TLJ News from December 16-20, 2013

Target Discloses Data Breach

12/20. The Target Corporation disclosed in a release on December 19, 2013 that it experienced "unauthorized access to payment card data". Target is a large U.S. based discount retailer that uses a bullseye trademark.

It added that "Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access".

Target CEO Gregg Steinhafel stated in a release on December 20 that "We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn't mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service."

Sen. Patrick Leahy (D-VT) stated in a release that "I am troubled by the revelation that Target suffered a major data security breach involving 40 million credit and debit cards used to pay for purchases at its stores. This data security breach is just the latest in a series of breaches that have impacted the privacy of millions of American consumers in recent years. It is also an important reminder that the Congress must act to develop a comprehensive national strategy to improve the nation's cybersecurity."

He added that "I have worked for many years to enact Federal data privacy legislation that would better protect American consumers and businesses from cybercrime", and "I will continue to closely monitor the ongoing investigation and to work with others in Congress to enact meaningful data privacy legislation in the new year."

New York Attorney General Eric Schneiderman stated in a release that following Target's disclosure, "I urged Target to offer affected New Yorkers one year of free credit monitoring to ensure they are not victims of identity theft. I'm pleased to report that, just a short time ago, Target agreed to our request."

Target added in an update on January 13 that "it was determined last week that certain guest information, including names, mailing addresses, phone numbers or email addresses, was also taken".

Steinhafel stated in a January 13 CNBC interview [32 minutes] that the breach involved malicious software on point of sale devices at Target store check outs. He said that "there was malware installed on our point of sale registers".

The January 23 letter from House Commerce Committee (HCC) Democrats asks for, among other things, all documents "relating to the Kaptoxa malware, or to point-of-sale system security or any other information security systems implicated in this breach".

Obama to Name Baucus Ambassador to the PRC

12/20. President Obama announced his intent to appoint Sen. Max Baucus (D-MT) Ambassador to the People's Republic of China (PRC). See, White House news office release.

Sen. Baucus has a long history of advocating free trade. However, since the state of Montana is an agricultural products exporter, his main interest has been in that sector.

Also, as the long time Chairman of the Senate Finance Committee (SFC), which has jurisdiction over trade issues, he possesses considerable expertise in this area.

He stated in a release that "The U.S. -- China relationship is one of the world's most important bilateral relationships. If confirmed, my goal will be to further strengthen diplomatic and economic ties between our two nations."

This appointment will add to the similarities in the careers of Sen. Baucus and his mentor, former Sen. Mike Mansfield (D-MT). Both were elected at a young age to the House. Both moved to the Senate, where they served long and held powerful positions.

Sen. Mansfield then served for twelve years as Ambassador to Japan, under both President Carter and President Reagan. Sen. Baucus is now set to become Ambassador to the PRC.

Sen. Orrin Hatch (R-UT), the ranking Republican on the SFC, stated in a release that "Max is a dear friend and proven leader who's always been willing to work across the aisle, fight for Montana and stand up for what he believes is right. His depth and breadth of knowledge will provide him with a strong foundation that will serve him well as the next U.S. envoy to China. This is a tremendous opportunity for Max, who I know will work tirelessly to strengthen U.S.-China relations, which is incredibly important in today's competitive global economy."

Late in the 112th Congress Sen. Baucus twice voted against the bill backed by President Obama and Sen. Harry Reid (D-NV) that would have given the President authority to regulate business's cyber security related practices.

Sen. Baucus is also a vocal opponent of S 743, the Senate bill that would empower states to collect taxes from out of state online retailers. Sen. Reid was able to push that bill through the Senate in May of 2013 by bypassing the SFC, which had jurisdiction over the bill.

Sen. Baucus's term ends at the end of the 113th Congress. However, he announced in April of 2013 that he will not run for re-election. See, story titled "Sen. Baucus Will Not Seek Re-Election in 2014" in TLJ Daily E-Mail Alert No. 2,552, April 22, 2013.

The state of Montana leans Republican. Had Sen. Baucus run once again, he likely would have won re-election, in part because he has a history of distancing himself from the Democratic Party. There is now some fear among Democrats that they may lose their Senate majority in the 2014 elections. Democratic retention of Sen. Baucus's seat is key to Democratic strategy for retaining this majority.

The Governor of Montana is a Democrat. He will make an interim appointment for the remainder of the 113th Congress. This appointee -- likely the Democratic Lieutenant Governor, John Walsh -- will acquire those advantages that result from incumbency. Thus, by appointing Sen. Baucus Ambassador, and getting him out of the Senate, President Obama is furthering his and Senate Democrats' goals of retaining this seat, and a Democratic majority in the Senate.

Gary Locke is the current Ambassador to the PRC.

Sen. Ron Wyden (D-OR) is the next in Democratic seniority on the SFC. Sen. Wyden has long been a leading opponent of state internet taxes. Relevant bills fall within the jurisdiction of the SFC.


House Republicans Seek Criminal Investigation of DNI Clapper

12/19. Rep. James Sensenbrenner (R-WI) and other House Republicans sent a letter to Attorney General Eric Holder requesting that the Department of Justice (DOJ) conduct an investigation into whether Director of National Intelligence James Clapper made a false statement to the Senate Intelligence Committee (SIC) in violation of 18 U.S.C. § 1001.

At a March 12, 2013 hearing Sen. Ron Wyden (D-OR) asked him "Does the N.S.A. collect any type of data at all on millions or hundreds of millions of Americans?" Clapper responded, "No sir", and "There are cases where they could inadvertently perhaps collect, but not wittingly."

In June of 2013, Edward Snowden disclosed information regarding the National Security Agency's (NSA) bulk phone records collection and querying program. The federal government subsequently confirmed the existence of the program.

