John Yoo Approved the Stellar Wind Authorization that First Covered Iraq

As I noted, one interesting aspect of reading the Stellar Wind IG Reports is tracking the things that show up in the Snowden-leaked draft IG Report that are completely redacted in the DOJ-released report.

One thing that is completely redacted is that Stellar Wind was used to spy on Iraqi targets (or US targets alleged to be Iraqi targets during the war?), as explained here.

(TS//SI//NF) Iraqi Intelligence Service. For a limited period of time surrounding the 2003 invasion of Iraq, the President authorized the use of PSP authority against the Iraqi Intelligence Service. On 28 March 2003, the DCI determined that, based on then current intelligence, the Iraqi Intelligence service was engaged in terrorist activities and presented a threat to U.S. interests in the United States and abroad. Through the Deputy DCI, Mr. Tenet received the President’s concurrence that PSP authorities could be used against the Iraqi Intelligence Service. NSA ceased using the Authority for this purpose in March 2004.

Given the timing, this almost certainly is one of the things Jack Goldsmith shut down in the first set of modifications in March 2004 (there appears to have been a parallel effort in 2004 to stop treating Iraqi prisoners as terrorists who could be tortured).

And while the officially released IG Reports hide all mention of this, there is one detail that says volumes. Amid the section describing all the things Patrick Philbin found to be problematic in Yoo’s OLC memos authorizing the program, this footnote appears (at PDF 442).

See Presidential Authorization of April 22, 2003 at para. 4(b)(i) & (ii). The April 22, 2003, Authorization was the only Authorization personally approved as to form and legality by Yoo. He approved the Authorization on April 18, 2003; five days before the date of his talking points memorandum.

John Yoo, not Attorney General Ashcroft, signed the Authorization that went into effect on April 22, 2003.

This Authorization was the first issued after Tenet declared Iraq terrorists on March 28, 2003 (I’ve added the Authorization dates here).

As it happens, that Authorization was also the last or second-to-last one signed while Yoo remained at DOJ. He left in June 2003 because Ashcroft had refused to let him assume the OLC AAG position after Jay Bybee moved onto his sinecure on the 9th Circuit.

That’s not the last crazy thing Yoo did while at OLC: at roughly the same time he was free-lancing “Legal Principles” documents pretend-authorizing torture techniques that the original Bybee memo had not approved.

But I find it interesting that one of the last things Yoo did was sign an authorization to use a program purportedly focused on terrorists to surveil targets (who must in some part be in the US) related to a war of choice.

Stellar Wind IG Report, Working Thread

Charlie Savage has liberated the Stellar Wind IG Report completed on July 10, 2009. He wrote it up here. This will be a working thread. [Note page numbers here are off by 1]

(PDF 13) The report reveals that OPR had not yet finished its review of John Yoo’s hackery in authorizing the illegal wiretap program.

(PDF 13) The report was scoped only to include communications, so the financial and other collections would not be included.

(PDF 16/17) Discussion of USP metadata being masked.

(PDF 14) Wolfowitz, Card, Addington, Cheney, Ashcroft, Yoo, and Tenet refused to cooperate with the IG Report.

(PDF 15) IG Report says policy is only to disseminate foreign SIGINT. But actually that policy was changed in EO 12333 the previous year (almost certainly reflected the status quo before).

(PDF 17) DOJ redacted why Hayden didn’t think he could approve a law for this spying.

(PDF 16/17) Hayden talking about value of access metadata with one end in US.

(New PDF 18) Redaction with something before “international terrorism” in targeting permission.

(New PDF 18) Discussion of new dissemination permissions.

(PDF 19/20) They changed the title of the scary memo from one focused on OBL to a more general one in June 2002.

(PDF 25) Redaction of discussion of Fourth Amendment OLC memo.

(PDF 31) NSA decided only going out 2 hops useful.

(PDF 30/31) There were 3 metadata violations reported.

(PDF 32) The fact that the program released content analysis was not included in the unredacted IG Report. But this report still redacts at least one kind of reporting — which may be the way the data feeds back into other analysis (they would redact that because it would create ongoing poison tree problems).

(PDF 33) “She noted Hayden took personal responsibility for the program and managed it carefully.”

(PDF 33) The description of the delegation hides a much more strained process as described in the NSA IG Report.

(PDF 34/35) Among the tasked selectors were “international terrorist threats” not tied to al Qaeda (and at a time before Somalia or AQAP would have been considered separately).

(New 35) Note the overcollection until 2004, “discovered” in late 2008, treated in IOB in 2009 (check). That may reflect the selectors against whom there was no RAS.

(PDF 36) The discussion of IOB records is cynically inadequate, for the reasons I lay out here.

(PDF 36) Note the reference to collection continuing to 2004. This may be related to the hospital confrontation. Is this the Iraq-related collection?

(PDF 39) The tippers originally came in through TAU. Which means they likely got mixed up with exigent letters. The resulting ECs would come with instructions that they be used for lead purposes only and not be used in proceedings. That system likely still exists intact!

(PDF 40-41) Describes how tippers led to threat assessments (which Savage described in his article). On top of what this says about investigative process, realize it means that if your number gets tipped you also get a back door search of any communications.

(PDF 43) The discussion of the threat assessments neglects to mention that they used info derived from torture.


