Group items tagged

The Justice Department recently submitted proposed new rules on the procedures and practices of the department’s agencies and bureaus. Among the suggested changes is a modification of the Federal Rules of Criminal Procedure Rule 41(b), which empowers a federal court to issue a warrant allowing the federal government to conduct a search of a computer or computer network involved in a criminal investigation. Under current regulations, a warrant issued by a federal court is only valid in that court’s district. As there are 94 federal judicial districts, investigating a widespread attack may require either petitioning dozens of district courts or acting extrajudicially by not seeking a warrant. An extrajudicial investigation, however, cannot be used if criminal convictions are sought, as evidence gathered in this manner is not typically admissible in court. The Justice Department is seeking to make remote access warrants to search, seize and copy electronic information valid for all federal districts.

The Justice Department argues that due to the sophistication of cyber-criminals, an offending computer or computer cluster can sit in a district separate from the district where the hackers that infected the target computer anonymously are and separate from the investigators’ district. “Criminals are using multiple computers in many districts simultaneously as part of complex criminal schemes, and effectively investigating and disrupting these schemes often requires remote access to Internet-connected computers in many different districts,” wrote then-acting Assistant Attorney General Mythili Raman in a September letter to the Advisory Committee on the Criminal Rules. “Botnets are a significant threat to the public: they are used to conduct large-scale denial of service attacks, steal personal and financial data, and distribute malware designed to invade the privacy of users of the host computers,” Raman continued. In the letter, Raman cited an investigation of a child porn site that uses The Onion Router Network, or Tor, to anonymize its traffic. The Justice Department argues that it knows the site’s hosting server location, but without a warrant local to the server, the department is prevented from retrieving the server’s user records — including IP and MAC addresses. In most cases, however, law enforcement do not know the physical location of the site’s server, making it impossible to request a specific warrant.

In these cases, the Justice Department could request a blanket warrant. This would allow the department to set up a “zero-day” attack on the server — an attack exploiting a manufacturer-unknown or -permitted security flaw, allowing access to the system’s operating software. However, a Texas judge denied the FBI access to such a warrant, saying the Justice Department’s use of “zero-day” attacks in its investigation exposes the public and the target to unknown risks. One typical type of a “zero-day” attack is an infected email that could affect a large number of innocent people if the target used a public computer to access his email. The FBI planned to install a Remote Administration Tool, or RAT, which would distribute such emails in a partially-targeted spam mail distribution. Last year, Federal Magistrate Judge Stephen Smith of the Houston Division of the Southern District of Texas ruled that this was a gross overreach of investigatory intrusion, blocking the plan temporarily. A “zero-day” attack has the potential to activate and control the targeted computer’s peripherals, such as webcams and microphones.

The latest revelations will add to the intense public and congressional debate around the extent of NSA surveillance programs. They come as senior intelligence officials testify to the Senate judiciary committee on Wednesday, releasing classified documents in response to the Guardian's earlier stories on bulk collection of phone records and Fisa surveillance court oversight.

but reading the new documents, which include a secret FISA court order that amounts to a gift certificate for one year of warrant-free spying, it becomes clear that many more “United States persons” have their communications monitored, and on much vaguer grounds, than the Obama Administration has acknowledged. “What I can say unequivocally is that, if you are a U.S. person, the N.S.A. cannot listen to your telephone calls, and the N.S.A. cannot target your e-mails,” the President said earlier this week. A 2009 memorandum signed by Eric Holder establishes a broader criteria, referring to people “reasonably believed” to be located abroad. That reasonable belief, as it turns out, can be quite shaky. Among the information that the N.S.A. is told to use includes having had a phone or e-mail connection with a person “associated with a foreign power or foreign territory,” or being in the “‘buddy list’ or address book” of such a person. It won’t be lost on anyone that Americans whose families include recent immigrants will be disproportionately vulnerable to such intrusions. (So, incidentally, will journalists.) The defaults in the analysis are telling: a person

whose location is unknown, will not be treated as a United States person unless such person can be positively identified as such, or the nature or circumstances of the person’s give rise to a reasonable belief that such person is a United States person. (The extent to which the N.S.A. can spy on a wide range of foreigners is its own, important discussion.) The criteria also show the interaction of various N.S.A. programs: the Administration has defended the collection of telephony metadata by saying that if it ever produces an interesting match, investigators would have to go to court to get a proper warrant to look more closely. But metadata is mentioned in these documents as a basis for picking a target for the surveillance under what appears to be a blanket FISA order—not an individualized one.

