“In the First Half of 2016” Signal Received an (Overbroad) Subpoena

This morning, the ACLU released a set of information associated with a subpoena served on Open Whisper Systems (the maker of Signal) for information associated with two phone numbers. As ACLU explained, OWS originally received the subpoena with a broad gag order. OWS was only able to turn over the account creation and last connection date for one of the phone numbers; the other account had no Signal account associated with it.

[Screenshot of the redacted document]

But OWS also got ACLU to go challenge the gag associated with it, which led to the release of today’s information. All the specific data associated with the request is redacted (as reflected above), though ACLU was able to say the request was served on OWS in the first half of the year.

There are two interesting details of this. First, as OWS/ACLU noted in their response to the government, the government asked for far more information than they can obtain with a subpoena, including:

  • subscriber name
  • subscriber address
  • subscriber telephone numbers
  • subscriber email addresses
  • subscriber method of payment
  • subscriber IP registration
  • IP history logs and addresses
  • subscriber account history
  • subscriber toll records
  • upstream and downstream providers
  • any associated accounts acquired through cookie data
  • any other contact information from inception to the present

As OWS/ACLU noted,

OWS notes that not all of those types of information can be appropriately requested with a subpoena. Under ECPA, the government can use a subpoena to compel disclosure of information from an electronic communications service provider only if that information falls within the categories listed at 18 U.S.C. § 2703(c)(2). For other types of information, the government must obtain a court order or search warrant. OWS objects to use of the grand-jury subpoena to request information beyond what is authorized in Section 2703(c)(2).

I’ve got an email in with ACLU, but I believe ECPA would not permit the government to obtain the IP, cookie, and upstream/downstream information. Effectively, the government tried to do here what they have done with NSLs, obtain information beyond the subscriber and toll record information permitted by statute.

ACLU says this is “the only one ever received by OWS,” presumably meaning it is the only subpoena the company has obtained, but it notes the government has other ways of gagging compliance, including with NSLs (it doesn’t mention Section 215 orders, but that would be included as well).

I do wonder whether in the latter case — with a request for daily compliance under Section 215 — Signal might be able to turn over more information, given that they would know prospectively the government was seeking the information. That’s particularly worth asking given that the District that issued this subpoena — Eastern District of Virginia — is the one that specializes in hacking and other spying cases (and is managing the prosecution of Edward Snowden, who happens to use Signal), which means they’d have the ability to use NSLs or individualized 215 orders for many of their cases.

Update: Here’s a Chris Soghoian post from 2013 that deals with some, but not all, of the scope issues pertaining to text messaging.




Gone Fishing Cycling

Just to let you know that in 20 minutes I’m headed off for a 10 day almost-entirely device free vacation cycling through the south of France.

To be honest, during the redesign, I entirely lost track of the keys to the likker cabinet. But given that there’s healthy trash happening, I’m sure someone just stole them from me already.

Enjoy!




Hillary Claims to Support Targeted Spying But Advisor Matt Olsen Was Champion of Bulk Spying

Spencer Ackerman has a story on what Hillary Clinton meant when she said she supports an “intelligence surge” to defeat terrorism. Amid a lot of vague language hinting at spying expansions (including at fusion centers and back doors), her staffers told Ackerman she supported the approach used in USA Freedom Act.

Domestically, the “principles” of Clinton’s intelligence surge, according to senior campaign advisers, indicate a preference for targeted spying over bulk data collection, expanding local law enforcement’s access to intelligence and enlisting tech companies to aid in thwarting extremism.

The campaign speaks of “balancing acts” between civil liberties and security, a departure from both liberal and conservative arguments that tend to diminish conflict between the two priorities. Asked to illustrate what Clinton means by “appropriate safeguards” that need to apply to intelligence collection in the US, the campaign holds out a 2015 reform that split the civil liberties community as a model for any new constraints on intelligence authorities.

The USA Freedom Act, a compromise that constrained but did not entirely end bulk phone records collection, “strikes the right balance”, said [former NSC and State Department staffer and current senior foreign policy advisor Laura] Rosenberger. “So those kinds of principles and protections offer something of a guideline for where any new proposals she put forth would be likely to fall.”

