Coincidental Timing in NSA’s Telecom Switch Collection

We knew the government had “shut down” the Internet metadata in “late” 2011.

But I believe Friday’s filings are the first time they’ve specified publicly: they shut it down in December 2011.

That gives us the following chronology:

May 29, June 22, 2009: First Internet dragnet violations noticed as part of phone dragnet review

Around July 2009: NSA pilots new contact-chaining approach for Internet dragnet

Around November 2009: FISA Court does not re-approve Internet dragnet (see 15-16)

Between July and October 2010: FISC reauthorizes and NSA restarts Internet dragnet, but finds some overcollection since start of program in 2004

November 29, 2010: NSA signs directive allowing analysts to chain through US persons

January 3, 2011: Government rolls out new dragnet approach, providing

May 2, 2011: Government “clarifies” that upstream collection includes some US person data

October 3, 2011: John Bates finds some upstream dragnet illegal

Between October 3 and October 6, 2011: NSA General Counsel considers appeal

October 13, 2011: Government claims 1809(a)(2) does not apply — presumably to upstream collection

October 17, 2011: Draft training module advises analysts to talk to management or subject matter expert about Internet dragnet from prior to November 2009

November 22, 2011: Government still challenging applicability of 1809(a)(2) in upstream collection

Late 2011: Government starts dealing with upstream content

December 2011: Government halts Internet dragnet

That is, the government stopped collecting Internet metadata in the US within weeks of the discussion between John Bates and the government over whether or not Section 1809(a)(2) applied to NSA’s deliberate collection of US person content within the US via collection off telecom switches in the US — the same method of collection as used in the Internet dragnet.

That’s not to say the legal discussion influenced the decision. There are plenty of other explanations — including Google’s encryption by default (which made Google content inaccessible via US switches) and the earlier limits Bates imposed on US metadata collection, which may have made domestically-collected metadata less useful — for NSA to shut down that collection.

But I wonder whether Bates’ persistent focus on 1809(a)(2) had an influence.

I say that for two reasons — aside from the timing.

First, it is unusual for a training document to recommend asking a person for information about how to handle something, as the dragnet training instructed analysts, “for information on PR/TT data collected prior to November of 2009, contact your organization’s management or subject matter expert,” as late as October 17, 2011. The data from this period involved overcollection (probably content collected in the guise of metadata) that, if known to be US person data, could not be circulated without violating 1809(a)(2). This kind of instruction should be written down, especially given the legal sensitivity surrounding it, not transmitted person-to-person. But it appears not to have been.

There are a lot of details about Bates’ resolution of the Internet metadata overcollection in 2010 that we don’t yet know. Unlike with the 2011 US opinion, we don’t see the follow-up discussion to see how that collection was handled.

But we do know how Bates enforced his 2011 opinion: by emphasizing that the government couldn’t use any of that US person upstream collection for submissions to the FISC.

Beginning late in 2011, the government began taking steps that had the effect of mitigating any Section 1809(a)(2) problem, including the risk that information subject to the statutory criminal prohibition might be used or disclosed in an application filed before this Court.

Given that the government uses metadata to select which content collection to translate, this restriction on submitting improperly collected data to the FISC might be even more restrictive with the Internet dragnet information than the upstream collection.

In October and November 2011, John Bates reiterated his assertion — first made the year earlier in conjunction with Internet dragnet collected via the same means — that the NSA could be subject to 1809(a)(2), in response to which the government still tried to object. But then they stopped objecting and started complying, at the same time they also stopped collecting Internet metadata from within the US.

Two years in a row the NSA’s collection off telecom switches was deemed to be illegal. As the second judgment got resolved (by imposing restrictions on the circulation of the data), the government moved the collection tied to the first judgment overseas.

The Civil Liberties Celebration Hangover Wears Off

At the end of last week, I joked a little about privacy and civil liberties advocates having had the “best week ever”. It was indeed a very good week, but only relatively compared to the near constant assault on the same by the government. But the con is being put back in ICon by the Administration and its mouthpieces.

As I noted in the same post, Obama himself has already thrown cold water on the promise of his NSA Review Board report. Contrary to some, I saw quite a few positives in the report and thought it much stronger than I ever expected. Still, that certainly does not mean it was, or is, the particularly strong reform that is needed. And even the measures and discussion it did contain are worthless without sincerity and dedication to buy into them by the intelligence community and the administration. But if Obama on Friday was the harbinger of the walkback and whitewash of real reform, the foot soldiers are taking the field now to prove the point.