And what happens when the N.S.A. realizes that it is reading and listening to an American’s communications? It is supposed to stop, at least until it gets a different kind of FISA order—which, based on what it has already heard, may be all the easier. And if it finds something that is interesting in any one of a half-dozen ways, it can analyze the communications further, and hold on to them for five years. Maybe an American’s e-mails contain “significant foreign intelligence information”; or maybe they don’t, but are “reasonably believed” to contain evidence of a crime. There are a lot of crimes on the books, and the N.S.A. is also allowed to count one it thinks might be “about to be committed.” It can also “disseminate” the information to other agencies, and find out more about the American if it seems that the person might have access to secrets, or be a target of foreigners, or just do business with them. This includes communications between someone under indictment and his or her lawyer—the words can’t be used in a prosecution, but can be to gather intelligence. And what the N.S.A. happens to see can also be used in leak investigations. Does this still seem too narrow, not enough to keep us all safe? The documents note that the private data of Americans that the N.S.A. can hold on to “include electronic communications acquired because of limitations on NSA’S ability to filter communications.” In other words, if it fails to fine-tune its targeting, it can keep what it sweeps up anyway. Also, if the N.S.A. decides on its own that there is an “immediate threat,” it can temporarily put all these minimization procedures aside and figure it out later.

A Senate bill promoted as a surveillance reform would codify the ability of the National Security Agency to search its troves of foreign phone and email communications for Americans’ information, and permit law enforcement agencies to search the vast databases as well. The Fisa Improvements Act, promoted by Dianne Feinstein, the California Democrat who chairs the Senate intelligence committee, would both make permanent a loophole permitting the NSA to search for Americans’ identifying information without a warrant – and, civil libertarians fear, contains an ambiguity that might allow the FBI, the DEA and other law enforcement agencies to do the same thing. “For the first time, the statute would explicitly allow the government to proactively search through the NSA data troves of information without a warrant,” said Michelle Richardson, the surveillance lobbyist for the ACLU.

“It may also expand current practices by allowing law enforcement to directly access US person information that was nominally collected for foreign intelligence purposes. This fourth amendment back door needs to be closed, not written into stone.” Feinstein’s bill passed the committee on an 11 to 4 vote on 31 October. An expanded report on its provisions released by the committee this week added details about the ability of both intelligence and law enforcement to sift through foreign communications databases that it accumulates under section 702 of the Fisa Amendments Act of 2008. Section 6 of Feinstein’s bill blesses what her committee colleague Ron Wyden, the Oregon Democrat and civil libertarian, has called the “backdoor search provision,” which the Guardian revealed thanks to a leak by Edward Snowden.  The section permits intelligence agencies to search “the contents of communications” collected primarily overseas for identifying information on US citizens, resident aliens and people inside the US, provided that the “purpose of the query is to obtain foreign intelligence information or information necessary to understand foreign intelligence information or to assess its importance.”

Section 6 bills itself as a “restriction,” but it would not stop the NSA from performing the warrantless search, merely requiring intelligence agencies to log their queries and make them “available for review” to Congress, the Fisa court, the Justice Department and inspectors general inside the executive branch. Additionally, the report on Section 6 explicitly states that the provision “does not limit the authority of law enforcement agencies to conduct queries of data acquired pursuant to Section 702 of Fisa for law enforcement purposes.” There is ambiguity surrounding whether the FBI can currently search through the NSA’s foreign communications databases, or is reliant on the NSA to pass on information from the databases relevant to the bureau. A declassified Fisa court document from 2011 refers to “FBI minimization procedures,” but it is unclear what those procedures are. A copy of the FBI minimization procedures from 2009, acquired by the ACLU under the Freedom of Information Act is almost completely redacted. So is the section in the government’s most recent report on its Section 702 collection dealing with the FBI’s role, though it contains references to how the FBI “receive[s] … unminimized Section 70 acquired communications” from the NSA. 

The 29-year-old former NSA contractor and source of the Guardian's NSA files coverage will – with the help of Glenn Greenwald – take your questions today on why he revealed the NSA's top-secret surveillance of US citizens, the international storm that has ensued, and the uncertain future he now faces. Ask him anything.

I did not reveal any US operations against legitimate military targets. I pointed out where the NSA has hacked civilian infrastructure such as universities, hospitals, and private businesses because it is dangerous. These nakedly, aggressively criminal acts are wrong no matter the target. Not only that, when NSA makes a technical mistake during an exploitation operation, critical systems crash. Congress hasn't declared war on the countries - the majority of them are our allies - but without asking for public permission, NSA is running network operations against them that affect millions of innocent people. And for what? So we can have secret access to a computer in a country we're not even fighting? So we can potentially reveal a potential terrorist with the potential to kill fewer Americans than our own Police? No, the public needs to know the kinds of things a government does in its name, or the "consent of the governed" is meaningless.

I was debriefed by Glenn and his peers over a number of days, and not all of those conversations were recorded. The statement I made about earnings was that $200,000 was my "career high" salary. I had to take pay cuts in the course of pursuing specific work. Booz was not the most I've been paid.