The Magic Lawyering Behind Stellar Wind

The NSA IG Report on Stellar Wind reveals this about the legal review behind the dragnet of Americans. (PDF 156)

After having received the Authorization on 4 October 2001, General Hayden asked NSA General Counsel Robert Deitz if it was lawful. Mr. Deitz said that General Hayden understood that the Attorney General had already certified its legality by signing the Authorization, but General Hayden wanted Mr. Deitz’s view. Mr. Deitz said that on 5 October he told General Hayden that he believed the Authorization to be lawful. He added that he emphasized to General Hayden that if this issue were before the Supreme Court, it would likely rule, although not unanimously, that the Authorization was legal.

On 5 October 2001, the General Counsel consulted with the Associate General Counsel for Operations at his home by secure telephone. The Associate General Counsel for Operations was responsible for all legal matters related to NSA SIGINT activities. According to the General Counsel, he had not yet been authorized to tell the Associate General Counsel about the PSP, so he “talked around” it and did not divulge details. The Associate General Counsel was given enough information to assess the lawfulness of the concept described, but records show he was not officially cleared for the PSP until 11 October 2001. On Tuesday, 9 October, he told Mr. Deitz that he believed the Authorization was lawful and he began planning for its implementation.

 

In Newly Released IG Reports, Administration Redacted Discussion of the Bill Binney Option

One of the most fascinating aspects of the IG Reports Charlie Savage just liberated is how they redacted the NSA IG Report, a draft of which Edward Snowden already got released.

Consider the following redactions.

NSA redacts the discussion that shows they were already spying

Starting at PDF 146, the entire section describing what Michael Hayden did in the days immediately after 9/11 is redacted. Here’s what is included in the Snowden version.

(TS//SV/NF) On 14 September 2001, three days after terrorist attacks in the United States, General Hayden approved the targeting of terrorist-associated foreign telephone numbers on communication links between the United States and foreign countries where terrorists were known to be operating. Only specified, pre-approved numbers were allowed to be tasked for collection against U.S.-originating links. He authorized this collection at Special Collection Service and Foreign Satellite sites with access to links between the United States and countries of interest, including Afghanistan. According to the Deputy General Counsel, General Hayden determined by 26 September that any Afghan telephone number in contact with a U.S. telephone number on or after 26 September was presumed to be of foreign intelligence value and could be disseminated to the FBI.

(TS//SV/NF) NSA OGC said General Hayden’s action was a lawful exercise of his power under Executive Order (E.O.) 12333, United States Intelligence Activities, as amended. The targeting of communication links with one end in the United States was a more aggressive use of E.O. 12333 authority than that exercised by former Directors. General Hayden was operating in a unique environment in which it was a widely held belief that additional terrorist attacks on U.S. soil were imminent. General Hayden said this was a tactical decision.

(U//FOUO) On 2 October 2001, General Hayden briefed the House Permanent Select Committee on Intelligence (HPSCI) on this decision and later informed members of the Senate Select Committee on Intelligence (SSCI) by telephone. He had also informed DCI George Tenet.

(TS) At the same time NSA was assessing collection gaps and increasing efforts against terrorist targets immediately after the 11 September attacks, it was responding to Department of Defense (DoD), Director of Central Intelligence Community Management Staff questions about its ability to counter the new threat.

We can tell the discussion in the released version is different, even though it is entirely redacted. That’s because the discussion is longer, appears to include two footnotes, and has some indentations that don’t appear in the Snowden version.

But as it is, the discussion is legally dangerous for the Executive, because it either shows that NSA used the 15-day window permitted under FISA (which would make the Yoo memos all the more problematic), or conducted this spying without any authorization. (There are also “doth protest too much” discussions of how the NSA never spied on Americans before this that we know to be false, so I suspect that’s part of the problem.)

NSA redacts the Cheney paragraph

The final report redacts a discussion (PDF 148-149) titled, “Vice President Asked What Other Authorities NSA Needed.” Some related discussion appears in the Snowden version, but clearly not the entire discussion.

Mr. Tenet relayed that the Vice President wanted to know if NSA could be doing more. General Hayden replied that nothing else could be done within existing NSA authorities. In a follow-up telephone conversation, Mr. Tenet asked General Hayden what could be done if he had additional authorities. General Hayden said that these discussions were not documented.

Though it’s possible — perhaps even probable — that what the NSA draft depicts as NSA identifying its own needs is actually Hayden getting people to identify the needs Cheney had already identified for him.

In any case, the final IG report complains that none of this was documented, which suggests there was far more of interest that actually went on in these discussions.

NSA Redacts the Binney Option

Perhaps most interesting, the NSA redacts almost all of whatever became of this discussion.

Among other things, NSA considered how to tweak transit collection - the collection of communications transiting through but not originating or terminating in the United States. NSA personnel also resurfaced a concept proposed in 1999 to address the Millennium Threat. NSA proposed that it would perform contact chaining on metadata it had collected. Analysts would chain through masked U.S. telephone numbers to discover foreign connections to those numbers, without specifying, even for analysts, the U.S. number involved. In December 1999, the Department of Justice (DoJ), Office of Intelligence Policy Review (OIPR) told NSA that the proposal fell within one of the FISA definitions of electronic surveillance and, therefore, was not permissible when applied to metadata associated with presumed U.S. persons (i.e., U.S. telephone numbers not approved for targeting by the FISC).