Sunday morning brought out former CIA Deputy Director Michael Morell on CBS Face the Nation to say this:

I think that is a perception that’s somehow out there. It is not focused on any single American. It is not reading the content of your phone calls or my phone calls or anybody else’s phone calls. It is focused on this metadata for one purpose only and that is to make sure that foreign terrorists aren’t in contact with anybody in the United States.

Morell also stated that there was “no abuse” by the NSA and that Ed Snowden was a “criminal” who has shirked his duties as a “patriot” by running. Now Mike Morell is not just some voice out in the intelligence community, he was one of the supposedly hallowed voices that Barack Obama chose to consider “reform”.

Which ought to tell you quite a bit about what Barack Obama really thinks about true reform and your privacy interests. Not much. In fact, Morell suggested (and Obama almost certainly agrees) that the collection dragnet should be expanded from telephony to also include email. Not exactly the kind of “reform” we had in mind.

Then, Sunday night 60 Minutes showed that fluffing the security state is not just a vice, but an ingrained habit for them. Hot on the heels of their John Miller blowjob on the NSA, last night 60 Minutes opened with a completely hagiographic puff piece on and with National Security Advisor Susan Rice. There was absolutely no news whatsoever in the segment, it was entirely a forum for Rice and her “interviewer”, Lesley Stahl, to spew unsupported allegations about Edward Snowden (He “has 1.5 million documents!”), lie about how the DOJ has interacted with the court system regarding the government surveillance programs (the only false statements have been “inadvertent”) and rehab her image from the Benghazi!! debacle. That was really it. Not exactly the hard hitting journalism you would hope for on the heels of a federal judge declaring a piece of the heart of the surveillance state unconstitutional.

Oh, yes, Susan Rice also proudly proclaimed herself “a pragmatist like Henry Kissinger” which, as Tim Shorrock correctly pointed out, is not exactly reassuring from the administration of a Democratic President interested in civil liberties, privacy and the rule of law.

So, the whitewashing of surveillance dragnet reform is in full swing, let the giddiness of last week give way to the understanding that Barack Obama, and the Intelligence Community, have no intention whatsoever of “reforming”. In fact, they will use the illusion of “reform” to expand their authorities and power. Jonathan Turley noted:

Obama stacked the task force on NSA surveillance with hawks to guarantee the preservation of the program.

Not just preserve, but to give the false, nay fraudulent, patina of Obama Administration concern for the privacy and civil liberties concerns of the American citizenry when, in fact, the Administration has none. It is yet another con.

Or, as Glenn Greenwald noted:

The key to the WH panel: its stated purpose was to re-establish public confidence in NSA – NOT reform it.

There may be some moving of the pea beneath the shells, but there will be no meaningful reform from the administration of Barack Obama. The vehicle for reform, if there is to be one at all, will have to come from the Article III federal courts. For an overview of the path of Judge Leon’s decision in Klayman through the DC circuit, see this piece by NLJ’s Zoe Tillman.

Lastly, to give just a little hope after the above distressing content, I recommend a read of this excellent article by Adam Serwer at MSNBC on the cagy pump priming for surveillance reform Justice Sotomayor has done at the Supreme Court:

If Edward Snowden gave federal courts the means to declare the National Security Agency’s data-gathering unconstitutional, Sonia Sotomayor showed them how.

It was Sotomayor’s lonely concurrence in U.S. v Jones, a case involving warrantless use of a GPS tracker on a suspect’s car, that the George W. Bush-appointed Judge Richard Leon relied on when he ruled that the program was likely unconstitutional last week. It was that same concurrence the White House appointed review board on surveillance policy cited when it concluded government surveillance should be scaled back.

“It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties,” Sotomayor wrote in 2012. “This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

Give the entire article a read, Adam is spot on. If there is to be reform on the surveillance dragnet, it will almost certainly have to be the handiwork of the courts, and Justice Sotomayor planted the seed. The constant barrage of truth and facts coming from the Snowden materials, what Jay Rosen rightfully terms “The Snowden Effect” is providing the food for Sotomayor’s seed to flower. Hopefully.