It then goes on to list a bunch of advisors who have been contributing advice on the “intelligence surge.”

The campaign did not identify the architects of the intelligence surge, but it pointed to prominent counter-terrorism advisers who have been contributing ideas.

They include former acting CIA director Michael Morell – who has come under recent criticism for his attacks on the Senate torture report – ex-National Counterterrorism Center director Matt Olsen; Clinton’s state department counter-terrorism chief Dan Benjamin; former National Security Council legal adviser Mary DeRosa; ex-acting Homeland Security secretary Rand Beers; Mike Vickers, a retired CIA operative who became Pentagon undersecretary for intelligence; and Jeremy Bash, Leon Panetta’s chief of staff at the CIA and Pentagon.

It appalls me that Hillary is getting advice from Mike Morell, who has clearly engaged in stupid propaganda both for her and the CIA (though he also participated in the President’s Review Group that advocated far more reform than Obama has adopted). I take more comfort knowing Mary DeRosa is in the mix.

But I do wonder how you can take advice from Matt Olsen — who was instrumental in a lot of our current spying programs — and claim to adopt a balanced approach.

Olsen was the DOJ lawyer who oversaw the Yahoo challenge to PRISM in 2007 and 2008. He did two things of note. First, he withheld information from the FISC until forced to turn it over, not even offering up details about how the government had completely restructured PRISM during the course of Yahoo’s challenge, and underplaying details of how US person metadata is used to select foreign targets. He’s also the guy who threatened Yahoo with $250,000 a day fines for appealing the FISC decision.

Olsen was a key player in filings on the NSA violations in early 2009, presiding over what I believe to be grossly misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets. Basically, working closely with Keith Alexander, he hid the fact that NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.

Charlie Savage provided two more details about Olsen’s fondness for bulk spying in Power Wars. As head of NCTC, Olsen was unsurprisingly the guy in charge of arranging, in 2012, for the NCTC to have access to any federal database it claimed might have terrorist information in it (thereby deeming all of us terrorists). Savage describes how, in response to his own reporting that NCTC was considering doing so — at a time when the plan was to have a further discussion about the privacy implications of the move — ODNI pushed through the change without that additional privacy consideration. That strikes me as the same kind of disdain for due process as Olsen exhibited during the Yahoo challenge.

Finally, Savage described how, when Obama was considering reforms to the phone dragnet in 2014, Olsen opposed having the FISC approve query terms before querying the database as legally unnecessary. It’s hard to imagine how Olsen would really be in favor of USAF type reforms, which codify that change.

In short, among Hillary’s named advisors, the one with the most direct past involvement in such decisions (and also the one likely to be appointed to a position of authority in the future) has advocated for more bulk spying, not less.




Yahoo’s Three Hacks

As a number of outlets have reported, Yahoo has announced that 500 million of its users’ accounts got hacked in 2014 by a suspected state actor.

But that massive hack is actually one of three interesting hacks of Yahoo in recent years.

2012 alleged Peace affiliated hack

In August, Motherboard reported — and reported to Yahoo — that the hacker known as Peace, who may have ties to Ukrainian and/or organized crime and also sold the MySpace and LinkedIn credentials, was selling credentials from what he said were 200 million accounts hacked in 2012. But when Motherboard tried to verify the data, some of it came back as out of date or invalid.

According to a sample of the data, it contains usernames, hashed passwords (created with md5 algorithm), dates of birth, and in some cases back-up email addresses. The data is being sold for 3 bitcoins, or around $1,860, and supposedly contains 200 million records from “2012 most likely,” according to Peace. Until Yahoo confirms a breach, however, or the full dataset is released for verification, it is possible that the data is collated and repackaged from other major data leaks.

[snip]

Motherboard obtained a very small sample of the data—only 5000 records—before it was publicly listed, and found that most of the two dozen Yahoo usernames tested by Motherboard did correspond to actual accounts on the service. (This was done by going to the login section of Yahoo, entering the email address, and clicking next; when the email address wasn’t recognised, it was not possible to continue.)