The letter adds that "Director Clapper's willful lie under oath fuels the unhealthy cynicism and distrust that citizens feel toward their government and undermines Congress's ability to perform its Constitutional function."

The other signers of the letter are Rep. Darrell Issa (R-CA), Rep. Trent Franks (R-AZ), Rep. Blake Farenthold (R-TX), Rep. Trey Gowdy (R-SC), Rep. Raul Labrador (R-ID), and Rep. Ted Poe (R-TX). All are members of the House Judiciary Committee (HJC), which oversees the DOJ, but not the NSA. No Democrats signed this letter.

They requested a response by January 10, 2014.

Section 1001 provides, in part, that "in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully ... makes any materially false, fictitious, or fraudulent statement or representation ... shall be fined under this title, imprisoned ..."

Requests by Representatives and Senators for criminal prosecutions of government officials for statements made to the Congress, and the rare criminal prosecutions, are usually accompanied by allegations that law enforcement powers should not be used for political and policy based ends.

It might also be recalled that during the 2006 and 2008 election cycles Democrats, including members of the HJC, adroitly and successfully pursued election victories with repeated allegations that intelligence agencies during the Bush administration conducted illegal surveillance programs, including warrantless wiretaps. Rep. Sensenbrenner and his Republican colleagues may now be acting in a similar manner.

Verizon to Release Reports on Law Enforcement Requests for Customer Information

12/19. Verizon announced in a release that it "plans to publish an online report that will provide data on the number of law enforcement requests for customer information that the company received in 2013 in the United States and other countries in which it does business".

Verizon elaborated that this report "will identify the total number of law enforcement agency requests received from government authorities in criminal cases".

This excludes requests made pursuant to the Foreign Intelligence Surveillance Act (FISA). Many of the most significant allegations of government surveillance overreach in recent months have involved FISA, rather than Title 18, authority.

Verizon also stated that this report will "break out this data under categories such as subpoenas, court orders and warrants. Verizon will also provide other details about the legal demands it receives, as well as information about requests for information in emergencies."

Verizon's Randal Milch asserted in this release that "we do not sell information that individually identifies our customers to third parties without our customers' consent".

Greg Nojeim of the Center for Democracy and Technology (CDT) stated in a release that this is "a welcome development because it’s the first time a U.S.-based telecom has taken this step".

However, he added that "What Verizon won't report, though is what the U.S. government prevents it from reporting: the extent to which its customers' data is disclosed for intelligence reasons".

The New America Foundation (NAF) stated in a release that it is "incredibly pleased to see Verizon following the example of the Internet industry and taking a leadership position amongst the telephone companies on the issue of transparency reporting on law enforcement requests".

People and Appointments

12/19. The Senate confirmed Alejandro Mayorkas to be Deputy Secretary of the Department of Homeland Security (DHS) by a party line vote of 54-41. Democrats voted 54-0 with one abstention. Republicans voted 41-0 with 4 abstentions. See, Roll Call No. 286.

12/19. The Senate confirmed John Koskinen to be Commissioner of the Internal Revenue Service (IRS) for a term expiring on November 12, 2017 by a party line vote of 59-36. Democrats voted 54-0 with one abstention. Republicans voted 5-36 with 4 abstentions. See, Roll Call No. 288. See also, statement by President Obama.

12/19. President Obama announced his intent to nominate James Murren to be a member of the Department of Homeland Security's (DHS) National Infrastructure Advisory Council. See, White House news office release. Murren is the Ch/CEO of MGM Resorts International. The NIAC provides advice regarding the security of critical infrastructure sectors and their information systems.


Groups Ask FCC to Stop AT&T and Other Telcos from Selling Anonymized Call Record Data

12/18. Public Knowledge (PK) and other groups filed a Petition for Declaratory Ruling with the Federal Communications Commission on December 11, 2013 requesting that the FCC declare that AT&T and other phone companies are prohibited by the CPNI statute from selling anonymized call record data.

The FCC released a Public Notice (DA 13-2415) on December 18, 2013 requesting comments, and setting deadlines. Initial comments are due by January 17, 2014. Reply comments are due by February 3, 2014.

The petitioners request that the FCC declare, pursuant to 47 U.S.C. § 222, that non-aggregate call records that have been purged of personal identifiers but that leave customers’ individual characteristics intact are protected as individually identifiable customer proprietary network information (CPNI).

Secondly, they request that the FCC declare that telecommunications providers are prohibited from selling or sharing such records with third parties without customers’ consent.

The PK's Laura Moy stated in a release that "Consumers have no choice but to share vast quantities of personal and private information about themselves with phone carriers in order to obtain service, which is an absolute necessity in the modern age. Americans should be able to rest assured that carriers can't just turn around and secretly share or sell that information with marketers or the government without consent. This section of the Communications Act was designed to protect consumers' privacy, and the FCC should do just that by vigorously enforcing it."

Section 222 provides, in part, that "a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories."

This is an old and now anomalous statutory prohibition. New information and communications technologies either lack similar statutory provisions, or are covered by statutory restrictions on transfer of information that are subject to exceptions for law enforcement and intelligence agencies.

The PK petition states that recent news media stories have "reported that AT&T has been selling call records to the C.I.A. AT&T reportedly attempts to anonymize call records before sharing them with the C.I.A. by “masking” several digits of Americans’ phone numbers." (Footnote omitted.)

The petition argues that "anonymized" or "de-identified" call records "still constitute individually identifiable CPNI under Section 222. Therefore, phone carriers violate Section 222 when they disclose or even use those records internally for any reason other than those narrowly set forth under Section 222."