Though PDF 150 appears to have a footnote that would modify that discussion (but that doesn’t appear in the Snowden version).

According to NSA OGC, DoJ has since agreed with NSA that simply processing communications metadata in this manner does not constitute electronic surveillance under the FISA.

This footnote may refer to the SPCMA decision in 2007 to 2008. Except that’s not what Binney et al proposed back in 1999. On the contrary: SPCMA permits NSA to chain through unmasked US person metadata, whereas Binney had proposed permitting only chaining through masked US person identifiers.

Which suggests George Ellard may have been misrepresenting what was possible in this sensitive IG Report designed for Congress.

But that would make it easier to come to this conclusion, one not included in the Snowden version:

Under its authorities, NSA had no other options for the timely collection of communications of suspected terrorists when one end of those communications was in the United States and the communications could only be collected from a wire or cable in the United States.

No wonder they redacted the Binney discussion.

The “Accidental” Phone Dragnet Violations IDed in 2009 Were Actually Retained Stellar Wind Features

I have long scoffed at the claim that the phone dragnet violations discovered in 2009 were accidental. It has always been clear they were, instead, features of Stellar Wind that NSA simply never turned off, even though they violated the FISC orders on it.

The Stellar Wind IG Report liberated by Charlie Savage confirms that.

It describes that numbers were put on an alert list and automatically chained.

An automated process was created to alert and automatically chain new and potential reportable telephone numbers using what was called an “alert list.” Telephone numbers on the alert list were automatically run against incoming metadata to look for contacts. (PDF 31)

This was precisely the substance of the violations admitted in 2009.

So NSA lied to FISC about that, and the IC lied to us about it when this came out in 2013.

Update: Note the reference to the violations on PDF 36 — though they don’t admit that it’s the same damn alert list and that NSA’s IG considered telling FISC from the start.

America’s Intelligence Empire

I’ve been reading Empire of Secrets, a book about the role of MI5 as the British spun off their empire. It describes how, in country after country, the government that took over from the British — even including people who had been surveilled and jailed by the British regime — retained the British intelligence apparatus and crafted a strong intelligence sharing relationship with their former colonizers. As an example, it describes how Indian Interior Minister Sardar Patel decided to keep the Intelligence Bureau rather than shut it down.

Like Nehru, Patel realised that the IB had probably compiled records on himself and most of the leaders of Congress. However, unlike Nehru, he did not allow this to colour his judgment about the crucial role that intelligence would play for the young Indian nation.

[snip]

Patel not only allowed the continued existence of the IB, but amazingly, also sanctioned the continued surveillance of extremist elements within his own Congress Party. As Smith’s report of the meeting reveals, Patel was adamant that the IB should ‘discontinue the collection of intelligence on orthodox Congress and Muslim League activity’, but at the same time he authorised it to continue observing ‘extremist organisations’. Patel was particularly concerned about the Congress Socialist Party, many of whose members were communist sympathisers.

[snip]

The reason Patel was so amenable to continued surveillance of some of his fellow Indian politicians (keeping tabs on his own supporters, as one IPI report put it) was his fear of communism.

And the same remarkable process, by which the colonized enthusiastically partnered with their former colonizers to spy on their own, happened in similar fashion in most of Britain’s former colonies.

That’s what I was thinking of on March 13, when John Brennan gave a speech to the Council on Foreign Relations. While it started by invoking an attack in Copenhagen and Charlie Hebdo, a huge chunk of the speech talked about the value of partnering with our intelligence allies.

Last month an extremist gunned down a film director at a cafe in Copenhagen, made his way across town and then shot and killed a security guard at a synagogue. Later the same day the terrorist group ISIL released a video showing the horrific execution of Coptic Christians on a beach in Libya.

The previous month, in a span of less than 24 hours, we saw a savage attack on the staff of the satirical newspaper Charlie Hebdo in France. We saw a car bomb kill dozens at a police academy in Yemen.

[snip]

As CIA tackles these challenges, we benefit greatly from the network of relationships we maintain with intelligence services throughout the world. This is a critically important and lesser known aspect of our efforts. I cannot overstate the value of these relationships to CIA’s mission and to our national security. Indeed, to the collective security of America and its allies.

By sharing intelligence, analysis, and know-how with these partner services, we open windows on regions and issues that might otherwise be closed to us. And when necessary, we act in concert to mitigate a common threat.

By collaborating with our partners we are much better able to close key intelligence gaps on our toughest targets, as well as fulfill CIA’s mission to provide global coverage and prevent surprises for our nation’s leaders. There is no way we could be successful in carrying out our mission of such scope and complexity on our own.

Naturally these are sensitive relationships built on mutual trust and confidentiality. Unauthorized disclosures in recent years by individuals who betrayed our country have created difficulties with these partner services that we have had to overcome.

But it is a testament to the strength and effectiveness of these relationships that our partners remain eager to work with us. With the stakes so high for our people’s safety, these alliances are simply too crucial to be allowed to fail.

