John Brennan Predicts the Dissolution of the Nation-State Structure

Rather than asking John Brennan challenging questions about the reform of CIA at Brennan’s Council on Foreign Relations event Friday, Charlie Rose instead asked John Brennan what he saw as the challenge to CIA’s analytical function over the next 15 years (around 39:50).

Here’s how Brennan responded:

The world is becoming more and more challenging. Nation-states are under increasing challenge and threat. More and more, we see individuals in different corners of the world who are identifying with sub-national groups and organizations. And so just the authority of nation-states and governments I think is being looked at in a different way than it did just 20 years ago. And so this is one of the things that we really have to be able to understand and anticipate and work with foreign governments because if you’re going to have basically the dissolution of the nation-state structure that we’ve had for centuries, it’s really going to be even a more chaotic world.

I don’t actually disagree with Brennan. I’ve been saying we’re headed for NeoFeudalism for over a decade.

That said, the policies of the US government are really fostering this change. Drones — as well as increased reliance on paramilitary forces — are one thing that contributes to this. So do trade agreements, especially the ones the US is trying to force on Asia and Europe right now. US demands that its corporations help the US spy in other countries are another factor.

Yet the government is pursuing these policies even while recognizing that the dissolution of the nation-state system will bring much more chaos.

Brennan describes it like a bug, but US policy suggests it’s a feature.

Update: Take this prediction in tandem with James Clapper’s judgement that “Roughly half of the world’s currently stable countries are at some risk of instability over the next two years.”

NSA Probably Doesn’t Have ALL of Hillary’s Emails … But Maybe Someone Should

I’m among those who believe Hillary Clinton’s use of a privately run email server is an abuse of power. Doing so appears to have skirted laws ensuring good governance and it may well have exposed her communications to adversaries (including some who would have reason to use the contents of her email to help Republicans win the White House), even if her email would have been just as targeted at State, per reports about persistent hacking of it. While I don’t buy — in the absence of evidence — that she did so to hide ties with the Clinton Foundation, I do think she did so not just for convenience, but for control, as I laid out last week.

In response to the scandal, some people are calling on NSA to turn over Hillary’s emails (as they earlier did with former IRS official Lois Lerner).

For some Americans, the NSA isn’t an agency that protects them from terrorist threats or keeps this country safe from another catastrophic event. For many people, the NSA represents an intrusion of privacy. However, ‘Emailgate’ is an opportunity for the NSA to show Americans that it can protect the nation from possible security breaches, even when powerful members of government have made these errors of judgment. Nobody is accusing Hillary Clinton of anything treasonous or malicious, after all, Powell and Rice also used private emails at times. The primary concern with this scandal rests in the fact that private email servers were stored in a private residence, with their contents possibly being “sensitive” or “classified.”

If anyone in the country engaged in such behavior, the NSA would have likely had information on all of this citizen’s communication and activities. If Clinton compromised national security in any way, the most renowned record-keeping agency in the U.S. government should help answer some questions. If the NSA has the full record of Clinton’s emails, it should hand them over to Congress.

There’s little reason to believe that NSA has all of Hillary’s emails — or even metadata on them — though it may well have (had) some.

We’re talking about emails from a non-PRISM US based server that are two to six years old.

Until December 2011, the NSA would have been capturing the metadata from all of Hillary’s email. But according to multiple documents (including sworn documents), NSA destroyed this data in 2011. NSA currently appears to collect US person Internet metadata from two other sources: from PRISM collection, and under SPCMA on data obtained overseas.

According to the 9-page explanation on the emails Hillary sent, “During her time at State, she communicated with foreign officials in person, through correspondence, and by telephone. The review of all of her emails revealed only one email with a foreign (UK) official.” Thus, while many of the people the Secretary of State would interact with could easily be targeted under Section 702, she claims she had email communication with only one of those legitimate targets, and that potentially legitimate target is from the UK, the least likely country to be targeted. This would mean that Hillary’s emails (and therefore metadata) would be unlikely to have been captured under PRISM collection. [Update: I realize now that any private conversations she had with foreigners could have been targeted and would not be among those she kept as official business.]

If she had used a targeted person’s identifier (email or phone number, for example), that might come up under upstream collection, particularly if she sent the email while overseas. The NSA has focused more since 2011 on sorting out all the US person communications captured in that way. But they also appear to go very far out of their way to avoid learning that communications are domestic, because that causes legal problems for them. So that would make it less likely they would ID these emails.

In other words, if NSA had collected Hillary’s emails using upstream collection, they should have destroyed them, and if they didn’t, they would now want to pretend they hadn’t collected them.

That leaves one other way the NSA might have some of Hillary’s emails (if they haven’t hurriedly destroyed them to avoid being caught having collected what would be considered domestic communications): via bulk collection overseas, which is quite possible, given how frequently Hillary would have been overseas, even in countries where the Five Eyes presumably pulls and keeps full take most of the time (though some of her emails sent both sides domestically might well have transited overseas and gotten collected).