It explains that "The carriers' methods of 'anonymization,' as reported in the media may be vulnerable to 're-identification,' that is, a process that reveals the true identities of individuals in an allegedly 'anonymous' dataset. Re-identification is now well understood in both the legal and computer science literature, and can be executed by non-technically trained people." (Footnote omitted.)

The petitioners include the PK, Common Cause, Electronic Frontier Foundation (EFF), Electronic Privacy Information Center (EPIC), Free Press (FP), New America Foundation (NAF), and others.

Sarah Morris of the NAF stated in a release that "The telecoms have proven to be unreliable stewards of customers’ sensitive information, and the FCC must now step in to clarify the scope of the privacy statutes with regard to anonymized call data."

The NAF's Kevin Bankston stated in this release that "In stark contrast to the Internet industry, which has united to support greater transparency and more reasonable checks and balances around the government's surveillance powers, the phone companies have been bending over backwards to voluntarily share our private data with intelligence agencies based on secret agreements that public interest advocates believe are illegal".

This proceeding is WC Docket No. 13-306.

Obama's Review Board Offers Recommendations Regarding Surveillance

12/18. The Executive Office of the President (EOP) released a report [308 pages in PDF] titled "Liberty and Security in a Changing World: Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies".

The members of this group are Richard Clarke (Good Harbor Security Risk Management), Michael Morell (recently retired Deputy Director of the CIA), Geoffrey Stone (University of Chicago law school), Cass Sunstein (Harvard law school) and Peter Swire (Georgia Tech business school). President Obama named these five in a statement on August 27, 2013.

He met with this group on December 13, 2013. See, White House news office release.

The report states that "the United States is deeply committed to the protection of privacy and civil liberties -- fundamental values that can be and at times have been eroded by excessive intelligence collection".

NSA Phone Records Program. This report recommends changing the current bulk telephone records program. Currently, the Department of Justice (DOJ) obtains orders from the body titled "Foreign Intelligence Surveillance Court", on an ex parte basis, pursuant to Section 215 (50 U.S.C. § 1861), that direct telecommunications companies to give the National Security Agency (NSA) telephony metadata. The NSA combines all this data into one database, which it then queries without any further court authorization.

The just released report recommends that this telephony metadata instead be "held privately for the government to query".

It states that "the current storage by the government of bulk meta-data creates potential risks to public trust, personal privacy, and civil liberty". It adds that "the government should not be permitted to collect and store mass, undigested, non-public personal information about US persons for the purpose of enabling future queries and data-mining for foreign intelligence purposes". However, it later qualifies this statement.

National Security Letters. The report recommends "that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that: (1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect 'against international terrorism or clandestine intelligence activities' and (2) like a subpoena, the order is reasonable in focus, scope, and breadth."

Section 702 Outside the US Authority. The report also contains numerous recommendations regarding the use of Section 702 outside the US authority.

For example, it should not be used for "theft of trade secrets or obtaining commercial gain for domestic industries".

Undermining Encryption Standards. The NSA has long operated with a conflict of interest. It has been tasked both with surveillance, which entails breaking encryption, and with information assurance, which entails building strong encryption products.

Recent revelations have disclosed that the NSA has used its participation in the National Institute of Standards and Technology's (NIST) encryption standards setting process to advocate building weaknesses into standards. There have also been news stories that state that the government has worked with private companies to build in various types of weaknesses and back doors into their products and systems.

The report recommends that the NSA's Information Assurance Directorate "should become a separate agency within the Department of Defense, reporting to the cyber policy element within the Office of the Secretary of Defense".

It also recommends that the government should not "undermine efforts to create encryption standards", or "subvert, undermine, weaken, or make vulnerable generally available commercial software".

Instead, the report recommends, the government should urge US companies to increase the use of encryption, "in order to better protect data in transit, at rest, in the cloud, and in other storage".

Secret Law. The report recommends that "legislation should be enacted requiring that detailed information about authorities such as those involving National Security Letters, section 215 business records, section 702, pen register and trap-and-trace, and the section 215 bulk telephony meta-data program should be made available on a regular basis to Congress and the American people to the greatest extent possible, consistent with the need to protect classified information."

This falls far short of requiring publication of each decision, order, or opinion of the body titled "Foreign Intelligence Surveillance Court" that includes significant legal interpretations of Sections 215 or 702, or even publication of unclassified summaries.

The report also contains a toothless recommendation that the government should not keep surveillance programs secret unless it has conducted "careful deliberation at high levels of government ... with due consideration of and respect for the strong presumption of transparency that is central to democratic governance".

Gag Orders on Phone Companies and Service Providers. The report recommends that gag orders associated with Section 215 or 702 orders, or National Security Letters (NSLs) should "be issued only upon a judicial finding that there are reasonable grounds to believe that disclosure would significantly threaten the national security, interfere with an ongoing investigation, endanger the life or physical safety of any person, impair diplomatic relations, or put at risk some other similarly weighty government or foreign intelligence interest".

It also recommends that such gag orders must be renewed every 180 days, and that they "should never be issued in a manner that prevents the recipient of the order from seeking legal counsel in order to challenge the order’s legality".

Organizational Recommendations. The report recommends that the Director of the NSA should be a Senate confirmed position, with civilians eligible to hold the position.

Also, the "NSA should be clearly designated as a foreign intelligence organization. Other missions (including that of NSA's Information Assurance Directorate) should generally be assigned elsewhere. The head of the military unit, US Cyber Command, and the Director of NSA should not be a single official." (Parentheses in original.)

It recommends replacing the Privacy and Civil Liberties Oversight Board (PCLOB) with a new body titled "Civil Liberties and Privacy Protection Board".

It recommends creating a position titled "Public Interest Advocate" to "represent the interests of privacy and civil liberties before the" Foreign Intelligence Surveillance Court (FISC).

