False Prophet of Adequate Congressional Oversight Finds Congressional Ignorance Unnewsworthy

I was going to leave this post, in which Ben Wittes complains that WaPo published details of NSA’s collection of millions of contact lists, which he didn’t find at all newsworthy, well enough alone.

Here the public interest in disclosure seems, at least to me, remarkably weak, after all. At the policy level, the entire story amounts to nothing more than the proposition that NSA is under 12333 collecting large volumes of live-stream data, storing it, and protecting U.S. person material within that data only through minimization requirements. We knew all of that already.

So what does this story reveal that we didn’t already know? A specific collection method that people can now frustrate and a particular interest in collecting contact lists. In other words, here the Post does not seem to be balancing the costs of the disclosure against its benefit to the public interest. The costs, rather, are the benefit to the public interest. Put another way, I can’t quite shake the feeling that my old newspaper is now blowing secrets merely for the sake of doing so.

But his response to this post from Conor Friedersdorf convinced me to do a post. He’s written about 40 tweets in response, asserting things like, “there is no good argument that this sort of activity is illegal under current law.” In all that tweeting, he did not, however, respond to what I thought was a pretty decent argument that this sort of activity might be illegal under current law.

Two years ago, then FISA Court Judge John Bates considered the legality of content collected off US switches. He found the practice, as it had been conducted for over 3 years, violated both Section 702 of the FISA Amendments Act and the Fourth Amendment because it intentionally collected US person data (NSA’s apologists usually obscure this last point, but Bates’ opinion was quite clear that this was intentional collection). To make the collection “reasonable” under a special needs exception, he required NSA to follow more stringent minimization procedures than those already required under Section 702, effectively labeling some of the data and prohibiting the NSA from using US person data except in limited circumstances.

That collection differs from the contact list collection revealed by the WaPo in several ways:

The contact lists are collected overseas

WaPo’s sources are quite clear: this collection would be illegal in the US. They get around that restriction by collecting the data overseas.

The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss the classified program. “None of those are on U.S. territory.”

It’s not clear whether the contact list counts as metadata or content

The collection reviewed by Bates was clearly content: Internet messages collected because a selector appeared in the body of the message. With the contact lists, I could see the government claiming it was just metadata, and therefore (incorrectly, in my opinion but not in current law) subject to a much lower standard of protection. Except (as noted) WaPo’s sources admit this would be illegal if collected in the US, probably because NSA is collecting content as well.

Each day, the presentation said, the NSA collects contacts from an estimated 500,000 buddy lists on live-chat services as well as from the inbox displays of Web-based e-mail accounts.

[snip]

Contact lists stored online provide the NSA with far richer sources of data than call records alone. Address books commonly include not only names and e-mail addresses, but also telephone numbers, street addresses, and business and family information. Inbox listings of e-mail accounts stored in the “cloud” sometimes contain content, such as the first few lines of a message.

This data is subjected to a much lower standard of minimization than that imposed by Bates

In his flurry of tweets, Ben keeps repeating that the US person contact lists collected under this program are protected by minimization, so it’s all good. But minimization for Executive Order 12333 collection is not as rigorous as minimization under Section 702, and certainly doesn’t include the special handling that Bates required to make the Section 702 upstream collection compliant with the Fourth Amendment. So even for those who believe minimization on bulk collection gets you to compliance with the Fourth Amendment, it’s unclear whether the minimization provided for this collection does, and given Bates’ ruling, there’s reason to believe it does not.

Neither Congress nor the FISA Court oversee this collection closely

This is the part of the WaPo story that a guy like Ben who wails NAKED! every time someone questions whether there’s adequate oversight ought to have noted. A single source claimed this program includes checks and balances. But as WaPo lays out, these aren’t checks and balances like those protecting other US person collections.

A senior U.S. intelligence official said the privacy of Americans is protected, despite mass collection, because “we have checks and balances built into our tools.”

NSA analysts, he said, may not search within the contacts database or distribute information from it unless they can “make the case that something in there is a valid foreign intelligence target in and of itself.”

In this program, the NSA is obliged to make that case only to itself or others in the executive branch. With few exceptions, intelligence operations overseas fall solely within the president’s legal purview. The Foreign Intelligence Surveillance Act, enacted in 1978, imposes restrictions only on electronic surveillance that targets Americans or takes place on U.S. territory.

