Sonia Sotomayor, John Roberts, and the Riley Decision

In a piece just published at Salon, I look at John Roberts’ citation in his Riley v. California decision of Sonia Sotomayor’s concurrence in US v. Jones, the opinion every privacy argument has invoked since she wrote it two years ago. I argue Roberts uses it to adopt her argument that digital searches are different.

A different part of Sotomayor’s concurrence, arguing that the existing precedent holding that you don’t have a privacy interest in data you’ve given to a third party “is ill suited to the digital age,” has been invoked repeatedly in privacy debates since she wrote it. That’s especially true since the beginning of Edward Snowden’s leaks. Lawsuits against the phone dragnet often cite that passage, arguing that the phone dragnet is precisely the kind of intrusion that far exceeds the intent of old precedent. And the courts have – with the exception of one decision finding the phone dragnet unconstitutional – ruled that until a majority on the Supreme Court endorses this notion, the old precedents hold.

Roberts cited from a different part of Sotomayor’s opinion, discussing how much GPS data on our movements reveals about our personal lives. That appears amid a discussion in which he cites things that make cellphones different: the multiple functions they serve, the different kinds of data we store in the same place, our Web search terms, location and apps that might betray political affiliation, health data or religion. That is, in an opinion joined by all his colleagues, the chief justice repeats Sotomayor’s argument that the sheer volume of this information makes it different.

Roberts’ argument here goes beyond both Antonin Scalia’s property-based opinion and Sam Alito’s persistence-based opinion in US v. Jones.

Which seems to fulfill what I predicted in my original analysis of US v. Jones — that the rest of the Court might come around to Sotomayor’s thinking in her concurrence (which, at the time, no one joined).

Sotomayor, IMO, is the only one ready to articulate where all this is heading. She makes it clear that she sides with those that see a problem with electronic surveillance too.

I would take these attributes of GPS monitoring into account when considering the existence of a reasonable societal expectation of privacy in the sum of one’s public movements. I would ask whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.

[snip]

I would also consider the appropriateness of entrusting to the, in the absence of any oversight from a coordinate branch, a tool so amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent “a too permeating police surveillance,”

And in a footnote, makes a broader claim about the current expectation of privacy than Alito makes.

Owners of GPS-equipped cars and smartphones do not contemplate that these devices will be used to enable covert surveillance of their movements.

Ultimately, the other Justices have not tipped their hand on where they’ll come down on more generalized issues of cell phone based surveillance. Sotomayor’s opinion actually doesn’t go much further than Scalia claims to when he says they can return to Katz on such issues — but obviously none of the other Republicans joined her opinion. And all those who joined Alito’s opinion seem to be hiding behind the squishy definitions that will allow them to flip flop when the Administration invokes national security.

Sotomayor’s importance to this decision likely goes beyond laying this groundwork two years ago.

There’s evidence that Sotomayor had a more immediate impact on this case. In a recent speech — as reported by Adam Serwer, who recalled this comment after yesterday’s opinion — Sotomayor suggested she had to walk her colleagues through specific aspects of the case they didn’t have the life experience to understand.

The Supreme Court has yet to issue opinions on many of its biggest cases this term, and Sotomayor offered few hints about how the high court might rule. She did use an example of a recent exchange from oral argument in a case involving whether or not police can search the cell phones of arrestees without a warrant to explain the importance of personal experience in shaping legal judgments.
“One of my colleagues asked, ‘who owns two cell phones, why would anybody?’ In a room full of government lawyers, each one of them has two cell phones,” Sotomayor said to knowing laughter from the audience. “My point is that issue was remedied very quickly okay, that misimpression was.”
The colleague was Chief Justice John Roberts, who along with Justice Antonin Scalia, seemed skeptical during oral arguments in Wurie v. United States that anyone but a drug dealer would need two cell phones.

“That’s why it’s important to have people with different life experiences,” Sotomayor said. “Especially on a court like the Supreme Court, because we have to correct each other from misimpressions.”

In my Salon piece, I suggest that some years from today, some Court observer (I had Jeffrey Toobin in mind) will do a profile of how Sotomayor has slowly brought her colleagues around on what the Fourth Amendment needs to look like in the digital age.

I come away from this opinion with two strong hunches. First, that years from now, some esteemed court watcher will describe how Sonia Sotomayor has gradually been persuading her colleagues that they need to revisit privacy, because only she would have written this opinion two years ago.

