NSA Bids to Expand Spying in Guise of “Fixing” Phone Dragnet

/8 Comments/in , , /by

Dutch Ruppersberger has provided Siobhan Gorman with details of his plan to “fix” the dragnet — including repeating the laughable claim that the “dragnet” (which she again doesn’t distinguish as solely the Section 215 data that makes up a small part of the larger dragnet) doesn’t include cell data.

Only, predictably, it’s not a “fix” of the phone dragnet at all, except insofar as NSA appears to be bidding to use it to do all the things they want to do with domestic dragnets but haven’t been able to do legally. Rather, it appears to be an attempt to outsource to telecoms some of the things the NSA hasn’t been able to do legally since 2009.

For example, there’s the alert system that Reggie Walton shut down in 2009.

As I reported back in February, the NSA reportedly has never succeeded in replacing that alert system, either for technical or legal reasons or both.

NSA reportedly can’t get its automated chaining program to work. In the motion to amend, footnote 12 — which modifies part of some entirely redacted paragraphs describing its new automated alert approved back in 2012 — reads:

The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes. Accordingly, this amendment to the Primary Order authorizes the use of this automated query process for development and testing purposes only. No query results from such testing shall be made available for analytic purposes. Use of this automated query process for analytical purposes requires further order of this Court.

PCLOB describes this automated alert this way.

In 2012, the FISA court approved a new and automated method of performing queries, one that is associated with a new infrastructure implemented by the NSA to process its calling records.68 The essence of this new process is that, instead of waiting for individual analysts to perform manual queries of particular selection terms that have been RAS approved, the NSA’s database periodically performs queries on all RAS-approved seed terms, up to three hops away from the approved seeds. The database places the results of these queries together in a repository called the “corporate store.”

It has been 15 months since FISC approved this alert, but NSA still can’t get it working.

I suspect this is the root of the stories claiming NSA can only access 30% of US phone records.

As described by WSJ, this automated system will be built into the orders NSA provides telecoms; once a selector has been provided to the telecoms, they will keep automatically alerting on it.

Under the new bill, a phone company would search its databases for a phone number under an individual “directive” it would receive from the government. It would send the NSA a list of numbers called from that phone number, and possibly lists of phone numbers those numbers had called. A directive also could order a phone company to search its database for such calls as future records come in. [my emphasis]

This would, presumably, mean NSA still ends up with a corporate store, a collection of people against whom the NSA has absolutely not a shred of non-contact evidence, against whom they can use all their analytical toys, including searching of content.

Note, too, that this program uses the word “directive,” not query. Directive comes from the PRISM program, where the NSA gives providers generalized descriptions and from there have broad leeway to add new selectors. Until I hear differently, I’ll assume the same is true here: that this actually involves less individualized review before engaging in 2 degrees of Osama bin Laden.

The legislation seems ripe for inclusion of querying of Internet data (another area where the NSA could never do what it wanted to legally after 2009), given that it ties this program to “banning” (US collection of, but Gorman doesn’t say that either, maintaining her consistency in totally ignoring that EO 12333 collection makes up the greater part of bulk programs) Internet bulk data collection.

The bill from Intelligence Committee Chairman Mike Rogers (R., Mich.) and his Democratic counterpart, Rep. C.A. “Dutch” Ruppersberger (D., Md.), would ban so-called bulk collection of phone, email and Internet records by the government, according to congressional aides familiar with the negotiations. [my emphasis]

Call me crazy, but I’m betting there’s a way they’ll spin this to add in Internet chaining with this “fix.”

Note, too, Gorman makes no mention of location data, in spite of having tied that to her claims that NSA only collects 20% of data. Particularly given that AT&T’s Hemisphere program provides location data, we should assume this program could too, which would present a very broad expansion on the status quo.

And finally, note that neither the passage I quoted above on directives to providers, nor this passage specifies what kind of investigations this would be tied to (though they are honest that they want to do away with the fig leaf of this being tied to investigations at all).

The House intelligence committee bill doesn’t require a request be part of an ongoing investigation, Mr. Ruppersberger said, because intelligence probes aim to uncover what should be investigated, not what already is under investigation.

Again, the word “directive” in the PRISM context also provides the government the ability to secretly pass new areas of queries — having expanded at least from counterterrorism to counterproliferation and cybersecurity uses. So absent some very restrictive language, I would assume that’s what would happen here: NSA would pass it in the name of terrorism, but then use it primarily for cybersecurity and counterintelligence, which the NSA considers bigger threats these days.

