
Court Order told Yahoo that Prism does not require a warrant [pdf] - sampsonjs
http://www.fas.org/irp/agency/doj/fisa/fiscr082208.pdf
======
sampsonjs
'Yonatan Zunger, the chief architect of Google+, wrote in a Google+ post today
that: "I can tell you that the only way in which Google reveals information
about users are when we receive lawful, specific orders about individuals --
things like search warrants."'

From the court order: "We add, moreover, that there is a high degree of
probability that requiring a warrant would hinder the government's ability to
collect time-sensitive information and, thus, would impede the vital national
security interests that are at stake." _Cough_

~~~
justinschuh
I think you've misunderstood what you read. Under US law an FAA order carries
the same compliance burden as a warrant. And, just like a warrant, the party
served can push back on an overly broad or unjustified order. So, there's
nothing untrue or even remotely misleading in the statement that "the only way
in which Google reveals information about users are when we receive lawful,
specific orders about individuals -- things like search warrants."

~~~
lawnchair_larry
You should read the second half of his paste. Maybe disclose bias too.

~~~
justinschuh
Did you read the surrounding context of that quote in the original document?
This comment implies you did not.

------
mehwoot
Because these are FISA requests for individuals "reasonably suspected to be
residing outside the U.S.". Those have never required warrants. Before FISA
existed they just did it to whomever they pleased; now it requires a FISA
request which is not the same thing as a warrant.

Nowhere in that document does it say anything about not needing a warrant to
get information on U.S. citizens residing in the U.S. What it does actually
say is

 _For these reasons, we hold that a foreign intelligence exception to the
Fourth Amendment's warrant requirement exists when surveillance is conducted
to obtain foreign intelligence for national security purposes and is directed
against foreign powers or agents of foreign powers reasonably believed to be
located outside the United States._

I.e. a FISA request.

~~~
justinschuh
A few points. A FISA order really is a warrant, and the NSA needs one to
collect on a US person (ie. US citizen anywhere or anyone on US soil). Before
9/11, FISA warrants were also used to compel US companies to comply with
collection against non US persons for which they were the carrier. At some
point after 9/11 the Bush administration realized the law could be reasonably
interpreted as not strictly requiring this, so they stopped using FISA for
this purpose. That was the heart of the warrantless wiretapping controversy,
and the primary goal of the FISA Amendments Act was to add requirements and
oversight for these situations.

~~~
lawnchair_larry
False, see Verizon order

~~~
justinschuh
Your response is in no way related to my comment. What point were you trying
to make?

------
justinschuh
The petitioner is redacted, so why does the title presume it to be Yahoo? Did
I miss something?

Also, PRISM is an acronym for Planning Tool for Resource Integration,
Synchronization, and Management. Could people please stop abusing it as a term
for whatever random scary thing they want to believe the NSA is doing?

~~~
declan
We learned this month that the company was Yahoo. See:

[http://www.nytimes.com/2013/06/14/technology/secret-court-ru...](http://www.nytimes.com/2013/06/14/technology/secret-court-ruling-put-tech-companies-in-data-bind.html?pagewanted=all&_r=0)

~~~
justinschuh
Thanks, that's certainly useful context. It's a shame the link is a bare PDF,
without that background.

------
koops
"...the petition requires us to weigh the nation's security interests against
the Fourth Amendment privacy interests of United States persons."

The text of the Fourth Amendment doesn't narrow itself to "United States Persons". It
says:

"The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated,
and no Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized."

~~~
fsckin
Why do you think 'the people' in the Fourth Amendment is not a reference to
the same "We 'the people' of the United States" in the Constitution?

------
Andrew_Quentin
It is so strange to see a judgment reference a previous case as Re Sealed
Case.

It feels like the judge is stating: The authority for this principle can be
found in Black Box.

It may be justified for civil cases to be held in secret. After all, civil
cases can be resolved by mediation, arbitration, even just negotiation. When
the matter concerns a petition against the government however, or against a
law, there is no reason for the case to be sealed or secret.

What's next, the congress voted in a closed secret session a new secret law?

------
magoon
Can anybody decode this gibberish? Is it any wonder our rights are being
violated by lawyers, lawyers-turned-lawmakers, and lawyers-turned-judges?

------
mtgx
The Protect America Act still exists? Why isn't there more discussion about
it?

~~~
justinschuh
No it doesn't. Even this ruling clearly notes that the PAA had a one year
sunset and expired in 2008.

~~~
declan
The PAA does not exist. But similar language appears in the FISA Amendments
Act of 2008, which Congress renewed most recently in December. Bipartisan
enthusiasm, with approximately three-quarters of senators voting for it after
safely defeating the pro-privacy amendments:
[http://thomas.loc.gov/cgi-bin/bdquery/z?d112:HR5949](http://thomas.loc.gov/cgi-bin/bdquery/z?d112:HR5949):

~~~
justinschuh
I don't see how you could think the PAA and FAA have similar language. The PAA
was a pretty ugly bill, and significantly loosened both FISA and USSID 18
restrictions against collection on US persons. Whereas the FAA actually
reinstated FISA order requirements and closed the third-party carrier
loophole. So, the FAA was an unambiguous win for privacy over the
then-expiring PAA, and more importantly it was an improvement over the pre PAA
version of FISA.

