Shorter NSA: That We Discovered We Had No Fucking Clue How We Use Our Spying Is Proof Oversight Works

It’s fundraising week. Please donate if you can.

James Clapper’s office just released a bunch of documents pertaining to the Section 215 dragnet. It reveals a whole slew of violations which it attributes to this:

The compliance incidents discussed in these documents stemmed in large part from the complexity of the technology employed in connection with the bulk telephony metadata collection program, interaction of that technology with other NSA systems, and a lack of a shared understanding among various NSA components about how certain aspects of the complex architecture supporting the program functioned.  These gaps in understanding led, in turn, to unintentional misrepresentations in the way the collection was described to the FISC.  As discussed in the documents, there was no single cause of the incidents and, in fact, a number of successful oversight, management, and technology processes in place operated as designed and uncovered these matters.

More candidly, it admits that no one at NSA understood how everything worked. It appears they’re still not sure, as one Senior Official Who Refused to Back His Words admitted:

“I guess they have 300 people doing compliance at NSA.”

“I guess” is how they make us comfortable about their new compliance program.

Ultimately, this resulted in them running daily Section 215 collection on a bunch of numbers that–by their own admission–they did not have reasonable articulable suspicion had some tie to terrorism. When they got caught, those numbers made up roughly 10 out of every 11 of the numbers they were searching on.

The rest of this post will be a working thread.

Update: Here is the Wyden/Udall statement. It strongly suggests that the other thing the government lied about — as referenced in John Bates’ October 3, 2011 opinion — was the Internet dragnet.

With the documents declassified and released this afternoon by the Director of National Intelligence, the public now has new information about the size and shape of that iceberg. Additional information about these violations was contained in other recently-released court opinions, though some significant information – particularly about violations pertaining to the bulk email records collection program – remains classified.


In addition to providing further information about how bulk phone records collection came under great FISA Court scrutiny due to serious and on-going compliance violations, these documents show that the court actually limited the NSA’s access to its bulk phone records database for much of 2009. The court required the NSA to seek case-by-case approval to access bulk phone records until these compliance violations were addressed. In our judgment, the fact that the FISA Court was able to handle these requests on an individual basis is further evidence that intelligence agencies can get all of the information they genuinely need without engaging in the dragnet surveillance of huge numbers of law-abiding Americans.


The original order required NSA to keep the dragnet on “a secure private network that NSA exclusively will operate.” Yet on the conference call, the Secret-Officials-Whose-Word-Can’t-Be-Trusted admitted that some of the violations involved people wandering into the data without knowing where they were. And an earlier violation made it clear in 2012 they found a chunk of this data that tech people had put on their own server.

The order also requires an interface with security limitations. Again, we know tech personnel access the data outside of this structure.

That order also authorizes only 7 people to approve queries. That number is now 22.

(9) We need to see a copy of the first couple of reports NSA gave to FISC with its reapplications to see how things got so out of control.

(10) This approval was signed by Malcolm Howard. Among other things, he was in the White House during the Nixon-Ford transition period.


The original authorization for 215 was a hash. Reggie Walton got involved in 2008 and cleaned it up (though not convincingly) in this supplemental order. He relies, significantly, on the “any tangible thing” language passed in 2006. (2-3)


James Clapper’s Financial War on the World

I’m fundraising this week. Please support me if you can. 

Yesterday, TV Globo published details of NSA spying on Brazil’s oil company, Petrobras, SWIFT, and financial organizations. Besides revealing that man-in-the-middle attacks are sometimes used, the report didn’t offer details of what the NSA was actually collecting. Its sources suggest NSA might be seeking Brazil’s leading deep sea drilling technology or geological information that would be useful in drilling auctions, but it is also conceivable the NSA is just trying to anticipate what the oil market will look like in upcoming years (this is one area where we probably even spy on our allies the Saudis, since they have been accused of lying about their reserves).

To some degree, then, I await more details about precisely what we’re collecting and why.

But what I am interested in is James Clapper’s response. He released this statement on the I Con site.

It is not a secret that the Intelligence Community collects information about economic and financial matters, and terrorist financing.

We collect this information for many important reasons: for one, it could provide the United States and our allies early warning of international financial crises which could negatively impact the global economy. It also could provide insight into other countries’ economic policy or behavior which could affect global markets.

Our collection of information regarding terrorist financing saves lives. Since 9/11, the Intelligence Community has found success in disrupting terror networks by following their money as it moves around the globe. International criminal organizations, proliferators of weapons of mass destruction, illicit arms dealers, or nations that attempt to avoid international sanctions can also be targeted in an effort to aid America’s and our allies’ interests.

What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of – or give intelligence we collect to – US companies to enhance their international competitiveness or increase their bottom line.

As we have said previously, the United States collects foreign intelligence – just as many other governments do – to enhance the security of our citizens and protect our interests and those of our allies around the world. The Intelligence Community’s efforts to understand economic systems and policies and monitor anomalous economic activities are critical to providing policy makers with the information they need to make informed decisions that are in the best interest of our national security.

Let me take this extraordinary statement in reverse order.

In the fourth paragraph, Clapper reiterates the final defense that NSA defenders use: that we’re better than, say, China and France, because we don’t engage in industrial espionage, stealing technology with our spying. That may be true, but I suspect at the end of the day the economic spying we do might be more appalling.

In the third paragraph, he retreats to the terror terror terror strategy the Administration has used throughout this crisis. And sure, no one really complains that the government is using financial tracking to break up terrorist networks (though the government is awfully selective about whom it prosecutes, and it almost certainly has used a broad definition of “terrorism” to spy on the financial transactions of individuals for geopolitical reasons). But note, while the Globo report provided no details, it did seem to describe that NSA spies on SWIFT.

That would presumably be in addition to whatever access Treasury gets directly from SWIFT, through agreements that have become public.

That is, the Globo piece at least seems to suggest that we’re getting information from SWIFT via two means, via the now public access through the consortium, but also via NSA spying. That would seem to suggest we’re using it for things that go beyond the terrorist purpose the consortium has granted us access for. Past reporting on SWIFT has made it clear we threatened to do just that. The Globo report may support that we have in fact done that.

Now the second paragraph. James Clapper, too cute by half, asserts that spying on financial information

could provide the United States and our allies early warning of international financial crises which could negatively impact the global economy

Hahahahahaha! Oh my word! Hahahaha. I mean, sure, the US needs to know of pending financial crises, in the same way it wants to know what the actual versus claimed petroleum reserves in the world are (and those are, of course, closely related issues). But with this claim, Clapper suggests the US would actually recognize a financial crisis and do something about it.

Hahahahaha. Didn’t — still doesn’t — work out that way.


Any Bets FBI Was Already Searching US Person Data?

If you want to support our work reporting news the WaPo will report as news in two months, please donate!

In the department of news that got reported here two months ago, the WaPo is reporting on FISC’s approval to let the government search through incidentally collected information. Its news hook is that the 2011 move reversed an earlier 2008 ban that the government had asked for.

The court in 2008 imposed a wholesale ban on such searches at the government’s request, said Alex Joel, civil liberties protection officer at the Office of the Director of National Intelligence (ODNI). The government included this restriction “to remain consistent with NSA policies and procedures that NSA applied to other authorized collection activities,” he said.

But in 2011, to more rapidly and effectively identify relevant foreign intelligence communications, “we did ask the court” to lift the ban, ODNI general counsel Robert S. Litt said in an interview. “We wanted to be able to do it,” he said, referring to the searching of Americans’ communications without a warrant.

It may well be that the NSA was prohibited from searching on incidentally collected information, but not all parts of the government were. In his October 3, 2011 FISC opinion, John Bates pointed to some other minimization procedures allowing such searches to justify his approval for NSA to do so.

This relaxation of the querying rules does not alter the Court’s prior conclusion that NSA minimization procedures meet the statutory definition of minimization procedures. [2 lines redacted] contain an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information. See [redacted] In granting [redacted] applications for electronic surveillance or physical search since 2008, including applications targeting United States persons and persons in the United States, the Court has found that the [redacted] meet the definition of minimization procedures at 50 U.S.C. §§ 1801 (h) and 1821(4). It follows that the substantially similar querying provision found at Section 3(b)(5) of the amended NSA minimization procedures should not be problematic in a collection that is focused on non-United States persons located outside the United States and that, in the aggregate, is less likely to result in the acquisition of nonpublic information regarding non-consenting United States persons.

We already had reason to believe other agencies do this, because when the Senate Intelligence Committee discussed it, they described the intelligence community generally wanting such searches.

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession. [my emphasis]

Bates’ mention of targeting US persons strongly suggests FBI was the agency in question (though the CIA may as well). (If this practice weren’t already permitted, I would bet it got approved in the aftermath of the Nidal Hasan attack, which might explain why so many more Americans who had communicated with Anwar al-Awlaki or Samir Khan were caught in stings after that point.)

So did Robert Litt and Alex Joel tell Ellen Nakashima this to hide a much more intrusive practice at FBI (which they also oversee)?

NSA, GCHQ, Declare Civil War on Their Own People

The Guardian, NYT, and ProPublica have the first of the co-reported stories we’ve been promised, reporting that after the government failed to get Congress to require back doors into encrypted communication, it just went ahead and took it.

I’ll come back to these stories, but for the moment, want to just point to the various names it has given this effort, from ProPublica.

The full extent of the N.S.A.’s decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes: the N.S.A. and its counterparts in Britain, Canada, Australia and New Zealand. Only they are cleared for the Bullrun program, the successor to one called Manassas — both names of American Civil War battles. A parallel GCHQ counterencryption program is called Edgehill, named for the first battle of the English Civil War of the 17th century.

Unlike some classified information that can be parceled out on a strict “need to know” basis, one document makes clear that with Bullrun, “there will be NO ‘need to know.’ ”

Only a small cadre of trusted contractors were allowed to join Bullrun. It does not appear that Mr. Snowden was among them, but he nonetheless managed to obtain dozens of classified documents referring to the program’s capabilities, methods and sources.

Manassas, Bullrun, and Edgehill.

All civil war battles.

Even rhetorically, our governments have declared civil war on us and our privacy.

Update: In related news, Obama’s Insider-Independent Non-Tech Tech Review Committee is seeking public comment on the dragnet.

Go let Cass Sunstein know what you think of this.

Microsoft, Google, as Unimpressed as I Am with I Con’s New Data Release Promise

I showed earlier that the Director of National Intelligence’s promise to release certain information — much of which they’re already obligated to release — wasn’t all that impressive. As part of that, I noted that the DNI wasn’t providing data specific to each provider.

Moreover, the government doesn’t, apparently, plan to release the numbers Google and Yahoo would like it to release, numbers which likely show how much more enthusiastic the well-lubricated telecoms are about providing this material than the less-well-lubricated Internet providers. That is, the government isn’t going to (or hasn’t yet agreed to) provide numbers that show corporations have some leeway on how much of our data they turn over to the government.

It turns out, Microsoft and Google agree with me that the promised new release is none too impressive.

More importantly, they view it as a refusal — after serial delays from the government — to release that provider specific and content type specific information they want to release.

Yesterday, the Government announced that it would begin publishing the total number of national security requests for customer data for the past 12 months and do so going forward once a year. The Government’s decision represents a good start. But the public deserves and the Constitution guarantees more than this first step.

Hundreds of Millions Lubricate the Telecoms

In the third of its budget stories today, the WaPo reveals the scale of the funds provided to telecoms to provide vast amounts of data to the government: $278 million this year, and $394 million in 2011, for doing things like leasing networks and circuits.

The budget documents obtained by The Post list $65.96 million for Blarney, $94.74 million for Fairview, $46.04 million for Stormbrew and $9.41 million for Oakstar. It is unclear why the total of these four programs amounts to less than the overall budget of $278 million.

Among the possible costs covered by these amounts are “network and circuit leases, equipment hardware and software maintenance, secure network connectivity, and covert site leases,” the documents say. They also list in a separate line item $56.6 million in payments for “Foreign Partner Access,” although it is not clear whether these are for foreign companies, foreign governments or other foreign entities.

As a former Global Crossing exec explains, it’s all about lubrication.

Former telecommunications executive Paul Kouroupas, a security officer who worked at Global Crossing for 12 years, said that some companies welcome the revenue and enter into contracts in which the government makes higher payments than otherwise available to firms receiving reimbursement for complying with surveillance orders.

[snip]

“It certainly lubricates the [surveillance] infrastructure,” Kouroupas said. He declined to say whether Global Crossing, which operated a fiber-optic network spanning several continents and was bought by Level 3 Communications in 2011, had such a contract.

Now, we have always known AT&T and Verizon were rather enthusiastic to cooperate with the government, whereas Google and Yahoo have both fought some of the dragnet requests. And–as WaPo notes–that goes back to years before 9/11 (which is one reason the telecoms cooperated in Cheney’s illegal collection for 4 years before they pushed for more extensive legal cover).

We just finally know what it takes to get the telecoms excited.

The New I Con: “Total Number of Orders and Targets”

The I Con people, in another attempt to feign transparency, have announced they will release “new” numbers.

Consistent with this directive and in the interest of increased transparency, the DNI has determined, with the concurrence of the IC, that going forward the IC will publicly release, on an annual basis, aggregate information concerning compulsory legal process under certain national security authorities.

Specifically, for each of the following categories of national security authorities, the IC will release the total number of orders issued during the prior twelve-month period, and the number of targets affected by these orders:

  • FISA orders based on probable cause (Titles I and III of FISA, and sections 703 and 704).
  • Section 702 of FISA.
  • FISA Business Records (Title V of FISA).
  • FISA Pen Register/Trap and Trace (Title IV of FISA).
  • National Security Letters issued pursuant to 12 U.S.C. § 3414(a)(5), 15 U.S.C. §§ 1681u(a) and (b), 15 U.S.C. § 1681v, and 18 U.S.C. § 2709.

Only, this is, as I Con transparency always is, less than meets the eye.

To start with, the I Cons already release much of this due to statutory requirements. They release the number of FISA orders on probable cause (and the number rejected), the number of business records orders, and the number of National Security Letters, as well as the number of US persons included in those NSLs.

If I understand this correctly, the only thing new they’ll add to this information is the number of people “targeted” under Section 215. In other words, they’ll tell us they’ve used fewer than 300 selectors in the previous year to conduct up to three-hop link analysis, which in reality means thousands or even millions might be affected (to say nothing of the hundreds of millions whose communications might be affected by virtue of being collected). But they won’t tell us how many people got included in those two or three hops.
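To make the gap between “targets” and “affected” concrete, here is an added example (not from the original post) that runs contact chaining over a small constructed call-record graph and counts how many identifiers a handful of seed selectors reach within three hops. The graph and seed names are made up for illustration; the point is that the published number (seeds) and the number of people actually swept in (reach) grow apart quickly.

```python
from collections import deque

# Constructed toy call-record graph (not real data): each pair is two phone
# identifiers that appear together in one call record. Treated as undirected,
# because contact chaining follows both the caller and the callee side.
CALL_RECORDS = [
    ("A", "B"), ("A", "C"), ("B", "D"), ("C", "E"), ("D", "F"),
    ("E", "F"), ("F", "G"), ("G", "H"), ("H", "I"), ("B", "J"),
    ("J", "K"), ("K", "L"), ("Z", "Y"), ("Y", "X"),
]


def build_graph(records):
    """Adjacency sets: identifier -> set of identifiers it shared a record with."""
    graph = {}
    for a, b in records:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def chain(graph, seed, max_hops):
    """Breadth-first contact chain from one seed selector.

    Returns {hop: set of identifiers first reached at that hop}, so the
    caller can see how each additional hop widens the circle.
    """
    seen = {seed}
    frontier = deque([seed])
    by_hop = {}
    for hop in range(1, max_hops + 1):
        nxt = set()
        for _ in range(len(frontier)):
            node = frontier.popleft()
            nxt |= graph.get(node, set()) - seen
        by_hop[hop] = nxt
        seen |= nxt
        frontier.extend(nxt)
    return by_hop


def affected_population(graph, seeds, max_hops=3):
    """Count distinct identifiers (excluding the seeds themselves) that fall
    within max_hops of any seed. This is the number a 'total targets' figure
    does not disclose."""
    reached = set()
    for seed in seeds:
        for hop_set in chain(graph, seed, max_hops).values():
            reached |= hop_set
    return len(reached - set(seeds))


if __name__ == "__main__":
    g = build_graph(CALL_RECORDS)
    seeds = ["A", "Z"]
    for s in seeds:
        print(s, {h: sorted(v) for h, v in chain(g, s, 3).items()})
    # Published number vs. undisclosed number for this toy graph.
    print("targets reported:", len(seeds))
    print("identifiers actually swept in within 3 hops:", affected_population(g, seeds))
```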

Furthermore, in the absence of knowing what else they’re using Section 215 for, the meaning of these numbers will be hidden — as it already was when the government told us (last year) it had submitted 212 Section 215 applications, without telling us several of those applications collected every American’s phone records.

The same is true of the Pen Register/Trap and Trace provision. The government has told us they’re no longer using it to collect the Internet metadata of all Americans. But what are they using it to do? Are they (in one theory posited since the Snowden leaks started) using it to collect key information from Internet providers? Given the precedents hidden at the FISA Court, we’re best served to assume there is some exotic use like this, meaning any number they show us could represent a privacy threat far bigger than the number might indicate.

Then, finally, there’s Section 702, which will be new information. The October 3, 2011 John Bates opinion says the NSA collects 250 million communications a year under Section 702; the August 2013 Compliance Assessment seems to support (though it redacts the numbers) the NSA targeting 63,000 to 73,000 selectors on any given day. In other words, those numbers are big. But that doesn’t tell us, at all, how many US persons get sucked up along with the targeted selectors. That number is one the NSA refuses to even collect, though Ron Wyden has asked them for it. Usually, when the NSA refuses to count something, it is because doing so would demonstrate how politically (and potentially, Constitutionally) untenable it is.

Moreover, the government doesn’t, apparently, plan to release the numbers Google and Yahoo would like it to release, numbers which likely show how much more enthusiastic the well-lubricated telecoms are about providing this material than the less-well-lubricated Internet providers. That is, the government isn’t going to (or hasn’t yet agreed to) provide numbers that show corporations have some leeway on how much of our data they turn over to the government.

So, ultimately, this seems to be about providing two or three new numbers, in addition to what the government is legally obliged to provide, yet without providing any numbers on how many Americans get sucked into this dragnet.

They will provide the “total number of orders and targets.” But they’re not going to provide the information we actually want to know.

3 Tech Issues the Non-Technologist NSA Technical Committee Needs to Address

A number of people are asking why I’m so shocked that President Obama appointed no technologists for his NSA Review Committee.

Here are three issues that should be central to the Committee’s discussions that are, in significant part, technology questions. There are more. But for each of these questions, the discussion should not be whether the Intelligence Community thinks the current solution is the best or only one, but whether it is an appropriate choice given privacy implications and other concerns.

  • Whether the Intelligence Community can accomplish the goals of the Section 215 dragnet without collecting all US person metadata
  • Whether the NSA can avoid collecting Multiple Communication Transactions as part of upstream collection
  • How to oversee unaudited actions of technical personnel

These are just three really obvious issues that should be reviewed by the committee. And for all of them, it would be really useful to have someone on the committee with the technical background to challenge NSA’s claims.

Whether the Intelligence Community can accomplish the goals of the Section 215 dragnet without collecting all US person metadata

One of the most contentious NSA practices — at least as far as most Americans go — is the collection of all US person phone metadata for the Section 215 dragnet. Yet even Keith Alexander has admitted — here in an exchange with Adam Schiff in a House Intelligence Committee hearing on June 18 — that it would be feasible to do it via other means, though perhaps not as easy.

REP. SCHIFF: General Alexander, I want to ask you — I raised this in closed session, but I’d like to raise it publicly as well — what are the prospects for changing the program such that, rather than the government acquiring the vast amounts of metadata, the telecommunications companies retain the metadata, and then only on those 300 or so occasions where it needs to be queried, you’re querying the telecommunications providers for whether they have those business records related to a reasonable, articulable suspicion of a foreign terrorist connection?


The No-Technologist Technology Review Panel

In addition to the four people ABC earlier reported would be part of Obama’s Committee to Learn to Trust the Dragnet, Obama added … another law professor, Geoffrey Stone. (Stone is [see update], along with Swire, a worthwhile member. But not a technologist.)

What’s fucking crazy about the committee is it has zero technologists to review a topic that is highly technical. Obama implicitly admits as much! He sells this committee for their “immense experience in national security, intelligence, oversight, privacy and civil liberties.” National security, intelligence, oversight, privacy, civil liberties. No technology.

On August 9, President Obama called for a high-level group of experts to review our intelligence and communications technologies. Today the President met with the members of this group: Richard Clarke, Michael Morell, Geoffrey Stone, Cass Sunstein and Peter Swire.

These individuals bring to the task immense experience in national security, intelligence, oversight, privacy and civil liberties. The Review Group will bring a range of experience and perspectives to bear to advise the President on how, in light of advancements in technology, the United States can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure.

The President thanked the Members of the Group for taking on this important task and looks forward to hearing from them as their work proceeds. Within 60 days of beginning their work, the Review Group will brief their interim findings to the President through the Director of National Intelligence, and the Review Group will provide a final report and recommendations to the President. [my emphasis]

So in spite of the fact that the White House highlights technology in its mandate, that didn’t lead them to find even a single technologist.

Also: Cass Sunstein.

Also: the Committee does, in fact, report its findings through James Clapper, the guy whose programs they will review, the guy who lied to Congress.

At least the White House isn’t promising — as Obama originally did — that it will be an “outside” “independent” committee.

Update: Egads. I take back what I said about Stone, who said this in June.

[W]hat should Edward Snowden have done? Probably, he should have presented his concerns to senior, responsible members of Congress. But the one thing he most certainly should not have done is to decide on the basis of his own ill-informed, arrogant and amateurish judgment that he knows better than everyone else in government how best to serve the national interest. The rule of law matters, and no one gave Edward Snowden the authority to make that decision for the nation. His conduct was more than unacceptable; it was criminal.

FISC Judges Should Threaten NSA with Criminal Prosecution More Often

This James Bamford description of NSA efforts to avoid criminal prosecution in a 1975 investigation convinced me to point to evidence that then-FISA Chief Judge John Bates — who is normally fairly deferential to the Executive Branch — cowed the government with threats of criminal prosecution.

The story starts in the October 3, 2011 opinion. After having laid out how the government was collecting US person data from the switches, Bates noted that the government wanted to keep on doing so.

The government’s submissions make clear not only that the NSA has been acquiring Internet transactions since before the Court’s approval of the first Section 702 certification in 2008,[15] but also that NSA seeks to continue the collection of Internet transactions.

Noting that this collection had been going on longer than the 3 years the government had been using Section 702 of the FISA Amendments Act to justify its collection likely references a time when the NSA — led by Keith Alexander as far back as 2005 — was collecting that US person information with no legal sanction whatsoever as part of Dick Cheney’s illegal program.

Then, in footnote 15, Bates notes that sharing such illegally collected information is a crime.

The government’s revelations regarding the scope of NSA’s upstream collection implicate 50 U.S.C. § 1809(a), which makes it a crime (1) to “engage[] in electronic surveillance under color of law except as authorized” by statute or (2) to “disclose[] or use[] information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized” by statute. See [redacted] (concluding that Section 1809(a)(2) precluded the Court from approving the government’s proposed use of, among other things, certain data acquired by NSA without statutory authority through its “upstream collection”). The Court will address Section 1809(a) and related issues in a separate order. [my emphasis]

Now, I’m particularly interested in the redacted text, because it appears some FISC judge has had to issue this threat in a past (still-redacted) opinion. That threat may have applied to this same upstream collection, but from the time before the government pointed to FAA to justify it (again, Alexander’s tenure would overlap into that illegal period).