However, when Motherboard attempted to contact over 100 of the addresses in the sample set, many returned as undeliverable. “This account has been disabled or discontinued,” read one autoresponse to many of the emails that failed to deliver properly, while others read “This user doesn’t have a yahoo.com account.”

2014 state actor hack

Yahoo claims it discovered the 500 million user hack in its investigation of the Peace allegations in August. The details being released now, in particular the encryption used with the account, vary from what Peace claimed in August.

A source familiar with the investigation told Motherboard on Thursday that, although no direct evidence was found to support Peace’s claims, Yahoo conducted a broader investigation, and during that time, they found the attack from what they described as a state-sponsored actor in 2014. The source declined to provide any evidence that the attack was state-sponsored, but said that the company strongly believed it to be the case.

According to Yahoo’s announcement, the majority of passwords were hashed with the strong hashing function bcrypt, meaning that hackers will have a much harder time at obtaining many users’ real passwords. The source claimed that only a very small percentage of password hashes were not bcrypt.

Note, while Yahoo is claiming this was a hack done by a state actor, it has not said what state actor.

Also, Yahoo appears to be suggesting that Peace’s claim he had Yahoo credentials was not true. Though, given that Yahoo is being acquired by Verizon at the moment, they would have an incentive to claim they didn’t know about this massive hack earlier.

2016 individual hack tied to DNC

Finally, an individualized hack of a Yahoo user — DNC consultant Alexandra Chalupa — was an independent source of the claim that DNC hackers might have ties to Russia or Ukraine. While the hack was evident from emails released by WikiLeaks, Chalupa had worked with Yahoo’s Michael Isikoff previously and he added details explaining her suspicions about the timing.

“I was freaked out,” Chalupa, who serves as director of “ethnic engagement” for the DNC, told Yahoo News in an interview, noting that she had been in close touch with sources in Kiev, Ukraine, including a number of investigative journalists, who had been providing her with information about Manafort’s political and business dealings in that country and Russia.

“This is really scary,” she said.

[snip]

Chalupa’s message, which had not been previously reported, stands out: It is the first indication that the reach of the hackers who penetrated the DNC has extended beyond the official email accounts of committee officials to include their private email and potentially the content on their smartphones. After Chalupa sent the email to Miranda (which mentions that she had invited this reporter to a meeting with Ukrainian journalists in Washington), it triggered high-level concerns within the DNC, given the sensitive nature of her work. “That’s when we knew it was the Russians,” said a Democratic Party source who has knowledge of the internal probe into the hacked emails. In order to stem the damage, the source said, “we told her to stop her research.”

A Yahoo spokesman said the pop-up warning to Chalupa “appears to be one of our notifications” and said it was consistent with a new policy announced by Yahoo on its Tumblr page last December to notify customers when it has strong evidence of “state sponsored” cyberattacks.

Significantly, this story, at least, claims this (and not cyber consultant CrowdStrike) is where DNC certainty that the hack was perpetrated by Russians came from.

Note that Chalupa’s Yahoo address was also affected in the LinkedIn hack, which exposed a simple password.

For now, I’m just presenting these three separate hacks as data points of interest.




Why Is DOD Paying Dataminr $13M for Data It Claims to Believe Twitter Won’t Deliver?

Last week I did a post on John McCain’s promise, given in a Senate Armed Services Committee hearing, to “expose” Twitter for refusing to share your Tweets in bulk with intelligence agencies. Later in the hearing, Jeanne Shaheen returned to the issue of Twitter’s refusal to let Dataminr share data in bulk with the Intelligence Community. She asked Under Secretary for Intelligence Marcell Lettre what the committee needs to get more cooperation. Lettre responded by suggesting one-on-one conversations between Executive Branch officials and the private sector tend to work. Shaheen interrupted to ask whether such an approach had worked with Twitter. Lettre responded by stating, “to the best of my knowledge, Twitter’s position hasn’t changed on its level of cooperation with the US intelligence community.”

That’s interesting, because on August 26, 2016, DOD announced its intent to sole-source a $13.1 million one-year contract with Dataminr to provide alerting capability based off Twitter’s Firehose.