For more than six months, Edward Snowden’s revelations about the National Security Agency (NSA) have been pouring out from the Washington Post, the New York Times, the Guardian, Germany’s Der Spiegel, and Brazil’s O Globo, among other places.  Yet no one has pointed out the combination of factors that made the NSA’s expanding programs to monitor the world seem like such a slam-dunk development in Washington.  The answer is remarkably simple.  For an imperial power losing its economic grip on the planet and heading into more austere times, the NSA’s latest technological breakthroughs look like a bargain basement deal when it comes to projecting power and keeping subordinate allies in line -- like, in fact, the steal of the century.  Even when disaster turned out to be attached to them, the NSA’s surveillance programs have come with such a discounted price tag that no Washington elite was going to reject them.

What exactly was the aim of such an unprecedented program of massive domestic and planetary spying, which clearly carried the risk of controversy at home and abroad? Here, an awareness of the more than century-long history of U.S. surveillance can guide us through the billions of bytes swept up by the NSA to the strategic significance of such a program for the planet’s last superpower. What the past reveals is a long-term relationship between American state surveillance and political scandal that helps illuminate the unacknowledged reason why the NSA monitors America’s closest allies. Not only does such surveillance help gain intelligence advantageous to U.S. diplomacy, trade relations, and war-making, but it also scoops up intimate information that can provide leverage -- akin to blackmail -- in sensitive global dealings and negotiations of every sort. The NSA’s global panopticon thus fulfills an ancient dream of empire. With a few computer key strokes, the agency has solved the problem that has bedeviled world powers since at least the time of Caesar Augustus: how to control unruly local leaders, who are the foundation for imperial rule, by ferreting out crucial, often scurrilous, information to make them more malleable.

Once upon a time, such surveillance was both expensive and labor intensive. Today, however, unlike the U.S. Army’s shoe-leather surveillance during World War I or the FBI’s break-ins and phone bugs in the Cold War years, the NSA can monitor the entire world and its leaders with only 100-plus probes into the Internet’s fiber optic cables. This new technology is both omniscient and omnipresent beyond anything those lacking top-secret clearance could have imagined before the Edward Snowden revelations began.  Not only is it unimaginably pervasive, but NSA surveillance is also a particularly cost-effective strategy compared to just about any other form of global power projection. And better yet, it fulfills the greatest imperial dream of all: to be omniscient not just for a few islands, as in the Philippines a century ago, or a couple of countries, as in the Cold War era, but on a truly global scale. In a time of increasing imperial austerity and exceptional technological capability, everything about the NSA’s surveillance told Washington to just “go for it.”  This cut-rate mechanism for both projecting force and preserving U.S. global power surely looked like a no-brainer, a must-have bargain for any American president in the twenty-first century -- before new NSA documents started hitting front pages weekly, thanks to Snowden, and the whole world began returning the favor.

Concluding Thoughts

This case well illustrates both the challenges faced by modern law enforcement in retrieving information it needs to pursue and prosecute wrongdoers, and the threat to the privacy of innocent parties from a vigorous criminal investigation. At the time of Tamura, most individuals and enterprises kept records in their file cabinets or similar physical facilities. Today, the same kind of data is usually stored electronically, often far from the premises. Electronic storage facilities intermingle data, making them difficult to retrieve without a thorough understanding of the filing and classification systems used—something that can often only be determined by closely analyzing the data in a controlled environment. Tamura involved a few dozen boxes and was considered a broad seizure; but even inexpensive electronic storage media today can store the equivalent of millions of pages of information. 1176*1176 Wrongdoers and their collaborators have obvious incentives to make data difficult to find, but parties involved in lawful activities may also encrypt or compress data for entirely legitimate reasons: protection of privacy, preservation of privileged communications, warding off industrial espionage or preventing general mischief such as identity theft. Law enforcement today thus has a far more difficult, exacting and sensitive task in pursuing evidence of criminal activities than even in the relatively recent past. The legitimate need to scoop up large quantities of data, and sift through it carefully for concealed or disguised pieces of evidence, is one we've often recognized. See, e.g., United States v. Hill, 459 F.3d 966 (9th Cir.2006).

This pressing need of law enforcement for broad authorization to examine electronic records, so persuasively demonstrated in the introduction to the original warrant in this case, see pp. 1167-68 supra, creates a serious risk that every warrant for electronic information will become, in effect, a general warrant, rendering the Fourth Amendment irrelevant. The problem can be stated very simply: There is no way to be sure exactly what an electronic file contains without somehow examining its contents—either by opening it and looking, using specialized forensic software, keyword searching or some other such technique. But electronic files are generally found on media that also contain thousands or millions of other files among which the sought-after data may be stored or concealed. By necessity, government efforts to locate particular files will require examining a great many other files to exclude the possibility that the sought-after data are concealed there. Once a file is examined, however, the government may claim (as it did in this case) that its contents are in plain view and, if incriminating, the government can keep it. Authorization to search some computer files therefore automatically becomes authorization to search all files in the same sub-directory, and all files in an enveloping directory, a neighboring hard drive, a nearby computer or nearby storage media. Where computers are not near each other, but are connected electronically, the original search might justify examining files in computers many miles away, on a theory that incriminating electronic data could have been shuttled and concealed there.

