How CIA Criminalized a Senate Staffer Google Search

Katherine Hawkins has a very good review of the results of the CIA IG Report and “Accountability Review Board” over the Senate Intelligence Committee staffers’ access to CIA documents on torture; you should read the whole thing. Hawkins points out that the CIA’s own review of the Torture Report admitted it needs to approach individual failures from a broader systemic perspective, but that their treatment of this issue shows they continue to fail to do so.

While the CIA’s official response to the Senate torture report acknowledges “significant shortcomings in CIA’s handling of accountability” for failures and abuses that occurred during the rendition and black site program, it still does not recommend any corrective action. The response instead states that the agency “do[es] not believe it would be practical or productive to revisit any [rendition, detention and interrogation program]-related case so long after the events unfolded,” thinking it sufficient to say:

Looking forward, the Agency should ensure that leaders who run accountability exercises do not limit their sights to the perpetrators of the specific failure or misconduct, but look more broadly at management responsibility and more consistently at any systemic issues … [N]o board should cite a broader issue as a mitigating factor in its accountability decision on an individual without addressing that issue head on.

The CIA Accountability Board’s December report on the agency’s search of Senate computers is the first test of whether these reforms have any meaning or effect. And the answer is: they do not.

Critically, Hawkins points to something the ARB ignores: the rationalization the CIA General Counsel lawyer used to justify searching the Senate side of the RDI server hosting the torture documents. She describes how this lawyer justified treating Senate Intelligence Committee staffers doing their job as criminals.

[T]he CIA lawyer assigned IT staff to search Senate staffers’ side of RDINet, the computer network that staffers used to review documents for the torture study. The attorney presents himself as having not only the legal right, but also the duty, to take these actions because of the CIA’s statutory obligation to protect “sources and methods.”

[snip]

Incredibly, the Accountability Board report repeatedly cites the need to preserve the CIA’s relationship with the Senate as a justification for searching Senate computers without informing the committee. The board writes that the initial search was “reasonable given the embarrassment to the Agency and harm to the Agency-SSCI relationship that would have resulted from a false allegation.” Further searches were “reasonable” because “this was no normal potential security problem; it involved the United States Senate,” which made it more important to “have explored all alternatives and possible solutions before the problem was confirmed and the D/CIA would have raised it with Senate leaders.”

But the CIA lawyer’s memo makes it very clear that the purpose of not informing the Senate was not to verify evidence and explore alternatives — which could have been accomplished through dialogue with the committee. The purpose was to gather evidence for a potential criminal prosecution of Senate staff, before Senators could protest or staff could “get their stories straight.” The agency went on to file an inaccurate crimes report against Senate staff with the Department of Justice — a fact that the Accountability Board does not dispute, but barely acknowledges. It is hard to think of anything that could be more damaging to the oversight relationship that the CIA and the White House claim to value so highly. But the Accountability Board fails to identify who was responsible for the inaccurate report to DOJ, fails to recommend that anyone be disciplined for it, and fails to recommend any safeguards against a repetition of the incident.

As Hawkins summarizes, the crime report was based off a flaw in the Google search that CIA’s own contractor had built into the system.

On February 7, 2014, the CIA’s Acting General Counsel Robert Eatinger (whose name is redacted from the OIG report) filed a crimes report against Senate staff with the Department of Justice. The OIG report found that the crimes report “was unfounded,” in part because Eatinger “had been provided inaccurate information on which the letter was based.” In particular, the OIG wrote:

[T]he crimes report stated that SSCI staffers might have exploited a software vulnerability on RDINet to obtain access to the [Panetta Review documents], in violation of the Computer Fraud and Abuse Act … The report was solely based on inaccurate information provided by the two [Office of the General Counsel] attorneys [to the Office of Security].

The OIG report found that there was indeed “a vulnerability” with the Google search tool that the CIA provided to the committee, which was “not configured to enforce access rights or search permissions within RDINet and its holdings” from 2009 to April 2013. But contrary to the CIA lawyer’s memorandum and the crimes report to DOJ, OIG found no evidence that Senate staff had deliberately “exploited” this flaw until CIA personnel “confronted them” with inappropriately accessed documents. Rather, it was SSCI staff who brought the vulnerability to the CIA’s attention. On November 1, 2012, a SSCI staff member alerted CIA staff that the search tool “was indexing the Majority staff work product on a shared drive,” and asked them to make it stop. The CIA did not act on this request for months. Then in 2013, a SSCI staff member requested “a number of detainee videos not provided to the SSCI by the CIA,” based on a spreadsheet that a CIA employee recognized as being from the Panetta Review. After this incident, in April 2013, CIA IT staff finally discovered and repaired the flaw with the Google search tool.

In other words, CIA set up an expensive server, accessed by Google searches, so SSCI staffers could do their job. And then tried to get them prosecuted for using what turned out to be a flaw in that Google search function.

There’s just one question Hawkins leaves out of this. This entire server set-up (as well as multiple contractor reviews of each document) reportedly accounts for the bulk of the $40 million the Torture Report cost to complete.

But it apparently didn’t even accomplish the function it was supposed to (or did it?). Why is CIA trying to prosecute oversight rather than reclaiming some chunk of that $40 million?

10 replies
  1. wallace says:

    While this doesn’t surprise me, what IS astounding is the fact the insidious CIA has single-handedly turned America into the United States of Depravity, and then has the unmitigated gall to point a finger at the very institution who proved the CIA’s war crimes, in an attempt to make those who had legal authority to pin them down, look like the real criminals. Unbelievable. This redefines the pot calling the kettle black.