The Department of Defense (DoD), Washington Headquarters Services, Acquisition Directorate (WHS/AD), on behalf of the Office of the Under Secretary of Defense for Intelligence (OUSDI) intends to award a sole source contract pursuant to the requirements of 41 U.S.C. 3304(a)(1) Competition in Contracting Act of 1984 (CICA) as implemented by FAR Subpart 6.3, and IAW the requirements of FAR Subpart 6.303-1, Only One Responsible Source and No Other Supplies or Services will Satisfy Agency Requirements.

WHS/AD intends to issue this sole source contract to Dataminr, Inc located at 99 Madison Ave Floor 3, New York, NY 10016 (CAGE 6Q6Z6). The anticipated Period of Performance for 1500 license subscriptions are 12 months from the date of contract award. The estimated value of this procurement is approximately $13.1M.

This contract will address the requirements of OUSDI Technical Collection and Special Programs division. The award will be made for licenses, support, and maintenance which allows DoD to receive indication and warnings, situational awareness, and contextual analysis of social media data in order to provide actionable decision support in response to real-time information.

Salient Characteristics of the Data Analytics Software: The contractor shall deliver an alerting capability that, at a minimum, includes:

  • Alerting: Based on the algorithmic analysis of the complete Twitter Firehose, the Contractor shall deliver near-real time alerts on breaking developments relevant to military security.
  • Content: The Contractor’s platform shall generate data from the Twitter firehose. Alerts shall include from the original data source at least the text, embedded links, and associated metadata, to include the Tweet ID.

Perhaps the Under Secretary of Defense for Intelligence’s Technical Collection and Special Programs division doesn’t count as “intelligence community,” but it sure seems to qualify.

Or perhaps there are a number of loopholes in the policy that purports to keep Twitter customers’ data out of the hands of intelligence agencies.




After We Help the Saudis Commit More War Crimes We’re Going to Mars!

This afternoon, the Senate had a debate on Chris Murphy and Rand Paul’s resolution to halt the sale of $1.5 billion in arms to the Saudis to use on their invasion of Yemen.

The debate was repulsive.

The opponents of the measure — led by Mitch McConnell, John McCain, and Lindsey Graham — had little to say about the well-being of Yemenis.

Lindsey even shrugged off both Saudi support for terrorism.

[shrugs] They have double dealing in the past of helping terrorist organizations.

And Saudi bombing of civilians.

They have dropped bombs on civilians. There’s no way to wage war without [shrugs again] mistakes being made.

But we had to help the Saudis kill Yemeni civilians, Lindsey argued, because Iran humiliated American sailors who entered Iranian waters, purportedly because of navigation errors.

That argument — one which expressed no interest in the well-being of Yemenis but instead pitched this as a battle for hegemony in the Middle East — held the day. By a vote of 71-27, the Senate voted to table the resolution.

If your Senators voted against tabling this amendment, please call to thank them:

Baldwin (D-WI)
Blumenthal (D-CT)
Booker (D-NJ)
Boxer (D-CA)
Cantwell (D-WA)
Durbin (D-IL)
Franken (D-MN)
Gillibrand (D-NY)
Heinrich (D-NM)
Heller (R-NV)
Hirono (D-HI)
Kirk (R-IL)
Klobuchar (D-MN)
Leahy (D-VT)
Lee (R-UT)
Markey (D-MA)
Murphy (D-CT)
Murray (D-WA)
Paul (R-KY)
Reid (D-NV)
Sanders (I-VT)
Schatz (D-HI)
Stabenow (D-MI)
Tester (D-MT)
Udall (D-NM)
Warren (D-MA)
Wyden (D-OR)

The creepiest thing, however, came just after the vote. Bill Nelson (D-Mission to Space) got up, not just to do a victory lap that the US would continue to support Saudi war crimes. But he also announced a resolution passed earlier, which funds NASA to send humans to Mars by 2030, with an eye to colonizing the red planet.

It was as if he was saying that proliferating arms and war crimes on this globe won’t matter so much because we can just go colonize another.




Welcome to the New and Improved Emptywheel

Surprise!

When things started going haywire earlier this year, we decided to do a site redesign to take out some of the unstable code that makes the site more vulnerable to crashes and hacks. We thought we’d pretty things up at the same time.