By all means, let’s ask the NSA to search on her email identifiers to see what they’ve collected and retained for the 2-6 years in question! It would be a good test of how much “innocent” US person communications are collected incidentally, especially if that person travels frequently to targeted countries. (Though, again, I would imagine NSA has already done a purge to make sure they don’t have this, because if they got caught doing so, it would be … awkward.)

Finally, there’s one more reason to think NSA would not have Hillary’s email. As James Risen and Eric Lichtblau reported on June 16, 2009 — just 3 months after Hillary started using this email — an analyst once got investigated for targeting Bill Clinton.

He said he and other analysts were trained to use a secret database, code-named Pinwale, in 2005 that archived foreign and domestic e-mail messages. He said Pinwale allowed N.S.A. analysts to read large volumes of e-mail messages to and from Americans as long as they fell within certain limits — no more than 30 percent of any database search, he recalled being told — and Americans were not explicitly singled out in the searches.

The former analyst added that his instructors had warned against committing any abuses, telling his class that another analyst had been investigated because he had improperly accessed the personal e-mail of former President Bill Clinton.

As NSA explained to Congress the day after the report (this notice was attached to the Q3 2009 IOB report), this incident actually dated to 1992.

On November 3, 1992, an analyst wondering how foreign targets were reacting to Bill Clinton’s election typed in a query [redacted]. The query was made against the [redacted]. There were probably very few emails of any kind in there at that time, and there would not [sic] about Bill Clinton. Immediately after the query was entered, the co-worker sitting next to the analyst identified that this was a query on a U.S. person. The analyst immediately realized that the query was wrong and contrary to authorities.

[snip]

Although this activity occurred 17 years ago, we have used it in our oversight training, even in the last several years, as an illustrative example of queries that are inappropriate and must be reported and investigated. This type of query remains as inappropriate today as it was then and will not be tolerated under any circumstances.

In other words, up until no more than a few years before Hillary became Secretary of State, NSA used an illegal query on her husband as a training example. The server Hillary was using was (as far as I understand it) a Clinton Foundation server — a corporate entity tied to the man used as a training case on illegal targeting.

I’d say the centrality of Bill in NSA training would emphasize the importance of not targeting Bill, his property, and thereby his wife’s undisclosed email. Certainly from buffered collections (which is how NSA sorts full take collection overseas), it’d be less likely anyone would query anything that looked remotely like a Clinton email, even though almost all of Clinton’s foreign donors are likely targets.

Admittedly, a lot of Clinton Foundation emails might be kept for other reasons (and would be legitimately targeted based off their foreign interlocutor). But I would imagine NSA is particularly careful with anything that bears the name Clinton, because of this history.

In other words, while NSA almost certainly doesn’t have all Hillary emails, it might have some — but would have very very big incentives to be able to tell Congress it doesn’t if and when they ask.

Which is not to say someone shouldn’t have these emails.

One thing the recent 702 Minimization Procedures reveal is that all three agencies — NSA, FBI, and CIA — keep some data for a year to conduct security assessments. For example, FBI’s reads:

Similarly, and notwithstanding any other section in these procedures, the FBI may use information acquired pursuant to section 702 of the Act to conduct security assessments of its systems in order to ensure that FBI systems have not been compromised. These security assessments may include, but will not be limited to, the temporary storage of section 702-acquired information in a separate system for a period not to exceed one year. While retained in such a storage system for security assessments, such section 702-acquired information may not be accessed for any other purpose.

To be honest, I don’t understand this provision (as FBI.gov shouldn’t be collected under 702), though the provision may exist more broadly in SIGINT collection procedures, in which case it would seem utterly parallel to the CSEC practice of storing emails sent to the government.

But it seems if the government is retaining emails in the name of security of its own systems, it could also retain emails in the name of ensuring government abides by Federal Records rules. For top officials, who appear to keep changing their identifiers to prevent average citizens from being able to contact them (both Hillary and Eric Holder did this), identifying, retaining, and storing emails seems to have few privacy implications. So maybe NSA should have Hillary’s emails?

FBI Is Not “Surveilling” WikiLeaks Supporters in Its Never-Ending Investigation; Is It “Collecting” on Them?

The FOIA for records on FBI’s surveillance of WikiLeaks supporters substantially ended yesterday (barring an appeal) when Judge Barbara Rothstein ruled against EPIC. While she did order National Security Division to do a more thorough search for records, she basically said the agencies had properly withheld records under Exemption 7(A) for its “multi-subject investigation into the unauthorized disclosure of classified information published on WikiLeaks, which is ‘still active and ongoing’ and remains in the investigative stage.” (Note, the claim that the investigation is still in what FBI calls an investigative stage, which I don’t doubt, is nevertheless dated, as the most recent secret declarations in this case appear to have been submitted on April 25, 2014, though Rothstein may not have read them until after she approved such ex parte submissions on July 29 of last year.)

In so ruling, Rothstein has dodged a key earlier issue, which is that all three entities EPIC FOIAed (DOJ’s Criminal and National Security Divisions and FBI) invoked a statutory Exemption 3 from FOIA, but refused to explain what statute they were using.

2 Defendants also rely on Exemptions 1, 3, 5, 6, 7(C), 7(D), 7(E), and 7(F). The Court, finding that Exemption 7(A) applies, does not discuss whether these alternative exemptions may apply.