The top lawyer for the US intelligence community and the National Security Agency said on Wednesday that the spy agencies are giving new consideration to the privacy rights of non-Americans in the wake of a diplomatic row over the surveillance of foreign leaders. Speaking at a conference on national security law sponsored by the American Bar Association on Thursday, the general counsel for the office of the director of national intelligence, Robert Litt, said intelligence chiefs were giving "a lot of thought" to the issue. His comments came a day after General Keith Alexander, the NSA director, stated that the spy agency is open to scaling back some of its operations on foreign leaders, following an unfolding diplomatic crisis sparked by revelations that the NSA spied on German chancellor Angela Merkel. 

US law provides greater legal protection to those defined as "US persons", which includes American citizens and foreigners living in the US. "On the issue of US person versus non-US person, that’s an issue we’re giving a lot of thought to now,” said Litt. “It’s not surprising that the law gives more protections to US citizens or persons who are in this country,” Litt added. “That doesn’t mean that we have no protection for non-US persons, and the principal protection we have is the requirement that the collection, retention and dissemination of information has to be for a valid foreign intelligence purpose.” Litt said the intelligence agencies were “giving some thought to whether there are ways that we can both introduce a little more rigor into that requirement and perhaps a little more transparency into how we enforce that requirement.” Litt and NSA general counsel Rajesh De would not answer a question from the Guardian about the legal basis for a different, unfolding NSA controversy: the new allegation that the NSA intercepts data transiting between the foreign data centers of Google and Yahoo, two longtime NSA partners, published in the Washington Post.

But De took issue with a suggestion that the Post story prompted that the NSA interception would at times rely on a seminal executive order that defines basic powers and operations of the intelligence agencies, known as Executive Order 12333, rather than the relatively restrictive Foreign Intelligence Surveillance Act, or Fisa. “The implication, the insinuation, the suggestion or the outright statement that an agency like NSA would use authority under Executive Order 12333 to evade, skirt or go around Fisa is simply inaccurate,” De said. On Tuesday, the director of national intelligence, James Clapper, testified to the House intelligence panel that they considered US corporations to be “US persons,” meaning their communications and associated data enjoyed legal privileges associated with citizenship. But neither Litt nor De would explain whether that category protected communications data transiting between the data centers of US companies.

Now that the United States government has cracked open an iPhone that belonged to a gunman in the San Bernardino, Calif., mass shooting without Apple’s help, the tech company is under pressure to find and fix the flaw.But unlike other cases where security vulnerabilities have cropped up, Apple may face a higher set of hurdles in ferreting out and repairing the particular iPhone hole that the government hacked.The challenges start with the lack of information about the method that the law enforcement authorities, with the aid of a third party, used to break into the iPhone of Syed Rizwan Farook, an attacker in the San Bernardino rampage last year. Federal officials have refused to identify the person, or organization, who helped crack the device, and have declined to specify the procedure used to open the iPhone. Apple also cannot obtain the device to reverse-engineer the problem, the way it would in other hacking situations.

Laura K. Donohue is a professor at Georgetown University Law Center and director of Georgetown’s Center on National Security and the Law. The National Security Agency’s recently revealed surveillance programs undermine the purpose of the Foreign Intelligence Surveillance Act, which was established to prevent this kind of overreach. They violate the Fourth Amendment’s guarantee against unreasonable search and seizure. And they underscore the dangers of growing executive power.

Another program, PRISM, disclosed by the Guardian and The Washington Post, allows the NSA and the FBI to obtain online data including e-mails, photographs, documents and connection logs. The information that can be assembledabout any one person — much less organizations, social networks and entire communities — is staggering: What we do, think and believe.The government defends the programs’ legality, saying they comply with FISA and its amendments. It may be right, but only because FISA has ceased to provide a meaningful constraint.Under the traditional FISA, if the government wants to conduct electronic surveillance, it must make a classified application to a special court, identitying or describing the target. It must demonstrate probable cause that the target is a foreign power or an agent thereof, and that the facilities to be monitored will be used by the target.In 2008, Congress added section 702 to the statute, allowing the government to use electronic surveillance to collect foreign intelligence on non-U.S. persons it reasonably believes are abroad, without a court order for each target. A U.S. citizen may not intentionally be targeted.To the extent that the FISC sanctioned PRISM, it may be consistent with the law. But it is disingenuous to suggest that millions of Americans’ e-mails, photographs and documents are “incidental” to an investigation targeting foreigners overseas.

