Kade Crockford, Director of the ACLU of Massachusetts Technology for Liberty Project, discusses the FBI’s greatly expanding surveillance power in three key areas: their Next Generation Identification (biometric) database; warrantless access to the internet records of Americans; and their ability to hack and install malware on computers – all potentially without any public oversight.
Podcast: Play in new window | Download
President John F. Kennedy was assassinated more than 50 years ago.
Questions still persist to this day.
Why did the Secret Service threaten deadly force against the Dallas medical examiner?
Why did a Navy official testify that the official autopsy photographs were not the ones she developed during the weekend of the assassination?
Explore these questions and more in Jacob Hornberger's best-selling e-book, The Kennedy Autopsy, published by the Future of Freedom Foundation.
Buy it today for only $2.99 on Amazon.com.
The Kennedy Autopsy by Jacob Hornberger.
There are a couple different ones here to talk about, but first and foremost, the FBI is on the cusp of obtaining three extremely dangerous new powers.
Welcome back to the show, Kate.
How are you?
I'm doing okay.
Thanks for having me, Scott.
Very happy to have you here.
Appreciate you joining us.
So, now, I'm late.
What's the date today?
Does this already happen?
So, okay, there are three different issues that I addressed in this blog post from last week.
One of them is the fact that the FBI tried to sneak an exemption from the Privacy Act for its massive biometrics database under the radar.
They were only going to allow 30 days of comment on what's a really dangerous proposal.
So, to back up, folks may know the FBI has a biometrics database called Next Generation Identification.
The FBI's goal is to collect biometric data on everybody in the country.
They're doing this in a couple of different ways.
One is every time someone's arrested in the United States, and this has been true for some time, local police send those fingerprints to the FBI, and the FBI retains them forever.
Now, the FBI is also collecting face prints from local law enforcement.
So, that's, you know, mug shots that can be used in the future to identify people through surveillance camera images on the street using face recognition and things like that.
So, they're collecting fingerprints, face prints.
Also, in some cities, when you're arrested now, police departments are pressuring people to give up their iris scans, which are being fed into their NGI database that the FBI maintains, which, by the way, if my memory serves me correctly, I believe Lockheed Martin got paid a billion dollars to create this system a number of years ago.
So, it's really costly.
They have information from arrestees, as well as people who have had to undergo a federal background check for some sort of employment.
So, there are two categories of people whose information is in the database, people who are arrested and people who have to get a license and pass a federal background check to get a job.
So, that's teachers, nurses, you know, anybody.
I was in front of a group of librarians yesterday.
They all had to submit to a federal background check.
So, a lot, a lot of people, millions and millions of people who haven't even been suspected of a crime, let alone convicted of one, whose information is in this database.
And beyond the sort of traditional biometrics of face print, fingerprint, the FBI is also hoping to collect in this database all sorts of weird futuristic stuff like gait information.
Apparently, the way you walk is a biometric, and they want to keep records on that.
They're interested in scent information, how you smell is a biometric.
Biometrics, for those of you who don't know, just means unique to an individual.
So, you know, your iris is not the same as anybody else's.
Same with your fingerprint.
Apparently, same with your scent.
Voice prints, they want to collect on people.
Tattoos, scars, markings, things like that.
So, this is like, you know, the FBI's goal here is to basically collect information about people's physical bodies and collect as much of it about as many people as they possibly can.
You know, the FBI, I'll talk about in a second, is really pushing forward the dragnet national security state, you know, unquenchable thirst for information about our digital lives on the one hand, and then at the same time through this NGI system, they want to actually have all of the information that they possibly can about our physical bodies in addition to our online activities and our phone calls and things like that.