Of course, it likely took Roberts writing the opinion to convince colleagues like Sam Alito. Roberts wrapped it up in nice originalist language, basically channeling James Madison with a smart phone. That’s something that surely required Roberts’ stature and conservatism to pull off.

But if this does serve as a renewed Fourth Amendment, with all the heft that invoking the Founders gives it, I’ll take it.

Alan Grayson: Is Keith Alexander Selling Classified Information to the Banks?

I’ve been tracking Keith Alexander’s utterly predictable new gig, getting rich off of having drummed up cybersecurity concerns for the last several years, while at the same time shacking up with the most dubious of shadow bank regulators, Promontory Financial Group.

Apparently, I’m not the only one. Alan Grayson just sent some of the entities that Alexander has been drumming up business with — the Security Industries and Financial Markets Association, Consumer Bankers Association, and Financial Services Roundtable — a letter asking how the former NSA Director can be making a reported $600,000 a month. He cites Bruce Schneier wondering whether part of the deal is that Alexander will share classified information he learned while at NSA.

Security expert Bruce Schneier noted that this fee for Alexander’s services is on its face unreasonable. “Think of how much actual security they could buy with that $600K a month. Unless he’s giving them classified information.” Schneier also quoted Recode.net, which headlined this news as: “For another million, I’ll show you the back door we put in your router.”

[snip]

Disclosing or misusing classified information for profit is, as Mr. Alexander well knows, a felony. I question how Mr. Alexander can provide any of the services he is offering unless he discloses or misuses classified information, including extremely sensitive sources and methods. Without the classified information that he acquired in his former position, he literally would have nothing to offer to you.

Please send me all information related to your negotiations with Mr. Alexander, so that Congress can verify whether or not he is selling military and cybersecurity secrets to the financial services industry for personal gain.

Alexander is just the latest of a long line of people who profit directly off driving up the cybersecurity threat. But — as Recode.net notes — he’s also got the kind of inside information that could be particularly valuable.

As the Intelligence Industrial Complex and the Banking industry hop into bed together, there ought to be some transparency about just what kind of deals are being made. There’s simply too much immunity handed out to this community to let boondoggles like Alexander’s slide.

The intelligence community is subjecting every low level clearance holder to intense scrutiny right now. But thus far, there has not been a peep from those quarters that the former DIRNSA could command these fees for the expertise gained while overseeing the nation’s secrets.

Riley Meets the Dragnet: Does “Inspection” amount to “Rummaging”?

It’s clear today’s decision in Riley v. California will be important in the criminal justice context. What’s less clear is its impact for national security dragnets.

To answer the question, though, we should remember that question really amounts to several. Does it affect the existing phone dragnet, which aspires to collect the phone records of every person in the US? Does it affect the government’s process of collecting massive amounts of data from which to cull an individual’s data to make up a “fingerprint” that can be used for targeting and other purposes? Will it affect the program the government plans to implement under USA Freedumber, in which the telecoms perform connection-based chaining for the NSA, and then return Call Detail Records as results? Does it affect Section 702? I think the answer may be different for each of these, though I think John Roberts’ language is dangerous for all of this.

In any case, Roberts wants it to be unclear. This footnote, especially, claims this opinion does not implicate cases — governed by the Third Party doctrine — where the collection of data is not considered a search.

Because the United States and California agree that these cases involve searches incident to arrest, these cases do not implicate the question whether the collection or inspection of aggregated digital information amounts to a search under other circumstances.

Orin Kerr reads this as addressing the mosaic theory directly (and he is the expert, after all); that theory holds that a Fourth Amendment review must consider the entirety of the government collection. I’m not impressed, though, with his claim that the analogue language Roberts uses directly addresses the mosaic theory; Kerr seems to be arguing that because Roberts finds another argument unwieldy, he must be addressing the theory that Kerr himself finds unwieldy. Moreover, in addition to this section, which Kerr says supports the Mosaic theory,

An Internet search and browsing history, for example, can be found on an Internet-enabled phone and could reveal an individual’s private interests or concerns—perhaps a search for certain symptoms of disease, coupled with frequent visits to WebMD. Data on a cell phone can also reveal where a person has been. Historic location information is a standard feature on many smart phones and can reconstruct someone’s specific movements down to the minute, not only around town but also within a particular building. See United States v. Jones, 565 U. S. ___, ___ (2012) (SOTOMAYOR, J., concurring) (slip op., at 3) (“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.”).

