The Common Commercial Services OLC Memo and Zombie CISPA

Some time last summer, Ron Wyden wrote Attorney General Holder, asking him (for the second time) to declassify and revoke an OLC opinion pertaining to common commercial service agreements. He said at the time the opinion “ha[d] direct relevance to ongoing congressional debates regarding cybersecurity legislation.”

That request would presumably have been made after President Obama’s April 25, 2012 veto threat of CISPA, but at a time when several proposed Cybersecurity bills, with different information sharing structures, were floating around Congress.

Wyden asked for the declassification and withdrawal of the memo again this January as part of his laundry list of requests in advance of John Brennan’s confirmation. Then, after having been silent about this request for 8 months (at least in public), Wyden asked again on September 26.

It appears that Wyden had intended to ask the question of one of the witnesses at an open Senate Intelligence Committee hearing (perhaps Deputy Attorney General James Cole), but — having had warning of his questions (because he sent them to the witnesses in advance) — Dianne Feinstein and Susan Collins ensured there would not be a second round of questions.

As it happens, Wyden made the request for the memo two days after DiFi told The Hill she was preparing to advance her version of CISPA, and the day after Keith Alexander started calling for cybersecurity legislation again.

In a brief interview with The Hill in the U.S. Capitol on Tuesday, Feinstein said she has prepared a draft bill and plans to move it forward.

The legislation would be the Senate’s counterpart to the Cyber Intelligence Sharing and Protection Act, known as CISPA, which cleared the House in April.

CISPA would remove legal barriers that prevent companies from sharing information with each other and the government about cyber attacks. It would also allow the government to share more information with the private sector.

Since then, Alexander has pitched new cybersecurity legislation in an “interview” with the NYT, admitting he needs to be more open about his plans for cybersecurity.

Now, the Executive Branch’s unwillingness to actually share the law as it interprets it with us mere citizens prevents us from understanding precisely what relationship this OLC memo has with proposed cybersecurity legislation — but Wyden made it clear in January that it does have one. But here are some things we might surmise about the memo:

  • The Administration is currently relying on this memo. If it weren’t using it, after all, it wouldn’t need to be revoked. That means that since at least January 14, 2011 (before which date Wyden and Russ Feingold first asked it be revoked), the Administration has had a secret interpretation of law relating in some way to cybersecurity.
  • The interpretation would surprise us. As Wyden notes, “this opinion is inconsistent with the public’s understanding of the law” (he doesn’t say what that law is, but I’ll hazard a guess and say it pertains to information sharing). It’s likely, then, that some form of online provider has been sharing cyber-intelligence with the federal government under some strained interpretation of our privacy protections (and, probably, some kind of Attorney General assurances everything’s cool).

Let’s use the lesson we learned during the FISA Amendments Act debate, when the telecoms were clamoring for the legislation and the retroactive immunity, while the Internet companies were grateful for “clarity” but explicitly opposed to retroactive immunity. When we learned the telecoms had been turning over the Internet companies’ metadata and content, this all made more sense. The Internet companies wanted the telecoms to be punished for stealing their data.

In this case, in the first round of CISPA (which had broad immunity protections), Facebook and Microsoft were supporters. But in this go-around (which has still generous but somewhat more limited immunity), the big supporters consist of:

  • Telecoms (AT&T, Verizon; interestingly, Sprint did not sign a letter of support)
  • Broadband and other backbone providers (Boeing, Cisco, Comcast, TimeWarner, USTelecom)
  • Banks and financial transfer
  • Power grid operators and other utilities

Now, who knows which of these entities the government is already relying on this common commercial services memo with, or which of our providers we believe have made certain assurances to us but have in fact made entirely different ones to the government.

But I will say the presence of the telecoms, again angling for immunity for information sharing, along with their analogues the broadband providers, does raise questions. Especially considering a Verizon exec’s trash talking about consumer-centric Internet companies that don’t prioritize national security.

Stratton said that he appreciated that “consumer-centric IT firms” such as Yahoo, Google, Microsoft needed to “grandstand a bit, and wave their arms and protest loudly so as not to offend the sensibility of their customers.”