James Clapper Claims Publicly Acknowledged Details Are State Secrets While Boasting of Transparency

Between documents leaked by Edward Snowden, official court submissions, and official public statements, we know at least the following about the surveillance system set up after 9/11 and maintained virtually intact to this day:

  • Around 8-14% of the content collected under Bush’s illegal program was domestic content (page 15 of the NSA IG Report says this constituted 8% of all the illegal wiretap targets but the percentage works out to be higher)
  • Some of the content collected via ongoing upstream collection currently includes intentionally-collected domestic content (NSA refuses to count this, even for the FISA Court)
  • Bush’s illegal wiretap program targeted Iraqi Intelligence Service targets, as well as targets affiliated with al Qaeda and its associates (see page 8)
  • NSA uses the phone metadata program with Iranian targets, as well as targets affiliated with al Qaeda and its associates
  • Both the illegal wiretap program and the Internet dragnet authorized under Pen Register/Trap and Trace in 2004 collected information that (because of the way TCP/IP works) would be legally content if treated as electronic surveillance
  • The NSA still conducts an Internet dragnet via collection overseas, which not only would permit the metadata-as-content collection, but would permit far more collection on US persons; that collection is seamlessly linked to the domestic dragnet collection
  • NSA uses the dragnets to decide which of the content the telecoms have briefly indiscriminately collected to read

That is, the surveillance system is not so much discrete metadata programs and content programs directed overseas, directed exclusively against al Qaeda or even terrorists. Rather, it is a system in which network analysis plays a central role in selecting which collected content to read. That content includes entirely domestic communication. And targets of the system have not always been — and were not as recently as June — limited to terrorists.

These details of the surveillance system — along with the fact that AT&T and Verizon played the crucial role of collecting content and “metadata” off domestic switches — are among the details James “Least Untruthful” Clapper, with backup from acting Deputy Director of NSA Frances Fleisch, declared to still be state secrets on Friday, in spite of their public (and in many cases, official) acknowledgement.

In doing so, they are attempting to end the last remaining lawsuits for illegal wiretapping dating to 2006 by prohibiting discussion of the central issue at hand: the government has repeatedly and fairly consistently collected the content of US persons from within the US, at times without even the justification of terrorism. (For more background on Jewel v. AT&T, see here.)

Here’s how Clapper, with a nod to Fleisch, lays out the rebuttal of the Jewel plaintiffs.

the NSA’s collection of the content of communications under the TSP was directed at international communications in which a participant was reasonably believed to be associated with al-Qa’ida or an affiliated organization. Thus, as the U.S. Government has previously stated, plaintiff’s allegation that the NSA has indiscriminately collected the content of millions of communications sent or received by people inside the United States after September 11, 2001, under the TSP is false.

There are several weasel parts of this claim.

The “Terrorist Surveillance Program” and the “Other Target Surveillance Program”

First, to make this claim, Clapper (and Fleisch) revert to use of “Terrorist Surveillance Program,” a term invented to segment off the part of the larger illegal wiretap program that George Bush was willing to confess to in December 2005, that involving international communications with a suspected al Qaeda figure. But as Fleisch admits — but doesn’t explain — at ¶20, the TSP is just a subset of the larger Presidential Surveillance Program.

Conning the Record, Conning the Courts, Defrauding the People

In the parlance of the once and forever MTV set, civil libertarians just had one of the “Best Weeks Ever”. Here is the ACLU’s Catherine Crump weighing in on the surprising results of President Obama’s Review Board:

Friday, the president expressed willingness to consider ending the NSA’s collection of phone records, saying, “The question we’re going to have to ask is, can we accomplish the same goals that this program is intended to accomplish in ways that give the public more confidence that in fact the NSA is doing what it’s supposed to be doing?”

With this comment and the panel’s report coming on the heels of Monday’s remarkable federal court ruling that the bulk collection of telephone records is likely unconstitutional, this has been the best week in a long time for Americans’ privacy rights.

That “federal court ruling” is, of course, that of Judge Richard Leon handed down a mere five days ago on Monday. Catherine is right, it has been a hell of a good week.

But lest we grow too enamored of our still vaporous success, keep in mind Judge Leon’s decision, as right on the merits as it may be, and is, is still a rather adventurous and activist decision for a District level judge, and will almost certainly be pared back to some extent on appeal, even if some substantive parts of it are upheld. We shall see.