Another program, PRISM, disclosed by the Guardian and The Washington Post, allows the NSA and the FBI to obtain online data including e-mails, photographs, documents and connection logs. The information that can be assembledabout any one person — much less organizations, social networks and entire communities — is staggering: What we do, think and believe.The government defends the programs’ legality, saying they comply with FISA and its amendments. It may be right, but only because FISA has ceased to provide a meaningful constraint.

A new cybersecurity bill poses serious threats to our privacy, gives the government extraordinary powers to silence potential whistleblowers, and exempts these dangerous new powers from transparency laws. The Cybersecurity Information Sharing Act of 2014 ("CISA") was scheduled to be marked up by the Senate Intelligence Committee yesterday but has been delayed until after next week's congressional recess. The response to the proposed legislation from the privacy, civil liberties, tech, and open government communities was quick and unequivocal – this bill must not go through. The bill would create a massive loophole in our existing privacy laws by allowing the government to ask companies for "voluntary" cooperation in sharing information, including the content of our communications, for cybersecurity purposes. But the definition they are using for the so-called "cybersecurity information" is so broad it could sweep up huge amounts of innocent Americans' personal data. The Fourth Amendment protects Americans' personal data and communications from undue government access and monitoring without suspicion of criminal activity. The point of a warrant is to guard that protection. CISA would circumvent the warrant requirement by allowing the government to approach companies directly to collect personal information, including telephonic or internet communications, based on the new broadly drawn definition of "cybersecurity information."

While we hope many companies would jealously guard their customers' information, there is a provision in the bill that would excuse sharers from any liability if they act in "good faith" that the sharing was lawful. Collected information could then be used in criminal proceedings, creating a dangerous end-run around laws like the Electronic Communications Privacy Act, which contain warrant requirements. In addition to the threats to every American's privacy, the bill clearly targets potential government whistleblowers. Instead of limiting the use of data collection to protect against actual cybersecurity threats, the bill allows the government to use the data in the investigation and prosecution of people for economic espionage and trade secret violations, and under various provisions of the Espionage Act. It's clear that the law is an attempt to give the government more power to crack down on whistleblowers, or "insider threats," in popular bureaucratic parlance. The Obama Administration has brought more "leaks" prosecutions against government whistleblowers and members of the press than all previous administrations combined. If misused by this or future administrations, CISA could eliminate due process protections for such investigations, which already favor the prosecution.

While actively stripping Americans' privacy protections, the bill also cloaks "cybersecurity"-sharing in secrecy by exempting it from critical government transparency protections. It unnecessarily and dangerously provides exemptions from state and local sunshine laws as well as the federal Freedom of Information Act. These are both powerful tools that allow citizens to check government activities and guard against abuse. Edward Snowden's revelations from the past year, of invasive spying programs like PRSIM and Stellar Wind, have left Americans shocked and demanding more transparency by government agencies. CISA, however, flies in the face of what the public clearly wants. (Two coalition letters, here and here, sent to key members of the Senate yesterday detail the concerns of a broad coalition of organizations, including the ACLU.)

New evidence of the intelligence community’s intentionally deceptive use of the English language was released today in the form of a Defense Intelligence Agency document that instructs analysts to use words that do not mean what they appear to mean. The section of the DIA’s “intelligence law handbook” on the “Collection of Information about United States Persons” opens like this: To begin the journey, it is necessary to stop first and adjust your vocabulary. The terms and words used in DoD 5240.1-R have very specific meanings, and it is often the case that one can be led astray by relying on the generic or commonly understood definitions of a particular word. DoD 5240.1-R — entitled “Procedures Governing the Activities of DOD Intelligence Components that Affect United States Persons” – is the Department of Defense document that implements Executive Order 12333, the unilateral presidential directive first signed by President Reagan that authorizes government agencies to covertly sweep up vast amounts of private data from overseas communications. The plainspoken employee handbook was one several documents about Executive Order 12333 the ACLU obtained through a Freedom of Information Act lawsuit and released today. See also today’s Intercept story: “The Ghost of Ronald Reagan Authorizes Most NSA Spying”

Here is the handbook explaining how not to be led astray: For example, “collection of information” is defined in the Dictionary of the United States Army Terms (AR 310- 25) as: “The process of gathering information for all available sources and agencies. ” But, for the purposes of DoD 5240 .1-R, information is “collected” – only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties… (and) an employee takes some affirmative action that demonstrates an intent to use or retain the information. So, we see that “collection of information” for DoD 5240.1-R purposes is more than “gathering” – it could be described as “gathering, plus … “. For the purposes of DoD 5240.1-R, “collection” is officially gathering or receiving information, plus an affirmative act in the direction of use or retention of that information.

For good measure, there’s this footnote: In addition, data acquired by electronic means is “collected” only when it is processed into intelligible form…;What constitutes an intelligible form may be somewhat problematic. Analysts can even gather information and keep it for up to six months without it counting as having been “collected”, as long as it’s being “held or forwarded to a supervisory authority, solely for the purpose of making a determination about its collectability.” Although the intelligence community’s astonishing abuse of words has been frequently noted, particularly in the context of surveillance, this may be the first time we’ve actually seen an instruction manual.