So, what we have just recently learned is that the FBI wants to exempt its Next Generation Identification Database from some key provisions of the 1974 Privacy Act, and essentially what that means is that the FBI does not want you to be able to identify information about yourself in this database, does not want you to be able to correct inaccurate information if the FBI has inaccurate files in NGI about you, and perhaps most importantly wants to ban people from being able to sue the FBI if the FBI uses information in this database in a way that either abuses your rights or in a way that, you know, screws up your life because the information was inaccurate.
So, really what they're trying to do is insulate this database from any kind of possible civil litigation related to civil rights or civil liberties violations.
So, it's very dangerous.
At the same time, the FBI is trying to obtain a couple of really broad new powers.
Oh wait, let's put those off for a second and stick with this one.
Okay.
I think, I'm trying to remember exactly how you said at the very beginning there, but I thought it sounded like they were trying to get away with this, but you guys were stopping them from shortening the public comment time and some of the other things.
Yeah, so the ACLU and some other groups wrote a letter saying, we need a lot more time to comment.
You know, particularly, I think, unfortunate about this stuff happening all right now is that the nation's attention is turned pretty squarely in the direction of the presidential contest, which, as you and your listeners probably know, doesn't feature a whole lot of substance about actual issues that we deal with in this country and mostly is just a lot of kind of stupid rhetoric.
So, issues like this are really not getting the attention that they deserve.
So, yeah, we at the ACLU and some other groups said, you know, we need a lot more time.
30 days isn't enough.
We basically just found out about this.
You need to give the public six weeks, a couple months, so that folks can, you know, have an opportunity to make comments against this proposed exemption.
Well, that's kind of the funny thing, right, is what we're talking about here is not a law.
We're talking about just some rule changes that they can change themselves and they can just expand their power themselves.
And then what?
They just put a little thing in the newspaper that said, by the way, we're doing this.
Call and complain if you want.
I mean, what difference does it even make if you complain?
They can do it anyway, right?
Well, yeah, they may be able to.
I mean, look, the only way that we ever win anything is by making noise about it, educating people about it.
You know, if we can get enough people to submit comments, it very well may be that the FBI loses this battle.
But certainly, you think you can get them to back down other than somehow getting Congress to make them back down?
I think anything's possible.
I know for a fact that if we don't do anything, the FBI is going to get what they want.
So, you know, for me, it's oh, yeah, well, don't get me wrong.
I'm not trying to discourage you.
I just mean how funny it is that what we're talking about here is not how you and your colleagues are going to testify before Congress about this.
They don't really have anything to do with it.
It's not law at all.
It's just the executive branch making up whatever rule changes they want.
So it's very difficult to perform any checks and balances when there aren't any.
That's a really good point.
And this is a fundamental weakness of the Privacy Act.
Unfortunately, it allows law enforcement agencies to essentially exempt themselves from provisions of the Privacy Act.
So, yeah, I mean, that was a weakness that was kicked in, built in by Congress in the 1970s.
And unfortunately, you know, the FBI knows how to exploit that weakness.
And by the way, was there a law that created the or allowed the creation of this biometric database in the first place?
So this whole thing was cooked up on the rule books by the bureaucrats?
Well, certainly the FBI had to get it funded.
So Congress did fund the creation of next of this next generation identification database.
And, you know, especially in the Virginia, D.C. area, Maryland, Virginia, there have been, you know, representatives from Congress who have been big supporters of this.
You know, they like when the federal government gives big contractors a billion dollars to do a lot of work in their district.
So don't get me wrong.
I mean, I'm not saying that would make it better.
Just it makes it worse in a way when it's the executive branch simply making it up as they go along without even permission.
But not that I'm saying Congress's blessing is somehow, you know, superior to the Bill of Rights or anything.
Well, so on that exact point, another issue that I wrote about in the blog last week is exactly the problem that you're describing, which is that the executive branch is claiming a huge new power without any kind of debate about it in Congress.
And so this has to do with this is kind of jargony and sounds really boring, but it could not be more important.
So this is an issue that has to do with Rule 41 of the Federal Criminal Procedure.