But the other cold water thrown came from Obama himself when he gave a slippery and disingenuous press conference Friday. Here is the New York Times this morning capturing spot on the worthless lip service Barack Obama gave surveillance reform yesterday:

By the time President Obama gave his news conference on Friday, there was really only one course to take on surveillance policy from an ethical, moral, constitutional and even political point of view. And that was to embrace the recommendations of his handpicked panel on government spying — and bills pending in Congress — to end the obvious excesses. He could have started by suspending the constitutionally questionable (and evidently pointless) collection of data on every phone call and email that Americans make.

He did not do any of that.
….
He kept returning to the idea that he might be willing to do more, but only to reassure the public “in light of the disclosures that have taken place.”

In other words, he never intended to make the changes that his panel, many lawmakers and others, including this page, have advocated to correct the flaws in the government’s surveillance policy had they not been revealed by Edward Snowden’s leaks.

And that is why any actions that Mr. Obama may announce next month would certainly not be adequate. Congress has to rewrite the relevant passage in the Patriot Act that George W. Bush and then Mr. Obama claimed — in secret — as the justification for the data vacuuming.

Precisely. The NYT comes out and calls the dog a dog. If you read between the lines of this Ken Dilanian report at the LA Times, you get the same preview of the nothingburger President Obama is cooking up over the holidays. As Ken more directly said in his tweet, “Obama poised to reject panel proposals on 702 and national security letters.” Yes, indeed, count on it.

Which brings us to that which begets the title of this post: I Con The Record has made a Saturday before Christmas news dump. And a rather significant one to boot. Apparently because they were too cowardly to even do it in a Friday news dump. Which is par for the course of the Obama Administration, James Clapper and the American Intel Shop. Their raison d’être appears to be to keep America uninformed, terrorized and supplicant to their power grabs. Only a big time operator like Big Bad Terror Voodoo Daddy Clapper can keep us chilluns safe!

So, the dump today is HERE in all its glory. From the PR portion of the “I Con” Tumblr post, they start off with Bush/Cheney Administration starting the “bulk” dragnet on October 4, 2001. Bet that is when it first was formalized, but the actual genesis was oh, maybe, September 12 or so. Remember, there were security daddies agitating for this long before September 11th.

Then the handcrafted Intel spin goes on to say this:

Over time, the presidentially-authorized activities transitioned to the authority of the Foreign Intelligence Surveillance Act (“FISA”). The collection of communications content pursuant to presidential authorization ended in January 2007 when the U.S. Government transitioned the TSP to the authority of the FISA and under the orders of the Foreign Intelligence Surveillance Court (“FISC”). In August 2007, Congress enacted the Protect America Act (“PAA”) as a temporary measure. The PAA, which expired in February 2008, was replaced by the FISA Amendments Act of 2008, which was enacted in July 2008 and remains in effect. Today, content collection is conducted pursuant to section 702 of FISA. The metadata activities also were transitioned to orders of the FISC. The bulk collection of telephony metadata transitioned to the authority of the FISA in May 2006 and is collected pursuant to section 501 of FISA. The bulk collection of Internet metadata was transitioned to the authority of the FISA in July 2004 and was collected pursuant to section 402 of FISA. In December 2011, the U.S. Government decided to not seek reauthorization of the bulk collection of Internet metadata.

After President Bush acknowledged the TSP in December 2005, two still-pending suits were filed in the Northern District of California against the United States and U.S. Government officials challenging alleged NSA activities authorized by President Bush after 9/11. In response the U.S. Government, through classified and unclassified declarations by the DNI and NSA, asserted the state secrets privilege and the DNI’s authority under the National Security Act to protect intelligence sources and methods. Following the unauthorized and unlawful release of classified information about the Section 215 and Section 702 programs in June 2013, the Court directed the U.S. Government to explain the impact of declassification decisions since June 2013 on the national security issues in the case, as reflected in the U.S. Government’s state secrets privilege assertion. The Court also ordered the U.S. Government to review for declassification all prior classified state secrets privilege and sources and methods declarations in the litigation, and to file redacted, unclassified versions of those documents with the Court.