I have argued — and still strongly suspect — that the government was relying, in part, on Section 215 of PATRIOT, as laid out in this post.

In addition to the Exemption 3 issue Rothstein dodged, though, there were three other issues that were of interest in this case.

First, we’ve learned in the 4 years since EPIC filed this FOIA that their request falls in the cracks of the language the government uses about its own surveillance (which it calls intelligence, not surveillance). EPIC asked for:

  1. All records regarding any individuals targeted for surveillance for support for or interest in WikiLeaks;
  2. All records regarding lists of names of individuals who have demonstrated support for or interest in WikiLeaks;
  3. All records of any agency communications with Internet and social media companies including, but not limited to Facebook and Google, regarding lists of individuals who have demonstrated, through advocacy or other means, support for or interest in WikiLeaks; and
  4. All records of any agency communications with financial services companies including, but not limited to Visa, MasterCard, and PayPal, regarding lists of individuals who have demonstrated, through monetary donations or other means, support or interest in WikiLeaks. [my emphasis]

As I’ve pointed out in the past, if the FBI obtained datasets rather than lists of the people who supported WikiLeaks from Facebook, Google, Visa, MasterCard, and PayPal, FBI would be expected to deny it had lists of such supporters, as it has done. We’ve since learned about the extent to which it does collect datasets when carrying out intelligence investigations.

Then there’s our heightened understanding of the words “target” and “surveillance” which are central to request 1. The US doesn’t target a lot of Americans, but it does collect on them. And when it does so — even if it makes queries that return their identifiers — it doesn’t consider that “surveillance.” That is, the FBI would only admit to having responsive data to request 1 if it were obtaining FISA or Title III warrants against mere supporters of WikiLeaks, rather than — say — reading their email to Julian Assange, whom FBI surely has targeted and still targets under Section 702 and other surveillance authorities, or even, as I guarantee you has happened, looked up people after the fact and discovered they had previous conversations with Assange. We’ve even learned that NSA collects vast amounts of Internet communications that talk “about” a targeted person’s selector, meaning that Americans’ communications might be pulled if they used WikiLeaks or Assange’s Internet identifiers in the body of their emails or chats. None of that would count as “targeted” “surveillance,” but it is presumably among the kinds of things EPIC had in mind when it tried to learn how FBI’s investigation of WikiLeaks was implicating completely innocent supporters.

I noted the way FBI’s declaration skirted both these issues some years ago, and everything we’ve learned since only raises the likelihood that FBI is playing a narrow word game to claim that it doesn’t have any responsive records, but out of an act of generosity it nevertheless considered the volumes of FBI records that are related to the request that it nevertheless has declared 7(A) over. Rothstein’s order replicates the use of the word “targeting” to discuss FBI’s search, suggesting the distinction is as important as I suspect.

Plaintiff first argues that the release of records concerning individuals who are simply supporting WikiLeaks could not interfere with any pending or reasonably anticipated enforcement proceeding since their activity is legal and protected by the First Amendment. Pl.’s Cross-Mot. at 14. This argument is again premised on Plaintiff’s speculation that the Government’s investigation is targeting innocent WikiLeaks supporters, and, for the reasons previously discussed, the Court finds it lacks merit.

All of which brings me to the remaining interesting subtext of this ruling.

Five years after the investigation into WikiLeaks must have started in earnest, 20 months after Chelsea Manning was found guilty for leaking the bulk of the documents in question, and over 10 months since Rothstein’s most recent update on the “investigation” in question, Rothstein is convinced these records may adequately be withheld because there is an active investigation.

While it’s possible DOJ is newly considering charges related to other activities of WikiLeaks — perhaps charges relating to WikiLeaks’ assistance to Edward Snowden in escaping from Hong Kong, though like Manning’s verdict, that was over 20 months ago — it’s also very likely the better part of whatever investigation into WikiLeaks is ongoing is an intelligence investigation, not a criminal one. (See this post for my analysis of the language they used last year to describe the investigation.)

Rothstein is explicit that DOJ still has — or had, way back when she read fresh declarations in the case — a criminal investigation, not just an intelligence investigation (which might suggest Assange’s asylum in the Ecuador Embassy in London is holding up something criminal).

In stark contrast to the CREW panel, this Court is persuaded that there is an ongoing criminal investigation. Unlike the vague characterization of the investigation in CREW, Defendants have provided sufficient specificity as to the status of the investigation, and sufficient explanation as to why the investigation is of long-term duration. See e.g., Hardy 4th Decl. ¶¶ 7, 8; Bradley 2d Decl. ¶ 12; 2d Cunningham Decl. ¶ 8.

Yet much of her language (which, with one exception, relies on the earliest declarations submitted in this litigation) sounds like it reflects intelligence techniques as much as criminal tactics.