And that last suspicion? That’s precisely what Keith Alexander said he planned to do with this “fix,” presumably during the period when he was crafting this “fix” with NSA’s local Congressman: throw civil libertarians a sop but getting instead an expansion of his cybersecurity authorities.

Update: Here’s Spencer on HPSCI, confirming it’s as shitty as I expected.

And here’s Charlie Savage on Obama’s alternative.

It would:

  • Keep Section 215 in place, though perhaps with limits on whether it can be used in this narrow application
  • Enact the same alert-based system and feed into the corporate store, just as the HPSCI proposal would
  • Include judicial review like they have now (presumably including automatic approval for FISA targets)

Obama’s is far better than HPSCI (though this seems to be part of a bad cop-good cop plan, and the devil remains in the details). But there are still some very serious concerns.

How the NSA Deals with a Threat to Its Backbone Hegemony

/8 Comments/in , /by

I have talked before about the importance of US’ dominant role in global telecom infrastructure in our hegemonic position.

US hegemony rests on a lot of things: the dollar exchange, our superlative military, our ideological lip service to democracy and human rights.

But for the moment, it also rests on the globalized communication system in which we have a huge competitive advantage. That is, one reason we are the world’s hegemon is because the rest of the world communicates through us — literally, in terms of telecommunications infrastructure, linguistically, in English, and in terms of telecommunications governance.

Which is why these stories (NYT, Spiegel’s short version, to be followed by a longer one Monday) about NSA’s targeting of Huawei are so interesting. Der Spiegel lays out the threat Huawei poses to US hegemony.

“We currently have good access and so much data that we don’t know what to do with it,” states one internal document. As justification for targeting the company, an NSA document claims that “many of our targets communicate over Huawei produced products, we want to make sure that we know how to exploit these products.” The agency also states concern that “Huawei’s widespread infrastructure will provide the PRC (People’s Republic of China) with SIGINT capabilities.” SIGINT is agency jargon for signals intelligence. The documents do not state whether the agency found information indicating that to be the case.

The operation was conducted with the involvement of the White House intelligence coordinator and the FBI. One document states that the threat posed by Huawei is “unique”.

The agency also stated in a document that “the intelligence community structures are not suited for handling issues that combine economic, counterintelligence, military influence and telecommunications infrastructure from one entity.”

Fears of Chinese Influence on the Net

The agency notes that understanding how the firm operates will pay dividends in the future. In the past, the network infrastructure business has been dominated by Western firms, but the Chinese are working to make American and Western firms “less relevant”. That Chinese push is beginning to open up technology standards that were long determined by US companies, and China is controlling an increasing amount of the flow of information on the net. [my emphasis]

And the NSA document the NYT included makes this threat clear.

There is also concern that Huawei’s widespread infrastructure will provide the PRC with SIGINT capabilities and enable them to perform denial of service type attacks.

Now, for what it’s worth, the NYT story feels like a limited hangout — an attempt to pre-empt what Spiegel will say on Monday, and also include a bunch of details on NSA spying on legitimate Chinese targets so the chattering class can talk about how Snowden is a tool of Chinese and Russian spies. (Note, the NYT story relies on interviews with a “half dozen” current and former officials for much of the information on legitimate Chinese targets here, a point noted by approximately none of the people complaining.)

But the articles make it clear that 3 years after they started this targeted program, SHOTGIANT, and at least a year after they gained access to the emails of Huawei’s CEO and Chair, NSA still had no evidence that Huawei is just a tool of the People’s Liberation Army, as the US government had been claiming before and since. Perhaps they’ve found evidence in the interim, but they hadn’t as recently as 2010.

Nevertheless the NSA still managed to steal Huawei’s source code. Not just so it could more easily spy on people who exclusively use Huawei’s networks. But also, it seems clear, in an attempt to prevent Huawei from winning even more business away from Cisco.

I suspect we’ll learn far more on Monday. But for now, we know that even the White House got involved in an operation targeting a company that threatens our hegemony on telecom backbones.