From the largest services with global reach to those of smaller nations focused on local and regional issues, CIA has developed a range of working and productive relationships with our counterparts overseas. No issue highlights the importance of our international partnerships more right now than the challenge of foreign fighters entering and leaving the conflict in Syria and Iraq.

We roughly estimate that at least 20,000 fighters from more than 90 countries have gone to fight, several thousand of them from Western nations, including the United States. One thing that dangers these fighters pose upon their return is a top priority for the United States intelligence community, as well as our liaison partners.

We exchange information with our counterparts around the world to identify and track down men and women believed to be violent extremists. And because we have the wherewithal to maintain ties with so many national services, we act as a central repository of data and trends to advance the overall effort.

On this and in innumerable other challenges, our cooperation with foreign liaison quietly achieves significant results. Working together, we have disrupted terrorist attacks and rolled back groups that plot them, intercepted transfers of dangerous weapons and technology, brought international criminals to justice and shared vital intelligence and expertise on everything from the use of chemical armaments in Syria to the downing of the Malaysian airliner over Ukraine.

These relationships are an essential adjunct to diplomacy. And by working with some of these services in building their capabilities we have helped them become better prepared to tackle the challenges that threaten us all.

[snip]

With CIA’s support, I have seen counterparts develop into sophisticated and effective partners. Over time our engagement with partner services fosters a deeper, more candid give and take, a more robust exchange of information and assessments, and a better understanding of the world that often ultimately encourages better alignment on policy.

Another advantage of building and maintaining strong bilateral and multilateral intelligence relationships is that they can remain, albeit not entirely, insulated from the ups and downs of diplomatic ties. These links can provide an important conduit for a dispassionate dialogue during periods of tension, and for conveying the U.S. perspective on contentious issues.

In recognition of the importance of our liaison relationships, I recently reestablished a senior position at the CIA dedicated to ensuring that we are managing relationships in an integrated fashion. To developing a strategic vision and corporate goals for our key partnerships and to helping me carry out my statutory responsibility to coordinate the intelligence communities’ foreign intelligence relationships. [my emphasis]

We are and still remain in the same position as MI5, Brennan seems to want to assure the CFR types, in spite of the embarrassment experienced by our intelligence partners due to leaks by Chelsea Manning and Edward Snowden. Information sharing remains the cement of much of our relationships with allies; our ability to let them suck off our dragnet keeps them in line.

And of particular note, Brennan described these “strong bilateral and multilateral intelligence relationships …remain[ing], albeit not entirely, insulated from the ups and downs of diplomatic ties.”

The spooks keep working together regardless of what the political appointees do, Brennan suggested.

But that speech is all the more notable given the revelations in this Der Spiegel story. It describes how, because of the Snowden leaks, the Germans slowly started responding to something they had originally discovered in 2008. The US had been having BND spy on selectors well outside the Memorandum of Understanding governing the countries’ intelligence sharing, even including economic targets. At first, BND thought this was just 2,000 targets, but as the investigation grew more pointed, 40,000 suspicious selectors were found. Only on March 12 — the day before Brennan gave this remarkable speech — did Merkel’s office officially find out.

But in October 2013, not even the BND leadership was apparently informed of the violations that had been made. The Chancellery, which is charged with monitoring the BND, was also left in the dark. Instead, the agents turned to the Americans and asked them to cease and desist.

In spring 2014, the NSA investigative committee in German parliament, the Bundestag, began its work. When reports emerged that EADS and Eurocopter had been surveillance targets, the Left Party and the Greens filed an official request to obtain evidence of the violations.

At the BND, the project group charged with supporting the parliamentary investigative committee once again looked at the NSA selectors. In the end, they discovered fully 40,000 suspicious search parameters, including espionage targets in Western European governments and numerous companies. It was this number that SPIEGEL ONLINE reported on Thursday. The BND project group was also able to confirm suspicions that the NSA had systematically violated German interests. They concluded that the Americans could have perpetrated economic espionage directly under the Germans’ noses.

Only on March 12 of this year did the information end up in the Chancellery.

This has led to parliamentary accusations that BND lied in earlier testimony. The lies are notable, given how they echo the same kind of sentiment John Brennan expressed in his speech.

According to a classified memo, the agency told parliamentarians in 2013 that the cooperation with the US in Bad Aibling was consistent with the law and with the strict guidelines that had been established.

The memo notes: “The value for the BND (lies) in know-how benefits and in a closer partnership with the NSA relative to other partners.” The data provided by the US, the memo continued, “is checked for its conformance with the agreed guidelines before it is inputted” into the BND system.

Now, we know better. It remains to be determined whether the BND really was unaware at the time, or whether it simply did not want to be aware.

The NSA investigative committee has also questioned former and active BND agents regarding “selectors” and “search criteria” on several occasions. Prior to the beginning of each session, the agents were informed that providing false testimony to the body was unlawful. The BND agents repeatedly insisted that the selectors provided by the US were precisely checked.

Almost as a snide aside, Der Spiegel notes that the public prosecutor has not yet been informed of these lies.

That is, the spooks have been lying — at least purportedly up to and including Merkel’s office. But the government seems to be uninterested in pursuing those lies.

As Brennan said as this was just breaking out, the spooks retain their “strong bilateral and multilateral intelligence relationships …remain[ing], albeit not entirely, insulated from the ups and downs of diplomatic ties.”