Here, the FBI and CRM have determined that the release of information on the techniques and procedures employed in their WikiLeaks investigation would allow targets of the investigation to evade law enforcement, and have filed detailed affidavits in support thereof. Hardy 1st Decl. ¶ 25; Cunningham 1st Decl. ¶ 11. As Plaintiff notes, certain court documents related to the Twitter litigation have been made public and describe the agencies’ investigative techniques against specific individuals. To the extent that Plaintiff seeks those already-made public documents, the Court is persuaded that their release will not interfere with a law enforcement proceeding and orders that Defendants turn those documents over.

[snip]

In the instant case, releasing all of the records with investigatory techniques similar to that involved in the Twitter litigation may, for instance, reveal information regarding the scope of this ongoing multi-subject investigation. This is precisely the type of information that Exemption 7(A) protects and why this Court must defer to the agencies’ expertise.

I’m left with the impression that FBI has reams of documents responsive to what EPIC was presumably interested in — how innocent people have had their privacy compromised because they support a publisher the US doesn’t like — but that they’re using a variety of tired dodges to hide those documents.

Partnering with the Kiwis, NSA “Protects” Us from Climate Resistors?

The Intercept has what will be the first in a series of partnering articles with New Zealand’s great surveillance reporter Nicky Hager on the role of New Zealand’s SIGINT agency, Government Communications Security Bureau, in the Five Eyes dragnet. As part of it, they target South Pacific islands that it’s hard to understand as a threat to anyone.

Since 2009, the Government Communications Security Bureau intelligence base at Waihopai has moved to “full-take collection”, indiscriminately intercepting Asia-Pacific communications and providing them en masse to the NSA through the controversial NSA intelligence system XKeyscore, which is used to monitor emails and internet browsing habits.

[snip]

The documents identify nearly two dozen countries that are intensively spied on by the GCSB. On the target list are most of New Zealand’s Pacific neighbours, including small and vulnerable nations such as Tuvalu, Nauru, Kiribati and Samoa.

Other South Pacific GCSB targets are Vanuatu, the Solomon Islands, New Caledonia, Fiji, Tonga and French Polynesia. The spy agency intercepts the flows of communications between these countries and then breaks them down into individual emails, phone calls, social media messages and other types of communications. All this intelligence is immediately made available to the NSA, which is based in Maryland, near Washington, DC.

Effectively, the NSA forces GCSB to spy on these teeny tiny countries in the middle of the Pacific in order to benefit from our dragnet.

And for what?!?!

Even the CIA acknowledges that Nauru has no military, and it somewhat optimistically claims Nauru has no international disputes.

The same is true of Tuvalu.

Both have a dispute, of course. The rich lifestyles of the rest of the world (which Tuvalu shared in for a period of Phosphate exploitation) threaten to wipe these nations off the face of the earth with rising ocean levels. To the extent they might be threats to the US, it is because the citizens of Tuvalu and Nauru speak with the moral authority of some of the first peoples who will be wiped off the face of the earth because of climate change.

Aside from that, Tuvalu has its own Internet domain; Nauru has become a tax haven.

Still, it’s hard to believe that the most powerful country in the world, which has an active military population that is 136 times the population of these countries, is really threatened by either of these countries.

But nevertheless, we’re forcing New Zealand to get “full take” from them, as the price of admission to our spying club.

How Internet Dragnettery Got Way More Permissive Under PRISM

I’m finally working through the minimization procedures released earlier this month as part of the blitz claiming that the Intelligence Community has made big changes in the year since President Obama’s surveillance speech. Here’s my first working thread, on FBI’s Section 702 minimization procedures (SMPs).

The SMPs provide one sense of why the NSA shut down the Internet dragnet in 2011. As a court filing last year made clear, one of the places the Internet metadata analysis moved to was Section 702. And FBI’s SMPs show that collecting and analyzing metadata via PRISM would be far more permissive in a number of ways than doing it under the rules laid out under the PRTT orders.

The first reason is obvious: whereas the PRTT dragnet could only be used for terrorism purposes, FBI can pull metadata from foreign selectors identified for any number of reasons: there are counterterrorism and counterproliferation certificates, as well as a foreign government one that appears to get used very broadly, including to cover hackers, which the government seems to treat as a counterintelligence function.

Moreover, FBI can disseminate metadata results far more broadly. It can disseminate USP data for all foreign intelligence information, which would include counterterrorism, counterproliferation, and (assuming they’re treating hacking as a clandestine intelligence activity) hackers. And it can disseminate such metadata analysis to state, local, tribal, and other agencies. There’s only protection for USP identities if FBI pulled it for foreign power purposes (that is, who’s chatting with Angela Merkel).

Those receiving the data would be told there are SMPs, but they wouldn’t require any training to receive such query results.

And that’s all before you consider that FBI can “transfer some or all such metadata to other FBI electronic and data storage systems,” which seems to broaden access to it still further.

Users authorized to access FBI electronic and data storage systems that contain “metadata” may query such systems to find, extract, and analyze “metadata” pertaining to communications. The FBI may also use such metadata to analyze communications and may upload or transfer some or all such metadata to other FBI electronic and data storage systems for authorized foreign intelligence or law enforcement purposes.

In this same passage, the definition of metadata is curious.

For purposes of these procedures, “metadata” is dialing, routing, addressing, or signaling information associated with a communication, but does not include information concerning the substance, purport, or meaning of the communication.