In Nomination Hearing, DIRNSA Nominee Mike Rogers Continues James Clapper and Keith Alexander’s Obfuscation about Back Door Searches

/12 Comments/in , , , /by

Yesterday, the Senate Armed Services Committee held a hearing for Vice Admiral Mike Rogers to serve as head of Cyber Command (see this story from Spencer about how Rogers’ confirmation as Cyber Command chief serves as proxy for his role as Director of National Security Agency because the latter does not require Senate approval).

Many of the questions were about Cyber Command (which was, after all, the topic of the hearing), but a few Senators asked questions about the dragnet that affects us all.

In one of those exchanges — with Mark Udall — Rogers made it clear that he intends to continue to hide the answers to very basic questions about how NSA conducts warrantless surveillance of Americans, such as whether the NSA conducts back door searches on American people.

Udall: If I might, in looking ahead, I want to turn to the 702 program and ask a policy question about the authorities under Section 702 that’s written into the FISA Amendments Act. The Committee asked your understanding of the legal rationale for NASA [sic] to search through data acquired under Section 702 using US person identifiers without probable cause. You replied the NASA–the NSA’s court approved procedures only permit searches of this lawfully acquired data using US person identifiers for valid foreign intelligence purposes and under the oversight of the Justice Department and the DNI. The statute’s written to anticipate the incidental collection of Americans’ communications in the course of collecting the communications of foreigners reasonably believed to be located overseas. But the focus of that collection is clearly intended to be foreigners’ communications, not Americans. But declassified court documents show that in 2011 the NSA sought and obtained the authority to go through communications collected under Section 702 and conduct warrantless searches for the communications of specific Americans. Now, my question is simple. Have any of those searches been conducted?

Rogers: I apologize Sir, I’m not in a position to answer that as the nominee.

Udall: You–yes.

Rogers: But if you would like me to come back to you in the future if confirmed to be able to specifically address that question I will be glad to do so, Sir.

Udall: Let me follow up on that. You may recall that Director Clapper was asked this question in a hearing earlier this year and he didn’t believe that an open forum was the appropriate setting in which to discuss these issues. The problem that I have, Senator Wyden’s had, and others is that we’ve tried in various ways to get an unclassified answer — simple answer, yes or no — to the question. We want to have an answer because it relates — the answer does — to Americans’ privacy. Can you commit to answering the question before the Committee votes on your nomination?

Rogers: Sir, I believe that one of my challenges as the Director, if confirmed, is how do we engage the American people — and by extension their representatives — in a dialogue in which they have a level of comfort as to what we are doing and why. That is no insignificant challenge for those of us with an intelligence background, to be honest. But I believe that one of the takeaways from the situation over the last few months has been as an intelligence professional, as a senior intelligence leader, I have to be capable of communicating in a way that we are doing and why to the greatest extent possible. That perhaps the compromise is, if it comes to the how we do things, and the specifics, those are perhaps best addressed in classified sessions, but that one of my challenges is I have to be able to speak in broad terms in a way that most people can understand. And I look forward to that challenge.

Udall: I’m going to continue asking that question and I look forward to working with you to rebuild the confidence. [my emphasis]

The answer to the question Rogers refused to answer is clearly yes. We know that’s true because the answer is always yes when Wyden, and now Udall, ask such questions.

But we also know the answer is yes because declassified parts of last August’s Semiannual Section 702 Compliance Report state clearly that oversight teams have reviewed the use of this provision, which means there’s something to review.

As reported in the last semiannual assessment, NSA minimization procedures now permit NSA to query its databases containing telephony and non-upstream electronic communications using United States person identifiers in a manner designed to find foreign intelligence information. Similarly, CIA’s minimization procedures have been modified to make explicit that CIA may also query its databases using United States person identifiers to yield foreign intelligence information. As discussed above in the descriptions of the joint oversight team’s efforts at each agency, the joint oversight team conducts reviews of each agency’s use of its ability to query using United States person identifiers. To date, this review has not identified any incidents of noncompliance with respect to the use of United States person identifiers; as discussed in Section 4, the agencies’ internal oversight programs have, however, identified isolated instances in which Section 702 queries were inadvertently conducted using United States person identifiers. [my emphasis]

It even obliquely suggests there have been “inadvertent” violations, though this seems to entail back door searches on US person identifiers without realizing they were US person identifiers, not violations of the procedures for using back door searches on identifiers known to be US person identifiers.

Still, it is an unclassified fact that NSA uses these back door searches.

Yet the nominee to head the NSA refuses to answer a question on whether or not NSA uses these back door searches.