The first (and thus far only) roll-back of post-9/11 surveillance authorities was implemented over the weekend: The National Security Agency shuttered its program for collecting and holding the metadata of Americans’ phone calls under Section 215 of the Patriot Act. While bulk collection under Section 215 has ended, the government can obtain access to this information under the procedures specified in the USA Freedom Act. Indeed, some experts have argued that the Agency likely has access to more metadata because its earlier dragnet didn’t cover cell phones or Internet calling. In addition, the metadata of calls made by an individual in the United States to someone overseas and vice versa can still be collected in bulk — this takes place abroad under Executive Order 12333. No doubt the NSA wishes that this was the end of the surveillance reform story and the Paris attacks initially gave them an opening. John Brennan, the Director of the CIA, implied that the attacks were somehow related to “hand wringing” about spying and Sen. Tom Cotton (R-Ark.) introduced a bill to delay the shut down of the 215 program. Opponents of encryption were quick to say: “I told you so.”

But the facts that have emerged thus far tell a different story. It appears that much of the planning took place IRL (that’s “in real life” for those of you who don’t have teenagers). The attackers, several of whom were on law enforcement’s radar, communicated openly over the Internet. If France ever has a 9/11 Commission-type inquiry, it could well conclude that the Paris attacks were a failure of the intelligence agencies rather than a failure of intelligence authorities. Despite the passage of the USA Freedom Act, US surveillance authorities have remained largely intact. Section 702 of the FISA Amendments Act — which is the basis of programs like PRISM and the NSA’s Upstream collection of information from Internet cables — sunsets in the summer of 2017. While it’s difficult to predict the political environment that far out, meaningful reform of Section 702 faces significant obstacles. Unlike the Section 215 program, which was clearly aimed at Americans, Section 702 is supposedly targeted at foreigners and only picks up information about Americans “incidentally.” The NSA has refused to provide an estimate of how many Americans’ information it collects under Section 702, despite repeated requests from lawmakers and most recently a large cohort of advocates. The Section 215 program was held illegal by two federal courts (here and here), but civil attempts to challenge Section 702 have run into standing barriers. Finally, while two review panels concluded that the Section 215 program provided little counterterrorism benefit (here and here), they found that the Section 702 program had been useful.

There is, nonetheless, some pressure to narrow the reach of Section 702. The recent decision by the European Court of Justice in the safe harbor case suggests that data flows between Europe and the US may be restricted unless the PRISM program is modified to protect the information of Europeans (see here, here, and here for discussion of the decision and reform options). Pressure from Internet companies whose business is suffering — estimates run to the tune of $35 to 180 billion — as a result of disclosures about NSA spying may also nudge lawmakers towards reform. One of the courts currently considering criminal cases which rely on evidence derived from Section 702 surveillance may hold the program unconstitutional either on the basis of the Fourth Amendment or Article III for the reasons set out in this Brennan Center report. A federal district court in Colorado recently rejected such a challenge, although as explained in Steve’s post, the decision did not seriously explore the issues. Further litigation in the European courts too could have an impact on the debate.

Much Needed New Scrutiny of the Clinton Foundation   Will there ever be a serious investigation and prosecution of the Clinton cash machine? Maybe. Micah Morrison, our chief investigative reporter, has an important update in his latest Investigative Bulletin:   Rumors have been floating up from Little Rock for months now of a new investigation into the Clinton Foundation. John Solomon advanced the story recently in a January report for The Hill. FBI agents in the Arkansas capital, he wrote, “have taken the lead” in a new Justice Department inquiry “into whether the Clinton Foundation engaged in any pay-to-play politics or other illegal activities while Hillary Clinton served as secretary of state.” Solomon reports that the probe “may also examine whether any tax-exempt assets were converted for personal or political use and whether the foundation complied with applicable tax laws.”   Main Justice also is “re-examining whether there are any unresolved issues from the closed case into Clinton’s transmission of classified information through her personal email server,” Solomon notes.   Solomon is not alone. The Wall Street Journal is tracking the story. And earlier this month, investigative journalist Peter Schweizer cryptically told SiriusXM radio that federal authorities should “convene a grand jury” in Little Rock “and let the American people look at the evidence” about the Clinton Foundation.   Judicial Watch continues to turn up new evidence of Clinton pay-to-play and mishandling of classified information. In recent months, through FOIA litigation, Judicial Watch has forced the release of more than 2,600 emails and documents from Mrs. Clinton and her associates, with more to come. The emails include evidence of Clinton Foundation donors such XL Keystone lobbyist Gordon Griffin, futures brokerage firm CME Group chairman Terrence Duffy, and an associate of Shangri La Entertainment mogul Steve Bing seeking special favors from the State Department. Read more about Judicial Watch’s pay-to-play disclosures here.   Judicial Watch also revealed many previously unreported incidents of mishandling of classified information. Mrs. Clinton and her former State Department deputy chief of staff, Huma Abedin, sent and received classified information through unsecure channels. The emails and documents involved sensitive information about President Obama, the Middle East, Africa, Afghanistan, Mexico, Burma, India, intelligence-related operations and world leaders. For documents and details from Judicial Watch on the mishandling of classified information, see here, here, here and here.   Smelling a rat in Arkansas when it comes to the Clintons of course is nothing new, and the former First Couple are masters of the gray areas around pay-to-play. But mishandling of classified information is a serious matter. And the tax angle is intriguing, even if you’re not Al Capone. The tenacious financial expert Charles Ortel, who has been digging deep into Clinton finances for years, told us back in 2015 that there are “epic problems” with the entire Clinton Foundation edifice, which traces its origins back to Arkansas. He noted that independent accounting firms may have been “duped by false and materially misleading representations” made by Clinton charitable entities. Down in Arkansas, law enforcement may be finally catching up with Ortel’s insights.

