702 nuggets: no court-ordered encryption backdoors (yet), CIA working on tracking its USP metadata queries, and more
The Office of the Director of National Intelligence has provided some written answers to questions submitted by senators like Dianne Feinstein, Ron Wyden, and Angus King during Senate Intel hearings over the summer about the FISA Amendments Act Section 702 warrantless surveillance program. Some of this is well covered territory, like Wyden’s fighting with the intelligence community about why they can’t/won’t estimate the volume of incidentally intercepted American information in the repository or the FBI’s inability/refusal to count its US person queries, but some weedy nuggets of interest jump out. Posting here for specialists.
- DEFINITION OF “DERIVED FROM” AND PARALLEL CONSTRUCTION: They say they’re basically following the Title III wiretap “fruit of the poisonous tree” approach to defining when evidence is derived from 702 (such that notice to defendant is required), but essentially concede they’re not considering evidence to be “derived from” 702 if they decided they could fit it into the doctrines of independent source, inevitable discovery, and attenuation. (Since there’s not been a 702 notice to a defendant for a long time after the 2013-14 flurry that followed Don Verrilli’s intervention, obviously this exception has now swallowed the rule in how agents gather evidence in new cases. Still, the one-time flurry of notices did give several regular courts the opportunity to scrutinize the constitutionality of 702.) (PG 18/PDF 11)
- USE OF 702 FOR TRANSNATIONAL CRIMES: The government (since Bob Litt era) has said it will restrict the use of 702 obtained/derived information in criminal cases to six of categories of serious crime, among them “transnational” crimes. But it’s still not defined the scope and limits of what counts as a transnational crime. In any case it says there haven’t been any transnational crime cases that used 702 information so far, only terrorism cases. (But see the big caveat above about the government’s use of parallel construction to launder 702 information.) (PG 20, PDF 13)
- CIA SEARCHES OF US PERSON METADATA: While the CIA doesn’t keep track of its queries of the 702 metadata repository for U.S. person information (which we knew), it’s re-engineering its systems and expects to be able to start providing counts by the end of calendar year 2018. (PG 21, PDF 14)
- USING 702 TO COMPEL PROVIDERS TO BUILD BACK DOORS IN ENCRYPTION: 702 says the government may direct providers to provide technical assistance in carrying out authorized surveillance and may get a court order to compel compliance. Wyden has been raising alarms about the possibility it could use this to force providers to build backdoors into their encrypted services or products, although it’s not clear whether he knows that something is actually happening or is instead just issue-spotting a hypothetical worry. Here we see that to date (as of the summer) the government has not sought a court order to force a provider to build an encryption backdoor. Ambiguity remains: the answer doesn’t say whether or not any providers have been directed to do this by US officials without resorting to a court order. (PG 27/PDF 18)
- WHY THE IC SAYS IT CAN’T ESTIMATE THE VOLUME OF INCIDENTALLY COLLECTED US PERSON INFO IT HAS COLLECTED: We knew this rationale (which a US official explained to me in September) but now we can see a letter Dan Coats sent to the House Judiciary Committee last July explaining it to Congress, which was kept secret at the time. It says the problem basically boils down to an inability to systematically and reliably identify the location/nationality of non-targets on e-mails. (Wyden disagrees with this.) (PDF 28)