This is merely an antiseptic version of the timeline of lies that has been relentlessly exposed by Marcy Wheeler right here on this blog, among other places. What is not included in the antiseptic, sandpapered spin is that the program was untethered from law completely and then “transitioned” to FISC after being exposed as such.

Oh, and lest anybody think this sudden disclosure today is out of the goodness of Clapper and Obama’s hearts, it is not. As Trevor Timm of EFF notes, most all of the “I Con” releases have been made only after being forced to by relevant FOIA and other court victories and that this one in particular is mostly germinated by EFF’s court order (and Vaughn index) obtained.

So, with that, behold the “I Con” release of ten different declarations previously filed and extant under seal in the Jewel and Shubert cases. Much of the language in all is similar template affidavit language, which you expect from such filings if you have ever dealt with them. As for individual dissection, I will leave that for later and for discussion by all in comments.

The one common theme that I can discern from a scan of a couple of note is that there is no reason in the world minimally redacted versions such as these could not have been made public from the outset. No reason save for the conclusion that to do so would have been embarrassing to the Article II Executive Branch and would have lent credence to American citizens properly trying to exercise and protect their rights in the face of a lawless and constitutionally infirm assault by their own government. The declarations by Mike McConnell, James Clapper, Keith Alexander, Dennis Blair, Frances Fleisch and Deborah Bonanni display a level of too cute by a half duplicity that ought be grounds for sanctions.

The record has been conned. Our federal courts have been conned. All as the Snowden disclosures have proven. And the American people have been defrauded by pompous terror mongers who value their own and institutional power over truth and honesty to those they serve. Clapper, Alexander and Obama have the temerity to call Ed Snowden a traitor? Please, look in the mirror boys.

Lastly, and again as Trevor Timm pointed out above, these are just the declarations for cases the EFF and others are still pursuing. What of the false secret declarations made in al-Haramain v. Obama, which the government long ago admitted were bogus? Why won’t the cons behind “I Con” release those declarations? What about the frauds perpetrated in Mohamed v. Jeppesen that have fraudulently ingrained state secrets cons into the government arsenal?

If the government wants to come clean, here is the opportunity. Frauds have been perpetrated on our courts, in our name. We should hear about that. Unless, of course, Obama and the “I Cons” are really nothing more than simple good old fashioned cons.

[By the way, Christmas is a giving season. If you have extra cheer to spread, our friends like Cindy Cohn, Trevor Timm, Hanni Fakhoury and Kurt Opsahl et al at EFF, and Ben Wizner, Alex Abdo, Catherine Crump et al at the ACLU all do remarkable work. Share your tax deductible love with them this season if you can. They make us all better off.]

Is “Bribery” a Demand, or a Polite Request?

Back when the NSA sent its employees home with a claim that said,

NSA does not and will not demand changes by any vendor to any product, nor does it have any authority to demand such changes.

I said,

Again, watch the language carefully. NSA denies it demands changes (presumably meaning to the security of software and hardware producers). It doesn’t deny it sometimes asks for changes. It doesn’t deny it sometimes negotiates unfairly to get those changes. It doesn’t deny it steals data on those changes.

It just doesn’t demand those changes.

The NSA Review Group used almost precisely the same formulation in its non-denial denial that NSA corrupts encryption.

NSA will not demand changes in any product by any vendor for the purpose of undermining the security or integrity of the product, or to ease NSA’s clandestine collection of information by users of the product;

Yesterday, Reuters explained how computer security firm RSA came to use the encryption standard the NSA corrupted, Dual_EC_DRBG.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

So I guess NSA considers “provide a third of a division’s revenue” a polite request, not a demand.

That’s not all that surprising. Before we’re done with this scandal, I expect we’ll learn the NSA is getting all sorts of cooperation via strong-armed cooperation. For example, we have reason to believe the NSA is relying on telecoms “voluntarily” providing “foreign” telecom communications. And there are a lot of tech and software companies that have divisions with falling revenues.

Remember — as William Ockham noted and security prof Matthew Green has emphasized on Twitter — this standard doesn’t appear in the Appendix the Review Group used to support their claim that “Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data,” the statement which appears just before they say they don’t “demand” these changes.

Which is yet further proof that that section of the Report was meant to minimize corporate risk, not end-user risk.