I assume this uses the very broad definition John Bates rubber stamped in 2010, which included some kinds of content. Furthermore, the SMPs elsewhere tell us they’re pulling photographs (and, presumably, videos and the like). All those will also have metadata which, so long as it is not the meaning of a communication, presumably could be tracked as well (and I’m very curious whether FBI treats location data as metadata as well).

Using PRISM data, it would be far, far easier to “correlate” multiple identities, so as to show (for example) all the people chained off of one person’s multiple Google identities, because the providers know these (note, too, this seems to have been something the government started asking Yahoo for months after Protect America Act started).

Then there’s retention. While some of the key numbers are redacted, the base retention level for FBI 702 data is 5 years, and for data deemed to have a foreign intelligence purpose it is longer — perhaps as long as the 20 and 30 year retention for FBI records (plus 5 years on the front end). So whereas the NSA had to throw out the underlying data after 4.5 and, for a period, 5 years, they can keep underlying data far longer at the FBI.

Finally, there’s tracking. It appears the FBI doesn’t have to track the metadata queries it makes at all.

The FBI shall identify FISA-acquired information in its storage systems, other than those used solely for link analysis of metadata, that has been reviewed and meets those standards.2

2 Although the FBI need not mark metadata as meeting the retention standards or as having been disseminated, the FBI must still assess whether the metadata meets the requirements for dissemination pursuant to Section V prior to actually disseminating the information.

Indeed, this may be the real problem for FBI’s counting of back door searches — that they don’t require the tracking of metadata queries at all.

And I think it’s possible (though I’m less sure about this) the curious language I noted in USA Freedom Act exempting communications metadata from cloud providers may also hide what isn’t already protected under back door searches, basically not counting this metadata collection as such.

So whereas under the PRTT program the NSA tracked every single metadata query, using PRISM data there’d be almost no tracking at all.

There are, I think, just two limits in using PRISM to do Internet dragnettery (but remember, some of this almost certainly moved overseas under SPCMA as well, which wouldn’t have these particular limits). First, depending on how a provider retains their data (and how long a user retains her own communications), the FBI might not have access to 5 years of communications data when it first started tracking someone (though it seems NSA primarily needed 2 years, and given how long people keep email, there’d often be far more than 5 years available).

And finally — and this is a significant one — there’s the requirement that the government only target people overseas. So unless FBI is permitted to pull two or three degrees of communication off of targets (and they might be!), it would be harder, though not impossible, to show internal communication patterns.

Still, I can see how they’d find the PRTT dragnet to have performance limits. Because, for the purpose of tracking those with ties to known overseas threats, pulling metadata from PRISM would be far more permissive if you did it at FBI.

34 Years Later, Treasury Is Still Operating without Procedures to Protect Americans under EO 12333

With almost no explanation, PCLOB just released this table ODNI compiled showing the status of procedures agencies follow to protect US person information when using data obtained under EO 12333. This is something PCLOB has been pushing for since August 2013, when it sent a letter to Attorney General Holder pointing out that some agencies weren’t in compliance with the EO.

As you know, Executive Order 12333 establishes the overall framework for the conduct of intelligence activities by U.S. intelligence agencies. Under section 2.3 of the Executive Order, intelligence agencies can only collect, retain, and disseminate information about U.S. persons if the information fits within one of the enumerated categories under the Order and if it is permitted under that agency’s implementing guidelines approved by the Attorney General after consultation with the Director of National Intelligence.

The Privacy and Civil Liberties Oversight Board has learned that key procedures that form the guidelines to protect “information concerning United States person” have not comprehensively been updated, in some cases in almost three decades, despite dramatic changes in information use and technology.

So I assume the release of this table is designed to pressure the agencies that have been stalling this process.

The immediate takeaway from this table is that, 34 years after Ronald Reagan ordered agencies to have such procedures in Executive Order 12333 and 18 months after PCLOB pushed for agencies to follow the EO, several intelligence agencies still don’t have Attorney General approved procedures. Those agencies and the interim procedures they’re using are:

The Department of Homeland Security’s notoriously shoddy Office of Intelligence and Analysis: Pending issuance of final procedures, I&A is operating pursuant to Interim Intelligence Oversight Procedures, issued jointly by the Under Secretary for Intelligence and Analysis and the Associate General Counsel for Intelligence (April 3, 2008).

United States Coast Guard (USCG)- Intelligence and counterintelligence elements: Pending issuance of final procedures, operating pursuant to Commandant Instruction – COMDINST 3820.12, Coast Guard Intelligence Activities (August 28, 2003).

Department of Treasury Office of Intelligence and Analysis (OIA): Pending issuance of final procedures. While draft guidelines are being reviewed in the interagency approval process, the Office of Intelligence and Analysis conducts intelligence operations pursuant to EO 12333 and statutory responsibilities of the IC element, as advised by supporting legal counsel.