I think the paragraph below it also supports the Mosaic theory — particularly its reference to a “revealing montage of the user’s life.”

Mobile application software on a cell phone, or “apps,” offer a range of tools for managing detailed information about all aspects of a person’s life. There are apps for Democratic Party news and Republican Party news; apps for alcohol, drug, and gambling addictions; apps for sharing prayer requests; apps for tracking pregnancy symptoms; apps for planning your budget; apps for every conceivable hobby or pastime; apps for improving your romantic life. There are popular apps for buying or selling just about anything, and the records of such transactions may be accessible on the phone indefinitely. There are over a million apps available in each of the two major app stores; the phrase “there’s an app for that” is now part of the popular lexicon. The average smart phone user has installed 33 apps, which together can form a revealing montage of the user’s life.

I’d argue that the opinion as a whole endorses the notion that you need to assess the totality of the surveillance in question. But then the footnote adopts the awkward phrase, “collection or inspection of aggregated digital information,” to suggest there may be some arrangement under which the conduct of such analysis might not constitute a search requiring a higher standard. (And all that still leaves the likely possibility that the government would scream “special need” and get an exception to get the data anyway; as they surely will do to justify ongoing border searches of computers.)

Of crucial importance, then, Roberts seems to be saying that it might be okay to conduct mosaic analysis, depending on where you get the data and/or whether you actually obtain or instead simply inspect the data.

That’s crucial, of course, because the government is, as we speak, replacing a phone dragnet in which it collects all the data from everyone and analyzes it (or rather, claims to access only a minuscule portion of it, and to do so only through phone-based contacts) with one where it will go to “inspect” the data at telecoms.

So Roberts seems to have left himself an out (or included language designed to placate even Democrats like Stephen Breyer, to say nothing of Clarence Thomas, to achieve unanimity) that happens to line up nicely with where the phone dragnet, at least, is heading.

All that said, Roberts’ caveat may not be broad enough to cover the new-and-improved phone dragnet as the government plans to implement it. After all, the “connection” based analysis the government intends to do may only survive via some kind of argument that letting telecoms serve as surrogate spooks makes this kosher under the Fourth Amendment. Because we have every reason to expect that the NSA intends to — at least — tie multiple online and telecom identities together to chain on all of them, and use cell location to track who you meet. And they may well (likely, if not now, then eventually) intend to use things like calendars and address books that Roberts argues make cell phones not cell phones, but minicomputers that serve as “cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.” Every single one of those minicomputer functions is a potential “connection” based chain.

So while the new-and-improved phone dragnet may fall under Roberts’ “inspect” language, it involves far more yoking of the many functions of cell phones that Roberts finds to be problematic.

Then there’s this passage, that Roberts used to deny the government the ability to “just” get call logs.

We also reject the United States’ final suggestion that officers should always be able to search a phone’s call log, as they did in Wurie’s case. The Government relies on Smith v. Maryland, 442 U. S. 735 (1979), which held that no warrant was required to use a pen register at telephone company premises to identify numbers dialed by a particular caller. The Court in that case, however, concluded that the use of a pen register was not a “search” at all under the Fourth Amendment. See id., at 745–746. There is no dispute here that the officers engaged in a search of Wurie’s cell phone. Moreover, call logs typically contain more than just phone numbers; they include any identifying information that an individual might add, such as the label “my house” in Wurie’s case. [my emphasis]

The first part of this passage makes a similar kind of distinction as you see in that footnote (and may support my suspicion that Roberts is trying to carve out space for the new-and-improved phone dragnet). Using a pen register at a telecom is not a search, because it doesn’t involve seizing the phone itself.

But the second part of this passage — which distinguishes between pen registers and call logs — seems to be the most direct assault on the Third Party doctrine in this opinion, because it suggests that data that has been enhanced by a user — phone numbers that are not just phone numbers — may not fall squarely under Smith v. Maryland.

And that’s important because the government intends to get far more data than phone numbers while at the telecoms under the new-and-improved phone dragnet. It surely at least aspires to get logs just like the one Roberts says the cops couldn’t get from Wurie.

Think, too, of how this should limit all the US person data the government collects overseas that the government then aggregates to make fingerprints, claiming incidentally collected data does not require any legal process. That data is seized not from telecoms but rather stolen off cables — does that count as public collection or seizure?