  2. rg says:

    “…there was indeed “a vulnerability” with the Google search tool provided to the committee, which was “not configured to enforce access rights or search permissions within RDINet and its holdings…”

    Wow. There’s a lot here. Leaving aside implications with the virtual world meaning of “vulnerability”, my linguistic sensitivity is jarred by the implication that the corporation Google is responsible for that vulnerability. Note what the sentence implies if the word Google is omitted. Then there is the idea that search engines can be configured to enforce policy decisions, which presumably includes privacy concerns such as minimization procedures. This suggests that agencies have the capability to claim strict privacy policies, even court ordered policies, that can then be subject to undermining by software “vulnerabilities”. The entire plan was to have oversight staff have access to some CIA data, but not all of it. How to accomplish that is over my head, but someone was tasked with it. One can’t help but wonder if the search tool provided wasn’t one used by the agency to do its own database searching. My sense of that agency is that mistakes in judgement are forgiven as a matter of course, so to treat faulty outcomes as the result of criminality by the victim reeks of entrapment.

    • P J Evans says:

      It isn’t unusual for websites to have customized searches available, usually (but not always) from Google. I don’t think the problem is with Google, but with whoever specified what could be searched – someone at the agency might not have known that their usual way wasn’t what was wanted.

  3. Peterr says:

    On November 1, 2012, a SSCI staff member alerted CIA staff that the search tool “was indexing the Majority staff work product on a shared drive,” and asked them to make it stop.

    This sounds like a bot at work — just the kind of bot an intelligence service would love to get installed on the computer network of their enemy. Says the techie to the spy boss: “When they log on, our little bot quietly boots up and follows them around, indexing the contents of their drives, so that we can see what they’ve been working on.”
    .
    But I’m sure that the CIA would never install such a thing on the computers of the people who are investigating them at the behest of the Congressional committee with oversight responsibilities. No, they’d never dream of doing anything like that . . .
    .
    The fact that they didn’t react to this complaint for months only raises my suspicions more. “Let’s leave it there for a bit, to see if their work patterns change. Do they realize what it is, or do they think it’s just a benign nuisance?” Only when a request came through that the CIA didn’t like did they come over to deal with the software.
    .
    Spying on your Congressional Overseers doesn’t come cheap, Marcy.

  4. TomVet says:

    The thing that jumped out at me was her citation of the clause of the National Security Act of 1947 and her discussion of it in relation to the Speech and Debate clause.

    “Nothing in this Act shall be construed as authority to withhold information from the congressional intelligence committees on the grounds that providing the information to the congressional intelligence committees would constitute the unauthorized disclosure of classified information or information relating to intelligence sources and methods.”

    This should have made any criminalizing of anything moot from the outset.
    .
    And it also means that those 9000 or so pages that were withheld, and the ones that disappeared from their server after they already had them, should be turned over to them now for further study. Right?

  5. jerryy says:

    Has anyone asked Eric Schmidt what his company did with their copies of what they found on their servers?
    .
    Something is very strange in this report… Did the CIA actually allow Google to go trolling and chumming through their records or did they (the Google engineers) provide a local copy of searching software, which they helped configure? Keep in mind the engineers would have to be made aware of what the data contains to be able to decide what was searchable and what was not. Or, more civilians with higher level clearances than Ed Snowden had.
    .
    After all, there are plenty of free and open source search engines available that accurately and quickly index and summarize your data. Why join in a public-private venture and have Google do it? Shades of something being tit-for-tat?
    .

    • Anon says:

      Google sells on-site search services to many companies under standard contracts. This is one of their primary profit centers. In this respect the CIA is acting like many other Fortune 500 companies and outsourcing this task and then training their own people to configure the indexing.
      .
      In all likelihood those people simply created a cache of shared documents and turned it on without realizing that it would search the entire drive. This would explain the fact that it was indexing the Senate’s work product but not how the Brennan report ended up there.
      .
      I find it surprising that they would go outside for something as sensitive as this but perhaps they trust that the NSA will monitor any agreement with Google for them.

      • Jerryy says:

        .
        Well yes, as I and others have noted, you can get specialized Google indexing or use freely available (double meaning intended) indexing tools or for that matter use the indexing provided by the operating systems (Linux, Windows and OS-X all have some good stuff).
        .
        One big issue, as Ms. Emptywheel is pointing out directly is why those illicit documents were on the server to begin with. Recall that the server was set up only to allow the committee to review the information relevant to what they were investigating. The server was a ‘copy’ workstation. It was in no way needed by the CIA for daily business or any other function than to be a ‘copy’ server.
        .
        Any wrongly placed documents could have quickly been found and removed before the staffers were given the machine to use. (that same search software). The CIA knew they were there, that is why the software was being configured to block access to something that was not supposed to be there to begin with. As Marcy also points out, the files were being watched for access. The staffers might have used their credentials to run searches, but probably logged in with their boss(es) (the senator) id.
        .
        This does not explain away any involvement with Google.

        • Anon says:

          I think that we agree. I was saying that the fact that the search indexed the staffer’s work can be readily explained by bad configuration. The fact that the document was there is not explained by that at all. Clearly the CIA people dumped it there and then want to blame the Senate to cover their own incompetence.
          .
          As to the involvement of Google, I have a hunch this may just be their preferred brand. The CIA is in many ways focused primarily on document collection and indexing. Much of their work is indexing field reports and they have always struggled with how to link things. I suspect that once Google started offering their services the CIA became an early and enthusiastic adopter. Clearly their training is off though.

  6. wallace says:

    quote”This should have made any criminalizing of anything moot from the outset.”unquote

    ummm..yes, it SHOULD have. Unfortunately, moot is in the eye of the CIA beholder, and the DOJ simply doesn’t give a fuck. Besides, who still believes the “rule of law” isn’t a myth. Your quote SHOULD be living proof…