The Federal Criminal Procedure are rules that the courts established to govern federal court life, basically, to govern all the operations of federal courts.
Everything from, you know, when the court is going to take official holidays throughout the year to, you know, how the grand jury process works.
The nitty gritty details of how the federal court system actually works are all laid out in these federal rules of criminal procedure.
So Rule 41 is the rule that deals with search warrants.
It's a very important rule.
A very important part of Rule 41 says that law enforcement can only obtain warrants from judges who can only authorize warrants to search people and places inside that judge's jurisdiction.
That's to say, if I'm a judge in Boston and law enforcement officials come to me asking for permission through a search warrant to search someone's house in Los Angeles, I cannot give them that warrant.
I cannot sign that warrant that violates Rule 41 of the criminal procedure, which says I can only approve search warrants in my physical jurisdiction.
This is really important for a couple of reasons.
One is because we don't want prosecutors going judge shopping if they think, oh, well, you know, I want to get this really broad warrant, and I know this one judge really likes the FBI, so I'm going to ask this judge in Seattle for permission to search some people in New Orleans because I know that he'll always say yes to me.
It prohibits that from happening, and it also makes sure that the courts are acting with all of the information they need about the law in their own jurisdiction now, or rather in the jurisdiction where the search warrant is going to be executed.
And the reason this is important is that federal law is not the same all across the country.
So in the Sixth Circuit, for example, there was a case called Warshak at the Sixth Circuit Court of Appeals, which resulted in a finding by the court that people have a right to privacy in their email.
So any email that the FBI wants to get a hold of, the court ruled they need to go get a warrant first in order to obtain those emails.
That is not the case in other areas of the country because outside of the Sixth Circuit, we haven't had any appeals court ruling holding the same thing.
So a Sixth Circuit judge, a judge, a federal judge within the Sixth Circuit is not going to necessarily know what the law is on email issues or any number of other complicated issues related to precedent within jurisdictions, except for he will know the law within his own jurisdiction.
So changing Rule 41 to allow judges to authorize searches outside of their physical jurisdictions is basically going to make a mess of the law.
It's going to make it really, really complicated and really, really difficult because judges simply don't know the legal landscape and what the actual law is throughout the entire country.
Well, it sounds like pretty quickly the FBI would figure it out, just like you're saying they would go judge shopping for their favorite judge.
They'll go to district shopping for their favorite district.
Don't take it to the San Francisco court.
Those lily-livered pantywaists, they'll let them get away with it.
We'll go to Virginia every time.
Exactly.
So that's a huge part of the problem.
A second part of the problem is that the rule change that the FBI thought, and they have now gotten approved.
So this is sort of like the short way of describing how this process works is that there are committees that consider rule changes.
If they approve the rule changes, it goes to a higher level committee within the court system.
That committee approves the rule change, and then it goes to the Supreme Court of the United States, which ultimately approves or denies all possible rule changes.
Just about a month ago, the Supreme Court approved this rule change that was years in the making that the FBI had been pushing for that the ACLU and other groups had opposed for quite some time, although I think because this is such an in-the-weeds kind of complicated issue to explain, it never really got any big coverage.
But finally it happened.
The Supreme Court approved the rule change, and now we only have until December 1st of 2016.
That is the time in which Congress can act to reject the rule change, and if they don't, it's going to take effect.
So not only, though, does the rule change allow courts to authorize search warrants outside of their physical jurisdiction, it also enables them to authorize remote access warrants.
That's another way of saying hacking, because what the FBI is really after here is the power to be able to go to a judge in Boston and get a warrant that enables them to hack thousands, tens of thousands, potentially millions of computers all over the world at the same time with one warrant, even if they don't know in what jurisdiction physically those computers fit.
And the FBI claims it needs this power to go after things like botnets and malware farms, basically, that attack many, many computers at once, send malicious code, but do it in such a way that it's actually quite difficult to determine where the initial malicious code came from.