And as with Brennan — as Gregory Johnsen chronicles in this long profile of the CIA Director published yesterday — the spooks always evade accountability.

Why Do All the Stingray NDAs Date to 2011 to 2012?

The other day, the Baltimore Sun continued its great work on Stingrays with a report on the most recent court disclosure from the Baltimore Police Department, revealing that instead of the 4,300 uses of its Stingray that it testified to earlier this month, it had in fact used the Stingray 25,000 times, not counting the times it has used it in exigent situations.

While police said earlier this month that the agency had deployed a “Stingray” cell simulator device more than 4,300 times since 2007, Det. Michael Dressel testified Monday that the actual number of times used with a court order was north of 25,000 times. The lesser figure reflected the amount since the department changed the way it documents its use of the device.

[snip]

Dressel said there are a number of scenarios in which police can cite exigent circumstances and proceed without a court order or search warrant. He said he did not know the number of such instances.

The revelation, on its face, reveals two important points. That BPD, at least, doesn’t track all its uses of its Stingray. But also that at some point in time (the original count purported to date back to 2007), the department changed the way it counted Stingrays.

This post started as a reflection on the changing numbers Baltimore Police Department has given for its use of Stingrays. I learned after I posted that the Sun had retracted the 25,000 number.

That said, the now retracted article got me thinking about the dates of all the Stingray NDAs.

The two complete non-disclosure agreements we’ve seen — from Erie (June 29, 2012) and Baltimore (July 13, 2011) — as well as some of the partial ones we’ve seen — Tacoma (December 19, 2012), Minneapolis (June 12, 2012), San Bernardino (December 7, 2012), Hillsborough, FL (around March 6, 2012) — all date to around the same 2011 to 2012 time period. But Stingray use goes back well before that, as the contracts released make clear. That’s all not long after the government started trying to protect its use of Stingray to find Daniel Rigmaiden (see the docket starting at document 465 and this contemporaneous coverage of it), which Stephanie Pell and Chris Soghoian point to as the first time use of a Stingray showed up in a criminal proceeding (see 29 ff).

That may not be the explanation — I can think of a number of other possibilities why, starting in 2011, the government changed how it approached Stingray secrecy — but it is a possibility. 2011 is also the year US v. Jones was briefed to SCOTUS, and also the year NSA ultimately gave up its efforts to get location as part of its phone dragnet. It at least appears possible that FBI started pushing out NDAs (or new NDAs) starting in 2011.

Is that what led to the change in how BPD counted these?

In any case, I’m increasingly wondering whether there’s a significant change that took place in 2011 with how the FBI administered Stingray use at the local level, which led, in that year and the next, to a whole new Nondisclosure regime.

 

NSA’s Dragnet Failed to “Correlate” David Headley’s Identity, One of Its Core Functions

In a piece on the GCHQ and NSA failure to identify David Headley’s role in the Mumbai terrorist attack, ProPublica quotes former CIA officer Charles Faddis on the value of bulk surveillance.

“I’m not saying that the capacity to intercept the communications is not valuable,” said Charles (Sam) Faddis, a former C.I.A. counterterror chief. “Clearly that’s valuable.” Nonetheless, he added, it is a mistake to rely heavily on bulk surveillance programs in isolation.

“You’re going to waste a lot of money, you’re going to waste a lot of time,” Faddis said. “At the end, you’re going to have very little to show for it.”

The article as a whole demonstrates that in a manner I’m fairly shocked about. The NSA failed to recognize what it had in intelligence collected on Headley’s role in the attack even after the attack because they hadn’t correlated his known birth name with the name he adopted in the US.

Headley represents another potential stream of intelligence that could have made a difference before Mumbai. He is serving 35 years in prison for his role. He was a Pakistani-American son of privilege who became a heroin addict, drug smuggler and DEA informant, then an Islamic terrorist and Pakistani spy, and finally, a prize witness for U.S. prosecutors.

In recounting that odyssey, we previously explored half a dozen missed opportunities by U.S. law enforcement to pursue tips from Headley’s associates about his terrorist activity. New reporting and analysis traces Headley’s trail of suspicious electronic communications as he did reconnaissance missions under the direction of Lashkar and Pakistan’s Inter-Services Intelligence Directorate (ISI).

Headley discussed targets, expressed extremist sentiments and raised other red flags in often brazen emails, texts and phone calls to his handlers, one of whom worked closely on the plot with Shah, the Lashkar communications chief targeted by the British.

U.S. intelligence officials disclosed to me for the first time that, after the attacks, intensified N.S.A. monitoring of Pakistan did scoop up some of Headley’s suspicious emails. But analysts did not realize he was a U.S.-based terrorist involved in the Mumbai attacks who was at work on a new plot against Denmark, officials admitted.

The sheer volume of data and his use of multiple email addresses and his original name, Daood Gilani, posed obstacles, U.S. intelligence officials said. To perfect his cover as an American businessman, Headley had legally changed his name in 2006.

“They detected a guy named ‘Gilani’ writing to bad guys in Pakistan, communicating with terror and ISI nodes,” a senior U.S. intelligence official said. “He wrote also in fluent Urdu, which drew interest. Linking ‘Gilani’ to ‘Headley’ took a long time. The N.S.A. was looking at those emails post-Mumbai. It was not clear to them who he was.”