“This is a more important issue than that which is generated in a press release. This is a matter of national security.”

After all, the telecoms have a history of willingly cooperating with the government, even if it bypassed the protections offered by Internet companies, even if it violated the law. Have they been joined by big broadband?

Well, DOJ could clear all this up by revoking and releasing the memo. Until they do, though, my wildarsed guess is that those operating the Toobz in the country — the telecom and broadband companies — have already started sharing consumers’ data that a plain reading of the law seemingly wouldn’t permit them to do.

Intelligence Committees: Not Informed about Torture, Not Informed about Drone Casualties, Not Informed about US Person Spying

Amnesty International and Human Rights Watch released reports on US drone killings today. For the moment, I’m going to outsource reading the reports to Sarah Knuckey’s excellent post.

Both reports (per Knuckey) point to individual drone strikes on civilians that may, or probably do, violate international law.

Specific US strikes killed civilians in violation of the law and US policy.  These are the first major reports by each organization detailing field investigations into specific strikes.  HRW reviewed six strikes in Yemen (occurring between December 2009 and April 2013). HRW concluded that two of the strikes violated international law (pp. 54, 67), four may have (pp. 30, 39, 43, 60), and none of the six appeared to have complied with Obama’s May 2013 Presidential Policy Guidance (p. 89).  AI reviewed all 45 reported Pakistan strikes between January 2012-August 2013, and investigated nine in detail.  AI’s legal findings include that “evidence indicates” that an October 2012 strike unlawfully killed a grandmother and injured eight children (p. 23), and AI had “serious concerns” that a July 2012 strike that killed 18 and injured 22 (p. 24) may have been a war crime or extrajudicial execution (p. 27).  AI also investigated a number of strikes on apparent rescuers (those who came to the scene of a first strike to help the wounded), which it concluded may have been illegal (pp. 28-30).  Neither report seeks to assess the total number or rate of civilian casualties for all strikes.

[snip]

Investigations and accountability obligations. AI states that the US has legal obligations to investigate any cases where there are “reasonable grounds to indicate that unlawful killings have occurred,” and to prosecute, and remedy where appropriate (pp. 35-37).  HRW similarly states that the US has a duty to investigate violations of the laws of war, and that government secrecy effectively denies victims’ right to redress (p. 87).  Both reports also state the US should provide compensation or condolence payments for any civilian harm, but that neither organization is aware of the US having done this (AI, p. 39; HRW, p. 88).

This documentation of civilian casualties, of course, provides further evidence Dianne Feinstein and Mike Rogers’ claims about civilian casualties are false.

But we knew that.

Which means, in addition to the fact that we’re violating international law with some of our drone killings, we also are seeing a recurrent trend.

Even the CIA’s own lawyer agreed that CIA didn’t properly inform Congress, including the Intelligence Committees, about torture.

We’re learning that vast parts of the NSA’s spying — including spying that collects US person data — remains largely hidden from the Intelligence Committees.

And we have yet more proof they have been misinformed about drone killings.

Is there some dubiously legal program the Intelligence Community has fully informed Congress on?

False Prophet of Adequate Congressional Oversight Finds Congressional Ignorance Unnewsworthy

I was going to leave this post, in which Ben Wittes complains that WaPo published details of NSA’s collection of millions of contact lists, which he didn’t find at all newsworthy, well enough alone.

Here the public interest in disclosure seems, at least to me, remarkably weak, after all. At the policy level, the entire story amounts to nothing more than the proposition that NSA is under 12333 collecting large volumes of live-stream data, storing it, and protecting U.S. person material within that data only through minimization requirements. We knew all of that already.

So what does this story reveal that we didn’t already know? A specific collection method that people can now frustrate and a particular interest in collecting contact lists. In other words, here the Post does not seem to be balancing the costs of the disclosure against its benefit to the public interest. The costs, rather, are the benefit to the public interest. Put another way, I can’t quite shake the feeling that my old newspaper is now blowing secrets merely for the sake of doing so.

But his response to this post from Conor Friedersdorf convinced me to do a post. He’s written about 40 tweets in response, asserting things like, “there is no good argument that this sort of activity is illegal under current law.” In all that tweeting, he did not, however, respond to what I thought was a pretty decent argument that this sort of activity might be illegal under current law.