So the FBI is saying, in order to go after these kinds of operations, we need to be able to effectively peer into millions of computers all around the world at the same time and do so using one search warrant.
So this is really unprecedented.
I mean, never before in American history would the government be able to do what it's trying to do using one search warrant.
It's really the equivalent of a digital general warrant.
It's extremely dangerous, and the FBI has basically gotten this power.
Now our only hope is that Congress does something within the next couple of months.
Again, December 1st is the deadline.
Senator Ron Wyden, who is always good on these issues, has proposed a bill called the Stop Mass Hacking Act, the SMH Act, and this bill, the Stop Mass Hacking Act, would effectively just reject the Rule 41 change.
Wyden and others in Congress who are paying attention to this have said that if the FBI is really serious about this and it really needs this new power, it should go to Congress, and we should have a full and open debate about the merits and the dangers of this new power that it's trying to obtain instead of just allowing the FBI to get this power through basically like a procedural rule change through the courts.
This is not the appropriate way to give a federal law enforcement agency an extremely vast new power, and yet that's exactly what's happening.
So if you care about this, if you care about your computer not being hacked by the FBI, if you care about basic rules of American criminal jurisprudence not being totally excluded, you should contact your representatives and tell them that you support the Stop Mass Hacking Act.
All right, well, I don't mind advocating for the devil for a minute.
What about these terrible malware botnets and all these things, and maybe it is a technical issue?
We're the ones in the zeros have done an end run around the Bill of Rights, and the FBI is helpless to protect us without this change.
Cade, what about that?
Well, you always have to look at who the FBI is and what their interests are, and first of all, the Department of Homeland Security, I think, is in some ways better suited to deal with botnets and malicious software and things like that.
You know, the FBI is not...the FBI's main...their primary responsibility in the United States, they claim, is counterintelligence and counterterrorism, so they are sort of ill-equipped at the outset to be doing this work in the first place.
But secondly, this is precisely why we need to have a debate about these issues in Congress and why we need Congress to legislate.
If any power remotely like this is going to come to the FBI or other federal law enforcement agencies, we need Congress to be giving them that power and not through...and they can't be getting that power through this rule change.
And the reason for that is pretty simple.
If we are going to give the executive broad new power to search us and, you know, monitor what we're doing on our computers and potentially install malware on them, hack them, whatever, we need robust transparency and accountability mechanisms to accompany those powers.
Nothing like that would happen.
If they get these powers through the rule change alone, they will have basically carte blanche.
There will be no oversight mechanisms that don't currently exist.
There will be no transparency mechanisms.
It'll be very difficult for us to ever find out how the FBI uses this power.
So, you know, to the question of, well, this is a really serious problem.
If we don't do anything, we're all going to die.
If the FBI really does strongly believe that, then they need to go to Congress and make that case.
We need to hear from technical experts who can, you know, make it really simple, make a complex issue simple enough so that Americans and people in Congress can understand the risks on both sides, whether we give this power to the FBI or we don't.
And then if Congress chooses to go ahead and, you know, enable the FBI to do some of what it claims it needs to do here, there needs to be really, really strict rules, including robust transparency and accountability mechanisms.
And none of that is going to happen if this power is granted to the FBI through this rule change process alone.
All right.
Now, wasn't there one more, too, about the expanded ability of the FBI to ask any Internet service provider to just hand over histories, basically?
Exactly.
So the third massive extension of FBI power that Comey is really chomping at the bit to get is what he calls fixing a typo in the national security letter statute.
So he says, it's no big deal.
We just really need to fix this typo.
Oh, by the way, it's the most important legislative issue for the FBI right now.
Fixing this typo, he says.
In the statute that authorizes the power the FBI has to serve national security letters, which, again, are simply subpoenas.
They're secret subpoenas.
No judge ever sees them.
There's no oversight over how many are ever sent.
No meaningful oversight.
Anyway, there's basically no accountability.