The Obama administration must disclose the legal basis for targeting Americans with drones, a federal appeals court ruled Monday in overturning a lower court decision likened to "Alice in Wonderland." The Second US Circuit Court of Appeals, ruling in a Freedom of Information Act (FOIA) claim by The New York Times and the American Civil Liberties Union (ACLU), said the administration must disclose the legal rationale behind its claims that it may kill enemies who are Americans overseas.

The Obama administration must disclose the legal basis for targeting Americans with drones, a federal appeals court ruled Monday in overturning a lower court decision likened to "Alice in Wonderland." The Second US Circuit Court of Appeals, ruling in a Freedom of Information Act (FOIA) claim by The New York Times and the American Civil Liberties Union (ACLU), said the administration must disclose the legal rationale behind its claims that it may kill enemies who are Americans overseas. "This is a resounding rejection of the government's effort to use secrecy and selective disclosure to manipulate public opinion about the targeted killing program," ACLU Legal Director Jameel Jaffer said in an e-mail. The so-called targeted-killing program—in which drones from afar shoot missiles at buildings, cars, and people overseas—began under the George W. Bush administration. The program, which sometimes kills innocent civilians, was broadened under Obama to include the killing of Americans.

Government officials from Obama on down have publicly commented on the program, but they claimed the Office of Legal Counsel's memo outlining the legal rationale about it was a national security secret. The appeals court, however, said on Monday that officials' comments about overseas drone attacks means the government has waived its secrecy argument. "After senior Government officials have assured the public that targeted killings are 'lawful' and that OLC advice 'establishes the legal boundaries within which we can operate,'" the appeals court said, "waiver of secrecy and privilege as to the legal analysis in the Memorandum has occurred" (PDF). The Electronic Privacy Information Center (EPIC), which in a friend-of-the court brief urged the three-judge appeals court to rule as it did, said the decision was a boon for citizen FOIA requests. "It's very helpful. We have a number of cases, including one of our oldest FOIA cases, that involves the warrantless wiretapping memos. The basic premise is when OLC writes a legal memo and when that becomes the known basis for a program, that's the law of the executive branch and cannot be withheld," Alan Butler, EPIC's appellate counsel, said in a telephone interview.

A federal court took a critically important step late yesterday towards placing a check on the government's secretive No-Fly List. In a 38-page ruling in Latif v. Holder, the ACLU's challenge to the No-Fly List, U.S. District Court Judge Anna Brown recognized that the Constitution applies when the government bans Americans from the skies. She also asked for more information about the current process for getting off the list, to inform her decision on whether that procedure violates the Fifth Amendment guarantee of due process. We represent 13 Americans, including four military veterans, who are blacklisted from flying. At oral argument in June on motions for partial summary judgment, we asked the court to find that the government violated our clients' Fifth Amendment right to due process by barring them from flying over U.S. airspace – and smearing them as suspected terrorists – without giving them any after-the-fact explanation or a hearing at which to clear their names. The court's opinion recognizes – for the first time – that inclusion on the No-Fly List is a draconian sanction that severely impacts peoples' constitutionally-protected liberties. It rejected the government's argument that No-Fly list placement was merely a restriction on the most "convenient" means of international travel.

