Did the Hospital Confrontation Shut Down an Illegal Dragnet against Iraq War Critics?

[Image: two slides from the NSA training program discussed below]

Several days ago I wrote,

Both Goldsmith’s memo (see PDF 14) and the Draft NSA IG Report (PDF 10) make it clear that, in addition to temporarily shutting down the Internet dragnet, the March 19, 2004 modifications to the program narrowed the program’s focus to exclude the Iraqi Intelligence figures who had previously been included, suggesting that Goldsmith only felt he could approve the program for terrorists.

Wait, what?

I’ve known — and written — about this detail in the past. But I hadn’t really put together what it means.

Post-hospital confrontation changes include the exclusion of Iraqi-related targets

Here’s what the two passages say. Goldsmith’s (still heavily redacted) memo reveals that, along with other modifications George Bush made on March 19, 2004 in response to the DOJ resignation threats (notably, temporarily shutting down the Internet dragnet), he also “clarified” the scope of the program.

In the March 19, 2004 Modification, the President also clarified the scope of the authorization [redacted]. He made clear that the Authorization applied where there were reasonable grounds to believe that a communicant was an agent of an international terrorist group [redacted]

The NSA IG Report explains that the “clarification” halted the use of the Presidential Surveillance Program authority against the Iraqi Intelligence Service.

(TS//SI//NF) Iraqi Intelligence Service. For a limited period of time surrounding the 2003 invasion of Iraq, the President authorized the use of PSP authority against the Iraqi Intelligence Service. On 28 March 2003, the DCI determined that, based on then current intelligence, the Iraqi Intelligence service was engaged in terrorist activities and presented a threat to U.S. interests in the United States and abroad. Through the Deputy DCI, Mr. Tenet received the President’s concurrence that PSP authorities could be used against the Iraqi Intelligence Service. NSA ceased using the Authority for this purpose in March 2004. [my emphasis]

There may be a perfectly innocent explanation for this.

At precisely that time, Goldsmith was trying to rein in the government’s rendition program to prevent the rendition of Iraqis protected under international law governing occupation. And, at what appears to have been the same time, DOD was for the first time making a distinction between Iraqis detained and interrogated as former regime officials and Iraqis detained and interrogated as leaders of the insurgency. Clearly, up until that point, Bush had been using the rules invented to hunt terrorists in his Iraq War, creating all sorts of legal problems. So it would be unsurprising if Goldsmith used the resignation threats to force Bush to stop targeting Iraqi officials as terrorists when they were really legal opponents in a war.

The Iraqi-related illegal wiretapping targets must include US-based collection

Except that doesn’t make sense.

That’s because, whatever violations of international law Bush was committing in Iraq, illegal spying on Iraqis was almost certainly not one of them. Nothing prevented the government from spying on Iraqis, and very little spying on Iraqis in Iraq would involve the kind of US collection that implicated his illegal wiretap program.

Which is why the IG Report’s description of an Iraqi intelligence “threat to U.S. interests in the United States” gives me pause.

The illegal program, after all, was focused on US metadata and content collection to find threats (what it called “terrorists”) in the United States. Both the method and location of collection only make sense if you’re hunting communications with at least one, if not both, sides in the US.

There was no real known threat posed by Iraqi governmental interests in the US, in part because the US military chased the Iraqi government underground so quickly. And yet, for it to be something tied into the resignation threats, some significant spying must have been going on.

The obvious guess — and at this point it is just a guess — would be they used the illegal wiretap program to hunt down people Cheney’s minions claimed helped Iraq’s cause here in the US.

You know? Iraqi intelligence assets? Like anti-war activists?

Some data points that might support Bush’s use of his illegal program against anti-war activists

Again, at this point, this is just a guess, one that would be thoroughly unsurprising but is not supported by hard facts.

But it’s worth remembering that Bush did roll out a domestic spying program to track anti-war activities, CIFA, the database for which was destroyed just weeks before NYT initially exposed Bush’s illegal program. We know there were ties between that program and heavy FBI investigations in the US. Then there’s the Antiwar investigation, started just weeks after the hospital confrontation, that used a counterterrorism purpose (a watchlist Antiwar posted) as the predicate to call for further investigation of Antiwar’s online publications, conducted in multiple cities. The Bush Administration was clearly conducting aggressive spying on anti-war activists, so it would be unsurprising to learn it used the threat of Iraqi involvement in the US to conduct illegal electronic surveillance.

Then there’s the suggestion in this NSA training program (from which the two slides above come — see this post for background) that NSA had a “present example” (in 2009) of an abuse akin to Project Minaret, in which a watchlist of citizens, largely critics of the Vietnam War, were surveilled in the name of tracking any foreign influence on them. Here’s Matthew Aid’s description of recent disclosures about that program.

As the Vietnam War escalated during Lyndon B. Johnson’s presidency, domestic criticism and protest movements abounded. Protesters surrounded the Pentagon in the fall of 1967 and two years later organized demonstrations and the Moratorium to End the War in Vietnam. The scale of the dissent angered Johnson as well as his successor, Richard Nixon. As fervent anti-communists, they wondered whether domestic protests were linked to hostile foreign powers, and they wanted answers from the intelligence community. The CIA responded with Operation Chaos, while the NSA worked with other intelligence agencies to compile watch lists of prominent anti-war critics in order to monitor their overseas communications. By 1969, this program became formally known as “Minaret.”

While the NSA slide describes the present example as “unauthorized targeting of suspected terrorists in the U.S.,” not targeting of anti-war activists, we know the collection shut down in March 2004 must have involved the targeting of people in the US based on a claim that some tie to Iraqi interests made them terrorists. Moreover, such targeting would be an exact parallel with Minaret (and while I haven’t discussed it yet, I am cognizant of Bernie Sanders’ recent questions about the targeting of members of Congress, as happened under Minaret and, for reasons explained in my earlier post, as the training program may allude to).

Again, I want to emphasize: this is just a wildarsed guess, though one consistent with what we know about Bush’s illegal program and his surveillance of anti-war activists generally.

Whatever it was, it was part of the package that almost led a bunch of DOJ officials to quit.

Crimes against Secrecy, Crimes against the Constitution

I’m not all that interested in the debate about offering Edward Snowden some kind of amnesty, as I think he could never accept the terms being offered, it arises in part out of NSA’s PR effort, and distracts from the ongoing revelations.

But I am interested in this. Amy Davidson wrote a column refuting Fred Kaplan’s assertion that because Snowden “signed an oath, as a condition of his employment as an NSA contractor, not to disclose classified information,” comparisons with Jimmy Carter’s pardon for draft dodgers are inapt. She notes (as a number of people have already) that the only “oath” that Snowden made was to the Constitution.

To begin with, did Snowden sign “an oath…not to disclose classified information”? He says that he did not, and that does not appear to have been contradicted. Snowden told the Washington Post’s Barton Gellman that the document he signed, as what Kaplan calls “a condition of his employment,” was Standard Form 312, a contract in which the signatory says he will “accept” the terms, rather than swearing to them. By signing it, Snowden agreed that he was aware that there were federal laws against disclosing classified information. But the penalties for violating agreement alone are civil: for example, the government can go after any book royalties he might get for publishing secrets.

Snowden did take an oath—the Oath of Office, or appointment affidavit, given to all federal employees:

I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; that I take this obligation freely, without any mental reservation or purpose of evasion; and that I will well and faithfully discharge the duties of the office on which I am about to enter. So help me God.

Now, some would argue—and it would have to be an argument, not an elision—that he violated this oath in revealing what he did; Snowden told Gellman that the revelations were how he kept it—protecting the Constitution from the officials at the N.S.A., which was assaulting it. Either way this is just not an oath, on the face of it, about disclosing classified information. [my emphasis]

Former Obama DOD official Phil Carter then attempted to refute Davidson on Twitter. He did so by pointing to the “solemnity” of the forms Snowden did sign, and then noting such “promises are far more legally enforceable than an ‘oath’ of office.”

I don’t dispute Carter’s point that nondisclosure agreements are easier to enforce legally than an oath to the Constitution. And, as noted above, in her original piece Davidson admitted that Snowden had acknowledged there were laws against leaking classified information. No one is arguing Snowden didn’t break any laws (though if our whistleblower laws covered contractors, there’d be a debate about whether that excuses Snowden’s leaks).

Nevertheless, Carter’s comment gets to the crux of the point (and betrays how thoroughly DC insiders have internalized it).

We have an ever-growing side of our government covered by a blanket of secrecy. Much of what that secrecy serves to cover up involves abuse or crime. Much of it involves practices that gut the core precepts of the Constitution (and separation of powers is as much at risk as the Bill of Rights).

Yet we not only have evolved a legal system (by reinforcing the clearance system, expanding the Espionage Act, and gutting most means to challenge Constitutional violations) that treats crimes against secrecy with much greater seriousness than crimes against the Constitution, but DC folks (even lawyers, like Carter) simply point to it as the way things are, not a fundamental threat to our country’s government.

That plight — where our legal system guards this country’s “secrets” more greedily than it guards the Constitution — is the entire point underlying calls for amnesty for Snowden. He has pointed to a system that not only poses a grave threat to the Bill of Rights, but just as surely, to separation of powers and our claim to be a democracy.

Moreover, those who (like Carter) point to our failed branches of government as better arbiters of the Constitution than Snowden ignore many of the details in the public record. Just as one example, David Kris has suggested that the entire reason Colleen Kollar-Kotelly wrote a badly flawed opinion authorizing the Internet dragnet was because George Bush had created a constitutional problem by ignoring Congress’ laws and the courts.

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch. [my emphasis]

And while Kris argued Congress’ subsequent approval of the dragnets cures this original sin, the record in fact shows it did so only under flawed conditions of partial knowledge. Of course, these attempts to paper over a constitutional problem only succeed so long as they remain shrouded in secrecy.

That the first response of many is to resort to legalistic attempts to prioritize the underlying secrecy over the Constitution raises questions about what they believe they are protecting. The next torture scandal? Covert ops that might serve the interest of certain autocratic allies but actually make Americans less secure? The financial hemorrhage that is our military industrial complex? The sheer ignorance our bloated intelligence community has about subjects of great importance? Petty turf wars? Past failures of the national security system we’re encouraged to trust implicitly?

At some point, we need to attend to protecting our Constitution again. If Article I and III have gotten so scared of their own impotence (or so compromised) that they can no longer do so, then by all means let’s make that clear by revealing more of the problems.

But we need to stop chanting that our Constitution is not a suicide pact and instead insist that our secrecy oaths (or rather, non-disclosure agreements) should not be suicide bombs.

Parallel Constructing Daoud’s Emails

Judge Sharon Johnson Coleman held a hearing Friday in the Adel Daoud case on whether the government needs to reveal how it collected certain communications from Daoud. That would be notable in any case, given that Daoud is one of the defendants Dianne Feinstein invoked during debate of the FISA Amendments Act reauthorization who has not, however, been noticed that FAA was used to bust him.

But it gets more interesting given something the prosecutor in the case, William Ridgway, said in Friday’s hearing.

Another Daoud attorney, Josh Herman, said some documents turned over by prosecutors, including emails dated 2011, seemed to support defense attorneys’ claim that warrantless surveillance was used on Daoud.

“This is not tin-foil hat paranoia,” Herman said.

But prosecutor William Ridgway said that the 2011 emails may have been found on Daoud’s computer that authorities seized with a warrant in 2012.

If the government did target Daoud only after sifting through communications data without a warrant, the defense wants to challenge all subsequent evidence on the grounds it was gathered through a violation of Daoud’s constitutional rights against unreasonable searches.

The criminal complaint describes an email account Daoud used to “obtain and distribute material … relating to violent jihad” going back to October 2011. That was 7 months before the FBI’s online undercover officers first contacted Daoud — purportedly in response to things he had posted publicly — to set up their sting.

So did the FBI’s investigation of Daoud really start in May 2012, as the complaint sort of implies? In which case, why mention the earlier emails? Or did they identify Daoud via emails collected back in 2011? What legal authority did they use to access those emails? And if they did, what explains the 7 month delay in their sting?

In discussions of where those emails came from at the hearing, Ridgway was non-committal, suggesting they “may” have come from a search on his computer seized with a warrant, but not claiming they did. (The government noticed both FISA wiretap and physical search information, the latter of which often means searches of stored communications, which is presumably another way they could have obtained the emails, if Daoud didn’t delete them, but he appears to have been fairly attentive to hiding his digital tracks by 2012.)

The timing of that claimed start date — October 2011 — is particularly intriguing. Not only is that around the time Daoud turned 18. But it also dates to John Bates’ October 3, 2011 approval (for the first time) of NSA (and CIA)’s use of back door searches on previously collected data and minimization procedures that addressed his concerns about the illegal upstream collection.

I have, in the past, suggested they may have identified Daoud (or perhaps found these emails) via a back door search. While there’s no direct evidence of what collection may have included Daoud, it’s possible they collect URL searches or hits on certain websites from which he collected extremist material.

But it’s also conceivable they identified Daoud via an upstream content search (that is, email collected at a telecom switch via a search on some of the content he had in his emails). For example, perhaps NSA first picked up Daoud’s contacts based on him sending Anwar al-Awlaki materials on October 9 and 18, 2011. It’s conceivable NSA tracks online jihad membership notices, like the one Daoud received on February 6, 2012. It’s likely they track links to sites making Inspire available, such as the URL Daoud sent himself on May 9, 2012 (the initial contacts with online undercover FBI officers were on May 14 and May 17, 2012). If so, any of those emails that transited certain collection points might be sucked up as part of NSA’s use of Section 702 to search on content.

Remember though: NSA has claimed they won’t use these authorities in tandem. They told John Bates they would not conduct back door searches on upstream collection. If they got any of this via upstream collection, they presumably should not be able to go back and search for Daoud (though who knows how NSA finesses this issue via tech claims).

This is why Ridgway’s comment is so striking. Ridgway seemed to suggest there were two possible ways (three, with collection of stored emails) the government could have obtained Daoud’s earlier emails.

Does he know for a fact there are two different ways to get these emails, because the government used both? Does he know there are two ways to get them because the government is using parallel construction to hide one of their more exotic uses of FISA collection from Judge Coleman?

Either of these practices — accessing Daoud’s communications at a time when he had done nothing beyond engage in potentially hateful speech via back door search, or obtaining his emails via upstream collection — would present a use of FISA that, while approved by FISA Judge John Bates (assuming it started after October 3, 2011), has not been known to be scrutinized by an Article III judge presiding in a criminal case. So there’d be a big incentive for the government to use parallel construction to hide the underlying collection.

Of course, it’s most likely — given Judges’ unwillingness to be the first to challenge the government’s ability to keep all FISA materials secret — that we’ll never know, that Daoud will be denied any more information about how the government first identified him as a terrorism lead.

Obviously Bogus Clapper Exoneration Attempt 4.0

Wyden: Does the NSA collect any type of data, at all, on millions, or hundreds of millions of Americans?

Clapper: No sir.

Wyden: It does not?

Clapper: There are cases where they could inadvertently, perhaps, uh, collect, but not wittingly. [After 6:38]

Almost immediately after the first Edward Snowden leaks proved James Clapper lied when he told Ron Wyden the NSA doesn’t collect data of any kind on millions of Americans, Clapper explained that he meant the NSA didn’t vicariously pore through Americans’ emails.

“What I said was, the NSA does not voyeuristically pore through U.S. citizens’ e-mails. I stand by that,” Clapper told National Journal in a telephone interview.

That is, his first response was about reading emails in a certain smarmy fashion; he did not apparently deny collecting them.

Then, with a bit more time to think up an excuse, he admitted to Andrea Mitchell that he had been “too cute by half” but didn’t really explain what semantic excuse he had invented for himself.

First– as I said, I have great respect for Senator Wyden. I thought, though in retrospect, I was asked– “When are you going to start– stop beating your wife” kind of question, which is meaning not– answerable necessarily by a simple yes or no. So I responded in what I thought was the most truthful, or least untruthful manner by saying no.

[snip]

And this has to do with of course somewhat of a semantic, perhaps some would say too– too cute by half. But it is– there are honest differences on the semantics of what– when someone says “collection” to me, that has a specific meaning, which may have a different meaning to him. [my emphasis]

Nevertheless, the implication, less than a week after Snowden’s first revelations, was that collecting Americans’ metadata doesn’t count until you access it, which seems to address the phone dragnet data (though would apply to incidentally collected US person data as well).

Perhaps because his Mitchell answer only increased the mockery, Clapper thought up a new answer, one he sent Senate Intelligence Committee Chair Dianne Feinstein 3 months after he lied to her committee.

I have thought long and hard to re-create what went through my mind at the time.

2 Agents 3 Hours a Day Weren’t REALLY Reading Anwar al-Awlaki’s Email

Former CIA Deputy Director John McLaughlin wants you to believe the NSA wasn’t really reading Anwar al-Awlaki’s communications content, on whose emails (including the web-based ones) the NSA had a full-time tap at least as early as March 16, 2008.

In my experience, NSA analysts err on the side of caution before touching any data having to do with U.S. citizens. In 2010, at the request of then-Director of National Intelligence Dennis Blair, I chaired a panel investigating the intelligence community’s failure to be aware of Umar Farouk Abdulmutallab, the “underwear bomber” who tried to blow up a commercial plane over Detroit on Dec. 25, 2009.

The overall report remains classified, but I can say that the government lost vital time because of the extraordinary care the NSA and others took in handling any data involving a “U.S. person.” (Abdulmutallab, a Nigerian, was recruited and trained by the late Anwar al-Awlaki, a U.S. citizen based in Yemen.)

And maybe that’s the case.

Except it doesn’t seem to square with the report that two FBI Agents were spending 3 hours a day each reading Awlaki’s mail. It doesn’t seem to accord with the efforts those Agents made to chase down the Nidal Hasan lead — which, after all, infringed on the privacy of two American citizens, against one of whom probable cause had not been established. You’d think it would be far easier to chase down the Abdulmutallab messages, particularly given what has been portrayed as more clearly operational content, given that Abdulmutallab would have gotten no protection as a US person.

Sure, those Agents complained about the “crushing” volume of the communications content they had to review every day, but that was a factor of volume, not any restrictions on reading FISA target Anwar al-Awlaki’s email.

Don’t get me wrong. I’m thrilled someone has raised Abdulmutallab in the context of assessing NSA’s dragnet, which I’ve been calling for since October.

UndieBomb 1.0 was the guy who was allegedly plotting out Jihad with Anwar al-Awlaki — whose communications the FBI had two guys reading – over things like chats and calls. That is, Umar Farouk Abdulmutallab was a guy whose plot the NSA and FBI should have thwarted before he got on a plane. (To say nothing of the CIA and NCTC’s fuck-ups.)

And yet, he got on that plane. His own incompetence and the quick work of passengers prevented that explosion, while a number of needles went unnoticed in the NSA’s most closely watched haystacks.

Nevertheless, the lesson DiFi takes is that we need more haystacks.

Shouldn’t the lessons of UndieBomb 1.0 be just as important to this debate as the partial, distorted, lessons of 9/11?

(I’ve also been wondering why Faisal Shahzad, who was getting instructions, including hawala notice, from known targets of drone strikes in Pakistan, before his attack, wasn’t identified by phone and Internet dragnet analysis as a person of interest through those contacts, though that may legitimately be because of turmoil in both dragnet programs.)

But if McLaughlin’s claims were true, the description of the treatment of the Awlaki wiretaps in the Webster report on the Nidal Hasan investigation wouldn’t seem to make sense.

By all means, let’s hear what really happened back between 2008 and 2010, when the NSA missed multiple contacts with top AQAP targets and TTP targets and as a result missed two of the three main international terrorist attacks on this country since 9/11. That should be part of the debate.

But let’s be very clear whether it was really limits on US person data, when we see FBI reading content of two US persons directly, or rather the sheer volume we’re collecting (as well as the crappy computer systems FBI had in place in 2009) that caused the dragnet to fail.

The Source of the Section 702 Limitations: Special Needs?

Way back in 2013, in Marty Lederman’s review of the NSA Review Group’s Report, he pointed to the Report’s suggestion that Section 702 collection was limited to use with counterterrorism, counterproliferation, and cybersecurity.

The Report contains an interesting clue about how the government is presently using Section 702 that I do not recall being previously disclosed—and raises a related question about legal authorities under that provision of the FAA:

The Report explains (page 136) that in implementing Section 702, “NSA identifies specific ‘identifiers’ (for example, e-mail addresses or telephone numbers) that it reasonably believes are being used by non-United States persons located outside of the United States to communicate foreign intelligence information within the scope of the approved categories (e.g., international terrorism, nuclear proliferation, and hostile cyber activities).”

[snip]

Later, on pages 152-53, the authors “emphasiz[e] that, contrary to some representations, section 702 does not authorize NSA to acquire the content of the communications of masses of ordinary people. To the contrary, section 702 authorizes NSA to intercept communications of non-United States persons who are outside the United States only if it reasonably believes that a particular ‘identifier’ (for example, an e-mail address or a telephone number) is being used to communicate foreign intelligence information related to such matters as international terrorism, nuclear proliferation, or hostile cyber activities.” (Italics in original.)

I may be mistaken, but I don’t believe that there’s anything in the statute itself that imposes the limitations in bold–neither that the NSA must use such “identifiers,” nor that international terrorism, nuclear proliferation, and hostile cyber activities are the only topics of acceptable foreign intelligence information that can be sought.  Perhaps the FISC Court has insisted upon such limits; but, as far as I know, the Section 702 authority as currently codified is not so circumscribed.

Of course, if you’re a regular emptywheel reader, you likely know where this has been suggested in the past, since I’ve been pointing out this apparent limitation to Section 702 since June 10 and discussed some implications of it here, here, and here.

In a response to Lederman, Julian Sanchez provided some specific cautions about treating these category limits as true “limitations.” He suggests it is unlikely that the Intelligence Community or the FISA Court would impose such limitations.

The 702 language, codified at 50 U.S.C. §1881a, permits the NSA to acquire any type of “foreign intelligence information,” which is defined extraordinarily broadly to encompass, inter alia, anything that relates to the “conduct of the foreign affairs of the United States.” But here we have the Review Group suggesting repeatedly that 702 surveillance is only for acquiring certain specific types of foreign intelligence information, related to nuclear proliferation, international terrorism, or cybersecurity. Have the intelligence agencies or the FISC imposed a more restricted reading of “foreign intelligence information” than the FISA statute does? I doubt it.

While I agree with most of Sanchez’ other cautions, I actually do think it likely that the FISC conducts a review that ends up in such limited certifications. They did it for application of Section 215 to the phone dragnet (which legally could have been used for counterintelligence purposes) and I think they may well have done so with Section 702.

FISCR only ruled bulk content collection legal for “national security” foreign intelligence purposes

We’ll learn whether I’m right or not when the FISC releases more of the 2008 Yahoo challenge to Protect America Act directives. But there is enough detail in the unclassified August 22, 2008 FISA Court of Review opinion released in early 2009 to suggest where that limitation may have come from.

The FISCR opinion, written by Bruce Selya, describes the certifications before the Court as limited to “foreign intelligence for national security purposes,” a limitation that already circumscribes PAA (and the FISA Amendments Act, as Sanchez has laid out), which allow their use for foreign intelligence generally.

In essence, as implemented, the certifications permit surveillances conducted to obtain foreign intelligence for national security purposes when those surveillances are directed against foreign powers or agents of foreign powers reasonably believed to be located outside the United States. [my emphasis]

This limitation is important because of the way Selya deals with the affirmation, in the FISC ruling before the FISCR, that there is a foreign intelligence exception to the Fourth Amendment: by instead finding a special needs exception to the Fourth tied to national security.

The Obama as Civil Libertarian Propaganda Rolls Out

Remember back in May 2012, when Daniel Klaidman (and the NYT) rolled out stories about the White House imposing new order on the drone program? The initial roll-out stories adopted the new White House euphemism — Terrorist Attack Disruption Strikes or TADS — in lieu of the previously used “signature strike” or more accurate “untargeted drone strike.” But in stories masquerading as comprehensive, neither made any mention of the death of 16 year old American citizen Abdulrahman al-Awlaki.

And remember back in February 2013, when Klaidman rolled out claims that John Brennan would not only change the drone targeting rules at CIA, but roll back the war on terror altogether? That article didn’t see any contradiction with treating Brennan’s claims as honest when trying to argue he approved signature strikes in Yemen yet admitting he had twice opposed them. Once again, a purportedly comprehensive article — even one focused on Yemen — didn’t mention Abdulrahman al-Awlaki.

And remember when, a month later, Klaidman proclaimed, “Exclusive: No More Drones for CIA”? I predicted then, based on the evidence of John Brennan’s formal statements to Congress and actions rather than credulously treated anonymous claims, it was wrong.

I was right.

Well, yesterday Klaidman was out with another big counterterrorism scoop, this one promising that “Obama’s Defining Fight” would be “how he will take on the NSA’s surveillance state in 2014.” It dedicates 2,200 words to supporting this proposition.

Throughout his presidency he has struggled, even agonized, over how to balance security and liberty in an age of terror.

[snip]

Obama’s willingness to go back and reform his own counterterrorism policies sometimes has led him to give up power or place it under tighter constraints, an unusual characteristic, given that most presidents try to enhance executive authority, especially in the national security arena. Obama, on the contrary, ordered a policy review toward the end of his first term that eventually placed greater restraints on his targeted killing program, resulting in fewer strikes.

His trajectory on surveillance fits the pattern. [my emphasis]

Klaidman apparently doesn’t see the contradiction with the conclusion of his tale.

Sometime in January, Obama plans to deliver a major speech laying out his own blueprint for surveillance reform.

That is, ultimately Obama plans his own “reform.” Which not only keeps the authority for “reform” in the Executive’s hands — protecting executive authority — but almost certainly stops short of the reasonable but by no means adequate changes proposed by his Review Group.

More importantly, in a story focusing on the reform proposals offered by his Review Group that Obama apparently may accept, Klaidman once again has one of his increasingly characteristic black holes in the middle of the story.

Klaidman reports on Obama’s openness to entertain his NSA Review Group’s recommendations. Yet he makes not one mention of the Group’s recommendation that Director of NSA and CyberCommand be split, and that a civilian lead the former organization. This is one of the most important structural reforms proposed by the Review Group.

Nor does Klaidman mention that Obama has already pre-empted that recommendation publicly after having learned of it, announcing that the position would remain joined and in military hands.

This, in an article that portrays Obama getting miffed at General Alexander (and credulously reporting Alexander’s laughable–and, in reality, more limited–claim that no one knew that NSA hadn’t turned off deliberate features of the illegal dragnet after FISC excluded those features from the dragnet).

But behind the scenes, Obama was showing some irritation with the intelligence leadership that had pressed for these capabilities and repeatedly vouched for their value. One story that rocketed around the intelligence community involved a meeting between the president and NSA Director Keith Alexander. Alexander, who holds advanced degrees in physics and electronic warfare, was trying to explain certain aspects of one of the surveillance programs to Obama. As his highly technical and jargon-laden presentation rambled on, Obama was beginning to lose patience. When Alexander finished, the president thanked him and then icily asked if he could do it over again, “but this time in English.”

While it went unstated at the time, Obama may have felt frustrated that the complexity of the technology was overwhelming policymakers. Even Alexander had publicly conceded that no single person at the NSA had the wherewithal to understand the metadata program in all its dimensions.

Obama already made it clear that certain issues — as it happens, issues that might rein in the national security state — are not up for deliberation. And yet Klaidman makes no mention of that evidence refuting his central premise, even while pretending Obama will and has stood up to Alexander.

Don’t get me wrong. These tales from Klaidman are useful, because so few other reporters get this access. But given the black holes that persist at the center of Klaidman’s scoops, it’s advisable to take his factoids as potentially fictional details, floating completely independently of the narrative he places them in. Because his narratives increasingly have enormous holes precisely where the known evidence exists.

How NSA Hunts Metadata “Content” in Search of Your Digital Tracks

Der Spiegel has posted a set of slides associated with their story on how NSA’s TAO hacks targets.

The slides explain how analysts can find identifiers (IPs, email addresses, or cookies) they can most easily use to run a Quantum attack.

Because NSA is most successful hacking Yahoo, Facebook, and static IPs, it walks analysts through how to use Marina (or “QFDs,” which may be Quantum specific databases) to find identifiers for their target on those platforms. If they can’t find one of them, it also notes, analysts can call on GCHQ to hack Gmail. Once they find other identifiers, they can see how often the identifier has been “heard,” and how recently, to assess whether it is a still-valid identifier.

The slides are fascinating for what they say about NSA’s hacking (and GCHQ’s apparent ability to bypass Google’s encryption, perhaps by accessing their own fiber). But they’re equally interesting for what they reveal about how the NSA is using Internet metadata.

The slides direct analysts to enter a known identifier, to find all the other known identifiers for that user, which are:

determined by linking content (logins/email registrations/etc). It is worth verifying that these are indeed selectors associated to your target. [my emphasis]

This confirms something — about Internet metadata, if not yet phone metadata — that has long been hinted. In addition to using metadata to track relationships, they’re also using it to identify multiple identities across programs.

This makes plenty of sense, since terrorists and other targets are known to use multiple accounts to hide their identities. Indeed, doing more robust such matching is one of the recommendations William Webster made after his investigation of Nidal Hasan’s contacts with Anwar al-Awlaki, in part because Hasan contacted Awlaki via different email addresses.

But it does raise some issues. First, how accurate are such matches? The NSA slides implicitly acknowledge they might not be accurate, but they provide no clues how analysts are supposed to “verify[] that these are indeed selectors associated to your target.” In phone metadata documents, there are hints that the FISC imposed additional minimization procedures for matches made with US person identifiers, but it’s not clear what kind of protection that provides.

Also, remember NSA was experiencing increased violation numbers in early 2012 in significant part because of database errors, and Marina errors made up 21% of those. If this matching process is not accurate, that may be one source of error.
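To make the accuracy question concrete, here is an added illustration (not drawn from the slides or from any NSA tool) of how linking selectors through shared logins can merge two different people into one "target." The selectors, observation counts, and the `min_seen` threshold are all constructed assumptions.

```python
# Added illustration: transitive selector linking and how one stray
# observation produces a false match. All data below is constructed.

# (selector_a, selector_b, times_the_pair_was_observed_together)
LINK_EVENTS = [
    ("email:alice@example.org", "cookie:Y-1111", 40),
    ("cookie:Y-1111", "ip:198.51.100.7", 35),
    ("email:bob@example.net", "cookie:Y-2222", 52),
    # Bob logs in once from a shared machine that still holds Alice's cookie.
    ("email:bob@example.net", "cookie:Y-1111", 1),
]


class SelectorLinker:
    """Union-find: any accepted link merges the two selectors' clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, selector):
        self.parent.setdefault(selector, selector)
        while self.parent[selector] != selector:
            # Path halving keeps later lookups short.
            self.parent[selector] = self.parent[self.parent[selector]]
            selector = self.parent[selector]
        return selector

    def link(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def cluster(self, selector):
        """Every selector that ends up attributed to the same 'user'."""
        root = self.find(selector)
        return sorted(s for s in list(self.parent) if self.find(s) == root)


def build(events, min_seen=1):
    """Link selectors, ignoring pairs observed fewer than min_seen times.

    min_seen is a hypothetical verification knob, not a documented one.
    """
    linker = SelectorLinker()
    for a, b, seen in events:
        linker.find(a)
        linker.find(b)
        if seen >= min_seen:
            linker.link(a, b)
    return linker


if __name__ == "__main__":
    for threshold in (1, 2):
        result = build(LINK_EVENTS, min_seen=threshold)
        print(threshold, result.cluster("email:alice@example.org"))
```

With every link accepted, a single shared-machine login attributes all of Bob's selectors to Alice; requiring a second observation keeps the two clusters apart.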

Also, note that NSA itself calls this “content,” not metadata. It may be they’ve associated such content via other means, not just metadata collection, but given NSA’s “overcollection” of metadata under the Internet dragnet, almost certainly collecting routing data that count as content, it does reflect the possibility they themselves admit this goes beyond metadata. Moreover, this raises real challenges to NSA claims that they don’t know the “identity” of the people they track in metadata.

Now, none of this indicates US collection (though it does show that NSA continues to collect truly massive amounts of Internet traffic from some location). But the slide above does show NSA monitoring whether this particular user was “seen” at US-[redacted] in the last 14 days. US-[redacted] is presumably a US-associated SIGAD (collection point). (They’re looking for a SIGAD from which they can successfully launch Quantum attacks, so they’re checking whether their target’s traffic commonly uses that point.) While that SIGAD may be offshore, and therefore outside US legal jurisdiction, it does suggest this monitoring takes place within the American ambit.

At least within the Internet context, Marina functions not just as a collection of known relationships, but also as a collection of known data intercepts, covering at least a subset of traffic. They likely do similar things with international phone dragnet collection and probably the results of US phone dragnet in the “corporate store” (which stores query results).

In other words, this begins to show how much more the NSA is doing with metadata than they let on in their public claims.

Update: 1/1/14, I’m just now watching Jacob Appelbaum’s keynote at CCC in Berlin. He addresses the Marina features at 22:00 and following. He hits on some of the same issues I do here.

NSA, Not China, the Global BIOS Suicide Cyber-Bomber

Remember when, to fearmonger as part of 60 Minutes NSA propaganda, they warned of a Chinese attack on the US economy that, if launched, would have amounted to China acting as a suicide cyber-bomber?

The attack would have targeted computers’ BIOS.

Then there’s the scary BIOS plot.

I’ll need to go back and review this, but the gist of the scary claim at the heart of the report is that the NSA caught China planning a BIOS plot to shut down the global economy.

To.

Shut.

Down.

The.

Global.

Economy.

Of course, if that happened, it’d mean a goodly percentage of China’s 1.3 billion people would go hungry, which would lead to unbelievable chaos in China, which would mean the collapse of the state in China, the one thing the Chinese elite want to prevent more than anything.

But the NSA wants us to believe that this was actually going to happen.

That China was effectively going to set off a global suicide bomb. Strap on the economy in a cyber-suicide vest and … KABOOOOOOOM!

And the NSA heroically thwarted that attack.

The invocation of a BIOS attack was meant to provide authenticity and (for those who didn’t realize how obvious this is) mystery, I think.

But I find it particularly ironic that inserting backdoors into BIOS is (or was, back in 2008) the preferred method of NSA’s Access Network Technology group, which provides tools to access hardware and software.

It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer’s motherboard that is the first thing to load when a computer is turned on.

This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this “Persistence” and believe this approach has provided them with the possibility of permanent access.

Again, this is not surprising. It’s just a means of doing what the NSA wants to acquire.

Still, it highlights the degree to which most fearmongering claims the NSA makes may well be projection about its own activities.

That said, given the list of companies whose products they’ve compromised, it may serve as a kind of suicide bomb against the tech industry:

  • Juniper Networks
  • Cisco
  • Huawei
  • Western Digital
  • Seagate
  • Maxtor
  • Samsung

Again, that ANT tampers with Huawei products is not surprising, but it is ironic, given that we not only won’t let Huawei do business in the US, but increasingly want to keep them out of our close allies’ networks, all because of concerns China would require the company to insert back doors into Huawei equipment.

Maybe those back doors are really NSA’s?

Judge Pauley’s Deliberate Blind Spot: Systematic Section 215 Abuses

Sorry for my silence of late, particularly regarding William Pauley’s ruling finding the phone dragnet legal. The good news is my mom can now reach the light switch in her sewing room without risk of falling.

As noted, Judge Pauley ruled against the ACLU in their suit challenging the phone dragnet. A number of commentators have pointed to some bizarre errors or focus in Pauley’s ruling, including,

  • Pauley says the government could not find the “gossamer threads” of terrorist plotters leading up to 9/11. They did find them. They simply didn’t act appropriately with them.
  • He unquestioningly considers the 3 uses of Section 215 (with Zazi, Headley, and Ouazzani) proof that it is effective. He does not note that even Keith Alexander has admitted it was only critical in one case, one not even mentioned in the government’s filings in this case.
  • He ignores the role of the Executive in willingly declassifying many details of this program, instead finding it dangerous to allow the ACLU to sue based on an unauthorized leak. The government has actually been very selective about what Snowden-leaked programs they’ve declassified, almost certainly to protect even more problematic programs from legal challenge.
  • He claims Congress has renewed Section 215 7 times (including 2001, it was renewed 5 times).
  • He claims there is no doubt the Intelligence and Judiciary Committees knew about the rulings underlying the program in spite of the fact that some rulings were not provided until after Section 215 was renewed; he admits that the limits on circulation of notice in 2011 were “problematic” but asserts the Executive met its statutory requirements (he doesn’t deal with the evidence in the record that the Executive Branch lied in briefings about the conduct of the dragnet).

There are also Pauley’s claims about the amount of data included — he says the government collects all phone metadata; they say NSA collects far less data. This is a more complicated issue which I’ll return to, though maybe not until the New Year.

But I’m most interested in the evidence Pauley points to to support his claim that the FISC (and Congress) conduct adequate oversight over this program. He points to John Bates’ limits to the government’s intentional collection of US person data via upstream collection rather than Reggie Walton’s limits to Section 215 abuses.

For example, in 2011, FISC Judge Bates engaged in a protracted iterative process with the Government–over the Government’s application for reauthorization of another FISA collection program. That led to a complete review of that program’s collection and querying methods.

He then immediately turns to Claire Eagan’s opinion reiterating that the government had found and dealt with abuses of the phone dragnet program.

In other words, for some bizarre reason he introduces a series of rulings pertaining to Section 702 — and not to Section 215 — to support his argument that the government can regulate this Section 215 collection adequately.

It’s particularly bizarre given that we have far more documents showing the iterative process that took place in 2009 pertaining directly to the phone dragnet. Why even mention the Bates rulings on upstream collection when there are so many Reggie Walton ones pertaining directly to Section 215?

I suspect this is because Pauley relies so heavily on the adequacy of the minimization procedures imposed by the FISC, as when he cites Claire Eagan’s problematic opinion to claim that without adequate minimization procedures, FISC would not approve Section 215 phone dragnet orders.

Without those minimization procedures, FISC would not issue any section 215 orders for bulk telephony metadata collection.

(Note, Pauley doesn’t note that the government has not met the terms of Section 215 itself with regard to minimization procedures, which among other things would require an analysis of the NSA using a statute written for the FBI.)

The only way Pauley can say the limits he points to in his analysis — that NSA can only analyze 3 hops deep, that FBI only gets summaries of the queries, that every query got approved for RAS — is if he ignores that for the first 3 years of the program, all of these claims were false.

He uses similar analysis to dismiss concerns about the power of metadata.

But [ACLU’s contention that the government could use metadata analysis to learn sensitive details about people] is at least three inflections from the Government’s bulk telephony metadata collection. First, without additional legal justification–subject to rigorous minimization procedures–the NSA cannot even query the telephony metadata database. Second, when it makes a query, it only learns the telephony metadata of the telephone numbers within three “hops” of the “seed.” Third, without resort to additional techniques, the Government does not know who any of the telephone numbers belong to.

These last assertions are all particularly flawed. Not only have these minimization procedures failed in the past, not only has the government been able to go four hops deep in the past (which could conceivably include all Americans in a query), not only is there abundant evidence — which I’ll lay out in a future post — that the government does know the identities of at least some of those whom it is chaining, but there are two ways the government accesses this data for which none of this is true: when “data integrity analysts” fiddle with the data to prepare it for querying, and when it is placed in the “corporate store” and analyzed further.
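To show why the difference between three and four hops matters, here is an added illustration (not from the ruling or any government filing) that chains outward from a seed over constructed call records. The numbers, the "pizza-shop" hub, and the fan-out sizes are assumptions chosen to make the growth visible.

```python
# Added illustration: contact chaining from a seed by hop count.
# All call records below are constructed.
from collections import defaultdict, deque


def build_graph(call_records):
    """Undirected contact graph: a call in either direction is a link."""
    graph = defaultdict(set)
    for a, b in call_records:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def chain(graph, seed, max_hops):
    """Breadth-first search; returns {number: hops from seed}."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        number = queue.popleft()
        if dist[number] == max_hops:
            continue  # do not expand past the hop limit
        for contact in graph[number]:
            if contact not in dist:
                dist[contact] = dist[number] + 1
                queue.append(contact)
    return dist


def reach(graph, seed, max_hops):
    """How many numbers other than the seed fall inside the query."""
    return len(chain(graph, seed, max_hops)) - 1


def constructed_records():
    """seed -> contact -> a high-volume business -> customers -> families."""
    records = [("seed", "contact"), ("contact", "pizza-shop")]
    for i in range(200):
        customer = f"customer-{i}"
        records.append(("pizza-shop", customer))
        for j in range(5):
            records.append((customer, f"family-{i}-{j}"))
    return records


if __name__ == "__main__":
    g = build_graph(constructed_records())
    for hops in (2, 3, 4):
        print(hops, "hops:", reach(g, "seed", hops))
```

One high-volume number two hops from the seed pulls in all of its callers at hop three and all of their contacts at hop four, none of whom has any connection to the seed beyond ordering from the same business.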

All the claims about minimization Pauley uses to deem this program legal have big big problems.

The NSA conducted a fraud on the FISC for 3 years (and still is, to the extent they claim the violations under the program arose from complexity rather than their insistence on adopting all the practices used under the illegal program for the FISC-authorized program). Yet Pauley points to the FISC to dismiss any Constitutional concerns with this program.

And to do that, he ignores the abundant evidence that all his claims have been — and may still be, in some cases — false.