[snip]

Sen. Dianne Feinstein, the California Democrat who chairs the Senate Intelligence Committee, said in August that the committee has less information about, and conducts less oversight of, intelligence gathering that relies solely on presidential authority.

Obama Throws Top Spying Partner, Verizon, at ObamaCare

For the record, I hope the Administration finds a way to fix the ObamaCare website. While ObamaCare is a mix of good (Medicaid expansion, Medicare tweaks, MLR, some weakly enforceable limits on insurers) and bad (cost, corporate incentives, Caddy tax, insurance over care), if it fails it will set back efforts to improve health coverage in this country.

But I do take some of the warnings about how difficult it will be to fix the site seriously.

All that said, I’m not sure this is the “best and brightest” group of consultants Obama should have chosen to “surge” the website fix.

An informed source in the telecommunications industry said Verizon’s Enterprise Solutions division has been asked by the Department of Health and Human Services to improve the performance of the HealthCare.gov site, which is a key component of the Affordable Care Act. The source spoke on condition of anonymity because the announcement had not been made official.

HHS office said Sunday the department would reach outside its government contractors to civilian companies that might be able to solve HealthCare.gov’s problems more quickly.

“Our team is bringing in some of the best and brightest from both inside and outside government to scrub in with the team and help improve HealthCare.gov,” an HHS blog post said on Sunday.

HHS did not respond to a request for confirmation about Verizon. The company also declined to comment.

It makes sense for HHS to seek Verizon’s help, said Aneesh Chopra, the Obama administration’s former chief technology officer and now a senior fellow at the Center for American Progress. “There is an existing ‘best and brightest’ available to call in,” Chopra said. “Verizon is one of those already under contract.”

Even assuming Verizon is among the most competent entities in doing this kind of fix, there are the optics.

Verizon is, after all, the entity that charges millions of Americans inflated rates even as it turns over data on all their phone-based relationships on a daily basis. In addition, along with AT&T and Sprint, Verizon helps the government copy and scan up to 75% of US Internet content in search of secret selectors.

Verizon is, then, one of the worst examples of the dangerous marriage between big corporate and big government. Which perhaps makes it an appropriate entity to be tied to ObamaCare, but not one that will help ObamaCare’s credibility.

Why Does France Get Publicly-Reported Phone Calls?

The White House just released a readout of a call between President Obama and French President François Hollande pertaining to the spying revealed yesterday by Le Monde.

Readout of the President’s Call with President Hollande of France

The President spoke today with President Hollande of France. The United States and France are allies and friends, and share a close working relationship on a wide range of issues, including security and intelligence. The President and President Hollande discussed recent disclosures in the press – some of which have distorted our activities and some of which raise legitimate questions for our friends and allies about how these capabilities are employed. The President made clear that the United States has begun to review the way that we gather intelligence, so that we properly balance the legitimate security concerns of our citizens and allies with the privacy concerns that all people share. The two Presidents agreed that we should continue to discuss these issues in diplomatic channels moving forward. The two leaders also discussed the ongoing violence in Syria and the importance of a political solution to the crisis.

Such releases tend to be blather, so I don’t take all that much from the content of the readout.

But I am interested that they released it.

Remember, this is not the first conversation with an angry world leader Obama has had about the runaway NSA. Angela Merkel, Dilma Rousseff, and Enrique Peña Nieto have as well. And while Obama was in Germany not long after the initial Germany releases, and saw Rousseff at the G20 in Russia not long after the worst of the Brazilian stories, I don’t see any call with Peña Nieto. Plus, we know there was a follow-up call between Obama and Rousseff on September 16 (he was supposed to report his findings about the nature of NSA’s spying on Brazil and Rousseff; she called off her State Visit the day afterwards).

I assume the Obama-Rousseff call couldn’t be spun into a happy message like this one.

But what of the call to Peña Nieto? Or did he already know about the spying they did before he was elected, because content from it has been used to pressure him to keep the DEA presence in Mexico?

On the 12th Day of Christmas, the NSA Gave to Me … 12 “Terrorism Supporters”

Dianne Feinstein is writing op-eds again. Of course, I’m not actually recommending you read her defense of the phone dragnet program — though I do recommend this rebuttal of her claims from ACLU’s Mike German.