Perhaps the language that presents the most sweeping danger to the dragnet, however, is the line that both Kerr and I like best from the opinion.

Alternatively, the Government proposes that law enforcement agencies “develop protocols to address” concerns raised by cloud computing. Reply Brief in No. 13–212, pp. 14–15. Probably a good idea, but the Founders did not fight a revolution to gain the right to government agency protocols.

Admittedly, Roberts is addressing a specific issue, the government’s proposal of how to protect personal data stored on a cloud that might be accessed from a phone (as if the government gives a shit about such things!).

But the underlying principle is critical. For every single dragnet program the government conducts at NSA, it dismisses obvious Fourth Amendment concerns by pointing to minimization procedures.

The FISC allowed the government to conduct the phone dragnet because it had purportedly strict minimization procedures (which the government ignored); it allowed the government to conduct an Internet dragnet for the same reason; John Bates permitted the government to address domestic content collection he deemed a violation of the Fourth Amendment with new minimization procedures; and the 2008 FISCR opinion approving the Protect America Act (which FISCR and the government say covers FAA as well) relied on targeting and minimization procedures to judge it compliant with the Fourth Amendment. FISC is also increasingly using minimization procedures to deem other Section 215 collections compliant with the law, though we know almost nothing about what they’re collecting (though it’s almost certain they involve Mosaic collection).

Everything, everything, ev-er-y-thing the NSA does these days complies with the Fourth Amendment only under the theory that minimization procedures — “government agency protocols” — provide adequate protection under the Fourth Amendment.

It will take a lot of work, in cases in which the government will likely deny anyone has standing, with SCOTUS’ help, to make this argument. But John Roberts said today that the government agency protocols that have become the sole guardians of the Fourth Amendment are not actually what our Founders were thinking of.

Ultimately, though, this passage may be Roberts’ strongest condemnation — whether he means it or not — of the current dragnet.

Our cases have recognized that the Fourth Amendment was the founding generation’s response to the reviled “general warrants” and “writs of assistance” of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity. Opposition to such searches was in fact one of the driving forces behind the Revolution itself.

Roberts elsewhere says that cell searches are more intrusive than home searches. And by stealing and aggregating that data that originates on our cell phones, the government is indeed rummaging in unrestrained searches for evidence of criminal activity or dissidence. Roberts likely doesn’t imagine this language applies to the NSA (in part because NSA has downplayed what it is doing). But if anyone ever gets an opportunity to demonstrate all that NSA does to the Court, it will have to invent some hoops to deem it anything but digital rummaging.

I strongly suspect Roberts believes the government “inspects” rather than “rummages,” and so believes his opinion won’t affect the government’s ability to rummage, at least at the telecoms. But a great deal of the language in this opinion raises big problems with the dragnets.

The Opinion Accompanying the Latest Dragnet Order

As I noted on Friday, the Administration got a new phone dragnet order on the same day that Senators Wyden, Udall, and Heinrich pointed out that — so long as the Administration only wants to do what it claims to want to do — it could stop holding phone records right away, just as it implemented Obama’s 2-hop mandate and court review in February right away.

From ODNI’s announcement that they got a new dragnet order Friday (which they congratulate themselves on as a great show of transparency), it’s clear they have no intention of doing so. On the contrary, they’re going to hold out HR 3361 — and their unconvincing claim that it ends bulk collection as normal people understand the term — with each new dragnet order.

After carefully considering the available options, the President announced in March that the best path forward is that the government should not collect or hold this data in bulk, and that it remain at the telephone companies with a legal mechanism in place which would allow the government to obtain data pursuant to individual orders from the FISC approving the use of specific numbers for such queries. The President also noted that legislation would be required to implement this option and called on Congress to enact this important change to the Foreign Intelligence Surveillance Act (FISA).

Consistent with the President’s March proposal, in May, the House of Representatives passed H.R. 3361, the USA FREEDOM Act, which would, if enacted, create a new mechanism for the government to obtain this telephony metadata pursuant to individual orders from the FISC, rather than in bulk. The bill also prohibits bulk collection through the use of Section 215, FISA pen registers and trap and trace devices, and National Security Letters.

Overall, the bill’s significant reforms would provide the public greater confidence in our programs and the checks and balances in the system, while ensuring our intelligence and law enforcement professionals have the authorities they need to protect the Nation. The Administration strongly supports the USA FREEDOM Act. We urge the Senate to swiftly consider it, and remain ready to work with Congress to clarify that the bill prohibits bulk collection as noted above, as necessary.

Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program, as modified by the changes the President announced earlier this year.

But here’s the bit I’m most struck by, particularly given that the government has not yet released the March 28, 2014 dragnet order which should be a slam dunk declassification process, given that its content has presumably all been released in the past.

In addition to a new primary order last Friday, FISC also wrote a memorandum opinion.

The Administration is undertaking a declassification review of this most recent court order and an accompanying memorandum opinion for publication.

I can think of two things that would explain a memorandum opinion: the program has changed in some way (perhaps they’ve changed how they interpret “selection term” or implement the automated process which they had previously never gotten running?), or the FISC considered some new legal issue before approving the dragnet.

As I noted last week, both US v. Quartavious Davis (in which the 11th Circuit ruled stored cell location data required a warrant) and US v. Stavros Ganias (in which the 2nd Circuit ruled the government can’t use data it seized under an old warrant years later) might affect both the current and future dragnets, as well as other programs the NSA engages in.

Thing is, whatever the subject of the opinion, it’d sure be nice to know what it says before we pass this legislation, as the legislation may have to correct the wacky secret decisions of the FISC (most members of Congress are still not getting unredacted dragnet orders). But if the last order is any indication, we won’t get this new order until months from now, long after the bill is expected to be rushed through the Senate.

Which is probably all by design.

DiFi’s Fake FISA Fix “Connection” Language

As you know, I’ve been trying to track the language in existing phone dragnet orders and new legislation approving the collection of records that are “connected” to a selector by means other than actual calls made. (See here, here, and here for background.) Basically, the automated query approved by the FISA Court in 2012 and the USA Freedumber Act both authorize the government to collect call detail records from phones “connected” to a selector without any call having been made.

Clearly this provision serves to allow the government to track “burner” phones. But given that under the Hemisphere program, AT&T uses cell location to conduct chaining, I expect “connections” will include that too. And it may include things like address books, photos, and calendars, which would be accessible to smart phone providers, and which we know the NSA collects and uses to establish such connections overseas.

I just realized in the last few days that the Fake FISA Fix Dianne Feinstein passed through the Senate Intelligence Committee last year also provides for “connections” based chaining. Here’s how it appears in the bill:

Scope of permissible query return information:

For any query performed pursuant to paragraph (1)(D)(i), the query only may return information concerning communications—

(A) to or from the selector used to perform the query;
(B) to or from a selector in communication with the selector used to perform the query; or
(C) to or from any selector reasonably linked to the selector used to perform the query, in accordance with the court approved minimization procedures required under subsection (g). [my emphasis]

This appears to confirm that the existing connection chaining uses the minimization procedures stage to assess the validity of the connection.

Nowhere, however, have I ever seen any language limiting what kind of “reasonable links” NSA can make in secret.

Particularly given that the government is intent on having telecoms make these links, we really ought to be limiting the kinds of links they’re permitted to make.

Wyden, Udall, and Heinrich Call Obama’s Bluff

The three surveillance critics from the Senate Intelligence Committee — Ron Wyden, Mark Udall, and Martin Heinrich — wrote a letter to Obama on the developments in the NSA reform. Generally, they repeat exhortations that Wyden and Udall have already made in hearings to end the dragnet right now, as Obama has already claimed he wants to do.

I’m not entirely sure what to make of it, but I find some of the details in it to be of particular interest.

The Senators point out, for example, that several bills accomplish the goals Obama has publicly stated he’d support. Those bills include the original USA Freedom Act, and separate proposals advanced by both Udall and Wyden.

But they also include the original PATRIOT Reauthorization from 2005, which Dianne Feinstein once supported, as did a young Senator named Barack Obama (though the Senators don’t mention either of those details). Wyden has long pointed obliquely to when the Executive first started using PATRIOT to conduct dragnets, and the record shows the Executive withheld information about how it was using the PRTT authority from even the Intelligence Committees during the 2005 reauthorization. So the Senators may be nodding towards Executive refusal to respect the will of Congress with this mention.

The Senators then both question claims from Administration officials that “in the absence of new legislation, there is no plan to suspend the bulk collection of Americans’ phone records,” and express their doubts “that the version of the USA Freedom Act that recently passed the House of Representatives would actually ban the bulk collection of Americans’ records.”