We found out in 2007 when there was a rare inspector general report that looked at FBI use of national security letters after 9-11 that the FBI lied to Congress about how many of these it had filed, that the FBI filed, you know, 150,000-some of these letters within a couple-year period, and that during that period, only 300-and-some of those 145,000 national security letters actually led to criminal proceedings.
So that's not even a conviction.
That's just a prosecution.
That is 0.1%.
So the vast majority of these national security letter investigations go absolutely nowhere.
It's not hard to see why, because the FBI doesn't have to have any evidence that you're involved in a crime before it uses one of these secret subpoenas to obtain information about you.
So these are used in phishing expeditions, basically.
They may very well be used in operations to try to find information about people that can later be used to blackmail them, get them to become informants.
It's a very dangerous power that the FBI has repeatedly abused.
Congress has been lied to about the FBI's use of these tools.
Nonetheless, Comey is now saying, we need a massive expansion of this power, but don't worry about it.
We're just fixing a typo.
And to make matters worse, he got Senator Corbyn to tack on an amendment to the email privacy bill that we almost succeeded in passing this session.
I'm not sure if folks have heard, but the Electronic Communications Privacy Act is a 30-some-year-old law that contains a really weird provision that says if emails are older than 180 days sitting on a server, law enforcement can access them without a warrant.
This is an old law that relates to a time in which digital storage was very expensive, and so more people couldn't possibly store information for more than six months.
Well, obviously, we live in a different world.
So the ACLU, tech groups, all sorts of people have been trying for years, lobbying Congress, to get this 180-day rule eliminated so that there's an across-the-board warrant for email.
Well, we came really close this session.
The House passed the bill unanimously.
There was a companion bill that was moving its way through the Senate.
And what did Jim Comey do but attach an amendment to that very straightforward, simple privacy bill that would give the FBI extremely broad new powers to use national security letters to obtain all sorts of information about the digital trails we leave behind on the internet, information that they are not currently authorized to get using national security letters?
He attaches this amendment to the bill, basically killing it.
Senator Pat Leahy from Vermont, who's been a major supporter of the Email Privacy Act, said, you know, I'm paraphrasing, I can't in good conscience move this bill forward if there's this massive surveillance provision attached to it.
This is supposed to be a privacy bill.
So Comey, with one fell swoop, manages to kill this email privacy bill and advance the notion that the FBI needs this broad new power.
So that might not be happening on the email privacy bill front because, you know, its sponsors aren't going to move this bill forward when it has this poison pill attached to it.
But Comey has also gotten Corbyn to add, or I believe it was Corbyn, but there are rumors, at least, that the 2017 intelligence authorization package, which is the way that Congress funds the intelligence infrastructure of the country, also includes an amendment that would do this.
So, you know, and that really bothers me because it seems pretty clear that Comey knew that this amendment was going to get passed on to the intel authorization bill, which has to pass, which always passes.
You know, no Congress or president would ever get reelected if their opponent were able to say, you voted against funding the national security state.
So this bill will pass, it always does.
So given that he knew this amendment to expand NFL power so massively was going to be tacked on to the intelligence authorization bill, the fact that he also got it tacked on to the email privacy bill is just like spitting in the eye of the privacy and civil liberties community.
It seems like there was no reason to do that other than to kill the bill.
But yes, looking forward, people should be very concerned.
Call their representatives and senators and ask them to look into this amendment on the intelligence authorization act of 2017 that would broadly extend the FBI's power to use NSLs.
And, you know, in my communications with Congress, I'm going to remind them that the FBI has routinely lied to Congress about their use of NSLs.
And so maybe they shouldn't be rewarded for their bad behavior.
Yeah, that's a good angle.
See if you can possibly get some of these Congress people to take it personally, then maybe they'll have a problem since they don't care about our freedom at all.
But let me ask you a detail about this email loophole thing that they have left over here.
