Bulk Collection Is All Fun and Games Until Office of Personnel Management Gets Hacked

Reuters reports that, contrary to initial reports, the Office of Personnel Management hack revealed earlier this week did compromise the security clearance and background check information in the data, meaning the hack will be far more valuable as intelligence to set up phishing and other further spying efforts. The hack is believed to have been perpetrated by Chinese hackers, though it is unclear thus far whether or not they are part of the government.

Data stolen from U.S. government computers by suspected Chinese hackers included security clearance information and background checks dating back three decades, U.S. officials said on Friday, underlining the scope of one of the largest known cyber attacks on federal networks.

[snip]

A total of 2.1 million current U.S. government workers were affected, according to a source familiar with the FBI-led investigation into the incident.

Accusations by U.S. government sources of a Chinese role in the cyber attack, including possible state sponsorship, could further strain ties between Washington and Beijing. Tensions are already heightened over Chinese assertiveness in pursuit of territorial claims in the South China Sea.

The same report notes that the hack may be linked to the hack of similar scope of Anthem earlier this year.

This is, as a lot of the current and former government employees I follow on Twitter are realizing this morning, a devastating hack, one which will have repercussions both in the private lives of those whose data has been hacked as well as generally for America’s national security, because the data in the OPM servers offers a road map for further espionage targeting.

It is also something the US does all the time — and not just against official government employees of adversary nations, but also against civilian or quasi civilian telecom targets, as well as employees of corporations of interest.

This WaPo piece quotes a number of cybersecurity people suggesting several recent major hacks are being used to pull together large data repositories — similar in purpose to, but at this point just a mere shadow of, what we do using bulk collection and XKeyscore. But it tries to suggest the Chinese collection of bulk data is worse because, “in China, the authorities do not tolerate public debate over the proper limits of large-scale spying in the digital age.”

The US Intelligence Community let us have a debate over a mere fraction of the bulk data being collected by the NSA — that collected domestically to target Americans. But for the stuff targeting foreigners on a far greater scale, President Obama proclaimed we would continue collecting in bulk but limit its use to all the major purposes we were already using it for before we ever got around to debating the Section 215 dragnet.

(1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;

(2) threats to the United States and its interests from terrorism;

(3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;

(4) cybersecurity threats;

(5) threats to U.S. or allied Armed Forces or other U.S. or allied personnel;

(6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.

That scope goes well beyond the scope of those affected in this OPM hack.

Once the government does whatever it can to protect the millions compromised by this hack, I hope it will provide an opportunity to do two things: focus on actual cyber-defense, rather than an offensive approach that itself entails and therefore legitimates precisely this kind of bulk collection, and reflect on whether the world we’ve built, in which millions of innocent people get swept up in spying because it’s easy to do so, is really one we want to pursue. Ideally, such reflection might lead to some norm-setting that sharply limits the kinds of targets who can be bulk collected (though OPM would solidly fit in any imaginable such limits).

China has, unsurprisingly, now adopted our approach, even if it would take a decade for it to catch up in ability to bulk collect from most nodes. And that’s going to suck for a lot of government and private sector employees who will be made targets as a result.

But that’s the world and the rules we chose to create.

Update: See this NYT piece for just how shoddy the security on OPM’s servers was. We’ve been arguing for years about ways to better respond to criminal hackers and neglecting really really basic steps needed to prevent our adversaries from adopting the same approach we use.

In October 2013, Patrick Leahy and Jim Sensenbrenner Rolled Out a Bill That Would Have Ended Upstream Cyber Collection

Back in October 2013, Jim Sensenbrenner and Patrick Leahy released the original, far better, version of the USA Freedom Act. As I noted in November 2013, it included a provision that would limit upstream collection to two uses: international terrorism and the international proliferation of WMD.

It basically adds a paragraph to section d of Section 702 that limits upstream collection to two uses: international terrorism or WMD proliferation.

(C) limit the acquisition of the contents of any communication to those communications—

(i) to which any party is a target of the acquisition; or

(ii) that contain an account identifier of a target of an acquisition, only if such communications are acquired to protect against international terrorism or the international proliferation of weapons of mass destruction.;

And adds a definition for “account identifier” limiting it to identifiers of people.

(1) ACCOUNT IDENTIFIER.—The term ‘account identifier’ means a telephone or instrument number, other subscriber number, email address, or username used to uniquely identify an account.

At the time, I noted that this would give the NSA 6 months to shut down the use of upstream collection to collect cyber signatures.

Jonathan Mayer’s comments on the NYT/PP story today reveal why that would be important to do (this is a point I’ve been making for years): if you’re collecting signatures of cyber attacks, you’re collecting victim data as well, a problem that would only get worse under the cyber information sharing bills before Congress.

This understanding of the NSA’s domestic cybersecurity authority leads to, in my view, a more persuasive set of privacy objections. Information sharing legislation would create a concerning surveillance dividend for the agency.


Because this flow of information is indirect, it prevents businesses from acting as privacy gatekeepers. Even if firms carefully screen personal information out of their threat reports, the NSA can nevertheless intercept that information on the Internet backbone.

Furthermore, this flow of information greatly magnifies the scale of privacy impact associated with information sharing. Here’s an entirely realistic scenario: imagine that a business detects a handful of bots on its network. The business reports a signature to DHS, who hands it off to the NSA. The NSA, in turn, scans backbone traffic using that signature; it collects exfiltrated data from tens of thousands of bots. The agency can then use and share that data. What began as a tiny report is magnified to Internet scale.
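The scenario Mayer sketches above, worked through as an added simulation that is not part of the original post: a firm screens victim data out of its threat report, but anyone matching the same signature against raw traffic gets the whole flow, victim payload included. The bot signature, the hosts and the traffic are all constructed; the minimizing collector at the end shows what a privacy-preserving match would have to discard.

```python
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One captured connection: source host, destination host and payload bytes."""
    src: str
    dst: str
    payload: bytes


# Constructed signature for a hypothetical bot check-in; not a real malware indicator.
BOT_SIGNATURE = re.compile(rb"POST /gate\.php HTTP/1\.1")

# Constructed backbone sample (RFC 5737 documentation addresses, .invalid hostnames).
# Two infected hosts exfiltrate data to the same C2; one flow is ordinary web traffic.
SAMPLE_TRAFFIC = [
    Flow("10.0.0.5", "203.0.113.9",
         b"POST /gate.php HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"
         b"user=alice&ccnum=4111111111111111"),
    Flow("10.0.0.7", "198.51.100.2",
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("192.0.2.44", "203.0.113.9",
         b"POST /gate.php HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"
         b"user=bob&pwd=hunter2"),
]


def business_report(flows):
    """What the firm shares upstream: the signature and a count, no victim data at all."""
    hits = [f for f in flows if BOT_SIGNATURE.search(f.payload)]
    return {"signature": BOT_SIGNATURE.pattern.decode(), "bot_count": len(hits)}


def backbone_scan(flows, signature):
    """Matching the shared signature against traffic returns entire flows,
    so every victim's exfiltrated payload rides along with the indicator hit."""
    return [f for f in flows if signature.search(f.payload)]


def minimized_scan(flows, signature):
    """A minimizing collector: record that the signature fired and where it was
    going, but keep neither the victim address nor any payload beyond the match."""
    records = []
    for f in flows:
        m = signature.search(f.payload)
        if m:
            records.append({"dst": f.dst, "matched": m.group(0).decode()})
    return records


def victim_fields_leaked(flows, signature):
    """Count how many matched flows still carry content beyond the signature itself."""
    return sum(
        1 for f in backbone_scan(flows, signature)
        if len(f.payload) > len(signature.search(f.payload).group(0))
    )


if __name__ == "__main__":
    print(business_report(SAMPLE_TRAFFIC))
    for f in backbone_scan(SAMPLE_TRAFFIC, BOT_SIGNATURE):
        print("full capture:", f.src, "->", f.dst, f.payload)
    print("minimized:", minimized_scan(SAMPLE_TRAFFIC, BOT_SIGNATURE))
```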

But, instead of giving NSA 6 months to close this loophole, we instead passed USA F-ReDux, which does nothing to rein in domestic spying in the name of cybersecurity.

Leahy released a remarkable statement in response to today’s story that doesn’t reveal whether he knew of this practice (someone knew to forbid it in their original bill!), but insists he’ll fight for more limits on surveillance and more transparency.

Today’s report that the NSA has expanded its warrantless surveillance of Internet traffic underscores the critical importance of placing reasonable and commonsense limits on government surveillance in order to protect the privacy of Americans. Congress took an important step in this direction this week by passing the USA FREEDOM Act, but I have always believed and said that more reforms are needed. Congress should have an open, transparent and honest debate about how to protect both our national security and our privacy. As Congress continues to work on surveillance and cybersecurity legislation, I will continue to fight for more reforms, more transparency, and more accountability – particularly on issues related to the privacy of Americans’ personal communications.

Remember: on Tuesday, Richard Burr vehemently denied we had secret law. And while this application of FISA wasn’t entirely secret — I figured it out pretty quickly, but a great great many people doubted me, as per usual — even Leahy is faced with a situation where he can’t admit he knew about a practice he already tried to shut down once.

Wyden et al: Spot the Lie in Brennan’s CFR Speech Contest!

As the Daily Dot reported, Senators Wyden, Heinrich, and Hirono wrote John Brennan a letter trying to get him to admit that he lied about hacking the Senate Intelligence Committee.

But, as often happens with Wyden-authored letters, they also included this oblique paragraph at the end:

Additionally, we are attaching a separate classified letter regarding inaccurate public statements that you made on another topic in March 2015. We ask that you correct the public record regarding these statements immediately.

A game!!! Find the lies Brennan told in March!!!

The most likely place to look for Brennan lies comes in this appearance at the Council on Foreign Relations, where Brennan took questions from the audience.

While you might think Brennan lied about outsourcing torture to our allies, his answer on CIA involvement with interrogations conducted by our partners was largely truthful, even if he left out the part of detainees being tortured in custody.

But on a related issue, Brennan surely lied. He claimed — in response to a question from an HRW staffer — not to partner with those who commit atrocities.

QUESTION: I’m going to try to stand up. Sarah Leah Whitson, Human Rights Watch. Two days ago, ABC News ran some video and images of psychopathic murderers, thugs in the Iraqi security forces, carrying out beheadings, executions of children, executions of civilians. Human Rights Watch has documented Iraqi militias carrying out ISIS-like atrocities, executions of hundreds of captives and so forth.

And some of the allies in the anti-ISIS coalition are themselves carrying out ISIS-like atrocities, like beheadings in Saudi Arabia, violent attacks on journalists in Saudi Arabia—how do you think Iraqi Sunni civilians should distinguish between the good guys and the bad guys in this circumstance?

BRENNAN: It’s tough sorting out good guys and bad guys in a lot of these areas, it is. And human rights abuses, whether they take place on the part of ISIL or of militias or individuals who are working as part of formal security services, needs to be exposed, needs to be stopped.

And in an area like Iraq and Syria, there has been some horrific, horrific human rights abuses. And this is something that I think we need to be able to address. And when we see it, we do bring it to the attention of authorities. And when we see it, we do bring it to the attention of authorities. And we will not work with entities that are engaged in such activities.

As I noted at the time, Brennan totally dodged the question about Saudi atrocities. But it is also the case that many of the “moderates” we’ve partnered with in both Syria and Iraq have themselves engaged in atrocities.

So I suspect his claim that “we will not work with entities that are engaged in such activities” is one of the statements Wyden et al were pointing to.

A potentially related alternative candidate (the letter did say Brennan had made false statements, plural) is this exchange. When Brennan claimed, at the time, he has no ties to Qasim Soleimani, I assumed he was lying, not just because we’re actually fighting a war in IRGC’s vicinity but also because Brennan seemed to exhibit some of the “tells” he does when he lies.

QUESTION: James Sitrick, Baker & McKenzie. You spent a considerable amount of your opening remarks talking about the importance of liaison relationships. Charlie alluded to this in one of his references to you, on the adage—the old adage has it that the enemy of your enemy is your friend. Are we in any way quietly, diplomatically, indirectly, liaisoning with Mr. Soleimani and his group and his people in Iraq?

BRENNAN: I am not engaging with Mr. Qasem Soleimani, who is the head of the Quds Force of Iran. So no, I am not.

I am engaged, though, with a lot of different partners, some of close, allied countries as well as some that would be considered adversaries, engaged with the Russians on issues related to terrorism.

We did a great job working with the Russians on Sochi. They were very supportive on Boston Marathon. We’re also looking at the threat that ISIL poses both to the United States as well as to Russia.

So I try to take advantage of all the different partners that are out there, because there is a strong alignment on some issues—on proliferation as well as on terrorism and others as well.

I happen to think it an exaggeration that the Russians “were very supportive on Boston Marathon,” but maybe that’s because FSB was rolling up CIA spies who were investigating potentially related groups in Russia.

Finally, while less likely, I think this might be a candidate.

QUESTION: Thank you. Paula DiPerna, NTR Foundation. This is probably an unpopular suggestion, but is it feasible or how feasible would it be to do a little selective Internet disruption in the areas concerned, a la a blockade, digital blockade, and then an international fund to indemnify business loss?

BRENNAN: OK. First of all, as we all know, the worldwide web, the Internet, is a very large enterprise. And trying to stop things from coming out, there are political issues, there are legal issues here in the United States as far as freedom of speech is concerned. But even given that consideration, doing it technically and preventing some things from surfacing is really quite challenging.

And we see that a number of these organizations have been able to immediately post what they’re doing in Twitter. And the ability to stop some things from getting out is really quite challenging.

As far as, you know, indemnification of various companies on some of these issues, there has been unfortunately a very, very long, multi-year effort on the part of the Congress to try to pass some cybersecurity legislation that addressed some of these issues. There has been passage in the Senate.

I think it’s overdue. We need to update our legal structures as well as our policy structures to deal with the cyber threats we face.

Remember, Ron Wyden has been pointing to an OLC opinion on Common Commercial Services (which, however, CIA’s now General Counsel Carolyn Krass said publicly she wouldn’t rely on) for years. I suspect indemnity is one of the things it might cover.

Plus, I do think it likely that we’ve disrupted the Internet in various circumstances.

Who knows? Maybe Brennan just told a lot of lies.

It wouldn’t be the first time.

Update: NatSec sources are already dismissing this Sy Hersh piece on the real story behind the bin Laden killing. But if there’s truth to this detail, then it would suggest I was overly optimistic when I suggested Brennan was truthful about outsourcing our interrogation to allies.

The retired official told me that the CIA leadership had become experts in derailing serious threats from Congress: ‘They create something that is horrible but not that bad. Give them something that sounds terrible. “Oh my God, we were shoving food up a prisoner’s ass!” Meanwhile, they’re not telling the committee about murders, other war crimes, and secret prisons like we still have in Diego Garcia. The goal also was to stall it as long as possible, which they did.’

If we do still have a secret prison in Diego Garcia, then the claim that we outsource everything to allies would be the key lie here.

Edward Snowden Richard Burr Exposes IP Address Dragnet on Senate Floor

Update: As I show in this post, the transcription of Burr’s speech in the Congressional record removed the reference to IP addresses. 

Update: While Burr’s office did not respond to my request for comment, they did respond to Buzzfeed (which sadly didn’t ask the obvious follow-up questions). His office claims he misspoke, though apparently didn’t explain why he would confuse Section 215 and PRTT, why he would tie the Internet dragnet to phone calls, or why, if the current dragnet doesn’t collect Internet data but USA F-ReDux would, that would not then be a welcome return for the Senator given his stated desire to track such collection. I have asked for comment again from Burr’s office on those questions.

Since last summer, I have been emphasizing that the bulk of Section 215 orders collect Internet data, not phone records under the phone dragnet. I pointed to evidence that that production included data flows and noted FBI claims they use it to conduct hacking investigations. But I have assumed that was primarily bulky collection, not bulk collection.

Not so. Earlier today, noted whistleblower Edward Snowden Senate Intelligence Chair Richard Burr revealed that there is also an IP address bulk collection program. (h/t Andrew Blake, after 2:15)

Now what’s bulk data? Bulk data is storing telephone numbers and IP addresses — we have no idea who they belong to — that are domestic. And the whole basis behind this program is that as a cell phone is picked up in Syria, and you look at the phone numbers that phone talked to, if there’s some in the United States we’d like to know that — at least law enforcement would like to know it — so that we can understand if there’s a threat against us here in the homeland [sic] or somewhere else in the world. So Section 215 allows the NSA to collect in bulk telephone numbers and IP addresses with no identifier on it. We couldn’t tell you who that American might be.

I thought when you leaked details like this it helped our enemies? I thought if you did such things you were a traitor, deserving of an orange jumpsuit at Gitmo?

Apparently not.

So it appears it’s the IP dragnet, and not the phone dragnet, that the Republicans are trying to save?

It’s a little late for that, though, given that the Second Circuit just ruled such dragnets illegal.

Sony, the White House, and 10 Downing Street: What’s the Quid Pro Quo?

Lots of ugly things crawled out of Sony Pictures Entertainment’s emails leaked by hackers this past autumn.

The leak of emails and intellectual property, including then-unreleased film The Interview, was labeled “a serious national security matter” by the White House. In January this year, President Obama issued an executive order increasing sanctions against North Korea, the purported origin of the hack on SPE’s network and computers.

Sony Pictures Entertainment (SPE) is a wholly-owned subsidiary of Sony Corporation, a Japanese multinational conglomerate. In offering retaliation on behalf of SPE, the White House placed SPE on par with critical U.S. infrastructure, though no one will be physically injured or die should SPE be hacked again, and the market won’t collapse if SPE loses money on all its movies this year.

If SPE, a foreign-owned, information security-challenged entertainment firm, is now entitled to military protection against cyberattack, what is it the White House and the U.S. will receive or has received in exchange?

What’s the exchange in this quid pro quo?

Which brings us to the matter of STARZ’ cable series, Outlander, and UK Prime Minister David Cameron’s government.

In 2013, STARZ network ordered the 16-episode adaptation of bestselling historical fiction novel, Outlander by author Diana Gabaldon, from production companies Tall Ship Productions, Story Mining & Supply Co., and Left Bank Productions, in association with Sony Pictures Television.

While STARZ was the U.S. distributor, offering the series on its own cable network, SPE’s TV arm appears to have handled overseas distribution to broadcast, cable, and video streaming services.

Outlander’s cross-genre narrative is set mainly in 1740s Scotland; the story is sympathetic to a Scottish protagonist and his time-traveling English wife who are caught between the British and Jacobites in the ramp up to the 1746 Battle at Culloden. The Scottish people and countryside are treated favorably in the series’ production.

The program debuted on STARZ in the U.S. on August 9 last year — a little less than six weeks before Scotland’s independence referendum (“IndyRef”). Outlander began airing in Canada and Australia in August also, and in October in Ireland after the IndyRef vote.

Distribution deals in other countries including Germany, Hungary, Japan, and the Netherlands led to wider release overseas last year.

But Outlander never received a distribution deal in 2014 in the UK, in spite of its many Scottish and British fans’ clamor and the source book’s status as a renewed bestseller in advance of the show’s U.S. debut. To date the series has only released on Amazon Prime Instant Video in the UK, for paid video-on-demand streaming — not on broadcast or cable.

At least one email leaked by hackers revealed that SPE personnel had a meeting or meetings with Cameron’s government. In an internal email from Keith E. Weaver, executive vice president, SPE executives were told,

“Your meeting with Prime Minister Cameron on Monday will likely focus on our overall investment in the U.K. – with special emphasis on the jobs created by Tommy Cooper [the ITV show], the importance of Outlander (i.e., particularly vis-a-vis the political issues in the U.K. as Scotland contemplates detachment this Fall), and the growth of our channels business…”

The implication is that SPE would suppress any effort to distribute Outlander to the benefit of Cameron’s anti-independence position, in exchange for “growth of our channels business…”

What exactly does this mean?

And is the pursuit of growth confined to SPE, or did “channels business” mean something else? Were Sony executives also looking for opportunities for Sony Corporation, which includes Sony Computer Entertainment, Sony Music Entertainment, Sony Mobile Communications (once known as Sony Ericsson), and Sony Financial?

Did SPE executives and the Prime Minister agree not to seek broadcast or cable distribution of Outlander in the UK before this month’s election?

America’s Intelligence Empire

I’ve been reading Empire of Secrets, a book about the role of MI5 as the British spun off their empire. It describes how, in country after country, the government that took over from the British — even including people who had been surveilled and jailed by the British regime — retained the British intelligence apparatus and crafted a strong intelligence sharing relationship with their former colonizers. As an example, it describes how Indian Interior Minister Sardar Patel decided to keep the Intelligence Bureau rather than shut it down.

Like Nehru, Patel realised that the IB had probably compiled records on himself and most of the leaders of Congress. However, unlike Nehru, he did not allow this to colour his judgment about the crucial role that intelligence would play for the young Indian nation.

[snip]

Patel not only allowed the continued existence of the IB, but amazingly, also sanctioned the continued surveillance of extremist elements within his own Congress Party. As Smith’s report of the meeting reveals, Patel was adamant that the IB should ‘discontinue the collection of intelligence on orthodox Congress and Muslim League activity’, but at the same time he authorised it to continue observing ‘extremist organisations’. Patel was particularly concerned about the Congress Socialist Party, many of whose members were communist sympathisers.

[snip]

The reason Patel was so amenable to continued surveillance of some of his fellow Indian politicians (keeping tabs on his own supporters, as one IPI report put it) was his fear of communism.

And the same remarkable process, by which the colonized enthusiastically partnered with their former colonizers to spy on their own, happened in similar fashion in most of Britain’s former colonies.

That’s what I was thinking of on March 13, when John Brennan gave a speech to the Council on Foreign Relations. While it started by invoking an attack in Copenhagen and Charlie Hebdo, a huge chunk of the speech talked about the value of partnering with our intelligence allies.

Last month an extremist gunned down a film director at a cafe in Copenhagen, made his way across town and then shot and killed a security guard at a synagogue. Later the same day the terrorist group ISIL released a video showing the horrific execution of Coptic Christians on a beach in Libya.

The previous month, in a span of less than 24 hours, we saw a savage attack on the staff of the satirical newspaper Charlie Hebdo in France. We saw a car bomb kill dozens at a police academy in Yemen.

[snip]

As CIA tackles these challenges, we benefit greatly from the network of relationships we maintain with intelligence services throughout the world. This is a critically important and lesser known aspect of our efforts. I cannot overstate the value of these relationships to CIA’s mission and to our national security. Indeed, to the collective security of America and its allies.

By sharing intelligence, analysis, and know-how with these partner services, we open windows on regions and issues that might otherwise be closed to us. And when necessary, we set in concert to mitigate a common threat.

By collaborating with our partners we are much better able to close key intelligence gaps on our toughest targets, as well as fulfill CIA’s mission to provide global coverage and prevent surprises for our nation’s leaders. There is no way we could be successful in carrying out our mission of such scope and complexity on our own.

Naturally these are sensitive relationships built on mutual trust and confidentiality. Unauthorized disclosures in recent years by individuals who betrayed our country have created difficulties with these partner services that we have had to overcome.

But it is a testament to the strength and effectiveness of these relationships that our partners remain eager to work with us. With the stakes so high for our people’s safety, these alliances are simply too crucial to be allowed to fail.

From the largest services with global reach to those of smaller nations focused on local and regional issues, CIA has developed a range of working and productive relationships with our counterparts overseas. No issue highlights the importance of our international partnerships more right now than the challenge of foreign fighters entering and leaving the conflict in Syria and Iraq.

We roughly estimate that at least 20,000 fighters from more than 90 countries have gone to fight, several thousand of them from Western nations, including the United States. One thing that dangers these fighters pose upon their return is a top priority for the United States intelligence community, as well as our liaison partners.

We exchange information with our counterparts around the world to identify and track down men and women believed to be violent extremists. And because we have the wherewithal to maintain ties with so many national services, we act as a central repository of data and trends to advance the overall effort.

On this and in innumerable other challenges, our cooperation with foreign liaison quietly achieves significant results. Working together, we have disrupted terrorist attacks and rolled back groups that plot them, intercepted transfers of dangerous weapons and technology, brought international criminals to justice and shared vital intelligence and expertise on everything from the use of chemical armaments in Syria to the downing of the Malaysian airliner over Ukraine.

These relationships are an essential adjunct to diplomacy. And by working with some of these services in building their capabilities we have helped them become better prepared to tackle the challenges that threaten us all.

[snip]

With CIA’s support, I have seen counterparts develop into sophisticated and effective partners. Over time our engagement with partner services fosters a deeper, more candid give and take, a more robust exchange of information and assessments, and a better understanding of the world that often ultimately encourages better alignment on policy.

Another advantage of building and maintaining strong bilateral and multilateral intelligence relationships is that they can remain, albeit not entirely, insulated from the ups and downs of diplomatic ties. These lengths can provide an important conduit for a dispassionate dialogue during periods of tension, and for conveying the U.S. perspective on contentious issues.

In recognition of the importance of our liaison relationships, I recently reestablished a senior position at the CIA dedicated to ensuring that we are managing relationships in an integrated fashion. To developing a strategic vision and corporate goals for our key partnerships and to helping me carry out my statutory responsibility to coordinate the intelligence communities’ foreign intelligence relationships. [my emphasis]

We are and still remain in the same position as MI5, Brennan seems to want to assure the CFR types, in spite of the embarrassment experienced by our intelligence partners due to leaks by Chelsea Manning and Edward Snowden. Information sharing remains the cement of much of our relationships with allies; our ability to let them suck off our dragnet keeps them in line.

And of particular note, Brennan described these “strong bilateral and multilateral intelligence relationships …remain[ing], albeit not entirely, insulated from the ups and downs of diplomatic ties.”

The spooks keep working together regardless of what the political appointees do, Brennan suggested.

But that speech is all the more notable given the revelations in this Der Spiegel story. It describes how, because of the Snowden leaks, the Germans slowly started responding to something they had originally discovered in 2008. The US had been having BND spy on selectors well outside the Memorandum of Understanding governing the countries’ intelligence sharing, even including economic targets. At first, BND thought this was just 2,000 targets, but as the investigation grew more pointed, 40,000 suspicious selectors were found. Only on March 12 — the day before Brennan gave this remarkable speech — did Merkel’s office officially find out.

But in October 2013, not even the BND leadership was apparently informed of the violations that had been made. The Chancellery, which is charged with monitoring the BND, was also left in the dark. Instead, the agents turned to the Americans and asked them to cease and desist.

In spring 2014, the NSA investigative committee in German parliament, the Bundestag, began its work. When reports emerged that EADS and Eurocopter had been surveillance targets, the Left Party and the Greens filed an official request to obtain evidence of the violations.

At the BND, the project group charged with supporting the parliamentary investigative committee once again looked at the NSA selectors. In the end, they discovered fully 40,000 suspicious search parameters, including espionage targets in Western European governments and numerous companies. It was this number that SPIEGEL ONLINE reported on Thursday. The BND project group was also able to confirm suspicions that the NSA had systematically violated German interests. They concluded that the Americans could have perpetrated economic espionage directly under the Germans’ noses.

Only on March 12 of this year did the information end up in the Chancellery.

This has led to parliamentary accusations that BND lied in earlier testimony. The lies are notable, given how they echo the same kind of sentiment John Brennan expressed in his speech.

According to a classified memo, the agency told parliamentarians in 2013 that the cooperation with the US in Bad Aibling was consistent with the law and with the strict guidelines that had been established.

The memo notes: “The value for the BND (lies) in know-how benefits and in a closer partnership with the NSA relative to other partners.” The data provided by the US, the memo continued, “is checked for its conformance with the agreed guidelines before it is inputted” into the BND system.

Now, we know better. It remains to be determined whether the BND really was unaware at the time, or whether it simply did not want to be aware.

The NSA investigative committee has also questioned former and active BND agents regarding “selectors” and “search criteria” on several occasions. Prior to the beginning of each session, the agents were informed that providing false testimony to the body was unlawful. The BND agents repeatedly insisted that the selectors provided by the US were precisely checked.

As almost a snide aside, Der Spiegel notes that in spite of these lies, the public prosecutor has not yet been informed.

That is, the spooks have been lying — at least purportedly, to everyone up to and including Merkel’s office. But the government seems to be uninterested in pursuing those lies.

As Brennan said as this was just breaking out, the spooks retain their “strong bilateral and multilateral intelligence relationships …remain[ing], albeit not entirely, insulated from the ups and downs of diplomatic ties.”

And as with Brennan — who, as Gregory Johnsen chronicles in this long profile of the CIA Director published yesterday, has always evaded accountability himself — the spooks always evade accountability.

FBI Counterterrorism Agent Discovers How FBI National Security Investigations Work

CNN has a story based on the deposition of Frederick Humphries, the friend of Jill Kelley who first initiated the investigation into Kelley’s stalker, who turned out to be David Petraeus’ lover, Paula Broadwell. The deposition is in Kelley’s suit against the FBI for violating her privacy.

The deposition contains accusations that the FBI stalled the investigation because of the Presidential election and that Agents made derogatory comments about Kelley.

If what Humphries alleges is true, then it points to real abuse in an investigation affecting David Petraeus.

That said, Humphries — who has worked counterterrorism for years, including on the Ahmed Ressam case — expresses surprise that the FBI did what it does on national security cases: collect broadly and then investigate what it has collected. The FBI used some of Kelley’s other emails against both Humphries and Kelley.

“The only victim is her husband because he has to pay for all the food that she goes out and eats and takes pictures of and sends to everyone,” said Kevin Eaton, the assistant special agent in charge, according to Humphries.

Kelley often took photos of her food when she went out to eat and sent them to her friends, a source close to Kelley said.

It was a comment that “shocked and surprised” Humphries since it revealed that the FBI was looking at Kelley’s e-mails beyond the ones relevant to the cyberstalking, contrary to Kelley’s explicit instruction.

[snip]

In September 2012 Ibison “summoned” Humphries to a meeting and asked him “whether there was anything in my communications with Jill Kelley for which I would be embarrassed,” he testified.

“No,” Humphries said, and Ibison “threw a bunch of pictures at me and files of my e-mails to Jill Kelley.”

“Well, I told the director that and he just shoved these up my ass,” Ibison said, according to Humphries, “and he tossed the pictures at me.”

I’m in no way saying this is right. It’s not. It’s a privacy violation and it shows how easily the FBI can use its deep digs of information to abuse power.

But the FBI is explicit that once it has legally collected information, it can access that information without evidence of a crime.

And Humphries himself makes it clear that the FBI treated this as a cybersecurity investigation, investigations which (if anything) overcollect even more than counterterrorism cases.

Jill Kelley reached out to Humphries, an FBI Agent whom she and her husband knew socially.

“She explained that Gen. Allen had received an odd e-mail,” Humphries testified, noting that “whoever sent these e-mails is either in close physical proximity or has penetrated the cyber security of these folks to include the director of the Central Intelligence Agency, Director Petraeus, and I was worried and concerned for his safety, the safety of the generals.”

Humphries thought the emails “ominous” and contacted Special Agent Adam Malone of the Tampa Cyber Squad.

“We had already reached the threshold on the cyber or physical security of senior government leadership and possible their email,” he said.

Again, I absolutely agree with Humphries that FBI’s focus on Kelley and then on him was wrong. But it’s wrong whether it’s someone who is two degrees of separation from an Imam of interest or a socialite in Tampa Bay who makes trouble for David Petraeus.

And, of course, such potential violations will only get more widespread if Congress passes CISA, which would permit the sharing of cyber-investigation information broadly across the government.

A Guide to the 5+ Known Intelligence Community Telecommunications Metadata Dragnets

I’ve been laying this explanation out since USA Today provided new details on DEA’s International Dragnet, but it’s clear it needs to be done in a more systematic fashion, because really smart people continue to mistakenly treat the Section 215 database as the analogue to the DEA dragnet described by USAT, which it’s not. There are at least five known telecommunications dragnets (some of which appear to integrate other kinds of metadata, especially Internet metadata). Here’s a quick guide to what is known about each (click to enlarge; let me know of corrections/additions, and I will do running updates to make this more useful):

150410 Dragnets

NSA, International

When people think about the NSA dragnet they mistakenly think exclusively of Section 215. That is probably the result of a deliberate strategy from the government, but it leads to gross misunderstanding on many levels. As Richard Clarke said in Congressional testimony last year, Section “215 produces a small percentage of the overall data that’s collected.”

Like DEA, NSA has a dragnet of international phone calls, including calls into the United States. This is presumably limited only by technical capability, meaning the only things excluded from this dragnet are calls NSA either doesn’t want or can’t get overseas (and note, some domestic cell phone data may be available offshore because of roaming requirements). David Kris has said that whatever part of this collection comes from domestic providers comes under 18 U.S.C. § 2511(2)(f). And this dragnet is not just calls: it is also a whole slew of Internet data (because of the structure of the Internet, this will include a great deal of US person data). And it surely includes a lot of other data points, almost certainly including location data. Analysts can probably access Five Eyes and other intelligence partner data, though this likely comes with additional restrictions.

There are, within this dragnet, two sets of procedures for accessing it. There is straight EO 12333, which appears to defeat US person data (so if you’re contact chaining and a known US person is included in the chain, you won’t see it). This collection requires only a foreign intelligence purpose (a purpose that explicitly includes counternarcotics). Standard NSA minimization procedures apply, which — given that this is not supposed to include US person data — are very permissive.

Starting in 2008 (and probably before 2004, at least as part of Stellar Wind), specially-trained analysts are also permitted to include US persons in the contact chaining they do on EO 12333 data, under an authority called “SPCMA” for “special procedures.” They can’t target Americans, but they can analyze and share US person data (and NSA has coached analysts how to target a foreign entity to get to the underlying US data). This would be treated under NSA’s minimization procedures, meaning US person data may get masked unless there’s a need for it. Very importantly, this chaining is not and never was limited to counterterrorism purposes — it only requires a foreign intelligence purpose. Particularly because so much metadata on Americans is available overseas, this means NSA can do a great deal of analysis on Americans without any suspicion of criminal ties.

Both of these authorities appear to link right into other automatic functions, including things like matching identities (such that it would track “emptywheel” across all the places I use that as my uniquename) and linking directly up to content, if it has been collected.

NSA, Domestic

Screen Shot 2014-02-16 at 10.42.09 PM

Then there is the Section 215 dragnet, which prior to 2006 was conducted with telecoms voluntarily producing data but got moved to Section 215 thereafter; there is a still-active Jack Goldsmith OLC opinion that says the government does not need any additional statutory authorization for the dragnet (though telecoms aside from AT&T would likely be reluctant to do so now without liability protection and compensation).

Until 2009, the distinctions between NSA’s EO 12333 data and Section 215 data were not maintained. Indeed, in early 2008 “for purposes of analytical efficiency,” the Section 215 data got dumped in with the EO 12333 data and it appears the government didn’t even track data source (which FISC made them start doing by tagging each discrete piece of data in 2009), and so couldn’t apply the Section 215 rules as required. Thus, until 2009, the Section 215 data was subjected to the same automatic analysis that the EO 12333 data still is. That was shut down in 2009, though the government kept trying to find a way to resume such automatic analysis. It never succeeded and finally gave up last year, literally on the day the Administration announced its decision to move the data to the telecoms.

The Section 215 phone dragnet can only be used for counterterrorism purposes and any data that gets disseminated outside of those cleared for BRFISA (as the authority is called inside NSA) must be certified as to that CT purpose. US person identifiers targeted in the dragnet must first be reviewed to ensure they’re not targeted exclusively for First Amendment reasons. Since last year, FISC has pre-approved all identifiers used for chaining except under emergencies. Though note: Most US persons approved for FISA content warrants are automatically approved for Section 215 chaining (I believe this is done to facilitate the analysis of the content being collected).

Two very important and almost universally overlooked points. First, analysts access (or accessed, at least until 2011) BRFISA data from the very same computer interface as they do EO 12333 data (see the screenshot above, which would date from before the end of 2011). Before a chaining session, they just enter what data repositories they want access to and are approved for, and their analysis will pull from all those repositories. Chaining off data from more than one repository is called a “federated” query. Second, the contact chains they got — at least as recently as 2011, anyway — also included data from both EO 12333 collection and Section 215 collection, mixed in together. Importantly, data with one end foreign will be redundant, collected under both EO 12333 and 215. Indeed, a training program from 2011 trained analysts to re-run BRFISA queries that could be replicated under EO 12333 so they could be shared more permissively. That said, a footnote (see footnote 13) in phone dragnet orders that has mostly remained redacted appears to impose the BRFISA handling rules on any data commingled with it, so this may limit (or may more recently have imposed new limits on) contact chaining between authorities.

As I noted, NSA shut down the automatic features on BRFISA data in 2009. But once data comes back in a query, it can be subjected to NSA’s “full range of analytical tradecraft,” as every phone dragnet order explains. Thus, while the majority of Americans who don’t come up in a query don’t get subjected to more intrusive analysis, if you’re 3 hops (now 2) from someone of interest, you can be — everything, indefinitely. I would expect that to include trolling all of NSA’s collected data to see if any of your other identifiable data comes up in interesting ways. That’s a ton of innocent people who get sucked into NSA’s maw and will continue to even after/if the phone dragnet moves to the providers.
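To make the two points above concrete (a federated query spanning repositories, the per-source tagging FISC required in 2009, and how the number of people swept in grows with the hop count), here is an added example that is not from the original post or from any NSA document. It builds a constructed call graph in which every record carries the authority it was collected under, runs a hop-limited contact chain restricted to whichever repositories the analyst selects, and reports which handling rules the result inherits. The identifiers, the record set, and the `handling_rules` summary are all hypothetical; the one call that appears under both tags stands in for the one-end-foreign redundancy described above.

```python
"""Hop-limited contact chaining over source-tagged, federated repositories.

Constructed illustration (not the post's or any agency's code): each record
is tagged with the authority it was collected under, so a chain can span
repositories while still reporting which handling rules attach to the result.
"""
from collections import defaultdict, deque

# Constructed records: (authority tag, party A, party B). Hypothetical identifiers.
# The seed<->F1 call appears twice: a call with one foreign end is collected
# redundantly under EO 12333 and under Section 215 (BRFISA).
RECORDS = [
    ("BRFISA",  "seed", "A"),
    ("BRFISA",  "seed", "F1"),
    ("EO12333", "seed", "F1"),
    ("BRFISA",  "A",    "B"),
    ("EO12333", "F1",   "F2"),
    ("BRFISA",  "B",    "C"),
    ("EO12333", "F2",   "F3"),
    ("BRFISA",  "C",    "D"),
]


def build_graph(records):
    """Undirected adjacency: node -> {neighbour: set of authority tags}.

    Keeping every tag on an edge (rather than collapsing the duplicate call)
    is what lets per-authority rules be applied to a mixed result."""
    graph = defaultdict(lambda: defaultdict(set))
    for tag, a, b in records:
        graph[a][b].add(tag)
        graph[b][a].add(tag)
    return graph


def contact_chain(records, seed, max_hops, repositories):
    """Breadth-first chain from `seed` out to `max_hops`, using only edges
    collected under one of the selected `repositories` (a federated query
    selects more than one).

    Returns (reached, tags_used): `reached` maps identifier -> hop distance
    (seed excluded); `tags_used` is the set of authority tags on every edge
    the chain actually used, which determines the handling rules."""
    graph = build_graph(records)
    reached = {}
    tags_used = set()
    queue = deque([(seed, 0)])
    seen = {seed}
    while queue:
        node, dist = queue.popleft()
        if dist == max_hops:
            continue
        for neighbour, tags in graph[node].items():
            allowed = tags & repositories
            if not allowed:
                continue  # the record exists, but not in a selected repository
            tags_used |= allowed
            if neighbour not in seen:
                seen.add(neighbour)
                reached[neighbour] = dist + 1
                queue.append((neighbour, dist + 1))
    return reached, tags_used


def handling_rules(tags_used):
    """Hypothetical summary of the rules the post describes: anything that
    touched BRFISA data needs a counterterrorism-purpose certification before
    dissemination and a First Amendment review of US person identifiers."""
    touched_brfisa = "BRFISA" in tags_used
    return {
        "ct_certification_required": touched_brfisa,
        "first_amendment_review_required": touched_brfisa,
    }


if __name__ == "__main__":
    both = {"BRFISA", "EO12333"}
    for hops in (2, 3):
        reached, tags = contact_chain(RECORDS, "seed", hops, both)
        print(f"federated, {hops} hops: {len(reached)} identifiers, "
              f"rules={handling_rules(tags)}")
    reached, tags = contact_chain(RECORDS, "seed", 2, {"EO12333"})
    print(f"EO 12333 only, 2 hops: {sorted(reached)} rules={handling_rules(tags)}")
```

Running it shows the effect of each knob in isolation: the same seed at 2 hops reaches 4 identifiers with the federated query but 6 at 3 hops, and restricting the same query to the EO 12333 repository alone drops both the BRFISA-only contacts and the BRFISA handling rules, which is exactly why re-running a query under the more permissive authority is attractive.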

DEA, International

As I said, the analogue to the program described by the USA Today, dubbed USTO, is not the Section 215 database, but instead the EO 12333 database (indeed, USAT describes that DEA included entirely foreign metadata in its database as well). The data in this program provided by domestic providers came under 21 USC 876 — basically the drug war equivalent of the Section 215 “tangible things” provision. A DEA declaration in the Shantia Hassanshahi case claims it only provides base metadata, but it doesn’t specify whether that includes or excludes location. As USAT describes (and as would have to be the case for Hassanshahi to be busted for sanctions violations using it, not to mention FBI’s success at stalling DOJ IG’s investigation into it), this database came to be used for other than counternarcotics purposes (note, this should have implications for EO 12333, which I’ll get back to). And, as USAT also described, like the NSA dragnet, the USTO also linked right into automatic analysis (and, I’m willing to bet good money, tracked multiple types of metadata). As USAT describes, DEA did far more queries of this database than of the Section 215 dragnet, but that’s not analogous; the proper comparison would be with NSA’s 12333 dragnet, and I would bet the numbers are at least comparable (if you can even count these automated chaining processes anymore). DEA says this database got shut down in 2013 and claims the data was purged. DEA also likely would like to sell you the Brooklyn Bridge real cheap.

DEA, Domestic

There’s also a domestic drug-specific dragnet, Hemisphere, that was first exposed by a NYT article. This is not actually a DEA database at all. Rather, it is a program under the drug czar that makes enhanced telecom data available for drug purposes, while the records appear to stay with the telecom.

This seems to have been evolving since 2007 (which may mark when telecoms stopped turning over domestic call records for a range of purposes). At one point, it pulled off multiple providers’ networks, but more recently it has pulled only off AT&T’s networks (which I suspect is increasingly what has happened with the Section 215 phone dragnet).

But the very important feature of Hemisphere — particularly as compared to its analogue, the Section 215 dragnet — is that the telecoms perform the same kind of analysis they would do for their own purposes. This includes using location data and matching burner phones (though this is surely one of the automated functions included in NSA’s EO 12333 dragnet and DEA’s USTO). Thus, by keeping the data at the telecoms, the government appears to be able to do more sophisticated kinds of analysis on domestic data, even if it does so by accessing fewer records.

That is surely the instructive motivation behind Obama’s decision to “let” NSA move data back to the telecoms. It’d like to achieve what it can under Hemisphere, but with data from all telecom providers rather than just AT&T.

CIA

At least as the NSA documents concerning ICREACH tell it, CIA and DEA jointly developed a sharing platform called PROTON that surely overlaps with USTO in significant ways. But PROTON appeared to reside with CIA (and FBI and NSA were late additions to the PROTON sharing). PROTON included CIA specific metadata (that is, not telecommunications metadata but rather metadata tracking their own HUMINT). But in 2006 (these things all started to change around that time), NSA made a bid to become the premiere partner here with ICREACH, supporting more types of metadata and sharing it with international partners.

So we don’t know what CIA’s own dragnet looks like, just that it has one, one not bound to just telecommunications.

In addition, CIA has a foreign intelligence equivalent of Hemisphere, where it pays AT&T to “voluntarily” hand over data that is at least one-end foreign (and masks the US side unless the record gets referred to FBI).

Finally, CIA can “upload or transfer some or all” of the metadata that it pulls off of raw PRISM data received under 702 into its other databases. While this has to be targeted off a foreign target, that surely includes a lot of US person data, and metadata including Internet based calls, photos, as well as emails. CIA does a lot of metadata queries for other entities (other IC agencies? foreign partners? who knows!), and they don’t count it, so they are clearly doing a lot of it.

FBI

As far as we know, FBI does not have a true “bulk” dragnet, sucking up all the phone or Internet records for the US or foreign switches. But it surely has fairly massive metadata repositories itself.

Until 2006, it did, however, have something almost identical to what we understand Hemisphere to be: all the major telecoms, sitting onsite, ready to do sophisticated analysis of numbers offered up on a post-it note, with legal process to follow (maybe) if anything nifty got turned over. Under this program, AT&T offered some bells and whistles, including “communities of interest” that included at least one hop. That all started to get moved offsite in 2006, when DOJ’s IG pointed out that it didn’t comply with the law, but all the telecoms originally contracted (AT&T and the companies that now comprise Verizon, at least) remained on contract to provide those services, albeit offsite, for a few years. In 2009, one of the telecoms (which is likely part or all of Verizon) pulled out, meaning it no longer has a contract to provide records in response to NSLs and other process in the form the FBI pays it to.

FBI also would have a database of the records it has collected using NSLs and subpoenas (I’ll go look up the name shortly), going back decades. Plus, FBI, like CIA, can “upload or transfer some or all” of the metadata that it pulls off of raw PRISM data received under 702. So FBI has its own bulky database, but all of the data in it should have come in in relatively intentional if not targeted fashion. What FBI does have should date back much longer than NSA’s Section 215 database (30 years for national security data) and, under the new Section 309 restrictions on EO 12333 data, even NSA’s larger dragnet. On top of that, AT&T still provides 7 bells and whistles that are secret and that go beyond a plain language definition of what they should turn over in response to an NSL under ECPA (which probably parallel what we see going on in Hemisphere). In its Section 215 report, PCLOB was quite clear that FBI almost always got the information that could have come out of the Section 215 dragnet via NSLs and its other authorities, so it seems to be doing quite well obtaining what it needs without collecting all the data everywhere, though there are abundant reasons to worry that the control functions in FBI’s bulky databases are craptastic compared to what NSA must follow.

CISA Hack of the Day: White House Can Already Share Intelligence with the State Department

In about 10 days, Congress will take up cyber information sharing bills. And unlike past attempts, these bills are likely to pass.

That, in spite of the fact that no one has yet explained how they’ll make a significant difference in preventing hacks.

So I’m going to try to examine roughly one hack a day that immunized, swift information sharing between the government and the private sector wouldn’t prevent.

Yesterday, for example, CNN reported that Russia had hacked “sensitive parts” (read, unclassified) of the White House email system.

While the White House has said the breach only affected an unclassified system, that description belies the seriousness of the intrusion. The hackers had access to sensitive information such as real-time non-public details of the president’s schedule. While such information is not classified, it is still highly sensitive and prized by foreign intelligence agencies, U.S. officials say.

The White House in October said it noticed suspicious activity in the unclassified network that serves the executive office of the president. The system has been shut down periodically to allow for security upgrades.

The FBI, Secret Service and U.S. intelligence agencies are all involved in investigating the breach, which they consider among the most sophisticated attacks ever launched against U.S. government systems. ​The intrusion was routed through computers around the world, as hackers often do to hide their tracks, but investigators found tell-tale codes and other markers that they believe point to hackers working for the Russian government.

The hackers — whether they really are Russian government operatives or not — managed the hack by first hacking the State Department and then phishing an account at the White House using a State email.

To get to the White House, the hackers first broke into the State Department, investigators believe.

The State Department computer system has been bedeviled by signs that despite efforts to lock them out, the Russian hackers have been able to reenter the system. One official says the Russian hackers have “owned” the State Department system for months and it is not clear the hackers have been fully eradicated from the system.

As in many hacks, investigators believe the White House intrusion began with a phishing email that was launched using a State Department email account that the hackers had taken over, according to the U.S. officials.

In other words, the hackers breached the White House by first hacking State — a hack that was well known to the government — and then duping some schmoe at the White House to compromise their email.

Now, unless things have gone really haywire in the government, nothing prevents the State Department from sharing information with the White House. Indeed, NSA and DHS should have an active role in both hacks. Nor would anything prevent NSA from sharing information on the proxy computers used by the hackers. And if NSA can’t find those, we have other problems.

Finally, there’s little a private company could tell the White House to get its schmoes to be a bit more cautious about the email they get (though I suspect in both State and the White House, it is hard to balance responsiveness with adequate skepticism to odd emails).

In other words, CISA would do nothing to prevent this hack of the White House. But nevertheless, Congress is going to rush through this bill without fixing other more basic vulnerabilities.

Section 215’s Multiple Programs and Where They Might Hide after June 1

In a column explicitly limited to the phone dragnet, Conor Friedersdorf pointed to a post I wrote about Section 215 generally and suggested I thought the phone dragnet was about to get hidden under a new authority.

Marcy Wheeler is suspicious that the Obama Administration is planning to continue the dragnet under different authorities.

But my post was about more than just the phone dragnet. It was about two things: First, the way that, rather than go “cold turkey” after it ended the Internet dragnet in 2011 as the AP had claimed, NSA had instead already started doing the same kind of collection using other authorities that — while they didn’t collect all US traffic — had more permissive rules for the tracking they were doing. That’s an instructive narrative for the phone dragnet amid discussions it might lapse, because it’s quite possible that the Intelligence Community will move to doing far less controlled tracking, albeit on fewer Americans, under a new approach.

In addition, I noted that there are already signs that the IC is doing what Keith Alexander said he could live with a year ago: ending the phone dragnet in exchange for cybersecurity information sharing. I raised that in light of increasing evidence that the majority of Section 215 orders are used for things related to cybersecurity (though possibly obtained by FBI, not NSA). If that’s correct, Alexander’s comment would make sense, because it would reflect that it is working cybersecurity investigations under protections — most notably, FISC-supervised minimization — all involved would rather get rid of.

Those two strands are important, taken together, for the debate about Section 215 expiration, because Section 215 is far more than the dragnet. And the singular focus of everyone — from the press to activists and definitely fostered by NatSec types leaking — on the phone dragnet as Section 215 sunset approaches makes it more likely the government will pull off some kind of shell game, moving the surveillances they care most about (that is, not the phone dragnet) under some new shell while using other authorities to accomplish what they need to sustain some kind of phone contact and connection chaining.

So in an effort to bring more nuance to the debate about Section 215 sunset, here is my best guess — and it is a guess — about what they’re doing with Section 215 and what other authorities they might be able to use to do the same collection.

Here are the known numbers on how Section 215 orders break out based on annual reports and this timeline.

215 Tracker

The Phone Dragnet

Since its transfer under Section 215 in 2006, the phone dragnet has generally made up 4 or 5 orders a year (Reggie Walton imposed shorter renewal periods in 2009 as he was working through the problems in the program). 2009 is the one known year where many of the modified orders — which generally involve imposed minimization procedures — were phone dragnet orders.

We know that the government believes that if Section 215 were to sunset, it would still have authority to do the dragnet. Indeed, it not only has a still-active Jack Goldsmith memo from 2004 saying it can do the dragnet without any law, it sort of waved it around just before the USA Freedom Act debate last year as if to remind those paying attention that they didn’t necessarily think they needed USAF (in spite of comments from people like Bob Litt that they do need a new law to do what they’d like to do).

But that depends on telecoms being willing to turn over the dragnet data voluntarily. While we have every reason to believe AT&T does that, the government’s inability to obligate Verizon to turn over phone records in the form it wants them is probably part of the explanation for claims the current dragnet is not getting all the cell records of Americans.

A number of people — including, in part, Ron Wyden and other SSCI skeptics in a letter written last June — think the government could use FISA’s PRTT authority (which does not sunset) to replace Section 215, and while they certainly could get phone records using it, if they could use PRTT to get what it wants, they probably would have been doing so going back to 2006. (The difference in authority is that PRTT gets actual activity as it is placed, whereas 215 can only get records maintained — and Verizon isn’t maintaining the records the government would like it to — and PRTT could not get 2 hops.)

For calls based off a foreign RAS, the government could use PRISM to obtain the data, with the added benefit that using PRISM would include all the smart phone data — things like address books, video messaging, and location — that the government surely increasingly relies on. Using PRISM to collect Internet metadata is one of two ways the government replaced the PRTT Internet dragnet. The government couldn’t get 2 hops and couldn’t chain off of Americans, however.

I also suspect that telecoms’ embrace of supercookies may provide other options to get the smart phone data they’re probably increasingly interested in.

For data collected offshore, the government could use SPCMA, the other authority the government appears to have replaced the PRTT Internet dragnet with. We know that at least one of the location data programs NSA has tested out works with SPCMA, so that would offer the benefit of including location data in the dragnet. If cell phone location data is what has prevented the government from doing what they want to do with the existing phone dragnet, SPCMA’s ability to incorporate location would be a real plus for NSA, to the extent that this data is available (and cell phone likely has more offshore availability than land line).

The government could obtain individualized data using NSLs — and it continues to get not just “community of interest” (that is, at least one hop) from AT&T, but also 7 other things that go beyond ECPA that FBI doesn’t want us to know about. But using NSLs may suffer from a similar problem to the current dragnet, that providers only have to provide as much as ECPA requires. Thus, there, too, other providers are probably unwilling to provide as much data as AT&T.

Telecoms might be willing to provide data the government is currently getting under 215 under CISA instead, and CISA collection won’t be tied in any way to ECPA definitions, though its application is a different topic, cybersecurity (plus leaks and IP theft) rather than terrorism. So one question I have is whether, because of the immunity and extended secrecy provisions of CISA, telecoms would be willing to stretch that.

Other Dragnets

In addition to the phone dragnet, FBI and other IC agencies seem to operate other dragnets under Section 215. It’s probably a decent guess that the 8-13 other 215 orders prior to 2009 were for such things. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year. Other items discussed involve hotel dragnets and explosives precursor dragnets, the latter of which would have been expanded after the 2009 Najibullah Zazi investigation. In other words, there might be up to 5 dragnets, each representing 4-5 orders a year (assuming they work on the same 90-day renewal cycle), so a total of around 22 of the roughly 175 orders a year that aren’t the phone dragnet (the higher numbers for 2006 are known to be combination orders both obtaining subscription data for PRTT orders and location data with a PRTT order; those uses stopped in part with the passage of PATRIOT reauthorization in 2006 and in part with FISC’s response to magistrate rulings on location data from that year).

Some of these dragnets could be obtained, in more limited fashion, with NSLs (NSLs currently require reporting on how many US persons are targeted, so we will know if they move larger dragnets to NSLs). Alternately, the FBI may be willing to do these under grand jury subpoenas or other orders, given the way they admitted they had done a Macy’s Frago Elite pressure cooker dragnet after the Boston Marathon attack. The three biggest restrictions on this usage would be timeliness (some NSLs might not be quick enough), the need to have a grand jury involved for some subpoenas, and data retention, but those are all probably manageable hurdles.

The Internet content

Finally, there is the Internet content — which we know makes up for a majority of Section 215 orders — that moved to that production from NSLs starting in 2009. It’s probably a conservative bet that over 100 of current dragnet orders are for this kind of content. And we know the modification numbers for 2009 through 2011 — and therefore, probably still — are tied to minimization procedure requirements imposed by the FISC.

A recent court document from a Nicholas Merrill lawsuit suggests this production likely includes URL and data flow requests. And the FBI has recently claimed — for what that’s worth — that they rely on Section 215 for cybersecurity investigations.

Now, for some reason, the government has always declined to revise ECPA to restore their ability to use NSLs to obtain this collection, which I suspect is because they don’t want the public to know how extensive the collection is (which is why they’re still gagging Merrill, 11 years after he got an NSL).

But the data here strongly suggests that going from NSL production to Section 215 production has not only involved more cumbersome application processes, but also added a minimization requirement.

And I guarantee you, FBI or NSA or whoever is doing this must hate that new requirement. Under NSLs, they could just hoard data, as we know both love to do, the FBI even more so than the NSA. Under 215s, judges made them minimize it.

As I noted above, this is why I think Keith Alexander was willing to do a CISA-for-215 swap. While CISA would require weak-sauce Attorney General-derived “privacy guidelines,” those would almost certainly be more lenient than what FISC orders, and wouldn’t come with a reporting requirement. Moreover, whereas at least for the phone dragnet, FISC has imposed very strict usage requirements (demanding that a counterterrorism dragnet be used only for counterterrorism purposes), CISA has unbelievably broad application once that data gets collected — not even requiring that terrorist usages be tied to international terrorism, which would seem to be a violation of the Keith Supreme Court precedent.

All of this is to suggest that for cybersecurity, IP theft, and leak investigations, CISA would offer FBI their ideal collection approach. It would certainly make sense that Alexander (or now, Admiral Mike Rogers and Jim Comey) would be willing to swap a phone dragnet whose paltry results they could largely achieve using other authorities, if in exchange they got to access cybersecurity data in a far, far more permissive way. That’d be a no-brainer.

There’s just one limitation on this formula, potentially a big one. CISA does not include any obligation. Providers may share data, but there is nothing in the bill to obligate them to do so. And to the extent that providers no longer provide this data under NSLs, it suggests they may have fought such a permissive obligation in the past. It would seem that those same providers would be unwilling to share it willingly.

But my thoughts on CISA’s voluntary nature are for another post.

One final thought. If the government is contemplating some or all of this, then it represents an effort — one we saw in all versions of dragnet reform to greater (RuppRoge) or lesser degrees (USAF) — to bypass FISC. The government and its overseers clearly seem to think FISC-ordered minimization procedures are too restrictive, and so are increasingly (and have been, since 2009) attempting to replace the role played by an utterly dysfunctional secret court with one entirely within the Executive.

This is the reason why Section 215 sunset can’t be treated in a vacuum: because, to the extent that the government could do this in other authorities, it would largely involve bypassing what few restrictions exist on this spying. Sunsetting Section 215 would be great, but only if we could at the same time prevent the government from doing similar work with even fewer controls.