Two years ago, then-FISA Court Judge John Bates considered the legality of content collected off US switches. He found the practice, as it had been conducted for over 3 years, violated both Section 702 of the FISA Amendments Act and the Fourth Amendment because it intentionally collected US person data (NSA’s apologists usually obscure this last point, but Bates’ opinion was quite clear that this was intentional collection). To make the collection “reasonable” under a special needs exception, he required NSA to follow more stringent minimization procedures than those already required under Section 702, effectively labeling some of the data and prohibiting the NSA from using US person data except in limited circumstances.

That collection differs from the contact list collection revealed by the WaPo in several ways:

The contact lists are collected overseas

WaPo’s sources are quite clear: this collection would be illegal in the US. They get around that restriction by collecting the data overseas.

The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss the classified program. “None of those are on U.S. territory.”

It’s not clear whether the contact list counts as metadata or content

The collection reviewed by Bates was clearly content: Internet messages collected because a selector appeared in the body of the message. With the contact lists, I could see the government claiming it was just metadata, and therefore (incorrectly, in my opinion but not in current law) subject to a much lower standard of protection. Except (as noted) WaPo’s sources admit this would be illegal if collected in the US, probably because NSA is collecting content as well.

Each day, the presentation said, the NSA collects contacts from an estimated 500,000 buddy lists on live-chat services as well as from the inbox displays of Web-based e-mail accounts.

[snip]

Contact lists stored online provide the NSA with far richer sources of data than call records alone. Address books commonly include not only names and e-mail addresses, but also telephone numbers, street addresses, and business and family information. Inbox listings of e-mail accounts stored in the “cloud” sometimes contain content, such as the first few lines of a message.

This data is subjected to a much lower standard of minimization than that imposed by Bates

In his flurry of tweets, Ben keeps repeating that the US person contact lists collected under this program are protected by minimization, so it’s all good. But minimization for Executive Order 12333 collection is not as rigorous as minimization under Section 702, and certainly doesn’t include the special handling that Bates required to make the Section 702 upstream collection compliant with the Fourth Amendment. So even for those who believe minimization on bulk collection gets you to compliance with the Fourth Amendment, it’s unclear whether the minimization provided for this collection does, and given Bates’ ruling, there’s reason to believe it does not.

Neither Congress nor the FISA Court oversees this collection closely

This is the part of the WaPo story that a guy like Ben who wails NAKED! every time someone questions whether there’s adequate oversight ought to have noted. A single source claimed this program includes checks and balances. But as WaPo lays out, these aren’t checks and balances like those protecting other US person collections.

A senior U.S. intelligence official said the privacy of Americans is protected, despite mass collection, because “we have checks and balances built into our tools.”

NSA analysts, he said, may not search within the contacts database or distribute information from it unless they can “make the case that something in there is a valid foreign intelligence target in and of itself.”

In this program, the NSA is obliged to make that case only to itself or others in the executive branch. With few exceptions, intelligence operations overseas fall solely within the president’s legal purview. The Foreign Intelligence Surveillance Act, enacted in 1978, imposes restrictions only on electronic surveillance that targets Americans or takes place on U.S. territory.

[snip]

Sen. Dianne Feinstein, the California Democrat who chairs the Senate Intelligence Committee, said in August that the committee has less information about, and conducts less oversight of, intelligence gathering that relies solely on presidential authority.

Obama Throws Top Spying Partner, Verizon, at ObamaCare

For the record, I hope the Administration finds a way to fix the ObamaCare website. While ObamaCare is a mix of good (Medicaid expansion, Medicare tweaks, MLR, some weakly enforceable limits on insurers) and bad (cost, corporate incentives, Caddy tax, insurance over care), if it fails it will set back efforts to improve health coverage in this country.

But I do take some of the warnings about how difficult it will be to fix the site seriously.

All that said, I’m not sure this is the “best and brightest” group of consultants Obama should have chosen to “surge” the website fix.

