Tuesday, March 21, 2017

FISA, EO 12333, Bulk Collection, and All That

Some basic questions for the experts:

1. To what extent does EO12333 allow surveillance of US individuals without FISA warrant?

2. To what extent are US voice conversations recorded via bulk collection (and preserved for, e.g., 5 or more years)? The email answer is clear ... But now automated voice recognition and transcription make storage of voice conversations much more scalable.

3. To what extent do Five Eyes intel collaborators have direct access to preserved data?

4. Are "experts" and media pundits and Senators even asking the right questions on this topic? For example, can stored bulk-collected voice data from a US individual be accessed by NSA without FISA approval by invoking 12333? How can one prevent a search query on stored data from producing results of this type?

See, e.g., Overseas Surveillance in an Interconnected World (Brennan Center for Justice at NYU School of Law), ACLU.org, and Executive Order 12333 (epic.org):
EPIC has tracked the government's reliance on EO 12333, particularly the reliance on Section 1:12(b)(13), which authorizes the NSA to provide "such administrative and technical support activities within and outside the United States as are necessary to perform the functions described in sections (1) through (12) above, including procurement." This provision appears to have opened the door for the NSA's broad and unwarranted surveillance of U.S. and foreign citizens.

Executive Order 12333 was signed by President Ronald Reagan on December 4, 1981. It established broad new surveillance authorities for the intelligence community, outside the scope of public law. EO 12333 has been amended three times. It was amended by EO 13284 on January 23, 2003 and was then amended by EO 13555 on August 27, 2004. EO 13555 was subtitled "Strengthened Management of the Intelligence Community" and reflected the fact that the Director of National Intelligence (DNI) now existed as the head of the intelligence community, rather than the CIA which had previously served as the titular head of the IC. EO 13555 partially supplemented and superseded EO 12333. On July 30, 2008, President George W. Bush signed EO 13470, which further supplemented and superseded EO 12333 to strengthen the role of the Director of National Intelligence.

Since the Snowden revaluations there has been a great deal of discussion regarding the activities of the IC community, but relatively little attention has been paid to EO 12333. EO 12333 often serves an alternate basis of authority for surveillance activities, above and beyond Section 215 and 702. As Bruce Schneier has emphasized, "Be careful when someone from the intelligence community uses the caveat "not under this program," or "not under this authority"; almost certainly it means that whatever it is they're denying is done under some other program or authority. So when[NSA General Counsel Raj] De said that companies knew about NSA collection under Section 702, it doesn't mean they knew about the other collection programs." Senator Dianne Feinstein (D-CA), Chair of the Senate Intelligence Committee, has said in August 2013 that, "The committee does not receive the same number of official reports on other NSA surveillance activities directed abroad that are conducted pursuant to legal authorities outside of FISA (specifically Executive Order 12333), but I intend to add to the committee's focus on those activities." In July 2014, a former Obama State Department official, John Napier Tye, wrote an Op-Ed in the Washington Post calling for greater scrutiny of EO 12333. Tye noted that "based in part on classified facts that I am prohibited by law from publishing, I believe that Americans should be even more concerned about the collection and storage of their communications under Executive Order 12333 than under Section 215."
Tye in the WaPo:
... [EO 12333] authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person’s communications are “incidentally” collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.

[ E.g., NSA could "incidentally" retain the email of a US individual which happens to be mirrored in Google or Yahoo data centers outside the US, as part of bulk collection for an ongoing (never ending) foreign intelligence or anti-terrorism investigation... ]

“Incidental” collection may sound insignificant, but it is a legal loophole that can be stretched very wide. Remember that the NSA is building a data center in Utah five times the size of the U.S. Capitol building, with its own power plant that will reportedly burn $40 million a year in electricity.
See also Mining your data at NSA (source of image at top).

UPDATE: EO12333 + Obama OKs unprecedented sharing of this info as he leaves office = recent leaks? Note the use of the term "incidentally" and the wide dissemination (thanks to Obama policy change as he left office).
WSJ: ... “I recently confirmed that on numerous occasions the intelligence community incidentally collected information about U.S. citizens involved in the Trump transition,” Mr. Nunes said, reading a brief statement to reporters on Capitol Hill on Wednesday afternoon. “Details about U.S. persons associated with the incoming administration—details with little or no apparent foreign intelligence value—were widely disseminated in intelligence community reporting.”

... Mr. Nunes added that it was “possible” the president himself had some of his communication intercepted, and has asked the Federal Bureau of Investigation, National Security Agency and other intelligence agencies for more information.

The change put in place as Obama left office is probably behind the large number of circulating reports that feature "incidentally" captured communications of the Trump team. The NYTimes article below is from February.
NYTimes: ... Until now, National Security Agency analysts have filtered the surveillance information for the rest of the government. They search and evaluate the information and pass only the portions of phone calls or email that they decide is pertinent on to colleagues at the Central Intelligence Agency, the Federal Bureau of Investigation and other agencies. And before doing so, the N.S.A. takes steps to mask the names and any irrelevant information about innocent Americans.

The new system would permit analysts at other intelligence agencies to obtain direct access to raw information from the N.S.A.’s surveillance to evaluate for themselves. If they pull out phone calls or email to use for their own agency’s work, they would apply the privacy protections masking innocent Americans’ information — a process known as “minimization” — at that stage, Mr. Litt said.

... FISA covers a narrow band of surveillance: the collection of domestic or international communications from a wire on American soil, leaving most of what the N.S.A. does uncovered. In the absence of statutory regulation, the agency’s other surveillance programs are governed by rules the White House sets under a Reagan-era directive called Executive Order 12333.

... [it is unclear what] rules say about searching the raw data using names or keywords intended to bring up Americans’ phone calls or email that the security agency gathered “incidentally” under the 12333 surveillance programs ...
It appears that the number of individuals allowed to search bulk, incidentally collected data has been enlarged significantly. Who watches these watchers? (There must now be many thousands...)
Sophos: ... Patrick Toomey, a lawyer for the American Civil Liberties Union (ACLU), put it in an interview with the New York Times, 17 intelligence agencies are now going to be “rooting… through Americans’ emails with family members, friends and colleagues, all without ever obtaining a warrant”.

The new rules mean that the FBI, the CIA, the DEA, and intelligence agencies of the US military’s branches and more, will be able to search through raw signals intelligence (SIGINT): intercepted signals that include all manner of people’s communications, be it via satellite transmissions, phone calls and emails that cross network switches abroad, as well as messages between people abroad that cross domestic network switches.

No comments:

Blog Archive