In other words, the problem was not that the government lacked the right tools to do its job (it had ample authority to trace Mihdhar’s calls). The problem was that the government apparently failed to use them.

But I do want to look at how DiFi dances around the debunked claims about all the plots the dragnet have stopped.

Since its inception, this program has played a role in stopping roughly a dozen terror plots and identifying terrorism supporters in the U.S.

Her claim is grammatically false, of course. Of the 2 known of these 12 cases where Section 215 was useful, in just one — when it was used to identify a previously unknown phone of an already identified accomplice of Najibullah Zazi — was a plot actually stopped. In the other, all Section 215 did was identify a supporter of terrorism, Basaaly Moalin. And even there, the FBI itself believed Moalin sent money to al-Shabaab not so much to support terrorism, but to support expelling (US-backed) Ethiopian invaders of Somalia.

So while she could say that on 12 occasions Section 215 has helped stop a plot or identified terrorism supporters, what she has said is — surprise surprise! — a lie.

But I am rather amused at how close DiFi gets to arguing that a dragnet of every American’s phone-based relationships is worthwhile because it has found 12 guys who support, but do not engage in, terrorism.

NSA’s Section 702 Success: 150 Gigs of Defense Contractor Data Protected

Over four months ago, I noted that the most impressive success touted in James Clapper’s fact sheet on Section 702 pertained to cybersecurity, not terrorism.

Communications collected under Section 702 have provided significant and unique intelligence regarding potential cyber threats to the United States, including specific potential network computer attacks. This insight has led to successful efforts to mitigate these threats.

Le Monde, as part of its package on US spying on France, published yet another version of the PRISM slide presentation, including this slide (and 2 others that haven’t been published before; h/t Koen Rouwhorst).

While I’m not sure we’re yet looking at the complete PRISM slideset, at least as it stands, this slide tells the sole success story in the presentation. It describes how, on December 14, 2012, the NSA/CSS Threat Operations Center alerted the FBI to an implant on a Defense contractor’s network. The FBI and the contractor managed to take action that same day to prevent the exfiltration of 150G of data.

And thus using upstream collection (the slide cites Stormbrew), the NSA managed to do something equivalent to stopping China from getting yet another module of data on the F-35 development to go along with all the other data it has stolen.

While I’m glad the NSA prevented yet more tax dollars from being wasted on secrets China (or someone like them) was going to steal anyway, I am rather interested that this gets touted internally as Section 702’s big success story.

After all, Keith Alexander has been chanting terror terror terror terror for the last four months. It turns out — as I’ve been saying all along — it’s not about the 54 mostly overseas plots Section 702 has helped to thwart, it’s about cybersecurity.

Moreover, it doesn’t involve someone’s personal communications accessed via PRISM. It involves upstream collection (this also suggests that when NSA describes searching for “selectors” in upstream collection, it searches on more than just emails and phone numbers, as it has previously suggested).

Again, this success is in no way a bad thing — kudos to the NSA for catching this.

It just highlights how we’re being sold a dragnet to protect against hackers based on fear of terrorists.

Update: In a Guardian post today, I argue Obama should use the replacement of Keith Alexander as an opportunity to break up NSA.

Metaphorically, the NSA has pursued its search for intelligence by partly disabling the locks to all our front doors. Having thus left us exposed, it demands the authority to be able to enter our homes to look around and see if those disabled locks have allowed any nasty types to get in.

Given the way the NSA’s data retention procedures have gone beyond the letter of the law to allow them to keep Americans’ data if it presents a threat to property (rather than just a threat of bodily harm), while the NSA is looking for nasty types, they might also make sure you don’t have any music or movies for which you don’t have a receipt. Thus it has happened that, in the name of preventing invaders, the NSA has itself invaded

Does This Provide Insight into Obama’s Relative Silence?

The US Ambassador to Britain, Matthew Barzun, went on the Beeb and declined to criticize Edward Snowden.

Asked if he shared the UK security services’ concerns about the threat to national security from the leaks, he said he wanted to focus on the “importance of having this debate about what the trade-offs are between security and privacy, between transparency and secrecy, and to do so in a way that protects whistleblowers – which is different, by the way, from wholesale releasing of information, hundreds of thousands of documents”.