And it’s not just in response to this very basic question that Rogers channeled the dishonest approach of James Clapper and Keith Alexander.

As Udall alluded, at the end of a long series of questions about Cyber Command, the committee asked a series of questions about back door searches and other dragnet issues. They asked (see pages 42-43):

  • Whether NSA can conduct back door searches on data acquired under EO 12333 and if so under what legal rationale
  • Whether NSA can conduct back door searches on data acquired pursuant to traditional FISA and if so under what legal rationale
  • What the legal rationale is for back door searches on data acquired under FISA Amendments Act
  • What the legal rationale is for searches on the Section 215 query results in the “corporate store”

I believe every single one of Rogers’ answers — save perhaps the question on traditional FISA — involves some level of obfuscation. (See this post for further background on what NSA’s Raj De and ODNI’s Robert Litt have admitted about back door searches.)

Consider his answer on searches of the “corporate store” as one example.

What is your understanding of the legal rationale for searching through the “Corporate Store” of metadata acquired under section 215 using U.S. Persons identifiers for foreign intelligence purposes?

The section 215 program is specifically authorized by orders issued by the Foreign Intelligence Surveillance Court pursuant to relevant statutory requirements. (Note: the legality of the program has been reviewed and approved by more than a dozen FISC judges on over 35 occasions since 2006.) As further required by statute, the program is also governed by minimization procedures adopted by the Attorney General an d approved by the FISC. Those orders, and the accompanying minimization procedures, require that searches of data under the program may only be performed when there is a Reasonable Articulable Suspicion that the identifier to be queried is associated with a terrorist organization specified in the Court’s order.

Remember, not only do declassified Primary Orders make it clear NSA doesn’t need Reasonable Articulable Suspicion to search the corporate store, but PCLOB has explained the possible breadth of “corporate store” searches plainly.

According to the FISA court’s orders, records that have been moved into the corporate store may be searched by authorized personnel “for valid foreign intelligence purposes, without the requirement that those searches use only RAS-approved selection terms.”71 Analysts therefore can query the records in the corporate store with terms that are not reasonably suspected of association with terrorism. They also are permitted to analyze records in the corporate store through means other than individual contact-chaining queries that begin with a single selection term: because the records in the corporate store all stem from RAS-approved queries, the agency is allowed to apply other analytic methods and techniques to the query results.72 For instance, such calling records may be integrated with data acquired under other authorities for further analysis. The FISA court’s orders expressly state that the NSA may apply “the full range” of signals intelligence analytic tradecraft to the calling records that are responsive to a query, which includes every record in the corporate store.73

There is no debate over whether NSA can conduct back door searches in the “corporate store” because both FISC and PCLOB say they can.

Which is probably why SASC did not ask whether this was possible — it is an unclassified fact that it is — but rather what the legal rationale for doing so is.

And Rogers chose to answer this way:

  1. By asserting that the phone dragnet must comply with statutory requirements
  2. By repeating tired boilerplate about how many judges have approved this program (ignoring that almost all of these approvals came before FISC wrote its first legal opinion on the program)
  3. By pointing to AG-approved minimization procedures (note–it’s not actually clear that NSA’s — as distinct from FBI’s — dragnet specific procedures are AG-approved, though the more general USSID 18 ones are)
  4. By claiming FISA orders and minimization procedures “require that searches of data under the program may only be performed when there is a Reasonable Articulable Suspicion that the identifier to be queried is associated with a terrorist organization”

The last part of this answer is either downright ignorant (though I find that unlikely given how closely nominee responses get vetted) or plainly non-responsive. The question was not about queries of the dragnet itself — the “collection store” of all the data. The question was about the “corporate store” — the database of query results based off those RAS approved identifiers. And, as I said, there is no dispute that searches of the corporate store do not require RAS approval. In fact, the FISC orders Rogers points to say as much explicitly.

And yet the man Obama has picked to replace Keith Alexander, who has so badly discredited the Agency with his parade of lies, refused to answer that question directly. Much less explain the legal rationale used to conduct RAS-free searches on phone query results showing 3rd degree connections to someone who might have ties to terrorist groups, which is what the question was.

Which, I suppose, tells us all we need to know about whether anyone plans to improve the credibility or transparency of the NSA.

