Monday, June 10, 2013

Does FISA grant direct access to the servers of internet service providers?

A key question is whether FISA grants direct access to the servers of internet service providers. It is always difficult for legal scholars to analyse the law in foreign jurisdictions, in this case US law. I have for some time sought the provision in FISA which obligates communication service providers (CSPs) to grant NSA access to their fibre optic cables. In the Verizon court order disclosed by the Guardian there is a reference to 50 USC § 1861 but that provision concerns the production of tangible things such as records, but arguably not direct access to fibre optic cables or the entire network of a CSP. I believe that the relevant provision needs to be sought elsewhere in FISA.

In Sweden the relevant provision is to be found in chapter 6 section 19(a) of the Electronic Communications Act (2003:389). It provides that the CSPs (such as TeliaSonera and Bahnhof) are under an obligation to transfer all cable communication crossing Swedish borders to certain “interaction points” (black boxes), which may include communication where the sender or receiver is in Sweden. See also section 4.3.1 in this article.
 

I think that I have now found the relevant provision in FISA. It is 50 USC § 1881a (see also section 702 of the FISA Amendments Act).

(h) Directives and judicial review of directives
(1) Authority  
With respect to an acquisition authorized under subsection (a), the Attorney General and the Director of National Intelligence may direct, in writing, an electronic communication service provider to—
(A) immediately provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition in a manner that will protect the secrecy of the acquisition and produce a minimum of interference with the services that such electronic communication service provider is providing to the target of the acquisition; and 
(B) maintain under security procedures approved by the Attorney General and the Director of National Intelligence any records concerning the acquisition or the aid furnished that such electronic communication service provider wishes to maintain.
See also the subsections on challenges to directives.
(4) Challenging of directives
(A) Authority to challenge  
An electronic communication service provider receiving a directive issued pursuant to paragraph (1) may file a petition to modify or set aside such directive with the Foreign Intelligence Surveillance Court, which shall have jurisdiction to review such petition. 
[...]
(5) Enforcement of directives
(A) Order to compel  
If an electronic communication service provider fails to comply with a directive issued pursuant to paragraph (1), the Attorney General may file a petition for an order to compel the electronic communication service provider to comply with the directive with the Foreign Intelligence Surveillance Court, which shall have jurisdiction to review such petition.
(B) Assignment  
The presiding judge of the Court shall assign a petition filed under subparagraph (A) to 1 of the judges serving in the pool established under section 1803 (e)(1) of this title not later than 24 hours after the filing of such petition.   
(C) Procedures for review  
A judge considering a petition filed under subparagraph (A) shall, not later than 30 days after being assigned such petition, issue an order requiring the electronic communication service provider to comply with the directive or any part of it, as issued or as modified, if the judge finds that the directive meets the requirements of this section and is otherwise lawful. The judge shall provide a written statement for the record of the reasons for a determination under this paragraph.
I believe that the interpretation of the term "electronic communication service provider" is crucial. Should it be interpreted narrowly to only include CSPs such as Verizon and ATT (comparable with TeliaSonera and Bahnhof), or more broadly to also include other internet service providers such as Google, Facebook, Microsoft and Skype? From the reaction of the latter companies and the US Government it appears as if the provision is interpreted narrowly. If this is true, the US Government would do a great favour to itself and this debate if it made the relevant court orders (and interpretation of such orders) public. This is not only of interest to the American public; we have some Google, Facebook, Microsoft and Skype users in Sweden as well.

In comparison, I find the Swedish law clearer on this matter: it only concerns cables crossing Swedish borders, not servers of other internet service providers (Facebook has servers in Sweden, see this article).

I would be happy for any US scholars to correct any errors in this post on FISA.

Update 1. Marcus Jerräng pointed me to the fact that the US Director of National Intelligence (DNI) makes an explicit reference to section 702 of FISA in relation to the PRISM program, which suggests a broad interpretation. At the same time the DNI is describing it in terms of "targeted acquisition". Is this a contradiction? The access can arguably be broad at the same time as the subsequent targeting of specific individuals (i.e. collection and storage of content data at the NSA) is narrow. That is how I understand the operations of the FRA (the Swedish counterpart to the NSA).

Update 2. I have now found a blog post of Orin Kerr, professor at the George Washington University Law School, an expert on computer crime law and internet surveillance. He writes the following:
It sounds like the PRISM program is the way of implementing the statute [FISA Amendments Act of 2008], now codified at 50 U.S.C. 1881a
In other words, the PRISM program is legal.

Update 3. Here is a very interesting paper written by Joris Van Hoboken, Axel Arnbak and Nico Van Eijk. They also discuss the PRISM program in relation to FISA 50 USC 1881a (section 702).

Saturday, June 08, 2013

Comments on the NSA Prism program and Verizon court ruling

The Guardian and the Washington Post have on Thursday disclosed two very interesting documents that reveal two separate, probably interrelated, surveillance programs run by the NSA. The first document is a court order that forces Verizon to hand over phone records of millions of US customers. The second document contains selected slides from a PowerPoint presentation on a previously undisclosed program called PRISM. I have commented upon the story in Sveriges Radio P1 Studio Ett.

Update Sunday, June 9th, 2013. If one listens to the interview with me from Friday at 04.38-6.10, you can hear that I find the information about Verizon reliable because it confirms what has been revealed before from other sources (see for example USA Today May 10th, 2006). The documents disclosed by the Guardian strengthen this story. I am more cautious in the interview in relation to the claim that the NSA through the PRISM program has direct access to the servers of internet service providers such as Google, Facebook, Microsoft and Skype because the documents (i.e. the PowerPoint presentation) are scant on the scope and mode of these operations.

It appears that I am not the only one who is cautious in relation to the original PRISM story. Ed Bott writes that the same day (Friday June 7th 2013) the Washington Post changed key details in the PRISM story. After comparing the original and the edited versions of the Post's article, Bott's conclusion is that the Washington Post "leaked PowerPoint presentation from a single anonymous source and leaped to conclusions without supporting evidence". Barton Gellman, who co-wrote the Washington Post’s story, later told the Huffington Post that he “started to hear some footsteps [from the Guardian], so I had to move” and said he "would have been happier to have had a day or two” more to work on the PRISM story. In other words, the story was published prematurely. Gellman co-authored on Saturday a new article with a different narrative on how it works:

According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows "collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations," rather than directly to company servers. ... According to slides describing the mechanics of the system, PRISM works as follows: NSA employees engage the system by typing queries from their desks. For queries involving stored communications, the queries pass first through the FBI’s electronic communications surveillance unit, which reviews the search terms to ensure there are no U.S. citizens named as targets.
If this description is correct, the PRISM program is more targeted and narrow in scope compared to how it was described initially.

This story is very similar to the debate we had in 2008 in Sweden on surveillance run by the FRA (the Swedish national authority for Signals Intelligence). My conclusion is that intelligence agencies and the politicians that have insight and power over these programs need to be more transparent if they want to continue with programs they perceive as legitimate. Otherwise we are sure to see more future "scandals" in this area, even in cases when the operations are run in accordance with the law. A good start for Government (in the U.S., Sweden and elsewhere) would be to publicly publish on an annual basis the number of messages (content data) they intercept and how many records (metadata) they have in their databases.

Here is what I have written on the topic in English.

Update Monday, June 10th, 2013. Today I am interviewed by Sveriges Radio on Snowden and potential extradition to the U.S. from Hong Kong or Iceland.

Wednesday, May 29, 2013

New publication from OUP with contribution on evidence

Oxford University Press has recently published International Criminal Procedure: Principles and Rules, a comprehensive study of international criminal proceedings. It was edited by Göran Sluiter, Håkan Friman, Suzannah Linton, Sergey Vasiliev, and Salvatore Zappalà.

I was part of the group that wrote the part on Evidence; my own contribution was the sections "General Requirements for the Admission of Evidence" and "Prosecution Access to the Defence Material" (pages 1016-1043, 1099-1107).

I find the study very useful for research when going into new areas of interest. You can read more about the publication here.


Tuesday, May 21, 2013

Paper on the Gotovina-Markač Judgment

I have written a paper with a summary of the Gotovina and Markač Trial Chamber judgment and Appeals Chamber judgment, in preparation for a panel discussion during the seminar “Transitional Justice in Former Yugoslavia through the Prism of the Gotovina-Markač Judgment”, Uppsala, Sweden, May 22, 2013. You can read the paper here.

Update. Rhodri Williams, who participated in the seminar, has written a blog post on the same matter.

Tuesday, May 14, 2013

Seminar on drones

Today I took part in a seminar on drones. NyTeknik and Dagens Juridik have reported on part of the discussion. You can watch the whole seminar below.

Thursday, April 18, 2013

Seminar on drones

Yesterday I took part in a seminar on drones arranged by Fri Värld. A video from the event is below.

Wednesday, April 10, 2013

Unrealistic to treat the interpreters like other asylum seekers

On March 21, 2013 I was interviewed in SvD about the Afghan interpreters who have worked for the Swedish Armed Forces. The headline is “Unrealistic to treat the interpreters like other asylum seekers”.

Sunday, March 10, 2013

The case against Kenyatta's co-accused has collapsed

Several media outlets report that Kenyatta has won the presidential election in Kenya, and questions are being asked as to whether he can be president while under indictment at the International Criminal Court in The Hague (ICC).

William Schabas has drawn my attention to an event in this case that all media seem to have missed. The charges against Kenyatta's co-accused Muthaura have collapsed. What has happened? On 23 January 2012 the ICC Pre-Trial Chamber confirmed the charges against Kenyatta and Muthaura. Since then, information has emerged that undermines one of the witness statements. The defence for both Kenyatta and Muthaura has therefore requested that the Pre-Trial Chamber's decision be set aside. No such procedure exists, but the Prosecutor has agreed to the charges against Muthaura being set aside in the event that such a procedure exists. The Prosecutor writes the following on 25 February 2013 (para. 9).

The witness whose statement is at issue was essential on the issue of Mr Muthaura’s criminal responsibility and, in fact, was the only direct witness against him. Hence, the confirmation decision, if stripped of references to the witness' evidence, might not establish substantial grounds as a matter of law. The Prosecution also acknowledges that its disclosure error limited the Defence’s ability to challenge the critical witness’ testimony, which appears to have been the principal evidence relied upon by the Pre-Trial Chamber in its decision to confirm the charges against Mr Muthaura. In the particular circumstances of Mr Muthaura’s case, and given that he has elected to waive his Article 67(1)(c) right to go to trial without undue delay, the Prosecution does not oppose new confirmation proceedings with respect to him, should the Trial Chamber determine that there is a legal basis for such relief.
Given that the Prosecutor takes this position, the Prosecutor can withdraw the charges, as provided in article 61(9) of the Rome Statute; creating a special procedure that is not provided for in the Statute seems unnecessary. William Schabas seems to be thinking along the same lines. The Prosecutor is maintaining the charges against Kenyatta, since they rest on more witnesses than the one mentioned above.

I believe the outcome of the case against Kenyatta is wide open, with a steeper uphill climb for the Prosecutor than usual; having read a number of filings from the defence, I have seen a difference in class compared with the defence in other cases. It may be mentioned that the Pre-Trial Chamber confirmed the charges by a vote of 2-1, so there was uncertainty already earlier (see p. 156 of Judge Kaul's dissenting opinion).

Update 11 March 2013. Chief Prosecutor Fatou Bensouda has announced that she is today requesting that the charges against Muthaura be withdrawn. The press release has been sent out by e-mail and is available on YouTube (see below) but is not yet on the Court's website.

Update. A transcript of the Prosecutor's statement is available here.

Thursday, February 28, 2013

NSA uses probability scores to target signals intelligence

This seems to be an interesting book about the NSA. The review says: "If the NSA wants to collect information on a specific target, it needs one additional piece of evidence besides its own "link-analysis" protocols, a computerized analysis that assigns probability scores to each potential target". I have previously tried to draw attention to this matter of 1) link analysis (traffic analysis), 2) probability scores and 3) automation in signals intelligence; see pp. 530-531 of this article.

A central tool for identifying which communication is relevant for content processing is traffic processing. The preparatory works express it as follows.

Traffic processing aims to bring order to the apparent chaos presented by the collected material. In this way one can establish who communicates with whom and why. The intercepted radio signals are identified and traffic patterns are established.

In other words, the FRA processes the traffic and determines which traffic patterns are of interest. Traffic processing takes place after the fact through analysis of patterns in traffic data, i.e. one establishes who communicates with whom. This gives the authority the ability to determine to or from which telephone addresses and IP addresses communication needs to be examined more closely. Encryption of the content of a message offers no protection against traffic processing, since it only requires access to traffic data. Traffic processing is sometimes also referred to as traffic analysis.
The preparatory works do not explain how the FRA can identify “why” certain communication takes place through traffic processing. The following reasoning may offer a conceivable explanation. If the FRA first identifies who communicates with whom and with what frequency (intensity) this communication takes place, the authority can also draw other conclusions. The FRA can determine whether these persons belong to a fixed group or a looser network, who the leader of this group is, and whether their communication can be linked to activity known through other sources of information. In an American study, the National Research Council describes how law enforcement authorities use methods (data mining) to identify patterns that are as a rule linked to terrorist activity. Similar methods of traffic analysis can, in military contexts, give indications that additional units have been moved into an area, or that units have disappeared from it. In this way authorities such as the FRA can draw more or less certain conclusions about why a certain communication takes place. There is a degree of uncertainty in conclusions based solely on traffic processing, which is why they should be handled with caution.
And pp. 102-103 of this article.
Public authorities as well as private parties hold transactional records, for example 1) applications for passports, visas, work permits and drivers’ licenses; 2) credit and debit card transactions; 3) automated teller machine (ATM) withdrawals; 4) airline and rental car reservations; 5) in the context of this article: Internet access, records of phone calls and e-mail messages. The fact that all of the data in question are in digital form means that increasingly powerful tools - such as automated data mining - can be used to analyze it. ...  
In a report from the U.S. National Research Council the following definitions on two different data mining techniques are provided. Subject-based data mining uses an initiating individual or other datum that is considered, based on other information, to be of high interest, and the goal is to determine what other persons or financial transactions or movements, etc., are related to that initiating datum. This data mining technique simply expands and automates what a police detective or intelligence analyst would carry out with sufficient time. Pattern-based data mining looks for patterns (including anomalous data patterns) that might be associated with terrorist activity —these patterns might be regarded as small signals in a large ocean of noise. In its report, the National Research Council presents the conclusion that automated terrorist identification is not technically feasible because the notion of an anomalous pattern - in the absence of some well-defined ideas of what might constitute a threatening pattern - is likely to be associated with many more benign activities than terrorist activities. It is argued that the utility of pattern-based data mining is found primarily if not exclusively in its role in helping humans to prioritize attention and deploy scarce investigative resources.
References can be found in the linked articles.
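
The traffic processing described in the excerpt above, as an added example that is not part of the original post or the quoted articles: it reads only sender and receiver from constructed records whose content is random bytes standing in for ciphertext, and still recovers the groups and the busiest member of each. The party labels, the `min_msgs` threshold and the function names are assumptions made for illustration.

```python
import os
from collections import Counter, defaultdict

# Constructed sample traffic data: (sender, receiver, number of messages).
_PAIRS = [("A", "B", 3), ("C", "A", 3), ("A", "D", 2), ("B", "C", 1),
          ("X", "Y", 2), ("Z", "Y", 2), ("D", "X", 1)]
# Each record carries an opaque payload (random bytes standing in for
# encrypted content). Nothing below ever reads it.
RECORDS = [(s, r, os.urandom(16)) for s, r, n in _PAIRS for _ in range(n)]


def contact_graph(records):
    """Who communicates with whom, and how often (undirected edge weights)."""
    weights = Counter()
    for sender, receiver, _payload in records:
        if sender != receiver:
            weights[frozenset((sender, receiver))] += 1
    return weights


def groups(weights, min_msgs=2):
    """Connected components over edges with at least min_msgs messages."""
    adj = defaultdict(set)
    for edge, count in weights.items():
        if count >= min_msgs:
            a, b = tuple(edge)
            adj[a].add(b)
            adj[b].add(a)
    seen, found = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in component:
                component.add(node)
                stack.extend(adj[node] - component)
        seen |= component
        found.append(component)
    return found


def most_central(weights, group):
    """Member with the highest message volume inside the group."""
    volume = Counter()
    for edge, count in weights.items():
        if edge <= group:  # both endpoints belong to the group
            for party in edge:
                volume[party] += count
    return volume.most_common(1)[0][0]


if __name__ == "__main__":
    graph = contact_graph(RECORDS)
    for members in groups(graph):
        print(sorted(members), "busiest member:", most_central(graph, members))
```

The uncertainty the excerpt warns about shows up directly: calling `groups(graph, min_msgs=1)` merges both groups into one on the strength of a single message between D and X.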

Wednesday, February 27, 2013

Evidence in International Criminal Trials: Confronting Legal Gaps and the Reconstruction of Disputed Events

Martinus Nijhoff has now published my book Evidence in International Criminal Trials: Confronting Legal Gaps and the Reconstruction of Disputed Events.

You can order it here in a hardback version. It is also published as an e-book, which makes it free of cost for you if accessed through an institution that has a Brill subscription; most university libraries have such access.

Here is the abstract:

In Evidence in International Criminal Trials Mark Klamberg compares procedural activities relevant for international criminal tribunals and the International Criminal Court, including evaluation, collection, disclosure, admissibility and presentation of evidence. The author analyses what objectives are recognized in relation to the aforementioned procedural activities and whether it is possible to establish a priority between them. The concept of “robustness” is introduced to discuss the quantity of evidence in addition to concepts that deal with quality. Finally, the exclusion of every reasonable hypothesis of innocence method is examined as one of several analytical steps that may contribute to the systematic evaluation of evidence. The book seeks to provide guidance on how to confront legal as well as factual issues

Saturday, February 16, 2013

Social science method - an interdisciplinary element or the foundation of legal scholarship?

To my friends in academia: should social science method be seen as an interdisciplinary element or as a foundation for legal scholarship? My impression is that we legal scholars have a tendency to classify social science methods as interdisciplinary when in many cases legal scholarship should instead be seen as a branch of social science where certain methods are shared. What do you think?

I got this thought after reading Rapley (chapter 15 in Silverman, "Qualitative Research").

Tuesday, February 05, 2013

Interview on P1-morgon about torture

Yesterday I appeared on P1-morgon to discuss why the offence of "torture" is missing from Swedish law. You can listen here. The question is interesting because the Ministry of Justice has for a long time been working on a proposal for an act on international crimes; it is unclear when such a proposal will be presented and how the question of torture as a separate offence will be handled. I commented on the same matter a year ago in DN.