An informed source in the telecommunications industry said Verizon’s Enterprise Solutions division has been asked by the Department of Health and Human Services to improve the performance of the HealthCare.gov site, which is a key component of the Affordable Care Act. The source spoke on condition of anonymity because the announcement had not been made official.

HHS office said Sunday the department would reach outside its government contractors to civilian companies that might be able to solve HealthCare.gov’s problems more quickly.

“Our team is bringing in some of the best and brightest from both inside and outside government to scrub in with the team and help improve HealthCare.gov,” an HHS blog post said on Sunday.

HHS did not respond to a request for confirmation about Verizon. The company also declined to comment.

It makes sense for HHS to seek Verizon’s help, said Aneesh Chopra, the Obama administration’s former chief technology officer and now a senior fellow at the Center for American Progress. “There is an existing ‘best and brightest’ available to call in,” Chopra said. “Verizon is one of those already under contract.”

Even assuming Verizon is among the most competent entities in doing this kind of fix, there are the optics.

Verizon is, after all, the entity that charges millions of Americans inflated rates even as it turns over data on all their phone-based relationships on a daily basis. In addition, along with AT&T and Sprint, Verizon helps the government copy and scan up to 75% of US Internet content in search of secret selectors.

Verizon is, then, one of the worst examples of the dangerous marriage between big corporate and big government. Which perhaps makes it an appropriate entity to be tied to ObamaCare, but not one that will help ObamaCare’s credibility.

Why Does France Get Publicly-Reported Phone Calls?

The White House just released a readout of a call between President Obama and French President François Hollande pertaining to the spying revealed yesterday by Le Monde.

Readout of the President’s Call with President Hollande of France

The President spoke today with President Hollande of France. The United States and France are allies and friends, and share a close working relationship on a wide range of issues, including security and intelligence. The President and President Hollande discussed recent disclosures in the press – some of which have distorted our activities and some of which raise legitimate questions for our friends and allies about how these capabilities are employed. The President made clear that the United States has begun to review the way that we gather intelligence, so that we properly balance the legitimate security concerns of our citizens and allies with the privacy concerns that all people share. The two Presidents agreed that we should continue to discuss these issues in diplomatic channels moving forward.  The two leaders also discussed the ongoing violence in Syria and the importance of a political solution to the crisis.

Such releases tend to be blather, so I don’t take all that much from the content of the readout.

But I am interested that they released it.

Remember, this is not the first conversation with an angry world leader Obama has had about the runaway NSA. Angela Merkel, Dilma Rousseff, and Enrique Peña Nieto have as well. And while Obama was in Germany not long after the initial Germany releases, and saw Rousseff at the G20 in Russia not long after the worst of the Brazilian stories, I don’t see any call with Peña Nieto. Plus, we know there was a follow-up call between Obama and Rousseff on September 16 (he was supposed to report his findings about the nature of NSA’s spying on Brazil and Rousseff; she called off her State Visit the day afterwards).

I assume the Obama-Rousseff call couldn’t be spun into a happy message like this one.

But what of the call to Peña Nieto? Or did he already know about the spying they did before he was elected, because content from it has been used to pressure him to keep the DEA presence in Mexico?

On the 12th Day of Christmas, the NSA Gave to Me … 12 “Terrorism Supporters”

Dianne Feinstein is writing op-eds again. Of course, I’m not actually recommending you read her defense of the phone dragnet program — though I do recommend this rebuttal of her claims from ACLU’s Mike German.

In other words, the problem was not that the government lacked the right tools to do its job (it had ample authority to trace Mihdhar’s calls). The problem was that the government apparently failed to use them.

But I do want to look at how DiFi dances around the debunked claims about all the plots the dragnet has stopped.

Since its inception, this program has played a role in stopping roughly a dozen terror plots and identifying terrorism supporters in the U.S.

Her claim is grammatically false, of course. Of the two of these 12 cases in which Section 215 is known to have been useful, only one — when it was used to identify a previously unknown phone of an already identified accomplice of Najibullah Zazi — involved actually stopping a plot. In the other, all Section 215 did was identify a supporter of terrorism, Basaaly Moalin. And even there, the FBI itself believed Moalin sent money to al-Shabaab not so much to support terrorism as to support expelling the (US-backed) Ethiopian invaders of Somalia.