We’re still kicking on the tires a bit ourselves, and we’ll surely find a few things we need to tweak.

But for now, feel free to test out the new comments (which have at least some of the features ya’ll have been screaming for for some time).

Update: I was remiss in not thanking CurlyHost — a local, woman-owned business — for the clean new design. Thanks Andrea!




What Happens When Visa Applicants Forget Their Old Social Media IDs?

After being pushed into it by Congress, Customs and Border Protection has been going through the rule-making process on asking visa applicants for their social media IDs. The idea is to root out people like Tashfeen Malik, the wife in the San Bernardino attack couple, who spoke in radicalized terms on private messaging areas of Facebook before she came to the country.

At first, the idea was just to ask for applicants to turn over social media sites voluntarily. But given the pressure CBP already uses, even with US citizens, it’s easy to see how that “voluntary” request can be made to seem obligatory in the pressure of a border encounter.

But as Access Now points out, at the same time as extending the comment period (presumably hoping to get enough scared people commenting to balance out those who find this problematic), CBP also altered the proposed form to make it obligatory. There’s one other problem with the form:

[Screenshot of the proposed CBP form]

The form requests “social media identifier,” not “identifiers.”

Now, I’ve long thought that the whole point of this wasn’t so much to find people engaged in radicalized discussions before the fact. Instead, it was about providing an excuse to deport people after they’ve been discovered, based off a claim they “lied” to CBP and thereby engaged in immigration fraud. Worse, they’ll probably dig up some social media account that someone made years earlier and forgot about — could you remember every social media account you’ve ever set up?

Here, they’ve literally asked for one, singular, ID. Meaning someone could rightly put just their Facebook ID but then get deported for having not offered up their Twitter one.

Like I said: this is designed to be nothing more than a trap to provide an excuse for deporting someone based off something more fleeting than the old “Have you ever been a member of the Communist Party” question.

One final point: CBP also expanded how broadly they can share all this information. As I’ll write in a follow-up, I suspect it’s part of a larger, unannounced effort.




Why Is HPSCI’s Snowden Report So Inexcusably Shitty?

There’s now a growing list of things in the HPSCI report on Snowden that are either factually wrong, misleading, or spin.

One part of the spin the report admits itself: the committee assessed damage based on the 1.5 million documents Snowden touched — an approach the now discredited General Michael Flynn presented in briefings to the committee — rather than the far more limited set the Intelligence Community included in its damage assessment.

Over the past three years, the IC and the Department of Defense (DOD) have carried out separate reviews with differing methodologies of the damage Snowden caused. Out of an abundance of caution, DOD reviewed all 1.5 million documents Snowden removed. The IC, by contrast, has carried out a damage assessment for only a small subset of the documents. The Committee is concerned that the IC does not plan to assess the damage of the vast majority of documents Snowden removed.

Clearly, the IC wants a real assessment of the damage Snowden caused. HPSCI, however, appears to be interested in the most damning, which makes sense given that members of Congress actively solicited information they could use to damage Snowden.

Here are other problems with the report.

From Bart Gellman’s rebuttal:

  • HPSCI claimed the “bilateral tibial stress fractures” that led to Snowden’s discharge were “shin splints.”
  • HPSCI claimed he never got a GED. According to official Maryland records, Snowden got his equivalent degree on June 2, 2004.
  • HPSCI claimed Snowden was a computer technician at CIA. At the end he served as a “solutions referent/cyber referent” working on cyber contracts.
  • HPSCI claimed Snowden’s effort to show a security hole in CIA’s human resources intranet was an effort to doctor his performance evaluations.

From me:

  • HPSCI claimed Snowden failed the Section 702 training. According to an email from the SIGINT Compliance Chief, Snowden did pass it (the Chief had not checked whether or not Snowden had really failed it). “He said he had failed it multiple times (I’d have to check with ADET on that). He did pass the course at some point.”

The claim Snowden didn’t pass the test stems from an email written a year after an exchange between him and a Compliance training person. The training person wrote the email in direct response to Snowden’s claims that he had “contacted N.S.A. oversight and compliance bodies.” While it may be true Snowden failed the test before he passed it, there are enough irregularities with the email claim and related story it should not be credited without backup. When we asked NSA for specific answers about that email in conjunction with this story, they flipped out and went nuclear and preemptively released all the emails rather than provide the very easy answers to validate the email story.