While they repeatedly reiterate their support for legislative reform, they also lay out a plan by which the President can immediately end the dragnet. Here’s the part I find particularly interesting.

First, they say it is “highly likely” FISC would let them get two degrees of phone records, unless FISC has already prohibited that.

Unless the FISC has already rejected such a request from the government, it does not seem necessary for the executive branch to wait for Congress before taking action.

Isn’t this already included in current orders? Shouldn’t the Senators know if FISC has rejected such a request (especially Wyden, who has been on the committee through all this period)? Is Wyden saying it’s possible there’s something else limiting the dragnet? Is he pointing to a ruling he knows about?

Just as interesting, the Senators argue the Pen Register Authority — not Section 215 — could serve to carry out the prospective collection the bill claims to want to do.

FISC would likely approve the defined and limited prospective searches for records envisioned under your proposal pursuant to current USA PATRIOT Act Section 214 pen register authorities, given how broadly it has previously interpreted these authorities.

[snip]

Finally, although we have seen no evidence that the government has needed the bulk phone records collection program to attain any time-sensitive objectives, we agree that new legislation should provide clear emergency authorities to allow the government to obtain court approval of individual queries after the fact under specific circumstances. The law currently allows prospective emergency acquisitions of call records under Section 403 of the Foreign Intelligence Surveillance Act (FISA), and the acquisition of past records without judicial review under national security letter authorities.

Of course, the PRTT authority (cited twice here) should always have been the appropriate authority for this collection; we’ve just never learned why the government didn’t use that.

Basically, the Senators are laying out how the Executive could do precisely what it says it wants to do with existing authorities (indeed, with the PRTT authority that is actually targeted to the kind of record in question).

The Executive has all the authorities it needs, the Senators lay out, so why doesn’t it end the dragnet — achieve the reform it claims it wants — immediately?

We believe the way to restore Americans’ constitutional rights and their trust in our intelligence community is to immediately end the practice of vacuuming up the phone records of huge numbers of innocent Americans every day and permit the government to obtain only the phone records of people actually connected to terrorism or other nefarious activity. We support your March 27, 2014, proposal to achieve these goals, but we also view ending bulk collection as an imperative that cannot wait.

Damn! That’s a very good question! Obama moved immediately to implement his first reform proposal — advance FISC approval and limits to two hops — back in February. So why isn’t he moving immediately to implement the plan he says he wants now, as the Senators lay out he could well do under existing authorities?

It may be the Senators are just pressuring Obama to implement changes now, and nothing here is meant to point to some underlying issue.

But I wildarseguess that they’re trying to point out the differences between what they could do — under the PRTT orders they should have been using from the start — and what they want to do.

There’s one difference we can point to right away, after all: immunity. If all the government wanted to do was to obtain call detail records, then they wouldn’t need to give the telecoms immunity. That’s something they do every day. But there’s something they will do that has led the telecoms to demand immunity. That’s the stuff that goes beyond traditional PRTT activity.

Then there’s the stuff we don’t know about: the “connections” based chaining. As I’ve said, I don’t know what that entails. But it is an obvious explanation for why the telecoms need immunity — and for why a simple PRTT order won’t suffice.

One way or another, the Senators are calling Obama’s bluff. Obama says he wants nothing more than to obtain specific phone records going forward. If that’s true, he could make the change today. Yet the Executive is clear they can’t do that.

Update: One more detail. As Wyden’s release on this makes clear, today’s the day the March 28, 2014 phone dragnet order expires, so presumably the government got another one today. We’ve never seen that March 28 order, by the way.

Keith Alexander to Earn $600,000 a Month for Preventing DDoS Attacks

When Politico reported that Keith Alexander was shacking up with shadow regulator Promontory Financial Group to profit off his cyber fear-mongering, I knew he’d be raking in the bucks.

Bloomberg provides more details on how much: his asking price starts at $1M a month, from which he negotiates down to a mere $600,000.

Alexander, 62, said in the interview he was invited to give a talk to the Securities Industry and Financial Markets Association, known as Sifma, shortly after leaving the NSA and starting his firm, IronNet Cybersecurity Inc. He has met with other finance groups including the Consumer Bankers Association, the Financial Services Roundtable and The Clearing House.

At the sessions, Alexander discussed destructive computer programs such as Wiper, which the U.S. government said was notable because attacks using it appeared to originate from North Korea and Iran. “I told them I did think they could defend against that,” Alexander said.