And I think people have heard of this, right?
As you mentioned, this rule left over from the 80s, I guess.
But this applies to my own server and my own webmail account?
Or this only means if I have Hotmail or MSN or Gmail?
Or how exactly does that work?
Well, it applies.
So this is the law that we're talking about is the Electronic Communications Privacy Act.
And there's a part of that law called the Stored Communications Act.
And in the Stored Communications Act, there's basically, it says you have to get a warrant for new emails for new electronic communications.
But for electronic communications that are older than 180 days, you can use something called a 2703D order.
And that's the part of the statute.
It's Section 2703D of the Stored Communications Act that authorizes the government to use these.
And so we call them D orders.
And D orders do not require probable cause.
They don't require a showing that the information the police or the agency hopes to return from the search will be evidence of a crime.
That's the probable cause standard.
It doesn't exist with these D orders.
So for information that's older than 180 days, law enforcement or prosecutors, rather, can just go to judges, magistrate judges, and get D orders, which only require a showing that the information will be relevant and material to an ongoing investigation.
And relevant and material is a very low standard that doesn't implicate any criminality.
So, you know, your email can be relevant and material to an investigation that has to do with your neighbor.
Even if you are not the target of the investigation, you are not suspected of any crime, as long as that information is relevant and material, it can be handed over.
It's a very low standard.
It's very easy for law enforcement to get these D orders.
So to the question about the server, generally, if you maintain your own server and you're the only person who knows how to get information off of that server, then, you know, unfortunately for law enforcement, they would have to come to you with one of these orders.
Oh, so this doesn't give them necessarily the permission to hire someone to hack into my server remotely from somewhere else.
They'd have to just come and take it.
That's right.
But if they get their way with this rule change, the rule 41, then, you know, they very well may be able to actually just hack your stuff.
Yeah, man, I don't know how you keep track of all this stuff.
You sure do a great job.
And I appreciate too, that you fight about it.
You're not just informing us about it.
You're really a crusader on this stuff.
So tell people again, how they can get involved and help you out here.
Uh, cool.
Yeah.
Check out my blog, privacy, SOS.org slash blog.
That's at the ACLU of Massachusetts.
And, you know, I know a lot of folks probably disagree with some of the positions here, but groups like ours and, um, EFF are really at the forefront of making sure that you have rights in the digital 21st century.
And so if you care about that, you should support us with your money.
All right.
Well, thanks very much, Kate.
I really appreciate it.
You got to take care of that.
All right, y'all.
That is Cade Crockford.
She's at the ACLU of Massachusetts.
Again, check out her website, privacy, SOS.org.
All right, y'all.
Thanks for listening.
Scott Horton Show, scotthorton.org for all the archives, 4,000 of them and something going back to 2003.
Sign up for the podcast feed there, uh, iTunes, Stitcher and all that stuff.
Help support the show at scotthorton.org slash donate and follow me on Twitter at Scott Horton Show.
Hey, I'm Scott Horton here to tell you about this great new ebook by long-time future freedom author, Scott McPherson, freedom and security, the second amendment and the right to keep and bear arms.
This is the definitive principled case in favor of gun rights and against gun control.
America is exceptional here.
The people come first and we refuse to allow the state of monopoly on firearms.
Our liberty depends on it.
Get Scott McPherson's freedom and security.
The second amendment and the right to keep and bear arms on Kindle at amazon.com today.
Hey, I'll Scott Horton here for wallstreetwindow.com.
Mike Swanson knows his stuff.
He made a killing running his own hedge fund and always gets out of the stock market before the government generated bubbles pop, which is by the way, what he's doing right now, selling all the stocks and betting on gold and commodities.
Sign up at wallstreetwindow.com and get real time updates from Mike on all his market moves.
It's hard to know how to protect your savings and earn a good return in an economy like this.
Mike Swanson can help follow along on paper and see for yourself wallstreetwindow.com.