2008’s New and Improved EO 12333: Sharing SIGINT

/17 Comments/in , , /by

As part of my ongoing focus on Executive Order 12333, I’ve been reviewing how the Bush Administration changed the EO when, shortly after the passage of the FISA Amendments Act, on July 30, 2008, they rolled out a new version of the order, with little consultation with Congress. Here’s the original version Ronald Reagan issued in 1981, here’s the EO making the changes, here’s how the new and improved version from 2008 reads with the changes.

While the most significant changes in the EO were — and were billed to be — the elaboration of the increased role for the Director of National Intelligence (who was then revolving door Booz executive Mike McConnell), there are actually several changes that affected NSA.

Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.

The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,

In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.

In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.

Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.

In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.

And a more subtle change goes even further. Section 2.5 of the EO delegates authority to the AG to “approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes.” In both the original and the revised EO, that delegation must be done within the scope of FISA (or FISA as amended, in the revision). But in 1981, FISA surveillance had to be “conducted in accordance with that Act [FISA], as well as this Order,” meaning that the limits on US person collection and dissemination from the EO applied, on top of any limits imposed by FISA. The 2008 EO dropped the last clause, meaning that such surveillance only has to comply with FISA, and not with other limits in the EO.

That’s significant because there are at least three things built into known FISA minimization procedures — the retention of US person data to protect property as well as life and body, the indefinite retention of encrypted communications, and the broader retention of “technical data base information” — that does not appear to be permitted under the EO’s more general guidelines but, with this provision, would be permitted (and, absent Edward Snowden, would also be hidden from public view in minimization procedures no one would ever get to see).

Read more

Keith Alexander’s One Step Solution

/4 Comments/in , /by

Keith Alexander is testifying before the Senate Armed Services Committee, ostensibly about CyberCommand.

He has gotten a number of questions about the solutions they’ve offered the President to resolve the phone dragnet issue. He responded it would be possible to keep the data with the telecoms.

Then, in response to a Cyber question, Alexander said the problem is that the NSA can’t share classified information about malicious code with industry, because if it does so in a non-classified setting, attackers will learn how NSA obtained the information. (There’s a lot that’s problematic with that claim, but just ignore all that for now.)

So we need legislation that allows NSA to share classified information back and forth with industry.

He then returned to the phone dragnet. He suggested that the industry retention solution would require legislation allowing NSA to share terrorist identifiers with industry. (Note, this premise is absolutely absurd, as DEA apparently has no problem with sharing drug target identifiers with AT&T in the Hemisphere program in an explicitly unclassified program.)

Finally, he said this legislation — allowing the NSA to share classified identifiers with industry — would serve as the precedent for the Cyber legislation he has long sought but not obtained legislatively.

In other words, on his way out the door, Keith Alexander is now sacrificing his beloved phone dragnet to get cyber legislation in the guise of something else.

How to Avoid Rubber-Stamping another Drone Execution: Leave

/15 Comments/in , /by

NPR’s Carrie Johnson reports that OLC head Virginia Seitz quietly left OLC before Christmas.

Virginia Seitz, who won Senate confirmation after an earlier candidate under president Obama foundered, resigned from federal service after two-and-a-half years on the job. The timing is unusual because her unit plays a critical role in drawing the legal boundaries of executive branch action —at a time when President Obama says he will do more to bypass a divided Congress and do more governing by way of executive order.

And while DOJ’s official line is that Seitz left entirely for personal reasons, two sources told Johnson the ongoing discussions about whether to drone kill another American were another factor.

Two other sources suggested that aside from the tough work, another issue weighed heavily on her mind over the last several months: the question of whether and when the US can target its own citizens overseas with a weaponized drone or missile attack. American officials are considering such a strike against at least one citizen linked to al Qaeda, the sources said.

While a “law enforcement” source (but wait! the entire point of drone assassinations is they replace law enforcement with intelligence entirely!) suggests the decision has not yet been made.

A law enforcement source told NPR the controversy over the use of drones against Americans in foreign lands did not play a major role in Seitz’s decision to leave government, since the OLC is continuing to do legal analysis on the issue and there was no firm conclusion to which she may have objected or disagreed.

Which is sort of funny, because Kimberly Dozier’s report on the American in question says DOD, at least, has made its decision.

But one U.S. official said the Defense Department was divided over whether the man is dangerous enough to merit the potential domestic fallout of killing an American without charging him with a crime or trying him, and the potential international fallout of such an operation in a country that has been resistant to U.S. action.