So while she could say that on 12 occasions Section 215 has helped stop a plot or identified terrorism supporters, what she has said is — surprise surprise! — a lie.

But I am rather amused at how close DiFi gets to arguing that a dragnet of every American’s phone-based relationships is worthwhile because it has found 12 guys who support, but do not engage in, terrorism.

NSA’s Section 702 Success: 150 Gigs of Defense Contractor Data Protected

Over four months ago, I noted that the most impressive success touted in James Clapper’s fact sheet on Section 702 pertained to cybersecurity, not terrorism.

Communications collected under Section 702 have provided significant and unique intelligence regarding potential cyber threats to the United States, including specific potential network computer attacks. This insight has led to successful efforts to mitigate these threats.

Le Monde, as part of its package on US spying on France, published yet another version of the PRISM slide presentation, including this slide (and 2 others that haven’t been published before; h/t Koen Rouwhorst).

While I’m not sure we’re yet looking at the complete PRISM slideset, at least as it stands, this slide tells the sole success story in the presentation. It describes how, on December 14, 2012, the NSA/CSS Threat Operations Center alerted the FBI to an implant on a Defense contractor’s network. The FBI and the contractor managed to take action that same day to prevent the exfiltration of 150G of data.

And thus using upstream collection (the slide cites Stormbrew), the NSA managed to do something equivalent to stopping China from getting yet another module of data on the F-35 development to go along with all the other data it has stolen.

While I’m glad the NSA prevented yet more tax dollars from being wasted on secrets China (or someone like them) was going to steal anyway, I am rather interested that this gets touted internally as Section 702’s big success story.

After all, Keith Alexander has been chanting terror terror terror terror for the last four months. It turns out — as I’ve been saying all along — it’s not about the 54 mostly overseas plots Section 702 has helped to thwart, it’s about cybersecurity.

Moreover, it doesn’t involve someone’s personal communications accessed via PRISM. It involves upstream collection (this also suggests that when NSA describes searching for “selectors” in upstream collection, it searches on more than just emails and phone numbers, as it has previously suggested).

Again, this success is in no way a bad thing; kudos to the NSA for catching this.

It just highlights how we’re being sold a dragnet to protect against hackers based on fear of terrorists.

Update: In a Guardian post today, I argue Obama should use the replacement of Keith Alexander as an opportunity to break up NSA.

Metaphorically, the NSA has pursued its search for intelligence by partly disabling the locks to all our front doors. Having thus left us exposed, it demands the authority to be able to enter our homes to look around and see if those disabled locks have allowed any nasty types to get in.

Given the way the NSA’s data retention procedures have gone beyond the letter of the law to allow them to keep Americans’ data if it presents a threat to property (rather than just a threat of bodily harm), while the NSA is looking for nasty types, they might also make sure you don’t have any music or movies for which you don’t have a receipt. Thus it has happened that, in the name of preventing invaders, the NSA has itself invaded

Does This Provide Insight into Obama’s Relative Silence?

The US Ambassador to Britain, Matthew Barzun, went on the Beeb and declined to criticize Edward Snowden.

Asked if he shared the UK security services’ concerns about the threat to national security from the leaks, he said he wanted to focus on the “importance of having this debate about what the trade-offs are between security and privacy, between transparency and secrecy, and to do so in a way that protects whistleblowers – which is different, by the way, from wholesale releasing of information, hundreds of thousands of documents”.

This is a remarkable statement from someone at the heart of what must be touchy relations between the NSA and GCHQ and the US and Brits more generally (if complaints about prior US leaks serve as predictor).

Moreover, it might vocalize some of the reluctance on President Obama’s part to aggressively defend the NSA’s violation of laws authorizing surveillance.

Don’t get me wrong. I don’t believe Obama welcomes any real debate. The conduct of James Clapper’s Committee to Make Us Love the Dragnet makes that all too clear. Rather, I suspect Obama believes he can win the debate, and convince us all that we need an even bigger dragnet. (Which might explain the inclusion of Cass Sunstein on the Committee to Make Us Love the Dragnet.)