From Patrick Eddington:

  • HPSCI claimed Snowden could have reported complaints to the committee, but HPSCI killed an effort to extend whistleblower protections to intelligence contractors in 2012.

Eddington and Steven Aftergood both suggest the shitty HPSCI report is good reason to embrace a set of reforms to improve HPSCI oversight.

But depending on the reason for the utter shittiness of the report, I think it might just warrant shutting the entire committee down and devolving oversight to real committees, like Judiciary, Homeland Security, and Armed Services. Remember, every single member of the committee, Democrat or Republican, signed this report. Every single one. For some reason, even fairly smart people like Adam Schiff and Jackie Speier signed off on something with inexcusable errors.

So I wanted to point to this passage on methodology.

The Committee’s review was careful not to disturb any criminal investigation or future prosecution of Snowden, who has remained in Russia since he fled there on June 23, 2013. Accordingly, the Committee did not interview individuals whom the Department of Justice identified as possible witnesses at Snowden’s trial, including Snowden himself, nor did the Committee request any matters that may have occurred before a grand jury. Instead, the IC provided the Committee with access to other individuals who possessed substantively similar knowledge as the possible witnesses. Similarly, rather than interview Snowden’s NSA coworkers and supervisors directly, Committee staff interviewed IC personnel who had reviewed reports of interviews with Snowden’s co-workers and supervisors.

So for this inexcusably shitty report, HPSCI did not interview:

  • Direct witnesses (presumably including the Compliance training woman whose email on 702 training is dodgy and probably also Booz and Dell contractors who might risk losing contracts)
  • Snowden’s co-workers
  • Snowden’s supervisors

They did interview:

  • People who possessed “substantively similar knowledge” as the people DOJ thinks might be witnesses at trial
  • People who reviewed reports of interviews with Snowden’s co-workers and supervisors

HPSCI spent two years but didn’t interview any of the direct witnesses.

Now, as a threshold matter, the publicly released emails provide good reason to doubt the adequacy of this indirect reporting on Snowden’s colleagues. Here’s how the Chief of NSA’s CI Division backed the conclusion that Snowden never talked about concerns about NSA surveillance with his colleagues.

Our findings are that we have found no evidence in the interviews, email, or chats reviewed that support his claims. Some coworkers reported discussing the Constitution with Snowden, specifically his interpretation of the Constitution as black and white, and others reported discussing general privacy issues as it relates to the Internet. Not one mentioned that Snowden mentioned a specific NSA program that he had a problem with. Actually, many of the people interviewed affirmed that he never complained about any NSA program. We also did not have any reflection that he asked anyone how he should/could report perceived wrongdoing.

So colleagues — who would presumably be in great fear of association with Snowden, especially in interviews with NSA’s Counterintelligence people — nevertheless revealed that they discussed the Constitution (and Snowden’s black and white interpretation of it) and general privacy issues about the Internet. “Many” of the interviewees said he never complained about any NSA program, which raises questions about what those excluded from this “many” said.

But it appears that NSA’s CI investigators only considered mention of specific programs to be a complaint, not general discussions about privacy and the Constitution.

We should assume the interview reports back to HPSCI members and staffers were similarly scoped.

There’s another reason I’m interested in this methodology section. That’s the implication from Spencer Ackerman’s series on SSCI’s Torture Report that CIA successfully used the John Durham investigation to undermine the SSCI investigation.

In August 2009, US attorney general Eric Holder expanded the remit of the prosecutor looking at the tapes destruction, John Durham, to include the torture program, much as the Senate committee had. The justice department’s new mandate was not as broad as the Senate’s. It would only concern itself with torture that exceeded the boundaries set for the CIA by the Bush-era justice department. Still, for all of Obama’s emphasis on looking forward and not backward, now the CIA had to face its greatest fear since launching the torture program: possible prosecution.

Holder’s decision, ironically, would ultimately hinder the committee more than the CIA, and lead to a criticism that the agency would later use as a cudgel against the Senate.