Reaction. Sen. Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee (SJC), stated in a release that "The message to the NSA is now coming from every branch of government and from every corner of our nation: You have gone too far. The bulk collection of Americans' data by the U.S. government must end. This momentous report from the President’s closest advisers is a vindication of the efforts of a bipartisan group of legislators that has been working for years to protect Americans’ privacy by reining in these intelligence authorities. I welcome the report and call on the President to immediately consider implementing the recommendations that can be achieved without legislation."

Ed Black of the Computer and Communications Industry Association (CCIA) stated in a release that "It is heartening to see the clear recognition that it’s the government’s duty to protect individuals’ property and data from unreasonable search and seizure. The report emphasizes the need to weigh security, privacy and economic interests as part of a broader definition and consideration of our national security goals."

The New America Foundation's (NAF) Kevin Bankston stated in a release that this group "is very glad that the review group appears to agree with us that the NSA should not be in the business of collecting every American's phone records, and that any government demand for communications metadata should be targeted at particular information".

Commentary: President's Review Group Offers Policy Trojan Horse

12/18. The Executive Office of the President (EOP) released a paper [308 pages in PDF] titled "Liberty and Security in a Changing World: Report and Recommendations of The President's Review Group on Intelligence and Communications Technologies".

While the report is wrapped in language regarding protecting privacy and civil liberties, some of the policy recommendations, if implemented, could expand intelligence and law enforcement surveillance capabilities, and weaken checks on the abuse of surveillance powers.

Data Retention. The report proposes ending the National Security Agency's (NSA) collecting and databasing of bulk telephone records data. But, the report does not propose ending the collection, storage and government querying of metadata. It recommends that the collection and storage function be transferred to the private sector.

This could create more threats to privacy and liberty than the existing NSA program. Currently, the NSA holds the data. This has had two significant consequences. There have been no disclosures that suggest that this data may be vulnerable to unauthorized access by criminal hackers or others. And, while the intelligence agencies have played fast and loose with their statutory authority, there have been no disclosures that suggest that they have used this data for any purpose other than fighting terrorism.

In contrast, if a multitude of companies were to retain historical metadata, it would be more vulnerable to unauthorized access, or data breaches.

Moreover, such data would then be subject to requests for access from a multitude of federal law enforcement and regulatory agencies. More significantly, unless limited by enactment of new legislation, such data would be subject to requests from the thousands of state, county, and municipal law enforcement, prosecutorial, regulatory and tax collection agencies. In addition, civil litigants would seek court orders for access to data. The possibilities for abuse would be vast.

If a body of data exists, some state police and prosecutors will seek access to it, through state processes, under state law. There are reasons to doubt that the Congress would ever enact legislation that would effectively limit access to that data to federal intelligence agencies. Not only is Congress limited to delegated powers (and there is no police power enumerated in Article I, Section 7 of the Constitution), the Congress rarely enacts outright preemptions of state powers -- especially in the area of law enforcement.

Also, implementation of a company run data collection and storage program would require federal data retention mandate legislation. Indeed, the report acknowledges (at page 119) that "implementing legislation might be required".

Ross Schulman of the Computer and Communications Industry Association (CCIA) stated in a release that "While we're also pleased to see the Review Group address limits on the storage of bulk metadata, forcing companies or any third party to store this type of data is not a viable solution. Limiting bulk surveillance would be an enormous step toward helping regain the trust of citizens around the world, but the recommendations unfortunately do not rule out the possibility of the practice, as they should."

Moreover, if the government were to seek legislation, it would very likely not be limited to telecommunications companies and phone call records. It would likely include other industry sectors, including internet companies, and their records.

In fact, the report states that the "broader question" involves "the production not only of telephone calling records, but also of every other type of record or other tangible thing that could be obtained through a traditional subpoena, including bank records, credit card records, medical records, travel records, Internet search records, e-mail records, educational records, library records, and so on." (See, page 109.)

The Obama administration, and law enforcement and intelligence agencies, sought such a data retention mandate in the 112th Congress. Rep. Lamar Smith (R-TX), the then Chairman of the House Judiciary Committee (HJC), sponsored legislation, and pushed it through his Committee. See, HR 1981, the misleadingly titled "Protecting Children From Internet Pornographers Act of 2011".

However, it went no further, because members of Congress recognized the enormous threats to privacy and civil liberties posed by a federal data retention mandate.

Rep. Smith introduced HR 1981 on May 25, 2011. The HJC's Subcommittee on Crime, Terrorism and Homeland Security held a hearing on July 12, 2011. See, story titled "House Crime Subcommittee Holds Hearing on Data Retention Mandate Bill" in TLJ Daily E-Mail Alert No. 2,257, July 13, 2011. For a summary of the bill as introduced, see story titled "Summary of HR 1981, Data Retention Mandate Bill" in the same issue.

On July 26 the HJC released a manager's amendment (MA). For a summary of this MA, see story titled "Summary of Manager's Amendment to Data Retention Bill" in TLJ Daily E-Mail Alert No. 2,271, July 27, 2011. The HJC began its mark up of the bill on July 27. See, story titled "House Judiciary Committee Begins Mark Up of Data Retention Bill" in TLJ Daily E-Mail Alert No. 2,272, July 28, 2011. The HJC completed its mark up on July 28. See, stories in TLJ Daily E-Mail Alert No. 2,278, August 3, 2011.

More specifically, the report recommends that "legislation should be enacted that terminates the storage of bulk telephony meta-data by the government under section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party. Access to such data should be permitted only with a section 215 order from the Foreign Intelligence Surveillance Court that meets the requirements set forth in Recommendation ", which in turn recommends that "section 215 should be amended to authorize the Foreign Intelligence Surveillance Court to issue a section 215 order compelling a third party to disclose otherwise private information about particular individuals only if: (1) it finds that the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect 'against international terrorism or clandestine intelligence activities' and (2) like a subpoena, the order is reasonable in focus, scope, and breadth."