I suspect Obama, having been convinced by partial briefings the dragnet is great for America, also believes he can persuade the rest of us (who aren’t stuck in his partial briefing bubble) to love it too.

Certainly, his Ambassador to Britain seems to have been permitted to adopt the same stance.

My name is US Bandwith, king of kings:

“My name is US Bandwith, king of kings:
Look on my works, ye Mighty, and despair!”
Nothing beside remains. Round the decay
Of that colossal wreck, boundless and bare
The lone and level sands stretch far away

I’m thinking of planting a sphinx in UT in front of the UT Data Center. What other appropriate response is there to this?

The U.S. National Security Agency failed to install the most up-to-date anti-leak software at a site in Hawaii before contractor Edward Snowden went to work there and downloaded tens of thousands of highly classified documents, current and former U.S. officials told Reuters.

[snip]

The main reason the software had not been installed at the NSA’s Hawaii facility by the time Snowden took up his assignment there was that it had insufficient bandwidth to comfortably install it and ensure its effective operation, according to one of the officials.

Due to the bandwidth issue, intelligence agencies in general moved more slowly than non-spy government units, including the Defense Department, to install anti-leak software, officials said.

This is precisely the excuse they used after Chelsea Manning absconded with several databases on a Lady Gaga CD. They’re still using it.

Then there’s this:

The NSA’s Utah data center is still struggling to get up and running. The Wall Street Journal reported earlier this month that the site slated to hold exabytes of NSA spy data has been suffering from lightning arcs and meltdowns that have destroyed hundreds of thousands of dollars worth of equipment and prevented the NSA from using the center for its intended purpose: massive data storage and mining. The WSJ reported there had been ten incidents thus far. A source familiar with the project says the center underwent yet another shutdown over the weekend after electrical problems on Thursday and Friday.

The data center was shut down through Tuesday. The source says there aren’t “arcs and fires anymore” but that the experts on the site still haven’t figured out what’s causing the problems. They have figured out how to prevent flashes of lightning, though.

“They’re seeing a pattern of where it gets to the meltdown point and they stop it before it blows again,” says the source. The source says that contractors have been injured and taken to the hospital due to electrocution, but not in the most recent shutdown.

At least they’ve stopped electrocuting contractors.

Our empire needs the intelligence, you see, but apparently can’t ensure an adequate supply of power, of any type.

Update: Argh. As Morris Minor notes, it’s bandwidth, not bandwith. But I’ve grown fond of it, so I’m going to leave it as is, calling it poetic license, while I hang my head in shame.

Docket Inflation at the FISA Court?

As I noted in my last post, I’m a bit alarmed by the docket numbers we’re seeing out of the FISC. The order released today appears to be the 158th docket for the year.

Compare that to the docket numbers from 2009, as revealed in the orders Reggie Walton issued while trying to clean up NSA’s act. His November 5, 2009 order appears to be just the 15th docket for the year, as compared to Mary McLaughlin’s October order being the 158th.

We’re running at 10 times the pace we were 4 years ago.

The thing is, while the comparison does make this year seem especially bad, it actually seems to be part of a longer trend. Here are the numbers of NSLs and Section 215 orders the FISC has issued since 2005.

[Chart: number of NSLs and Section 215 orders issued by the FISC per year since 2005]

Before we knew how extensive the phone dragnet was, these numbers suggested some of the NSL production got moved into the secret interpretations of Section 215 after 2010 (which is about the same time Ron Wyden and Mark Udall got especially shrill about it).

While that may or may not explain the big jump between 2009 — when the Walton numbers are perfectly consistent — and 2011, it’s not the phone dragnet driving the numbers. That has only been responsible for something like 6 dockets in any given year, and more often just 4 (for example, even in 2009, the multiple iterations were just additional entries to the docket tied to that quarter’s order).

I thought, too, the Boston Marathon attack might explain higher numbers for this year. But we might even come in slightly lower than we did last year.

Which is another way of noting how deceitful these numbers are. Any single NSL could include more than one American. We know at least some of the Section 215 orders include every American.

So how many records might these entail if each one could represent every American?