Before the FAA passed, there were no requirements or oversight governing
collection of non US persons communicating over a US carrier. And in fact,
existing legal precedent does not treat the carrier as party to the
communication, so collection under those circumstances was likely legal.
That's exactly the loophole the previous administration exploited to compel
third-party compliance in foreign intelligence collection without oversight.

~~~
declan
I didn't think it was controversial to claim that the PAA and FAA have similar
language. Here's one section from both bills (Sec. 702 in the FAA and 105B in
the PAA) authorizing warrantless surveillance:

[http://thomas.loc.gov/cgi-bin/bdquery/z?d110:s.01927](http://thomas.loc.gov/cgi-bin/bdquery/z?d110:s.01927):
Notwithstanding any other law, the Director of
National Intelligence and the Attorney General, may for periods of up to one
year authorize the acquisition of foreign intelligence information concerning
persons reasonably believed to be outside the United States...

[http://thomas.loc.gov/cgi-bin/bdquery/z?d110:H.R.6304](http://thomas.loc.gov/cgi-bin/bdquery/z?d110:H.R.6304):
Notwithstanding any other provision of law...
the Attorney General and the Director of National Intelligence may authorize
jointly, for a period of up to 1 year from the effective date of the
authorization, the targeting of persons reasonably believed to be located
outside the United States...

I didn't say they were identical, just that they were similar. Though each
does use the identical language about limits on targeting "persons reasonably
believed to be located outside the United States" -- and we found out from
last week's leaks how far that language can be stretched.

~~~
justinschuh
Claiming the bills have similar language implies that they have similar
effect. However, the facts are quite opposite. The PAA significantly reduced
oversight and individual protections while the effect of the FAA was to
increase both.

Even those passages you're citing are night and day apart. The first
authorizes collection against US persons on foreign soil, which flew in the
face of 50 years of precedent. Whereas the second is truncated to the point of
being almost meaningless, but in context it defines some terms of collection
against non US persons outside the US--something legal for all of US history.
The only similarities between the two are the responsible parties and the
duration, which are basically boilerplate.

~~~
csoghoian
Justin, have you read the recently leaked NSA rules outlining how they define
a non-US person for the purpose of FAA surveillance?

See:
[http://www.guardian.co.uk/world/interactive/2013/jun/20/exhi...](http://www.guardian.co.uk/world/interactive/2013/jun/20/exhibit-a-procedures-nsa-document),
page 4, paragraph 1.

If the NSA does not know whether someone is a US person or a foreigner, the
agency assumes that the person is a foreigner. That matters a lot if, for
example, you're using Tor.

You might also want to look at the recently leaked minimization rules, which
permit the retention of purely domestic communications collected under the
FAA, if that information can be used to develop and exploit security
vulnerabilities. Given where you work now, and what you work on, that might be
somewhat important.

See:
[http://www.guardian.co.uk/world/interactive/2013/jun/20/exhi...](http://www.guardian.co.uk/world/interactive/2013/jun/20/exhibit-b-nsa-procedures-document),
page 5, paragraph 3.

~~~
justinschuh
Chris, that's one paragraph absent the surrounding context. Targeting must be
validated and verified as outside the US, but beyond that it can be very hard
to authoritatively guarantee what the nationality of the parties is. The best
I can add is that I've done the job, and I know the cardinal rule is you do
not collect on US persons except in the rare case that you have a FISA order.
And the people I know still doing the job concur that hasn't changed.
Violating it willfully or negligently means the end of a career and possible
jail time.

~~~
csoghoian
There appears to be a bit of a conflict between the cardinal rule you were
taught when you worked at NSA of not collecting information on US persons with
the current practices of the NSA.

The Section 215 program in which the NSA has been collecting metadata about
every domestic telephone call would appear to violate that rule, even if, as
we are told, only a couple dozen NSA employees can query the database, and
even if they only use it for investigations related to terrorism.

Likewise, the non-US persons targeting rules leaked last week suggest that the
NSA has ongoing access to GSM Home Location Register data for the entire
United States. While this doesn't pinpoint someone's location to a house or
street, we're still talking about the NSA getting city-level location data for
hundreds of millions of innocent Americans.

See page 6 of:
[http://www.guardian.co.uk/world/interactive/2013/jun/20/exhi...](http://www.guardian.co.uk/world/interactive/2013/jun/20/exhibit-a-procedures-nsa-document)

Given how compartmentalized NSA is, it seems quite reasonable that your former
team (which, I assume, penetrated the computers of foreign targets) would have
no contact at all with the teams tasked with collecting domestic
communications.

~~~
justinschuh
I don't know what was ambiguous about "except in the rare case that you have a
FISA order." I'm dubious of the metadata thing (a bit less knowing that it is
not part of the collection and A&P pipeline), but the fact is that it was
approved by the FISA court and an order was issued.

------
drivebyacct2
Wait, are there actually people in the US who still assume that someone
has to get a warrant to investigate them under the auspices of terrorism or
National Security? I assumed this was a more or less accepted fact by now.

They take everything they want off the wire anyway; the best case scenario is
that they have FISA rubber stamp warrants for the times where they "need a
warrant".

Do we really care about specific instances of uses of PRISM? I mean, in an
honest way I'm curious :: is there really any benefit if we could definitely
prove that PRISM was used without a warrant? Is it worse than any of the other
things that have been disclosed or leaked since originally finding out about
PRISM?

I don't think so, but I was screaming bloody murder about NSLs in 2006,
soooo......

~~~
mayneack
Just because everyone "knew" doesn't make this less useful to be released.
Last month if you went on CNN and claimed that the NSA had free reign to
access whatever they wanted, you'd be considered a conspiracy theorist. Now
you are at least just considered to be aiding the terrorists. This type of
thing is also useful for groups like the ACLU filing lawsuits because they
need more proof than "everyone knows already"

~~~
waqf
"free rein". It's a metaphor about horses, not kingdoms (though I have heard
that the one can be exchanged for the other).

~~~
rafcavallaro
I've heard that the offer has been made, but there's no record of the
transaction ever having been completed.

------
consonants
The NSA has specifically stated that they have the ability to preliminarily
gather data through PRISM a week before going to FISC for a warrant. What is
presented to the judge as evidence is usually that very collected data.