Exceptions that Overwhelm the Rule. This report is also full of vague language and exceptions that limit the effect of some of the recommendations to limit government powers. In some cases, the recommendations would expand government powers.

For example, while the report recommends terminating the NSA's program for collecting and storing telephony metadata, it goes on to state that this is just a "general rule" subject to exceptions.

That is, the report states (at page 108) that "We recommend that, as a general rule, and without senior policy review, the government should not be permitted to collect and store all mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes. Any program involving government collection or storage of such data must be narrowly tailored to serve an important government interest."

If such language were incorporated into a statute, then the DOJ, NSA, and FISC would construe this to mean that the government could collect, and compel collection, not only of telephony metadata, but also of financial, internet, e-mail and other records, provided that there was a "senior policy review" and a "narrowly tailored" purpose. This would be a broad expansion of government surveillance power.

Reconstituting the PCLOB. The just released report also recommends that the Privacy and Civil Liberties Oversight Board (PCLOB) be replaced with a new and improved board. This has been done before, to the detriment of privacy and civil liberties.

Section 1061(b) of the Intelligence Reform and Terrorism Prevention Act of 2004 created the original PCLOB. President Bush appointed members. It hired staff, conducted investigations, and began issuing reports. It was diligently performing the function envisioned by the statute.

Then the Congress reconstituted it in the "Implementing Recommendations of the 9/11 Commission Act of 2007", ostensibly to improve it. Enactment of this bill had the effect of terminating the original PCLOB.

The 2007 act provided for Presidential appointment and Senate confirmation of new PCLOB members. However, the appointment process dragged out for five years. The 2007 act disrupted and ended the effective operation of the PCLOB. From August 2007 through August 2012, there were no PCLOB members. And, in 2012, the new Board had to start from scratch.

The point is this: the proposal contained in the just released report might likewise knock out of operation for another five years any effective oversight body.

Limiting the Scope of Privacy and Civil Liberties Oversight. In addition, the report proposes to narrow the authority of the new board that it proposes to replace the PCLOB. It would only be allowed to "oversee Intelligence Community activities for foreign intelligence purposes". (See, page 195.)

Arguably, people have privacy and civil liberties concerns about government surveillance activities that do not involve intelligence activities for foreign intelligence purposes.

Also, the report recommends that "Oversight should match the scope of the activity being reviewed. Having the new CLPP Board oversee ``foreign intelligence´´ rather than ``anti-terrorism´´ would match the scope of FISA."

Consider for example, national security letters (NSL). The Department of Justice's (DOJ) Office of the Inspector General (OIG) previously found rampant abuse of NSL authority. NSLs do not require a warrant or other prior court authorization, and hence, are inherently subject to abuse. They enable the government to obtain records, including subscriber, billing and call records of phone companies and ISPs. NSLs also apply to libraries to the extent that they are providing an electronic communication service.

The 2001 surveillance act (HR 3162, 107th Congress, October 26, 2001, Public Law 107-56) amended the NSL statute to allow their use to obtain information from a "wire or electronic communication service provider" that is merely "relevant to an investigation to protect against international terrorism or clandestine intelligence activities", and without judicial review or approval.

That is, "terrorism" is a grounds for NSL issuance, but the just released report proposes to take "terrorism" out of the review board's mandate.

Moreover, the NSL statute is in the code of criminal law and procedure (at 18 U.S.C. § 2709), rather than in the Foreign Intelligence Surveillance Act (which is in Title 50), and hence, does not "match the scope of the FISA".


People and Appointments

12/17. President Obama appointed Elisebeth Cook to be a member of the Privacy and Civil Liberties Oversight Board (PCLOB) for a term expiring on January 29, 2020. This is a reappointment. See, White House news office release. She works in the Washington DC office of the law firm of Wilmer Hale.

12/17. Rep. Jim Matheson (D-UT) announced in a release that he will not run for re-election in 2014.

12/17. Rep. Frank Wolf (R-VA), Chairman of the House Appropriations Committee's (HAC) Subcommittee on Commerce, Justice, Science and Related Agencies, announced in a release that he will not run for re-election in 2014.


District Court Holds that NSA's Bulk Phone Records Program Violates 4th Amendment

12/16. The U.S. District Court (DC) issued a Memorandum Opinion [68 pages in PDF] in Klayman v. Obama, granting, but staying pending appeal, a preliminary injunction of the National Security Agency's (NSA) Section 215 based bulk phone records collection and database querying program as to plaintiffs Larry Klayman and Charles Strange.

This is one of the programs publicly disclosed in June by Edward Snowden, via The Guardian.

The District Court held that the "plaintiffs have standing to challenge the constitutionality of the Government's bulk collection and querying of phone record metadata, that they have demonstrated a substantial likelihood of success on the merits of their Fourth Amendment claim, and that they will suffer irreparable harm absent preliminary injunctive relief. Accordingly, the Court will GRANT, in part, the Motion for Preliminary Injunction" with respect to plaintiffs Larry Klayman and Charles Strange.

However, the Court added that "in view of the significant national security interests at stake in this case and the novelty of the constitutional issues, I will STAY my order pending appeal."

Judge Richard Leon wrote the opinion. He held numerous positions at the Department of Justice (DOJ) after graduating from law school in 1981. He also twice served as Republican counsel to Senate committees. And, he worked in private practice at Baker & Hostetler and then Vorys Sater. Former President Bush appointed him to the District Court in 2001, and the Senate confirmed him in early 2002, without a roll call vote.