Drug Enforcement Administration, Office of National Security Intelligence (ONSI): Pending issuance of final procedures, operates pursuant to guidance of the Office of Chief Counsel, other guidance, and: Attorney General approved “Guidelines for Disclosure of Grand Jury and Electronic, Wire, and Oral Interception Information Identifying United States Persons” (September 23, 2002); Attorney General approved “Guidelines Regarding Disclosure to the Director of Central Intelligence and Homeland Security Officials of Foreign Intelligence Acquired in the Course of a Criminal Investigation” (September 23, 2002).

I’m not surprised about DHS I&A because — as I noted — most people who track it know that it has never managed to do what it claims it should be doing. And I’m not all that worried about the Coast Guard; how much US person spying are they really doing, after all?

One should always worry about the DEA, and the fact that DEA has only had procedures affecting some of its use of EO 12333 intelligence is par for the course. I mean, limits on what it can share with CIA, but no guidelines on what it can share with FBI? And no guidelines on what it has dragnet collected overseas, where it is very active?

But I’m most troubled by Treasury OIA. In part, that’s because it doesn’t have anything in place — it has just been operating on EO 12333, apparently, in spite of EO 12333’s clear requirement that agencies have more detailed procedures in place. But Treasury’s failure to develop and follow procedures to protect US persons is especially troubling given the more central role OIA has — which expanded in 2004 — in researching and designating terrorists, weapons proliferators, and drug kingpins.

OIA makes intelligence actionable by supporting designations of terrorists, weapons proliferators, and drug traffickers and by providing information to support Treasury’s outreach to foreign partners. OIA also serves as a unique and valuable source of information to the Intelligence Community (IC), providing economic analysis, intelligence analysis, and Treasury intelligence information reports to support the IC’s needs.

As it is, such designations and the criminalization of US person actions that might violate sanctions imposed pursuant to such designations are a black box largely devoid of due process (unless you’re a rich Saudi businessman). But Treasury’s failure to establish procedures to protect US persons is especially troubling given how central these three topics — terrorists, weapons proliferation, and drugs — are in the intelligence community’s overseas collection. This is where bulk collection happens. And yet any US persons sucked up in the process and shared with Treasury have only ill-defined protections?

Treasury’s role in spying on Americans may be little understood. But it is significant. And apparently they’ve been doing that spying without the required internal controls.

 

DOJ Says It’s Not Legally Required to Tell Wyden Whether Executive Branch Conduct Was Legal

Via Ali Watkins’ story on Dianne Feinstein’s vindication by the Senate parliamentarian, Ron Wyden has written Eric Holder a letter listing all the unfinished business he’d like the Attorney General to finish before going off to his sinecure defending banks (my assessment, not Wyden’s).

Three of the requests are familiar:

  • A request to know the limits of using deadly force against Americans outside of declared war zones
  • A request for the withdrawal and declassification of an OLC opinion on common commercial service agreements
  • A request that Holder share the Torture Report widely so it can be useful (or maybe even just open it)

But a fourth is, as far as I know, new:

I have asked repeatedly over the past several years for the Department of Justice’s opinion on the lawfulness of particular conduct that involved an Executive Branch agency. I finally received a response to these inquiries in June 2014; however the response simply stated that the Department of Justice was not statutorily obligated to respond to my question. I suppose there may not be a particular law that requires the Department to answer this question, but this response is nonetheless clearly troubling. My question was not hypothetical, and I did not ask to see any pre-decisional legal advice — I simply asked whether the Justice Department believed that the specific actions taken in this case were legal. It would be reasonable for the Department to say “Yes, this conduct was lawful” and explain why, or to say “No, this appears to have been unlawful” and take appropriate follow-up action. Refusing to answer at all is highly problematic and clearly undermines effective oversight of government agencies, especially since the actions in question were carried out in secret. For these reasons, I renew my request for an answer to the question, and I hope that you can help provide one.

Uh, with all due respect, Senator, I believe Holder has given you an answer: While I don’t know what the actions in question are, it seems the answer is, “Yes, those actions were illegal, but since we’re not going to do anything about it, we’re not going to tell you that.”

Or perhaps, “Yes, those actions were illegal. But if the President orders them, we don’t consider them illegal.”

Wyden has apparently been asking this for “several years.” While that doesn’t entirely rule out CIA spying on SSCI (which, after all, DOJ has answered by not prosecuting), it seems it is some other action he learned about under Obama’s tenure.

So is DOJ refusing to prosecute some clearly illegal action that happened under Obama?

Working Thread: New and Improved Dragnettery

I Con the Record has released a series of changes to the dragnet to fulfill President Obama’s directive to improve privacy. This will be a working thread.

Seeking Independent Advice

This section lays out all the independent advice the IC has sought in the last 18 months, from the advice largely ignored (President’s Review Group) to narrowly scoped (the National Academies of Science report that assessed whether the IC could get the same features of the current phone dragnet, without assessing whether it was effective) to the largely inane (Congressional hearings).

It doesn’t really address whether it’s using this advice effectively. There seems to be an underlying efficacy question still missing.

Privacy and Civil Liberties Protections

This appears to be the meat of the report.

It starts by linking to the interim report that basically exempted the most privacy intrusive parts of NSA’s dragnet — bulk collection and research — from its privacy protections.