This is a remarkable statement from someone at the heart of what must be touchy relations between the NSA and GCHQ and the US and Brits more generally (if complaints about prior US leaks serve as predictor).

Moreover, it might vocalize some of the reluctance on President Obama’s part to aggressively defend the NSA’s violation of laws authorizing surveillance.

Don’t get me wrong. I don’t believe Obama welcomes any real debate. The conduct of James Clapper’s Committee to Make Us Love the Dragnet makes that all too clear. Rather, I suspect Obama believes he can win the debate, and convince us all that we need an even bigger dragnet. (Which might explain the inclusion of Cass Sunstein on the Committee to Make Us Love the Dragnet.)

I suspect Obama, having been convinced by partial briefings the dragnet is great for America, also believes he can persuade the rest of us (who aren’t stuck in his partial briefing bubble) to love it too.

Certainly, his Ambassador to Britain seems to have been permitted to adopt the same stance.

My name is US Bandwith, king of kings:

“My name is US Bandwith, king of kings:
Look on my works, ye Mighty, and despair!”
Nothing beside remains. Round the decay
Of that colossal wreck, boundless and bare
The lone and level sands stretch far away

I’m thinking of planting a sphinx in UT in front of the UT Data Center. What other appropriate response is there to this?

The U.S. National Security Agency failed to install the most up-to-date anti-leak software at a site in Hawaii before contractor Edward Snowden went to work there and downloaded tens of thousands of highly classified documents, current and former U.S. officials told Reuters.

[snip]

The main reason the software had not been installed at the NSA’s Hawaii facility by the time Snowden took up his assignment there was that it had insufficient bandwidth to comfortably install it and ensure its effective operation, according to one of the officials.

Due to the bandwidth issue, intelligence agencies in general moved more slowly than non-spy government units, including the Defense Department, to install anti-leak software, officials said.

This is precisely the excuse they used after Chelsea Manning absconded with several databases on a Lady Gaga CD. They’re still using it.

Then there’s this:

The NSA’s Utah data center is still struggling to get up and running. The Wall Street Journal reported earlier this month that the site slated to hold exabytes of NSA spy data has been suffering from lightning arcs and meltdowns that have destroyed hundreds of thousands of dollars worth of equipment and prevented the NSA from using the center for its intended purpose: massive data storage and mining. The WSJ reported there had been ten incidents thus far. A source familiar with the project says the center underwent yet another shutdown over the weekend after electrical problems on Thursday and Friday.

The data center was shut down through Tuesday. The source says there aren’t “arcs and fires anymore” but that the experts on the site still haven’t figured out what’s causing the problems. They have figured out how to prevent flashes of lightning, though.

“They’re seeing a pattern of where it gets to the meltdown point and they stop it before it blows again,” says the source. The source says that contractors have been injured and taken to the hospital due to electrocution, but not in the most recent shutdown.

At least they’ve stopped electrocuting contractors.

Our empire needs the intelligence, you see, but apparently can’t ensure an adequate supply of power, of any type.

Update: Argh. As Morris Minor notes, it’s bandwidth, not bandwith. But I’ve grown fond of it, so I’m going to leave it as is, calling it poetic license, while I hang my head in shame.

Docket Inflation at the FISA Court?

As I noted in my last post, I’m a bit alarmed by the docket numbers we’re seeing out of the FISC. The order released today appears to be the 158th docket for the year.

Compare that to the docket numbers from 2009, as revealed in the orders Reggie Walton issued while trying to clean up NSA’s act. His November 5, 2009 order appears to be just the 15th docket for the year, as compared to Mary McLaughlin’s October order being the 158th.

We’re running at 10 times the pace we were 4 years ago.

The thing is, while the comparison does make this year seem especially bad, it actually seems to be part of a longer trend. Here are the numbers of NSLs and Section 215 orders the FISC has issued since 2005.


Before we knew how extensive the phone dragnet was, these numbers suggested some of the NSL production got moved into the secret interpretations of Section 215 after 2010 (which is about the same time Ron Wyden and Mark Udall got especially shrill about it).

While that may or may not explain the big jump between 2009 — when the Walton numbers are perfectly consistent — and 2011, it’s not the phone dragnet driving the numbers. That has only been responsible for something like 6 dockets in any given year, and more often just 4 (for example, even in 2009, the multiple iterations were just additional entries to the docket tied to that quarter’s order).