As I’ve explained, one of the things NSA does with all its data is to “correlate” selectors, so that it maps a picture of all the Internet and telecom (and brick and mortar, where they have HUMINT) activities of a person using the multiple identities that have become common in this day and age. This is a core function of the NSA’s dragnets, and it works automatically on EO 12333 data (and worked automatically on domestically-collected phone and — probably — Internet metadata until 2009).

When you think about it, there are some easy ways of matching online identities (going to a provider, mapping some IP addresses). And even the matching of “burner” IDs can be done with 94% accuracy, at least within AT&T’s system, according to AT&T’s own claims.

The NSA says they didn’t do so here because Headley had changed his name.

Headley, recall, was a DEA informant. Which means, unless these intelligence agencies are far more incompetent than I believe they are, this information was sitting in a government file somewhere: “Daood Gilani, the name of a known Urdu-fluent informant DEA sent off to Pakistan to hang out with baddies = David Headley.” Unless Headley adopted the new name precisely because he knew it would serve to throw the IC off his trail.

And yet … NSA claims it could not, and did not, correlate those two identities and as a result didn’t even realize Headley was involved in the Mumbai bombing even after the attack.

Notably, they claim they did not do so because of the “sheer volume of data.”

In short, according to the NSA’s now operative story (you should click through to read the flaccid apologies the IC offered up for lying about the value of Sections 215 and 702 in catching Headley), the NSA’s dragnet failed at one of its core functions because it is drowning in data.

 

The Government Changed Its Mind about How Many Databases It Searched in the Hassanshahi Case after It Shut Down the DEA Dragnet

As I noted in this post, the government insists that it did not engage in parallel construction in the case of Shantia Hassanshahi, the Iranian-American busted for sanctions violations using evidence derivative of a search of what the government now claims was a DEA dragnet. “While it would not be improper for a law enforcement agency to take steps to protect the confidentiality of a law enforcement sensitive investigative technique, this case raises no such issue.”

The claim is almost certainly bullshit, true in only the narrowest sense.

Indeed, the changing story the government has offered about how they IDed Hassanshahi based off a single call he had with a phone belonging to a person of interest, “Sheikhi,” in Iran, is instructive not just against the background of the slow reveal of multiple dragnets over the same period, but also for the technological capabilities included in those claims. Basically, the government appears to be claiming they got a VOIP call from a telephony database.

As I lay out below, the story told by the government in various affidavits and declarations (curiously, the version of the first one that appears in the docket is not signed) changed in multiple ways. While there were other changes, the changes I’m most interested in pertain to:

  • Whether Homeland Security Investigator Joshua Akronowitz searched just one database — the DEA toll record database — or multiple databases
  • How Akronowitz identified Google as the provider for Hassanshahi’s phone record
  • When and how Akronowitz became interested in a call to Hassanshahi from another Iranian number
  • How many calls of interest there were

As you can see from the excerpts below, Akronowitz at first claimed to have searched “HSI-accessible law enforcement databases,” plural, and suggested he searched them himself. In July 2014, in response to a motion to suppress (and after Edward Snowden had disclosed the NSA’s phone dragnet), Akronowitz changed that story and said he sent a research request to a single database, implying someone else did a search of just one database. Akronowitz told the same story in yet another revised affidavit submitted last October. In the declaration submitted in December but unsealed in January, DEA Assistant Special Agent Robert Patterson stuck with the single database story and used the passive voice to hide who did the database query.

While Akronowitz’ story didn’t change regarding how he discovered that Hassanshahi’s phone was a Google number, it did get more detailed in the July 2014 affidavit, which explained that he had first checked with another VOIP provider before being referred to Google.

Perhaps most interestingly, the government’s story changed regarding how many calls of interest there were, and between what numbers. In January 2013, Akronowitz said “a number of telephone calls between ‘Sheikhi’s’ known business telephone number and telephone number 818-971-9512 had occurred within a relatively narrow time frame” (though he didn’t tell us what that time frame was). He also said that his Google subpoena showed “numerous calls to the same Iranian-based telephone number during a relatively finite period of time.” He neither explained that this number was not Sheikhi’s number — it was a different Iranian number — nor what he meant by “a relatively finite period of time.” His July and October affidavits said his research showed a contact, “on one occasion, that is, on July 4, 2011,” with Sheikhi’s number. The July affidavit maintained the claim that there were multiple calls between Hassanshahi’s number and an Iranian one: “numerous phone calls between Hassanshahi’s ‘818’ number and one Iranian phone number.” But by October, Akronowitz conceded that the Google records showed only “that Hassanshahi’s ‘818’ number made contact with an Iranian phone number (982144406457) only once, on October 5, 2011” (as well as a “22932293” number that he bizarrely claimed was a call to Iran). Note, Akronowitz’ currently operative story would mean the government never checked whether there were any calls between Hassanshahi and Sheikhi between August 24 and September 6 (or after October 6), which would be rather remarkable. Patterson’s December affidavit provided no details about the date of the single call discovered using what he identified as DEA’s database, but did specify that the call was made by Hassanshahi’s phone, outbound to Iran. (Patterson didn’t address the later Google production, as that was pursuant to a subpoena.)