Still, despite the banks’ growing investments in computer security, Alexander said, “many of them aren’t really confident they’re getting their money’s worth.”

[snip]

Sifma Meeting

Alexander offered to provide advice to Sifma for $1 million a month, according to two people briefed on the talks. The asking price later dropped to $600,000, the people said, speaking on condition of anonymity because the negotiation was private.

Alexander declined to comment on the details, except to say that his firm will have contracts “in the near future.”

The article talks in terms of the DDoS attacks launched against US bank websites last year, as well as Wiper, which is allegedly tied to the Stuxnet family (and therefore is something with which Alexander ought to be intimately familiar).

What he doesn’t seem to be promising he can fix are things like the recent hack of a hedge fund’s High Frequency Trading algorithms (at which I am simply failing not to laugh hysterically … sorry, hedgies).

No wonder the banks doubt they’re getting their money’s worth.

It’s hard to read this as anything but a scam. Not only has Alexander spent the last year talking up the risk of cyberattacks, and not only has he had access for the last 8 years to whatever bank secrets haven’t been encrypted, plus the double dipping in SWIFT databases, but he also knows what holes NSA hasn’t fixed.

Ultimately, though, this all serves to obscure the fact that these banks are rickety all by themselves, with or without a hacker’s help (which is one reason I’m laughing at that HFT hack). There’s only so much you can do to harden that target, and the banks won’t do it.

Massie-Lofgren Would Shut Down ALL Back Door Searches under Section 702

There are two details about the Massie-Lofgren Amendment, which passed the House by a 293-123 vote last night, that are currently being missed. First, the bill would shut down all back door searches under Section 702.

Except as provided in subsection (b), none of the funds made available by this Act may be used by an officer or employee of the United States to query a collection of foreign intelligence information acquired under section 702 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1881a) using a United States person identifier.

That means it would apply to FBI, in addition to CIA and NSA (which is what some people are reporting).

That’s the other detail people are missing. According to the John Bates opinion in which he first authorized back door searches for NSA and CIA in 2011, a third agency, which another document says is the FBI, had had that authority going back to 2008. According to the same language, FBI also had the authority to conduct back door searches on traditional FISA taps, which they would retain under this amendment.


Massie-Lofgren Amendment Closes NSA’s Back Door (for Now)

The Massie-Lofgren amendment to the appropriations bill just passed, 293-123.

The amendment would prohibit funds to be used to do either of two things:

  • Conduct back door searches on US person selectors
  • Require companies to put back doors into their products

The vote total was similar to the one the National Security folks have been crowing about, the vote USA Freedumber got a few weeks ago.

Leadership on both sides of the aisle will attempt to find some way to kill this, so the battle is not won yet. But the vote makes it very clear that a bipartisan majority is not okay with some of NSA’s worst abuses.

Update: Here’s the roll call. I’ll have more to say about that tomorrow.

Defund All “Bad Guy” National Security Thinking

Ellen Nakashima has a report on the development of CyberCommand’s national mission teams. Here’s how her anonymous “senior defense official” source described their job.

Part of their job is to do reconnaissance work on foreign networks to watch traffic in servers used by adversaries that the military has gained lawful access to, he said.

“We need to be inside the bad guy’s head and network,” he said. “That’s the mission of the national mission teams: to be inside the bad guy’s head and his network.”

Getting inside the bad guy’s network means monitoring the “hop points” or servers commandeered around the world by adversaries to route and disguise their computer traffic, not necessarily hacking into their command and control computers, he said. “Whatever these bad guys are using in order to do their work, that’s what we’re interested in.”

It’s defense appropriations season, though admittedly too late into the process to do this. But can I suggest an amendment defunding any program or person who discusses targeting in terms of “good guys” and “bad guys”?

Even when discussing physical attacks — say those about to be unleashed on ISIS — it encourages a kind of simplistic thinking. But when discussing online targeting, in which sorting legitimate targets from Big Data chaff should involve a lot of nuanced analysis, and which does happen with little oversight, thinking in such Manichean terms betrays a sloppiness that is unacceptable.

And for both kinds of targeting, physical and digital, presuming we are always the “good guys” fosters a sense of impunity for whatever we do, no matter how rash and — at times — disproportionate our actions are.

Our national security establishment seems to be run by men (mostly men, anyway) with the cognitive sophistication of children. Perhaps we’d be well-served to change that.