Another of the U.S. officials said the Pentagon did ultimately decide to recommend lethal action.

And remember, as I’ve pointed out, this potential drone execution target is differently situated from Anwar al-Awlaki, in that there appears to be no claim this one is targeting civilians in the US.

But let’s take a step back and consider some other interesting details of timing.

First, on November 29 of last year, Ron Wyden, Mark Udall, and Martin Heinrich released a letter they sent to Eric Holder asking for more clarity on when the President could kill an American.

[W]e have concluded that the limits and boundaries of the President’s power to authorize the deliberate killing of Americans need to be laid out with much greater specificity. It is extremely important for both Congress and the public to have a fully understanding of what the executive branch thinks the President’s authorities are, so that lawmakers and the American people can decide whether these authorities are subject to adequate limits and safeguards.

Retrospectively, it seems this letter may have pertained to this new execution target, particularly given the different circumstances regarding his alleged attacks against the US. I might even imagine this serving as a public demand that DOJ not simply rely on the existing Awlaki drone assassination memo, creating the need to do a new one.

Now consider how (currently acting OLC head) Caroline Krass’ confirmation hearing plays in. On December 17, Wyden asked her who had the authority to withdraw an OLC opinion (the opinion in question pertains to common commercial services in some way related to cybersecurity, but I find it interesting in retrospect).

Wyden: But I want to make sure nobody else ever relies on that particular opinion and I’m concerned that a different attorney could take a different view and argue that the opinion is still legally valid because it’s not been withdrawn. Now, we have tried to get Attorney General Holder to withdraw it, and I’m trying to figure out — he has not answered our letters — who at the Justice Department has the authority to withdraw the opinion. Do you currently have the authority to withdraw the opinion?

Krass: No I do not currently have that authority.

Wyden: Okay. Who does, at the Justice Department?

Krass: Well, for an OLC opinion to be withdrawn, on OLC’s own initiative or on the initiative of the Attorney General would be extremely unusual.

She said she did not “currently have that authority.” Was she about to get that authority in days or hours?

Then finally there are the implications for Krass’ confirmation. The leaks about this current drone execution target almost certainly came from Mike Rogers’ immediate vicinity. He’s torqued because Obama’s efforts to impose some limits on the drone war have allegedly made it more difficult to execute this American with no due process.

And while Rogers doesn’t get a vote over Krass’ confirmation to be CIA General Counsel, Dianne Feinstein and Saxby Chambliss do. And their efforts to keep CIA in the drone business may well have an impact on — and may have been motivated by — our ability to assassinate Americans.

I don’t recall Krass getting questions that directly addressed drone killing, though she did get some that hinted at the edges of such questions, such as this one:

Are there circumstances in which a use of force, or other action, by the U.S. government that would be unlawful if carried out overtly is lawful when carried out covertly? Please explain.

ANSWER: As a matter of domestic law, I cannot think of any circumstances in which a use of force or other action by the U.S. government that would be unlawful if carried out overtly would be lawful when carried out covertly, but I have not studied this question.

This seems to be a question she would have had to consider if she had any involvement in OLC’s consideration of a new drone execution memo.

All that said, she hasn’t yet gotten her vote (though any delay may arise from holds relating to the Senate Torture Report).

It just seems likely that — as we did in May 2005 when Steven Bradbury reapproved torture in anticipation of a promotion to head OLC — we’re faced yet again with a lawyer waiting for a promotion being asked to give legal sanction to legally suspect activity. My impression is that Krass has far more integrity than Bradbury (remember, she’s the one who originally imposed limits on the Libya campaign), so I’m only raising this because of the circumstances, not any reason to doubt her character.

It just seems like if you need lawyers to rubber stamp legally suspect activities, there ought to be more transparency about what promotions and resignations are going on.

Apple’s Go to Fail Response

/19 Comments/in /by

if you haven’t already heard, Apple admitted to what has been discovered to be a serious security flaw on Friday.

Essentially, for some of the more careful kinds of security, the flaw would allow an attacker to conduct a Man-in-the-Middle attack when you were sending or receiving data via an Apple operating system. Apple’s announcement Friday pertained to just iOS. But security researchers quickly discovered that the bug affects recent releases of OSX as well. And even if you’re using Chrome or Firefox, the bug may affect underlying applications.

This post, from Google engineer Adam Langley, is one of the best posts on the bug itself. Here’s Wired’s take. Here’s a really accessible take from Gizmodo.