It then links all the agencies’ efforts to implement

These will take closer review. Note that DEA’s report only covers its Office of National Security Intelligence, which seems to suggest there’s a lot more — a whole lot more — intelligence that falls outside this area. And it’s really perfunctory. Compare the storage section with that of DHS, which at least has standards it has to meet for the security of the data it keeps (even if we know DHS is so technologically backwards they can’t really meet this).

FBI

I can already see some problems with FBI’s entry (which conveniently cannot be cut and pasted). For example, it assumes any minimized data it receives adheres to certain standards. “Unless it possesses specific information to the contrary, the FBI will presume that any evaluated or minimized section 702 information it receives from other IC elements meets these standards.” The recently liberated 702 report showed that this left a bit of a gap in compliance.

Then there’s the exception that eats the rule, which prohibits FBI from keeping any unevaluated non-US person data for longer than 5 years “unless retention of comparable information concerning U.S. persons would be permitted under section 2.3 of Executive Order 12333.” FBI’s interpretation of exceptions here is very broad.

FBI’s queries language is not tied to law enforcement investigations. That likely means that it retains the ability to do queries for assessments, which require no evidence of wrong-doing.

When FBI talks about oversight, it describes “periodic auditing.” Given that the 702 IG report showed that FBI had basically blown off statutory requirements for auditing and reports for 2 of 3 years reviewed, I’d like to see something more concrete than this…

Incidentally, note that FBI just signed this on February 2. It appears they were the last (or among the last) agencies to finish these (probably after deadline, too, as this was supposed to be rolled out on the 1 year anniversary of Obama’s speech).

NSA

There are some interesting exceptions in the NSA report, including the ginormous one for bulk collection. I’m particularly interested in a few of these:

[Screenshot: excerpt from the NSA report]

The economic advantage language appears to get weaker and weaker in here. It now states that identifying trade violations does not constitute a competitive advantage. It also permits the collection of private trade secrets for national security purposes — which is what China would say it is doing when it steals our secrets.

I think the retention language has gotten slightly broader, now. The encrypted communication exception has been rewritten to include anything not processed into intelligible form.

It also states, “personal information about the routine activities of a non-U.S. person would not be disseminated without some indication that the personal information is related to an authorized foreign intelligence requirement.” Consider how this language would work for what we know to have been spying on the online sex habits of people the US wants to discredit. First, they only need “some indication” that the dissemination is tied to a FI requirement. There’s also that word, “related to,” which as we know now means “all.” In other words, this exception would still permit really intrusive spying, if we thought the target was a nice FI target.

Others

Love this from DOE: “The origins of specific information contained in evaluated or finished intelligence products—or the specific means by which such information was collected—may not in all cases be evident to DOE-IN or DOE as a recipient of such intelligence products.” State has a very similar caveat.

Non-NSA DOD components just adopted NSA’s document.

Judicial Redress


CIA’s Careful Terrorism

Both WaPo and Newsweek have stories out on CIA’s role in assassinating Imad Mugniyah in 2008. As described, Michael Hayden loved the idea, but then got a bit squeamish about ordering a hit. Luckily, President Bush was all too happy to approve it. Here’s Newsweek:

“General Hayden, at first, was all for this,” the former official said, “But slowly, or maybe not so slowly, the realization set in for him that he was ordering an assassination, that basically he was putting out a hit. And once he became pretty much cognizant of the fact that he was basically ordering the murder of someone, he got cold feet. He didn’t fancy himself as a Corleone.”

And he wasn’t, really. That role would ultimately fall to the president.

“Obviously [Hayden] had to get authority for this, and authority could come from only one person, and that would be POTUS,” said the participant. “So he went down to see President Bush. It took Bush apparently only about 30 seconds to say, ‘Yes, and why haven’t you done this already? You have my blessing. Go with God.’”

[snip]

But in late December, with the bomb ready and Mugniyah firmly in their sights, Hayden “started to get really cold feet again,” the participant said. He decided to go see President Bush personally—on Christmas Eve 2007, at Camp David.

“On Christmas Eve morning, he and [Deputy CIA Director Steven] Kappes fly up to Camp David to see POTUS, to say, ‘Okay, look, here’s what we got, everything is in place, do we still have the go-ahead?’ And POTUS basically threw both of them out, saying, ‘Why are you up here wasting my time on Christmas Eve? Get the fuck out and go do this. Not quite in those terms. But it was, ‘Yes, I’ve already given you my approval. Go do this; go with God.’”

“Go with our Christian God,” I guess Bush meant.

Both pieces emphasize how careful the CIA and Mossad were with their terrorist tactics, to make sure only their target was killed. Again, Newsweek:

Finally, the car was in place. But then there were always other people around. Weeks more went by. Hayden’s demands that only Mugniyah be killed, and no one else, with no collateral damage, had to be met.

“It was always either he wasn’t alone, or he had his kids with him, or somebody else with him, or there were casuals in the area, or he was gone, he was in the Bekka [Valley] or someplace else, he wasn’t in his apartment,” the participant said. “The rules of engagement were so tight that he probably walked past the thing dozens of times but they just couldn’t do anything because somebody was there or it just didn’t fit into the rules of engagement.”