Typically, when the justice department and congressional inquiries coincide, the two will communicate in order to deconflict their tasks and their access. In the case of the dual torture investigations, it should have been easy: Durham’s team accessed CIA documents in the exact same building that Jones’s team did.

But every effort Jones made to talk with Durham failed. “Even later, he refused to meet with us,” Jones said.

Through a spokesman, Durham, an assistant US attorney in Connecticut, declined to be interviewed for this story.

The lack of communication had serious consequences. Without Durham specifying who at CIA he did and did not need to interview, Jones could interview no one, as the CIA would not make available for congressional interview people potentially subject to criminal penalty. Jones could not even get Durham to confirm which agency officials prosecutors had no interest in interviewing. “Regrettably, that made it difficult for our committee to do interviews. So the judgment was, use the record,” said Wyden, the Oregon Democrat on the panel.

[snip]

The CIA stopped compiling the Panetta Review in 2010 after Durham told Preston that CIA risked complicating any prosecution if it “made different judgments than the prosecutors had reached”, Charlie Savage reported in his 2015 book Power Wars.

Not only did CIA’s General Counsel Stephen Preston (who later served as DOD General Counsel from October 2013 until June 2015) use the Durham investigation to halt the CIA’s own internal investigation into the worthlessness of their torture, but it served as the excuse to withhold cooperation from SSCI. That, in turn, gave Republicans an excuse to disavow the report.

With the HPSCI report, an FBI investigation has again been used as an excuse to limit congressional oversight.

HPSCI’s failure to interview any of the relevant people directly is all the weirder given that there should be no problem for a witness to appear before both the grand jury and the committee. Certainly, House Oversight had no problem interviewing some of the subjects of the Hillary email investigation! And unlike the email investigation, with the Snowden one, few if any of the people who might serve as witnesses at any Snowden trial would be subjects of the investigation; they’d have no legal risk in also testifying to the committee. Snowden is the one at legal risk, and he has already been charged. And curiously, we’re hearing no squawking from Republicans about the necessity of direct interviews for the integrity of an investigation, like we heard with the Senate Torture Report.

One thing is certain: the public is owed an explanation for how HPSCI came to report knowably false information. The public is owed an explanation for why HPSCI is effectively serving as NSA’s propaganda wing.

And if we don’t get one, we should shut down the entire charade of post-Church Committee oversight committees.




HPSCI: We Must Spy Like Snowden To Prevent Another Snowden

I was going to write about this funny part of the HPSCI report anyway, but it makes a nice follow-up to my post on Snowden and cosmopolitanism, on the importance of upholding American values to keeping the servants of the hegemon working to serve it.

As part of its attack on Edward Snowden released yesterday, the House Intelligence Committee accused Snowden of attacking his colleagues’ privacy.

To gather the files he took with him when he left the country for Hong Kong, Snowden infringed on the privacy of thousands of government employees and contractors. He obtained his colleagues’ security credentials through misleading means, abused his access as a systems administrator to search his co-workers’ personal drives, and removed the personally identifiable information of thousands of IC employees and contractors.

I have no doubt that many — most, perhaps — of Snowden’s colleagues feel like he violated their privacy, especially as their identities are now in the possession of a number of journalists. So I don’t make light of that, or the earnestness with which HPSCI’s sources presumably made this complaint (though IC employee privacy is one of the things all journalists who have reported these stories have redacted, to the best of my knowledge).

But it’s a funny claim for several reasons. Even ignoring that what the NSA does day in and day out is search people’s personal communications (including millions of innocent people), this kind of broad access is the definition of a SysAdmin.

HPSCI apparently never had a problem with techs getting direct access to our dragnet metadata, as they had and (now working in pairs) still have, for those of us two degrees away from a suspect.

Plus, HPSCI has never done anything publicly to help the 21 million clearance holders whose PII China now holds. Is it possible they’re more angry at Snowden than they are at China’s hackers, who have more ill-intent than Snowden?