In the wake of the Snowden revelations, the discovery of the bug raises questions about how it got there. Langley thinks it was a mistake. Steve Bellovin does too, though does note that targeting Perfect Forward Security is precisely what a determined hacker, including a nation-state’s SIGINT agency, would need to compromise. Others are raising more questions.

But whether or not this is an intentional backdoor into the security protecting users of most of Apple’s most recent devices, I’m just as interested in Apple’s response … both to the public report, almost 6 months ago, that,

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

And to its discovery — reportedly perhaps as long as a few weeks ago — that it had this serious bug.

Now, if I were a leading device/consumer products company with an incentive to get consumers deeper into the cloud and living further and further online, particularly if I were a leading device/consumer products company sitting on mountains and mountains of cash, upon reading the report last September, I would throw bodies at my code to make sure I really was providing the security my customers needed to sustain trust. And given that this is a key part of the security on which that trust relies, I would think the mountains of cash device/consumer products company might have found this bug.

According to rumors, at least, this bug was not found by Apple with all its mountains and mountains of cash; it was found by a researcher.

Then there’s the radio silence Apple has maintained since issuing its alert about iOS on Friday. It told Reuters over the weekend that it would have a fix to the OSX bug “soon,” so it has, effectively acknowledged that it’s there. But it has not issued an official statement.

It just seems to me there is little that can explain issuing Friday’s security alert — alerting everyone, including potential hackers, that the problem is there, which quickly led to the independent identification of the OSX problem — without at the same time rolling out an OSX announcement and alert. Admitting to the iOS error effectively led to OSX users being exposed to people responding to the announcement. Millions of Apple customers are even further exposed, until such time as Apple rolls out a fix (though you might consider doing your banking on a browser other than Safari to give yourself a tiny bit of protection until that point).

The only thing I can think of that would explain Apple’s actions is if the security researcher who found this bug gave them limited warning, before her or she would have published it.

Otherwise, though, I’m as interested in the explanation for Apple’s two-step rollout of this bug fix as I am in how it got there in the first place.

In Cut and Paste Tumblr Post, James Clapper Describes Who We Can Spy on without Discriminants

/in , , /by

As part of his Presidential Policy Directive on Signals Intelligence, Obama said this about bulk collection:

In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section. In no event may signals intelligence collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S . business sectors commercially; or achieving any purpose other than those identified in this section.

The Assistant to the President and National Security Advisor (APNSA), in consultation with the Director of National Intelligence (DNI), shall coordinate, on at least an annual basis, a review of the permissible uses of signals intelligence collected in bulk through the National Security Council Principals and Deputies Committee system identified in PPD-1 or any successor document. At the end of this review, I will be presented with recommended additions to or removals from the list of the permissible uses of signals intelligence collected in bulk.

The DNI shall maintain a list of the permissible uses of signals intelligence collected in bulk. This list shall be updated as necessary and made publicly available to the maximum extent feasible, consistent with the national security.

To fulfill that bolded “shall” language, James Clapper just released this on his IContheRecord Tumblr page:

Presidential Policy Directive/PPD-28 – Signals Intelligence Activities establishes a process for determining the permissible uses of nonpublicly available signals intelligence that the United States collects in bulk. It also directs the Director of National Intelligence to “maintain a list of permissible uses of signals intelligence collected in bulk” and make the list “publicly available to the maximum extent feasible, consistent with the national security.”

Consistent with that directive, I am hereby releasing the current list of permissible uses of nonpublicly available signals intelligence that the United States collects in bulk.

Signals intelligence collected in “bulk” is defined as “the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).” As of Jan. 17, 2014, nonpublicly available signals intelligence collected by the United States in bulk may be used by the United States “only for the purposes of detecting and countering:

  1. Espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;
  2. Threats to the United States and its interests from terrorism;
  3. Threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;
  4. Cybersecurity threats;
  5. Threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and
  6. Transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named above.”

Further, as prescribed in PPD-28, “in no event may signals intelligence collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S. business sectors commercially;” or achieving any purpose other than those identified above.

Effectively, Clapper fulfilled an obligation mandated by the PPD by simply cutting and pasting the list of 6 permissible uses of bulk collection in the PPD.

Given that this list is expected to be assessed annually, does that mean the PPD itself should be considered valid for no more than a year?