Lead plaintiff Larry Klayman filed suit immediately after the first Snowden disclosures in early June. For more on those disclosures, see story titled "FISC Orders Verizon to Produce Call Data for Everyone Every Day" in TLJ Daily E-Mail Alert No. 2,571, June 5, 2013.

See also, stories regarding this surveillance program in TLJ Daily E-Mail Alert No. 2,572, June 6, 2013, TLJ Daily E-Mail Alert No. 2,573, June 8, 2013, and TLJ Daily E-Mail Alert No. 2,574, June 10, 2013.

Summary of the District Court Opinion in Klayman v. Obama

12/16. The U.S. District Court (DC) issued a Memorandum Opinion [68 pages in PDF] in Klayman v. Obama, granting, but staying pending appeal, a preliminary injunction of the National Security Agency's (NSA) Section 215 based bulk phone records collection and data querying program as to two plaintiffs.

Introduction. The Court's preliminary injunction pertains only to claims against government defendants (and not companies and their officers), only to claims regarding telecommunications company data (and not internet company data), and only to one of the Constitutional claims (and not statutory or tort claims).

The Court held that the Section 1861/215 based bulk phone records program likely violates two plaintiffs' 4th Amendment rights.

The Court wrote that "The Government, in its understandable zeal to protect our homeland, has crafted a counterterrorism program with respect to telephone metadata that strikes the balance based in large part on a thirty-four year old Supreme Court precedent, the relevance of which has been eclipsed by technological advances and a cell phone-centric lifestyle heretofore inconceivable."

This is a major victory for advocates of privacy and liberty interests in the context of new information and communications technologies. This is a major setback for government surveillance agencies.

This is just the first opinion. The government will likely appeal to the U.S. Court of Appeals (DCCir). The Supreme Court will also likely grant certiorari regardless of the outcome in the Court of Appeals. And, this is a preliminary injunction, not a final judgment.

Complaints. Larry Klayman, the head of Freedom Watch, filed a complaint in the District Court on June 6, 2013 (D.C. No. 13-cv-851), and a second complaint on June 12 (D.C. No. 13-cv-881), alleging, among other things, violation of the 4th Amendment by the National Security Agency (NSA) and others in connection with the bulk collection and querying of phone record data of U.S. citizens.

Klayman founded Judicial Watch, and later, Freedom Watch. Both entities are dedicated to using litigation to achieve policy ends. However, unlike many entities of this nature, Klayman's groups have largely pursued policy ends shared by many conservatives and advocates of limited government.

Klayman ran in the Florida Republican primary election for the U.S. Senate in 2004, in which Mel Martinez and Bill McCollum were the leading candidates. Klayman won 1.1% of the vote. See, primary election results. Martinez won the general election. See, results. Sen. Marco Rubio (R-FL) now holds this seat.

Klayman and other plaintiffs assert standing as subscribers and users of telecommunications and internet companies affected by the NSA's phone records collection program. Plaintiffs pled class action allegations, but have not yet moved for class certification.

The first complaint (851) named as defendants President Obama, Keith Alexander (NSA Director), NSA, Lowell McAdam (CEO of Verizon), Verizon, and others.

It pled violation of 5th Amendment interest in liberty by government defendants, violation of 1st Amendment freedom of speech and association by chilling plaintiffs' freedom of expression and association by government defendants, and violation of the 4th Amendment prohibition of unreasonable searches and seizures by government defendants.

It also pled the tort of intentional infliction of emotional distress by all defendants, and the tort of intrusion upon seclusion by all defendants. Finally, it pled violation of the Electronic Communications Privacy Act's (ECPA) prohibition against divulging records (18 U.S.C. § 2702(a)(1) and (2)) by the Verizon defendants.

Klayman subsequently filed a second complaint adding parties and claims, including a claim that the government exceeded its statutory authority under the Foreign Intelligence Surveillance Act (FISA) in violation of the Administrative Procedure Act (APA). However, the first complaint contains, in the third count, the claim upon which the Court held the NSA program unconstitutional -- 4th Amendment.

The additional company defendants named in the second complaint are AOL, Apple, AT&T, Facebook, Google, Microsoft, PalTalk, Sprint, Skype, Yahoo, and YouTube.

Section 215. Section 215 serves as the basis for the orders issued by the entity titled "Foreign Intelligence Surveillance Court" or "FISC" that authorize the NSA to conduct its bulk phone records program.

It is codified at Section 1861 of Title 50. It is also known as Section 501 of the FISA. The 2001 surveillance act (Section II of the USA PATRIOT Act) amended Section 1861/501 in its Section 215. See also, HR 3162, 107th Congress, titled "USA PATRIOT Act", signed October 26, 2001, Public Law 107-56.

Hence, this provision is now often referred to as Section 215. The just released opinion refers to it as Section 1861.

This 1861/501/215 authority enables the FBI to obtain from a judge or magistrate an order requiring the production of business records, including phone company, ISP, library, and bookseller records. Moreover, while the FISC body bears very few attributes of an Article III court, the statute counts the FISC as a court.

This section provides that if the government submits an application to the court that states that there are "reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation", then the "judge shall enter an ex parte order as requested". This is a very low standard. The judge is left with almost no discretion.

Precisely, this section requires that such application "shall include ... a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, such things being presumptively relevant to an authorized investigation if the applicant shows in the statement of the facts that they pertain to -- (i) a foreign power or an agent of a foreign power; (ii) the activities of a suspected agent of a foreign power who is the subject of such authorized investigation; or (iii) an individual in contact with, or known to, a suspected agent of a foreign power who is the subject of such authorized investigation".

The referenced subsection (a)(2) merely requires that the investigation be conducted pursuant to "guidelines approved by the Attorney General" and that it "not be conducted of a United States person solely upon the basis of activities protected by the first amendment to the Constitution".

