declassified.







Section 215 Of The Patriot Act Has Expired

As expected, Congress was not able to come to a consensus regarding renewing three provisions of the Patriot Act, which expired about 30 minutes ago.

The three provisions – bulk data collection of metadata of all phone calls in the U.S., roving wiretap warrants (warrants on people, rather than a particular phone number) and the ability to use certain tools to track lone wolf terrorists that cannot be tied to a particular terrorist group – all expired at midnight eastern time on May 31st.

Congress will now go through the process of potentially passing a new law to address these issues.  The USA Freedom Act, which makes changes to Section 215 but does not eliminate it, was passed by the House last week, but the Senate was not willing to go along with the House version.

CNN has reported on the story here; both sides have their version, which I will not subject you to in detail.

The President and the Department of Justice say they want the tool and it is valuable, but opponents say that it is an overreach and violates the 4th Amendment to the Constitution.  Some courts have agreed with those opponents.

Plan on hearing a lot of noise from both sides; I assume that Congress will eventually come up with some plan. What that plan is, however, is unclear.

Some people say that the country is less safe now, but that is not completely clear. Several review boards have said that Section 215 was not essential to thwarting a single terror plot and the roving wiretap is only used about a hundred times a year.

We shall see what comes of this.


FBI Admits No Major Terrorism Cases Solved Using Section 215

The DoJ IG just released an assessment of the FBI’s use of the mass data collection powers of section 215 of The Patriot Act, renewal of which is currently being debated in Congress, and the report says that no case developments resulted from the use of Section 215 orders. The Inspector General said:

"As with our previous reviews, the agents we interviewed did not identify any major case developments that resulted from the use of the records obtained in response to Section 215 orders, but told us that the material produced pursuant to Section 215 orders was valuable in that it is used to support other investigative requests, develop investigative leads and corroborate other information."

To be fair, the FBI’s use of Section 215 is minimal although increasing.

Also, the national security community (the NSA and related agencies) probably issued a lot more Section 215 requests than the FBI and this report does not include data on that.  Of course a request could say, as it did to Verizon, provide every single call record for these three months.  One order, lots of data.

Google, for example, publishes data on ranges of the number of requests they get. For the period January to June 2014 (the last period available), Google said they received less than a thousand FISA court requests covering around 15,000 accounts and less than a thousand National Security Letters covering less than a thousand accounts (see report). Google should be considered one of the larger recipients of such letters along with Facebook and Microsoft, so the fact that those numbers are small does indicate some discretion in asking for information.

The IG’s report also talked about the FBI’s efforts at data minimization, which were required as part of the 2006 Patriot Act re-authorization.  Generally speaking, the IG said that the FBI was not compliant with the law, but after several reports (different years), the FBI is doing a better job.

All this was announced at a time when Congress is trying to figure out a path forward.  Absent Congressional Action, the provisions of Section 215 and some other sections of the Patriot Act expire on June 1, 2015.  Different groups in Congress have significantly different views on what should happen and one possibility is to kick the can down the road a few months, a technique Congress often uses.

The NSA said that if Congress had not granted them an extension of authority by today (May 22, 2015), the NSA would begin winding down its Section 215 activities to make sure that they were compliant by June 1.

Congress will likely do something in the next week – before the Section 215 provisions expire.  This is one of those places where big, invasive government, national security and personal privacy collide and it is unclear what the result will be.

HR 4681 and government surveillance

HR 4681, the Intelligence Authorization Act for FY 2015, was signed into law on December 19th, 2014 and provides funding for the intelligence community until next September. The bill, and now law, contains one section – section 309 – that deals with the collection, retention and sharing of information collected by the intelligence community. Because Congress wanted to get out of D.C., this bill was not debated and it was voted on under a rules suspension that is used to push through non-controversial bills. Since no one wants to appear soft on terrorism, this bill fit into that category and it passed 325-100.

Section 309 was an effort to curtail some of the practices of mass data collection and retention of the intelligence community, but it seems to have a lot of wiggle room.  The text of the bill can be found here.

Interestingly, most of the data that the intelligence community collects is not collected under the Patriot Act or the Foreign Intelligence Surveillance Act, but rather, under a very dusty executive order that President Reagan signed in 1981 called EO 12333. A primer on the EO is available here. Since EOs are written by the executive branch with no oversight by Congress, they tend to formalize what the executive branch wants to do anyway and are typically one-sided. It covers, among other things, mass data collection and the minimization of data collected on U.S. citizens. Those rules are currently covered by a document called USSID SP0018 which is available here. In the preface it says that they need to balance the rights under the 4th amendment to the US Constitution against the needs of the government to collect intelligence. In concept that makes sense, but in the case of both the EO and the USSID, the fox is squarely in charge of guarding the hen house. EFF, a privacy watchdog, created a primer on it, which is linked to above and suggests that there are a lot of loopholes in these documents which allow for over collection, over retention and not much oversight. Section 309 was an attempt to begin to rein in some of those activities.

Since Congress did not take the time to debate this bill, there was not much consideration of what section 309 formally codifies.  For the first time, there is a law that says that the intelligence community can collect, share and retain information on U.S. citizens.

It is a start.  Section 309:

  • It defines a covered communication as any electronic or telephone communication collected without the consent of a (only one) party to the communication.
  • It requires that the heads of each part of the intelligence community create policies approved by the Attorney General within the next two years describing how they are going to comply with Section 309.  That means that nothing is likely to change for at least two years and Congress won’t review these procedures.
  • That intelligence collected (including mass intelligence) can only be kept for 5 years unless the fox guarding the hen house decides – in compliance with these procedures that are going to be written in the next two years – that it is (a) foreign intelligence, (b) reasonably believed to be evidence of a crime, (c) encrypted, (d) all parties are reasonably believed to be non US citizens, (e) retention is necessary to protect against an imminent threat to human life (in which case they have to tell Congress about it later), (f) retention is necessary for technical assurance or compliance reasons (in which case they have to write a dusty report every year to the Senate and House Intelligence Committees) or (g) the head of an intelligence community element decides it is necessary to protect the national security (in which case they have to report on some unstated frequency to the intelligence committees again).

So while section 309 is a reasonable start, it appears that there is a lot of wiggle room and, for the first time, legally says that the intelligence community can keep encrypted communications forever and that if they think the intercepted communication is reasonably believed to be evidence of a crime, they can share it with unspecified law enforcement agencies, without a warrant and with no guidelines as to what reasonable means. It also creates a process to keep that intelligence forever if someone thinks it is important.

There is clearly no room for abuse in section 309. So, while I think this is a good start, we are definitely nowhere near done yet.