GCHQ DDoS Hackers Hang Out with NSA’s Audit-Free Techies

/1 Comment/in , , /by

Yesterday, I noted NBC’s report that GCHQ conducted a DDoS attack against Anonymous IRC chat.

There’s a subtle point that deserves more attention: GCHQ presented the underlying Powerpoint to NSA’s SIGDEV conference.

The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder — and other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.

[snip]

In the presentation on hacktivism that was prepared for the 2012 SIGDEV conference, one official working for JTRIG described the techniques the unit used to disrupt the communications of Anonymous and identify individual hacktivists, including some involved in Operation Payback. Called “Pushing the Boundaries and Action Against Hacktivism,” the presentation lists Anonymous, Lulzsec and the Syrian Cyber Army among “Hacktivist Groups,” says the hacktivists’ targets include corporations and governments, and says their techniques include DDOS and data theft.

SIGDEV is NSA’s term for the agency’s efforts to develop new signals intelligence techniques and sources. Thus, GCHQ presented the attack as the cutting edge of what NSA does.

Goodie.

But remember: NSA’s SIGDEV analysts have access to raw data outside of normal channels. This shows up repeatedly in the primary orders for the dragnet. And, as Bart Gellman noted (and I elaborated on here), Obama specifically exempted these folks from his Presidential Policy Directive limiting our spying (though his PPD did say foreigners could be spied on for cybersecurity reasons).

In other words, the people GCHQ boasted of their attack on Anonymous to are the people who have some of the least oversight within NSA.

The “McCain Committee” Would Be Full of NSA Defenders

/17 Comments/in , /by

Imagine a McCain Committee as the inheritor of the tradition of Frank Church and Otis Pike.

(Yes, I did that to make bmaz’ head explode.)

That seems to be what John McCain intends with his resolution calling for a Committee to Investigate the Dragnet. (h/t Steven Aftergood)

Only, McCain proposes to investigate not just whether NSA has engaged in things it was not authorized to do. But also to investigate Snowden’s leaks themselves and the potential role of contractors in making leaks more likely.

All that said, I might be excited about McCain’s proposal to review the dragnet, as described:

(3) The nature and scope of National Security Agency intelligence-collection programs, operations, and activities, including intelligence-collection programs affecting Americans, that were the subject matter of the unauthorized disclosure, including–

(A) the extent of domestic surveillance authorized by law;

(B) the legal authority that served as the basis for the National Security Agency intelligence-collection programs, operations, and activities that are the subject matter of those disclosures;

(C) the extent to which such programs, operations, and activities that were the subject matter of such unauthorized disclosures may have gone beyond what was authorized by law or permitted under the Constitution of the United States;

(D) the extent and sufficiency of oversight of such programs, operations, and activities by Congress and the Executive Branch; and

(E) the need for greater transparency and more effective congressional oversight of intelligence community activities.

There’s just one problem with McCain’s proposal.

Here’s the list of the people who would be on the Committee (he provides titles, I’m providing names):

  • Diane Feinstein
  • Saxby Chambliss
  • Carl Levin
  • Jim Inhofe
  • Tom Carper
  • Tom Coburn
  • Robert Menendez
  • Bob Corker
  • Pat Leahy
  • Chuck Grassley
  • Jello Jay Rockefeller
  • John Thune
  • A Harry Reid pick
  • A Mitch McConnell pick

There are a number of very big NSA defenders on this list — in addition to DiFi and Saxby, both Jello Jay and Coburn are Intel Committee members who have never questioned the dragnet (indeed, Coburn has called for getting rid of the controls on the phone dragnet!). Chuck Grassley, too, has generally been supportive of the dragnet in SJC hearings on the subject. Most of the rest are simply not the caliber of people who might critically assess the dragnet much less show real interest in Americans’ privacy. Only Carl Levin and Pat Leahy, alone among the 12 named members, have been explicitly skeptical of the dragnet at all.

McCain proposes a Select Committee to investigate the dragnet. And he proposes to fill it with people who are really happy with the dragnet as it currently exists.

Update: Just to give a sense of how terrible this make-up for a Select Committee is, compare it with the bipartisan list of 26 Senators who asked James Clapper for more information on other uses of Section 215 last June. Just one Senator from that list — Pat Leahy — would be on McCain’s committee.

Update: Haha! Via Matt Sledge, DiFi shot McCain’s idea down pretty quickly.