To sum up, before Edward Snowden’s leaks alerted us to the scope of NSA’s domestic and international dragnet, Akronowitz claimed he personally had searched multiple databases and found evidence of multiple calls between Hassanshahi’s phone number and Sheikhi’s number, as well as (after getting a month of call records from Google) multiple calls to another Iranian number over unspecified periods of time. After Snowden’s leaks alerted us to the dragnet, after Dianne Feinstein made it clear the NSA can search on Iranian targets in the Section 215 database, which somehow counts as a terrorist purpose, and after Eric Holder decided to shut down just the DEA dragnet, Akronowitz changed his story to claim he had found just one call between Hassanshahi and Sheikhi, and — after a few more months — just one call from another Iranian number to Hassanshahi. Then, two months later, the government claimed that the only database that ever got searched was the DEA one (the one that had already been shut down) which — Patterson told us — was based on records obtained from “United States telecommunications service providers” via a subpoena.

Before I go on, consider that the government currently claims it used just a single phone call of interest — and the absence of any additional calls in a later month’s worth of call records collected that fall — to conduct a warrantless search of a laptop in a state (CA) where such searches require warrants, after having previously claimed there was a potentially more interesting set of call records to base that search on.

Aside from the government’s currently operative claim that it would conduct border searches based on the metadata tied to a single phone call, I find all this interesting for two reasons.

First, the government’s story about how many databases got searched and how many calls got found changed in such a way that the only admission of an unconstitutional search to the judge, in December 2014, involved a database that had allegedly been shut down 15 months earlier.

Maybe they’re telling the truth. Or maybe Akronowitz searched or had searched multiple databases — as he first claimed — and found the multiple calls he originally claimed, but then revised his story to match what could have been found in the DEA database. We don’t know, for example, if the DEA database permits “hops,” but he might have found a more interesting call pattern had he been able to examine hops (for example, it might explain his interest in the other phone number in Iran, which otherwise would reflect no more than an immigrant receiving a call from his home country).

All of this is made more interesting because of my second point: the US side of the call in question was an Internet call, a Google call, not a telephony call. Indeed, at least according to Patterson’s declaration (records of this call weren’t turned over in discovery, as far as I can tell), Hassanshahi placed the call, not Sheikhi.

I have no idea how Google calls get routed, but given that Hassanshahi placed the call, there’s a high likelihood that it didn’t cross a telecom provider’s backbone in this country (and god only knows how DEA or NSA would collect Iranian telephony provider records), which is who Patterson suggests the calls came from (though there’s some room for ambiguity in his use of the term “telecommunications service providers”).

USAT’s story on this dragnet suggests the data all comes from telephone companies.

It allowed agents to link the call records its agents gathered domestically with calling data the DEA and intelligence agencies had acquired outside the USA. (In some cases, officials said the DEA paid employees of foreign telecom firms for copies of call logs and subscriber lists.)

[snip]

Instead of simply asking phone companies for records about calls made by people suspected of drug crimes, the Justice Department began ordering telephone companies to turn over lists of all phone calls from the USA to countries where the government determined drug traffickers operated, current and former officials said.

[snip]

Former officials said the operation included records from AT&T and other telecom companies.

But if this call really was placed from a Google number, it’s not clear it would come up under such production, even under production of calls that pass through telephone companies’ backbones. That may reflect — if the claims in this case are remotely honest — that the DEA dragnet, at least, gathered call records not just from telecom companies, but also from Internet companies (remember, too, that DOJ’s Inspector General has suggested DEA had or has more than one dragnet, so it may also have been collecting Internet toll records).

And that — coupled with the government’s evolving claims about how many databases got checked and how many calls that research reflected — may suggest something else. Given that the redactions on the providers obliged under the Section 215 phone dragnet orders haven’t changed going back to 2009, when it was fairly clear there were just 3 providers (AT&T, Sprint, and Verizon), it may be safe to assume that’s still all NSA collects from. A never-ending series of leaks has pointed out that the 215 phone dragnet increasingly has gaps in coverage. And this Google call would be precisely the kind of call we would expect it to miss (indeed, that’s consistent with what Verizon Associate General Counsel — and former DOJ National Security Division and FBI Counsel — Michael Woods testified to before the SSCI last year, strongly suggesting the 215 dragnet missed VOIP). So while FISC has approved use of the “terrorist” Section 215 database for the terrorist group, “Iran,” (meaning NSA might actually have been able to query on Sheikhi), we should expect that this call would not be in that database. Mind you, we should also expect NSA’s EO 12333 dragnet — which permits contact chaining on US persons under SPCMA — to include VOIP calls, even with Iran. But depending on what databases someone consulted, we would expect gaps in precisely the places where the government’s story has changed since it decided it had searched only the now-defunct DEA database.