“They were keeping watch on this just about all the time,” he added. “They were taking shifts, a station officer and a Mossad officer. The Mossad officer was there just to make the confirmation that, ‘yeah, that’s him.’”

The kill was made all the harder by the way the bomb would be detonated. There was a two-second delay from the time the CIA and Mossad agents in the lookout post pushed the button to when the bomb exploded. Under the plan, the Mossad agent would ID Mugniyah, and the CIA man would press the remote control.

“So you would have to count—one, one thousand; two, one thousand…” the participant said. “They had about six seconds from the time he came out of the apartment door to the time he moved out of the danger zone. So they had to do it really fast.”

And WaPo notes how tedious it was to get approval to kill a guy whose attacks on the US were years earlier, under Reagan.

Former U.S. officials, all of whom spoke on the condition of anonymity to discuss the operation, asserted that Mughniyah, although based in Syria, was directly connected to the arming and training of Shiite militias in Iraq that were targeting U.S. forces. There was little debate inside the Bush administration over the use of a car bomb instead of other means.

“Remember, they were carrying out suicide bombings and IED attacks,” said one official, referring to Hezbollah operations in Iraq.

[snip]

The authority to kill Mughniyah required a presidential finding by President George W. Bush. The attorney general, the director of national intelligence, the national security adviser and the Office of Legal Counsel at the Justice Department all signed off on the operation, one former intelligence official said.

The former official said getting the authority to kill Mughniyah was a “rigorous and tedious” process. “What we had to show was he was a continuing threat to Americans,” the official said, noting that Mughniyah had a long history of targeting Americans dating back to his role in planning the 1983 bombing of the U.S. Embassy in Beirut.

“The decision was we had to have absolute confirmation that it was self-defense,” the official said.

(Note, Newsweek says the Finding was signed under Reagan, which actually makes more sense since the Gloves Come Off Memorandum of Notification Bush and Obama have relied on was also a modification of a Finding signed by him.)

This is, presumably, meant to be a big success story for CIA. My hope, however, is that it adds some nuance to debates about our use of drones. If the US kills more collateral casualties using drones than using a classic terrorist technique — in both cases making really attenuated claims about current threats — which is the greatest terror technique?

Update: Kevin Jon Heller argues the US violated the Terrorist Bombing Convention.

Levitation: Inspire-Ing Work from CSE

The Intercept and CBC have a joint story on a Canadian Security Establishment project called Levitation that seems to confirm suspicions I’ve had since before the Snowden leaks. It targets people based on their web behavior (the story focuses on downloads from free file upload sites, but one page of the PPT makes it clear they’re also tracking web search terms and other behaviors), and once it finds behavior of suspicion (such as accessing bomb-making instructions; it calls these “events”) it uses SIGINT tools, including NSA’s MARINA, to work backwards off those accessing those materials to get IPs, cookies, Facebook IDs, and the like to identify a suspect.

The PPT is the most detailed explanation that I’ve seen of how the SIGINT agencies do “correlations” — a function about which I believe ODNI continues to hide an August 20, 2008 FISC opinion. It appears to do so in two ways: first, by tracking known correlations. But also, by analyzing similar activities from around the same time from the same IP, then coming up with other identifiers that, with varying degrees of probability, are probably the same user. This serves, in part, to come up with new identifiers to track.

I’ve argued the NSA does similar analysis using known codes tied to Inspire (not the URL, necessarily, but possibly the encryption code included in each Inspire edition) on upstream collection, which would basically identify the people within the US who had downloaded AQAP’s propaganda magazine. One reason I’m so confident NSA does this is because of the high number of FBI sting operations that seem to arise from some 20-year-old downloading Inspire, which then appears to get sent out to a local FBI office for further research into online activities and ultimately approaches by a paid informant or undercover officer.

In other words, this kind of analysis seems to lie at the heart of a lot of the stings FBI initiates.

But as the “Scoreboard” slide in this presentation makes clear, what this process gives you is not validated IDs, but rather probabilistic matches (which FISC appears to deal with using minimization procedures, suggesting they let NSA collect on these probabilistic matches with the understanding they have to treat the data in some certain way if it ends up being a false positive).

That’s important not just for the young men whom FBI decides might make worthwhile targets (even if they’re being targeted, largely, on their First Amendment activities).

It’s important, too, for the false negatives, by far the most important of which I believe to be the Tsarnaev brothers, both of whom reportedly had downloaded multiple episodes of Inspire, as well as other similar jihadist material, and on whom NSA had collected data it never accessed until after the attack, but neither of whom got targeted off this correlation process before they attacked the Boston Marathon.

That is, this really important possible false negative, just as much as the dubious positives that end up getting unbalanced young men targeted by the FBI, may say as much about the reliability of this process as anything else.

This CSE PPT is not yet proof that my suspicions are entirely accurate (though my claims here about correlations are based on officially released documents). But it strongly suggests my suspicions have been correct.

And — particularly given ODNI’s refusal to release what appears to be a key opinion describing the terms on which FISC permits the use of these correlations — this ought to elicit far more conversations about how NSA and its Five Eye partners “correlate” identities and how those correlations get used.