I thought, too, the Boston Marathon attack might explain higher numbers for this year. But we might even come in slightly lower than we did last year.

Which is another way of noting how deceitful these numbers are. Any single NSL could include more than one American. We know at least some of the Section 215 orders include every American.

So how many records might these entail if each one could represent every American?

NSA’s Dissenters

I tweeted a bunch of details from this James Risen interview with Edward Snowden. That comparing the NSA to China’s People’s Liberation Army is not perceived as funny by NSA brass. How Snowden’s professed commitment to whistleblowing came from reading the 2009 Draft NSA IG Report ought to disqualify Michael Hayden — whose criminal actions the report details — from commenting on Snowden from here on out. And that ignoring the security vulnerabilities in a CIA personnel database seems kind of stupid.

But I found this paragraph most interesting.

Mr. Snowden added that inside the spy agency “there’s a lot of dissent — palpable with some, even.” But he said that people were kept in line through “fear and a false image of patriotism,” which he described as “obedience to authority.”

Two times since the Snowden leaks started, NSA has done touchy-feely things to reassure employees. First, Keith Alexander’s call that “there is no substitute for victory,” even while suggesting NSA employees should leave the debate about their work to others. And then the group hug to them and their families.

I believe those are the comments of a General who is genuinely worried that learning what the NSA has been doing — aside from targeting terrorists — might lead to more dissent among NSA employees.

If Snowden’s comment is true, that all makes sense.

As I have said, many NSA employees might have an image of the NSA as a foreign codebreaker organization that would never target Americans. If they do, they may well be in for a rude awakening.

12 Years Later, DOJ Is Still Struggling Through Dragnet Discovery Issues

As I noted earlier, Charlie Savage describes how, after Don Verrilli made false representations to the Supreme Court about whether defendants get an opportunity to challenge FISA Amendments Act derived evidence, it set off a discussion in DOJ about their discovery obligations.

Mr. Verrilli sought an explanation from national security lawyers about why they had not flagged the issue when vetting his Supreme Court briefs and helping him practice for the arguments, according to officials.

The national security lawyers explained that it was a misunderstanding, the officials said. Because the rules on wiretapping warrants in foreign intelligence cases are different from the rules in ordinary criminal investigations, they said, the division has long used a narrow understanding of what “derived from” means in terms of when it must disclose specifics to defendants.

In national security cases involving orders issued under the Foreign Intelligence Surveillance Act of 1978, or FISA, prosecutors alert defendants only that some evidence derives from a FISA wiretap, but not details like whether there had just been one order or a chain of several. Only judges see those details.

After the 2008 law, that generic approach meant that prosecutors did not disclose when some traditional FISA wiretap orders had been obtained using information gathered through the warrantless wiretapping program. Division officials believed it would have to disclose the use of that program only if it introduced a recorded phone call or intercepted e-mail gathered directly from the program — and for five years, they avoided doing so.

For Mr. Verrilli, that raised a more fundamental question: was there any persuasive legal basis for failing to clearly notify defendants that they faced evidence linked to the 2008 warrantless surveillance law, thereby preventing them from knowing that they had an opportunity to argue that it derived from an unconstitutional search? [my emphasis]

It’s not entirely true that only judges learn if there are a series of orders leading up to a traditional FISA that incriminates a person. For example, we know it took 11 dockets and multiple orders to establish probable cause to wiretap Basaaly Moalin, the one person allegedly caught using Section 215. We also know there was a 2-month delay between the time they identified his calls with (probably) Somali warlord Aden Ayrow and the time they started wiretapping him under traditional FISA. Even before that point, Ayrow would have been — and almost certainly was — a legal FISA Amendments Act target. Meaning it’d be very easy for the government to watch Moalin’s side of their conversations in those two months to develop probable cause — or even to go back and read historical conversations (note, Ken Wainstein may have signed some of the declarations in question, which would make a lot of sense if they took place during the transition between Attorneys General earlier in 2007).

But Moalin’s attorneys didn’t — and still haven’t — learned whether that’s what happened. (Note, I’m overdue to lay out the filings in the case since I last covered it; consider it pending.)