Such an argument ignores the numerous reasons an individual may have for wanting or needing to travel overseas quickly such as for the birth of a child, the death of a loved one, a business opportunity, or a religious obligation. According to the court, placement on the No-Fly List is like the revocation of a passport because both actions severely burden the right to international travel and give rise to a constitutional right to procedural due process: Here it is undisputed that inclusion on the No-Fly List completely bans listed persons from boarding commercial flights to or from the United States or over United States air space.  Thus, Plaintiffs have shown their placement on the No-Fly List has in the past and will in the future severely restrict Plaintiffs' ability to travel internationally. Moreover, the realistic implications of being on the No-Fly List are potentially far-reaching. For example, TSC [the Terrorist Screening Center] shares watchlist information with 22 foreign governments and United States Customs and Boarder [sic] Protection makes recommendations to ship captains as to whether a passenger poses a risk to transportation security, which can result in further interference with an individual's ability to travel as evidenced by some Plaintiffs' experiences as they attempted to travel abroad by boat and land and were either turned away or completed their journey only after an extraordinary amount of time, expense, and difficulty. Accordingly, the Court concludes on this record that Plaintiffs have a constitutionally-protected liberty interest in traveling internationally by air, which is affected by being placed on the list. The court also found that the government's inclusion of our clients on the No-Fly List smeared them as suspected terrorists and altered their ability to lawfully board planes, resulting in injury to another constitutionally-protected right: freedom from reputational harm.

The importance of these rulings is clear. Because inclusion on the No-Fly List harms our clients' liberty interests in travel and reputation, due process requires the government to provide them an explanation and a hearing to correct the mistakes that led to their inclusion. But under the government's "Glomar" policy, it refuses to provide any information confirming or denying that our clients are on the list, let alone an after-the-fact explanation and hearing. The court has asked the ACLU and the government for more information about the No-Fly List redress procedure to help it decide the ultimate question of whether that system violates the Fifth Amendment right to due process. We are confident the court will recognize that the government's "Glomar" policy of refusing even to confirm or deny our clients' No-Fly List status (much less actually providing the reasons for their inclusion in the list) is fundamentally unfair and unconstitutional.

Customer proprietary network information (CPNI) is the data collected by telecommunications companies about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill. Telemarketers working on behalf of telephone companies, attempting to either win back a customer or upsell a customer with more services, must ask the customer's consent before accessing the billing information or before using that information to offer an upsell or any change of services. Usually this is done at the beginning of a call from the telemarketer to the telephone subscriber.

Note that as long as an affiliate is "communications" related, the FCC has ruled that CPNI is under an opt-out approach (can be shared without your explicit permission). A phone company is permitted to sell all information on you, such as numbers you call, when you called them, where you were when you called them, or any other personally identifying information. CPNI would normally require a warrant for law enforcement agencies, but it can be freely sold to "communications" related companies. One can verify this by checking rule 64.2007(b)(1) and footnote 137 in the 2007 CPNI order. One can call up a phone company and opt out by requesting that they do not share CPNI information. In the case of

The U.S. Telecommunications Act of 1996 granted the Federal Communications Commission (FCC) authority to regulate how customer proprietary network information (CPNI) can be used and to enforce related consumer information privacy provisions. The rules in the 2007 FCC CPNI Order further restrict CPNI use and create new notification and reporting requirements. The rules in the 2007 CPNI Order include: Limits the information which carriers may provide to third-party marketing firms without first securing the affirmative consent of their customers Defines when and how customer service representatives may share call details Creates new notification and reporting obligations for carriers (including identity verification procedures) Verification process must MATCH what is shown with the company placing the call.

For months, privacy advocates have been pointing to flaws in CISA, the new reincarnation of the cybersecurity bill known as CISPA that Congress has been kicking around since 2013. But today that zombie bill lurched one step closer to becoming law. The Senate Intelligence Committee passed the Cybersecurity Information Sharing Act, or CISA, by a vote of 14 to one Thursday afternoon. The bill, like the failed Cybersecurity Information Sharing and Protection Act that proceeded it, is designed to encourage the sharing of data between private companies and the government to prevent and respond to cybersecurity threats. But privacy critics have protested that CISA would create a legal framework for companies to more closely monitor internet users and share that data with government agencies.

After Thursday’s vote, Senator Ron Wyden—the only member of the Senate’s intelligence committee to vote against the bill—repeated those privacy concerns in a public statement. “If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill—it’s a surveillance bill by another name,” he wrote. “It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.”

Looking at the most recently revealed public version of CISA, privacy advocates have pointed out that it would allow sharing of personal data that goes beyond cybersecurity threats. It also allows the sharing of private sector data with the government that could prevent “terrorism” or an “imminent threat of death or serious bodily harm.” That language, Open Technology Institute privacy counsel Robyn Greene has argued, means CISA might “facilitate investigations into garden-variety violent crimes that have nothing to do with cyber threats.” “If that weren’t worrisome enough, the bill would also let law enforcement and other government agencies use information it receives to investigate, without a requirement for imminence or any connection to computer crime, even more crimes like carjacking, robbery, possession or use of firearms, ID fraud, and espionage,” Greene wrote in February. “While some of these are terrible crimes, and law enforcement should take reasonable steps to investigate them, they should not do so with information that was shared under the guise of enhancing cybersecurity.”