But here’s the other reason this complaint is laugh-out-loud funny. HPSCI closes its report this way:

Finally, the Committee remains concerned that more than three years after the start of the unauthorized disclosures, NSA and the IC as a whole, have not done enough to minimize the risk of another massive unauthorized disclosure. Although it is impossible to reduce the chance of another Snowden to zero, more work can and should be done to improve the security of the people and the computer networks that keep America’s most closely held secrets. For instance, a recent DOD Inspector General report directed by the Committee had yet to effectively implement its post-Snowden security improvements. The Committee has taken actions to improve IC information security in the Intelligence Authorization Acts for Fiscal Years 2014, 2015, 2016, and 2017, and looks forward to working with the IC to continue to improve security.

First, that timeline — showing an effort to improve network security in each year following the Snowden leaks — is completely disingenuous. It neglects to mention that the Intel Committees have actually been trying for longer than that. In the wake of the Manning leaks, it became clear that DOD’s networks were sieve-like. Congress tried to require network monitoring in the 2012 Intelligence Authorization. But the Administration responded by insisting 2013 — 3 years after Manning’s leaks — was too soon to plug all the holes in DOD’s networks. One reason Snowden succeeded in downloading all those files is because the network monitoring hadn’t been rolled out in Hawaii yet.

So HPSCI is trying to pretend Intel Committee past efforts didn’t actually precede Snowden by several years, but those efforts failed to stop Snowden.

The other reason I find this paragraph — which appears just four paragraphs after it attacks Snowden for the invasion of his colleagues’ privacy — so funny is that in the 2014 Intelligence Authorization (that is, the first one after the Snowden leaks), HPSCI codified an insider threat program, requiring the Director of National Intelligence to,

ensure that the background of each employee or officer of an element of the intelligence community, each contractor to an element of the intelligence community, and each individual employee of such a contractor who has been determined to be eligible for access to classified information is monitored on a continual basis under standards developed by the Director, including with respect to the frequency of evaluation, during the period of eligibility of such employee or officer of an element of the intelligence community, such contractor, or such individual employee to such a contractor to determine whether such employee or officer of an element of the intelligence community, such contractor, and such individual employee of such a contractor continues to meet the requirements for eligibility for access to classified information;

This insider threat program searches IC employees’ hard drives (one of Snowden’s sins).

Then, the following year, HPSCI got even more serious, mandating that the Director of National Intelligence look into credit reports, commercially available data, and social media accounts to hunt down insider threats, including by watching for changes in ideology like those Snowden exhibited, developing an outspoken concern about the Fourth Amendment.

I mean, on one hand, this isn’t funny at all — and I imagine that Snowden’s former colleagues blame him that they have gone from having almost no privacy as cleared employees to having none. This is what people like Carrie Cordero mean when they regret the loss of trust at the agency.

But as I have pointed out in the past, if someone like Snowden — who at least claims to have had good intentions — can walk away with the crown jewels, we should presume some much more malicious and/or greedy people have as well.

But here’s the thing: you cannot, as Cordero does, say that the “foreign intelligence collection activities [are] done with detailed oversight and lots of accountability” if it is, at the same time, possible for a SysAdmin to walk away with the family jewels, including raw data on targets. If Snowden could take all this data, then so can someone maliciously spying on Americans — it’s just that that person wouldn’t go to the press to report on it and so it can continue unabated. In fact, in addition to rolling out more whistleblower protections in the wake of Snowden, NSA has made some necessary changes (such as not permitting individual techs to have unaudited access to raw data anymore, which appears to have been used, at times, as a workaround for data access limits under FISA), even while ratcheting up the insider threat program that will, as Cordero suggested, chill certain useful activities. One might ask why the IC moved so quickly to insider threat programs rather than just implementing sound technical controls.

The Intelligence world has gotten itself into a pickle, at once demanding that a great deal of information be shared broadly, while trying to hide what information that includes, even from American citizens. It aspires to be at once an enormous fire hose and a leak-proof faucet. That is the inherent impossibility of letting the secret world grow so far beyond management — trying to make a fire hose leak proof.

Some people in the IC get that — I believe this is one of the reasons James Clapper has pushed to rein in classification, for example.

But HPSCI, the folks overseeing the fire hose? They don’t appear to realize that they’re trying to replicate and expand Snowden’s privacy violations, even as they condemn them.