Finally, note that if the government was sufficiently interested in Sheikhi, it could easily have targeted him under PRISM (he did have a GMail account), which would have made any metadata tied to any of his Google identities broadly shareable within the government (though DHS Inspectors would likely have to go through another agency, quite possibly the CIA). PRISM production should return any Internet phone calls (though there’s nothing in the public record to indicate Sheikhi had an Internet phone number). Indeed, the way the NSA’s larger dragnets work, a search on Sheikhi would chain on all his correlated identifiers, including any communications via another number or Internet identifier, and so would chain on whatever collection they had from his GMail address and any other Google services he used (and the USAT described the DEA dragnet as using similarly automated techniques). In other words, when Akronowitz originally said there had been multiple “telephone calls,” he may have instead meant that Sheikhi and Hassanshahi had communicated, via a variety of different identifiers, multiple times as reflected in his search (and given what we know about DEA’s phone dragnet and my suspicion they also had an Internet dragnet, that might have come up just on the DEA dragnets alone).

The point is that each of these dragnets will have slightly different strengths and weaknesses. Given Akronowitz’ original claims, it sounds like he may have consulted dragnets with slightly better coverage than just the DEA phone dragnet — either including a correlated DEA Internet dragnet or a more extensive NSA one — but the government now claims that it only consulted the DEA dragnet and consequently claims it only found one call, a call it should have almost no reason to have an interest in.


Bob Graham’s Credibility

On Monday, the NYT had a story on former Senator Bob Graham’s continuing efforts to shed light on the Saudi role in 9/11. The article cast Graham’s obstinance on the Saudi role in 9/11 against FBI efforts to get him to shut up, noting for example that the recent 9/11 follow-up report dismissed FBI’s former interest in a Florida couple that had ties to some of the hijackers (though the NYT did not note how hackish the report is).

Against FBI’s insistence the Saudis had no role on 9/11, NYT balances the comments of Graham’s former colleagues about his judgement. And they point to his prescience.

Mr. Graham’s refusal to drop what many in the intelligence community consider to be long-settled issues has stirred some private criticism that the former senator has been out of the game too long and is chasing imagined conspiracies in an effort to stay relevant as he lectures and writes books. Intelligence officials say the claims in the secret 28 pages were explored and found to be unsubstantiated in a later review by the national commission.

Former colleagues are not so ready to write off a lawmaker they remember for sounding the alarm against the invasion of Iraq. He warned that shifting attention to removing Saddam Hussein would debilitate efforts to rid Afghanistan of Al Qaeda, which Mr. Graham said posed a far greater threat to the United States.

“Bob Graham has proven to be prescient about many things,” said Jane Harman, the former California congresswoman who once served as the top Democrat on the House Intelligence Committee.

Never one of the flashiest members of the Senate, Mr. Graham was seen more as a cautious, conscientious lawmaker eager to dig into the dry details of policy. His unglamorous reputation no doubt contributed to his inability to catch on during an abbreviated run for the Democratic presidential nomination in 2003. But his colleagues also saw him as a man who would not be easily dissuaded.

“Bob is kind of quiet, but once he is on to something, he is like a dog with a bone,” said Tom Daschle, the former Senate Democratic leader.

The NYT only raises Graham’s prescience on the Iraq War, not the “many things” raised by Jane Harman (who didn’t overlap in the Gang of Four with Graham, but closely followed him).

But it’s worth recalling that, in addition to being right about the Iraq War, Graham was right about torture. Indeed, in his last months as ranking member on the Senate Intelligence Committee, he made initial moves to learn more about CIA’s detention program, only to have Pat Roberts agree to stop the effort in early 2003. And, interestingly, Graham (and Nancy Pelosi, Graham’s counterpart on the Gang of Four) linked the two, tying the erroneous claims about Iraq to the non-briefings on torture they were getting in September 2002.

Now that they are explicitly stating that CIA lied in its September briefings on torture, Nancy Pelosi and Bob Graham are also both linking those lies with the lies they were telling–at precisely the same time–in the Iraq NIE. Here’s Pelosi:

Of all the briefings that I have received at this same time, earlier, they were misinforming the American people there were weapons of mass destruction in Iraq and it was an imminent threat to the United States. I, to the limit of what I could say to my caucus, told them, the intelligence does not support the imminent threat that this Administration is contending. Whether it’s on the subject of what’s happening in Iraq, whether it’s on the subject of techniques used by the intelligence community on those they are interrogating, every step of the way, the Administration was misleading the Congress.

And that is the issue. And that is why we need a truth commission.

And here’s Graham:

Yes, they’re obligated to tell the full Intelligence Committee, not just the leadership. This was the same time within the same week, in fact, that the CIA was submitting its National Intelligence Estimate on weapons of mass destruction in Iraq which proves so erroneous that we went to war, have had thousands of persons killed and injured as a result of misinformation.

Now, it’s quite possible Graham and Pelosi are tying these two lies together just to remind reporters how unreliable the CIA is. Perhaps they’re doing it to remind reporters of how they got burned leading into the Iraq War, trusting the spin of the Administration.

But perhaps they’re trying to say there’s a direct connection, an explicit one, between the NIE and torture. We know Ibn Sheikh al-Libi’s claims appeared in there. Did anything that came out of Abu Zubaydah’s interrogation? Or Ramzi bin al-Shibh?

Graham would have also been briefed on Stellar Wind, including in briefings with Harman, though he has been less outspoken about that.

None of this is to say these four issues — Saudi support for an enormous attack on the US, spying on Americans, torturing detainees, and trumping up the Iraq War — are connected (though all have ties). It just seems like Graham copped onto the larger project of obfuscation during his tenure on SSCI, in a way that is rather interesting.