This section also requires that the FBI's application contain an "enumeration of the minimization procedures adopted by the Attorney General". However, Roger Vinson's order does not reference minimization. It also grants broad immunity from liability for anyone, such as phone and internet companies, who comply with the order.

NSA Bulk Phone Records Program. The District Court noted in its opinion that the "plaintiffs and Government have portrayed the scope of the Government's surveillance activities very differently", but that for this opinion, the Court would "accept the Government's description".

The Court thus wrote that this is a 215/1861 based "counterterrorism program" under which the government "collects, compiles, retains, and analyzes certain telephone records, which it characterizes as ``business records´´ created by certain telecommunications companies".

Under this "Bulk Telephony Metadata Program", or BTMP, the government collects "information about what phone numbers were used to make and receive calls, when the calls took place, and how long the calls lasted", but not "information about the content of those calls, or the names, addresses, or financial information of any party to the calls."

Then, "Through targeted computerized searches of those metadata records, the NSA tries to discern connections between terrorist organizations and previously unknown terrorist operatives located in the United States".

Beginning in 2006 the NSA collected data from phone companies under this program, and then consolidated such data into one database.

The Court also noted that the FISC has "concluded that the NSA has engaged in ``systematic noncompliance´´ with the FISC-order minimization procedures in this BTMP", "and has also repeatedly made misrepresentations and inaccurate statements about the program to the FISC judges".

Court Opinion: Jurisdiction and Judicial Review. The Court addressed the claim pled in the second complaint that the NSA program exceeds statutory authority, and therefore violates the Administrative Procedure Act (APA), 5 U.S.C. § 706. It concluded that it lacks jurisdiction because the Foreign Intelligence Surveillance Act (FISA) "impliedly" precludes APA review.

The Court then addressed whether it has jurisdiction over the plaintiff's Constitutional claims. It wrote that this turns on "whether Congress intended to preclude judicial review of constitutional claims related to FISC orders by any non-FISC courts".

It wrote that the "FISA does not include an express right of judicial review for third party legal challenges to Section 1861 orders -- whether constitutional or otherwise, whether in the FISC or elsewhere. But neither does FISA contain any language expressly barring all judicial review of third party claims regarding Section 1861 orders ..."

The Court relied upon the Supreme Court's statement in Webster v. Doe, 486 U.S. 592, that "where Congress intends to preclude judicial review of constitutional claims its intent to do so must be clear" to reach the conclusion that there is a right of judicial review in the District Court of Section 1861 orders.

And this. "While Congress has great latitude to create statutory schemes like FISA, it may not hang a cloak of secrecy over the Constitution."

Court Opinion: Standing. The Court then applied a four prong test for issuance of preliminary injunctive relief. In the present case, the key prong is substantial likelihood of success upon the merits.

Success upon the merits goes to whether the surveillance program violates the plaintiffs' constitutional rights. The Court focused upon the 4th Amendment claim. (The Court wrote that since it disposed of the plaintiffs' motion on the 4th Amendment claim, "I do not reach their other constitutional claims under the First and Fifth Amendments.")

But before proceeding with an analysis of the merits, the Court addressed the procedural question of whether the plaintiffs have standing to bring this constitutional challenge to the BTMP. The Court held that they do.

The Department of Justice (DOJ) and even the Supreme Court have viewed claims to standing to challenge secretive surveillance programs with considerable prejudice. See for example, the Supreme Court's 2013 opinion in Clapper v. Amnesty International, Sup. Ct. No. 11-1025.

The gist of the DOJ argument has been that these are secretive programs, the government does not disclose its targets (and sometimes asserts the state secrets privilege to avoid doing so), so no one can prove to the Court that they have been injured by the program, and hence no one can prove injury sufficient to confer standing.

The Supreme Court wrote in Clapper and other opinions that the injury that confers standing must be "concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling."

The District Court distinguished the facts of the present case from those of Clapper, which involved the "located outside the United States" surveillance authority. See, 50 U.S.C. § 1881a, which was added to the FISA by the FISA Amendments Act of 1978.

A small subset of all phone users are surveilled under Section 1881a orders. Hence, the District Court wrote that the plaintiffs in Clapper "could only speculate as to whether they would be surveilled at all", while under the 1861/215 BTMP, the plaintiffs "can point to strong evidence that, as Verizon customers, their telephony metadata has been collected". Thus, the District Court concluded with straightforward reasoning that the plaintiffs have standing to challenge the data collection component of the NSA program.

Next, there is the matter of whether the plaintiffs also have standing to challenge the database querying component of the NSA program. They cannot present evidence that the NSA has queried their phone numbers. However, the Court creatively reasoned that whenever the NSA conducts a query using one phone number, "plaintiffs' metadata -- indeed everyone's metadata -- is analyzed". That is, "When the NSA runs such a query, its system must necessarily analyze metadata for every phone number in the database".

The Court's creative analysis does not, however, explain how plaintiffs suffered any injury by querying.

The Constitution does not use the word standing. Rather, it states that "The judicial Power shall extend to all Cases ..." and "... Controversies ...". Courts have constructed the doctrine of standing out of this case or controversy limitation. The government vehemently argues, with considerable success, that the case or controversy limitation precludes judicial review of its surveillance programs that are based upon orders issued by the FISC.

It might also be noted that there is another aspect of the case or controversy limitation that is not addressed in either the present opinion, or the Supreme Court's opinion in Clapper -- the absence of a case or controversy in the proceeding in which the order of the FISC is issued.

That is, trial courts have the authority to hear cases or controversies. They also have ancillary powers, such as to summon juries, hold lawyers in contempt, and issue subpoenas. There can be a case or controversy in which the presiding judge issues no ancillary orders. But, a judge does not ordinarily issue ancillary orders absent a case or controversy. Of course, under criminal law judges have authority to issue search warrants absent a case or controversy. However, the criminal prosecutions that follow are cases or controversies that confer standing to challenge the constitutionality of the warrants. Also, there are other means for targets of such warrants to create a case or controversy that addresses the warrant.

In contrast, in the case of the FISA, the Congress created the FISC for the purpose of issuing ancillary orders in the absence of any present or future case or controversy. Nevertheless, it has not heretofore troubled the courts that the Congress created an Alice in Wonderland "grin without a cat" process.

But, the situation remains that the government asks the courts to push the case or controversy limitation to extraordinary lengths to preclude constitutional challenges to its programs that are justified by FISC orders, when the FISC process itself stretches the case or controversy limitation to extraordinary lengths.

Court Opinion: 4th Amendment. At page 42, the Court finally reached the central question -- the merits of the claim that the NSA bulk telephone data collection program violates the 4th Amendment.

The 4th Amendment to the Constitution provides, in full, that "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

The District Court first addressed whether, under Supreme Court precedent construing the 4th Amendment, including Katz v. U.S., there is a reasonable expectation of privacy.

The Supreme Court issued its landmark opinion in Katz v. U.S. in 1967. It is reported at 389 U.S. 347. In that case the FBI conducted a warrantless wiretap of a public telephone booth used by the defendant, and introduced the product of those wiretaps into evidence in a criminal trial.

Former Justice Harlan used the phrase "constitutionally protected reasonable expectation of privacy" in his concurrence, which has become the bedrock upon which all subsequent analysis has been based. He elaborated that "My understanding of the rule that has emerged from prior decisions is that there is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ``reasonable.´´" (Parentheses in original.)

The District Court also relied upon the 2001 opinion in Kyllo v. United States, 533 U.S. 27, regarding thermal imaging of a home to detect lamps used for growing marijuana. See, story titled "Supreme Court Opines on Searches" in TLJ Daily E-Mail Alert No. 206, June 12, 2001.

The government relied upon the 1979 Supreme Court opinion in Smith v. Maryland, 442 U.S. 735, to argue that there is no reasonable expectation of privacy in phone records metadata. In that case, in the investigation of a single obscene phone caller, police obtained call data without a warrant.

The District Court wrote that "The question before me is not the same question" as in Smith. Rather, it "is a far cry from the issue in that case".

"Indeed, the question in this case can more properly be styled as follows: When do present-day circumstances -- the evolutions in the Government's surveillance capabilities, citizens' phone habits, and the relationship between the NSA and telecom companies -- become so thoroughly unlike those considered by the Supreme Court thirty-four years ago that a precedent like Smith simply does not apply? The answer, unfortunately for the Government, is now."

The Court continued that "the surveillance program now before me is so different from a simple pen register that Smith is of little value in assessing whether the Bulk Telephony Metadata Program constitutes a Fourth Amendment search."

For example, the Court explained, the pen register in Smith was only operational for a few days; data was not retained; and, the data was used only prospectively, to find violations of law after installation. In contrast, the BTMP collects and retains "a historical database containing five years' worth of data."

Also, "the almost-Orwellian technology that enables the Government to store and analyze the phone metadata of every telephone user in the United States is unlike anything that could have been conceived in 1979."

Finally, "the nature and quantity of the information contained in people's telephony metadata is much greater". The District Court added that "the ubiquity of phones has dramatically altered the quantity of information that is now available and, more importantly, what that information can tell the Government about people's lives."

"In sum, the Smith pen register and the ongoing NSA Bulk Telephony Metadata Program have so many significant distinctions between them that I cannot possibly navigate these uncharted Fourth Amendment waters using as my North Star a case that predates the rise of cell phones." Hence, the Court concluded that the plaintiffs have a subjective expectation of privacy in their phone call data.

The next part of the 4th Amendment analysis is whether this expectation is "one that society is prepared to recognize as objectively reasonable and justifiable". The Court wrote that this turns on the government's concerns and purposes.

The Court wrote that "the Government does not cite a single instance in which analysis of the NSA's bulk metadata collection actually stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time-sensitive in nature." And, "Given the limited record before me at this point in the litigation -- most notably, the utter lack of evidence that a terrorist attack has ever been prevented because searching the NSA database was faster than other investigative tactics -- I have serious doubts about the efficacy of the metadata collection program as a means of conducting time-sensitive investigations in cases involving imminent threats of terrorism." Thus, "plaintiffs have a substantial likelihood of showing that their privacy interests outweigh the Government's interest in collecting and analyzing bulk telephony metadata and therefore the NSA's bulk collection program is indeed an unreasonable search under the Fourth Amendment."

(The Court noted that the government did not back up in sworn testimony its public statements and Congressional testimony regarding stopping terrorist attacks, and that it declined to provide testimony in camera.)

Finally, the Court wrote, with quotations from the Supreme Court's opinion in Berger v. New York, 388 U.S. 41, that "I cannot imagine a more ``indiscriminate´´ and ``arbitrary invasion´´ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying and analyzing it without prior judicial approval. Surely, such a program infringes on ``that degree of privacy´´ that the Founders enshrined in the Fourth Amendment."

And, with reference to a speech by former President James Madison, the Court concluded that "I have little doubt that the author of our Constitution, James Madison, who cautioned us to beware ``the abridgement of freedom of the people by gradual and silent encroachments by those in power,´´ would be aghast."

(The Court dealt very briefly with the other prongs of the test for issuance of a preliminary injunction.)

People and Appointments

12/16. The Senate confirmed Jeh Johnson to be Secretary of Homeland Security by a vote of 78-16. See, Roll Call No. 276.