The NSA Review Group Ganders at Metadata

As you’ve no doubt heard, the NSA Review Group recommends real limits on the government’s access to metadata, preferring that it be left with the telecoms and only be retained 2 years, and also recommending a higher standard for accessing it.

Which is why I find this recommendation, to more closely watch high level security classification holders, so ironic.

The routine PCMP review would draw in data on an ongoing basis from commercially available data sources, such as on finances, court proceedings, and driving activity of the sort that is now available to credit scoring and auto insurance companies. Government-provided information might also be added to the data base, such as publicly available information about arrests and data about foreign travel now collected by Customs and Border Patrol.

Those with extremely high Access Scores might be asked to grant permission to the government for their review by a more intrusive Additional Monitoring Program, including random observation of the meta-data related to their personal, home telephone calls, e-mails, use of online social media, and web surfing. Auditing and verification of their Financial Disclosure Forms might also occur.

A data analytics program would be used to sift through the information provided by the Additional Monitoring Program on an ongoing basis to determine if there are correlations that indicate the advisability of some additional review.

It rationalizes this intrusiveness by pointing out that clearance jobs are privileges, not a right.

We recognize that such a program could be seen by some as an infringement on the privacy of federal employees and contractors who choose on a voluntary basis to work with highly sensitive information in order to defend our nation. But, employment in government jobs with access to special intelligence or special classified programs is not a right. Permission to occupy positions of great trust and responsibility is already granted with conditions, including degrees of loss of privacy.

And, apparently unlike the phone and Internet dragnet, it proposes to start with a pilot.

But I wonder if this metadata program would have the same problem the NSA’s dragnets do: they haven’t ever proven they work as planned.

The NSA Review Group’s Non-Denial Denial on Encryption

As part of a section on “Technical Measures to Increase Security and User Confidence,” Recommendation 29 of the NSA Review Group is, in part, the following:

We recommend that, regarding encryption, the US Government should:

(1) fully support and not undermine efforts to create encryption standards;

(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software;

Several paragraphs into this section, the Group with no tech experts asserts,

Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data. Moreover, it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or “backdoor,” that makes it possible for the US Government or anyone else to achieve unauthorized access.

This appears to be based on an Appendix provided by NSA addressing the reliability of certain encryption systems. I’m not competent to assess the claims or comprehensiveness of that presentation and eagerly await some reviews of this report from the tech experts. [Update: William Ockham notes the Appendix doesn’t include the standard NSA is accused of weakening.]

The very next paragraph, with bullet points, reads,

Nonetheless, it is important to take strong steps to enhance trust in this basic underpinning of information technology. Recommendation 32 is designed to describe those steps. The central point is that trust in encryption standards, and in the resulting software, must be maintained. Although NSA has made clear that it has not and is not now doing the activities listed below, the US Government should make it clear that:

  • NSA will not engineer vulnerabilities into the encryption algorithms that guard global commerce;
  • The United States will not provide competitive advantage to US firms by the provision to those corporations of industrial espionage;
  • NSA will not demand changes in any product by any vendor for the purpose of undermining the security or integrity of the product, or to ease NSA’s clandestine collection of information by users of the product; and
  • NSA will not hold encrypted communication as a way to avoid retention limits.

I consider myself a bit of an aficionado in NSA claims, and I can only think of one place where they’ve made even some of these claims, sort of: the obviously bogus talking points NSA sent home at Thanksgiving. That document made a similar caveated comment about industrial espionage and assured that NSA will not demand changes by any vendor, noting it did not have the authority to do so. I pointed out some of the loopholes to those claims here.

I don’t think they have said anything about engineering vulnerabilities into encryption standards; in any case, the allegation was that they inserted vulnerabilities into certain standards through persuasion, not engineering. Besides, ODNI General Counsel Robert Litt has stated explicitly (and not all that surprisingly) that cracking encryption is their job.

Finally, I don’t think the NSA has ever addressed the fact that their minimization standards clearly allow them to keep encrypted communication forever. They like to lie about that one instead. To place in their mouth a claim that they won’t do so to get around retention limits (particularly followed, as it is, by a recommendation for how not to do this) is thin comfort coming from an agency that considers encryption possible evidence of terrorism.

I doubt this assertion that NSA doesn’t try to weaken encryption is fooling anyone. Indeed, it appears less than 30 pages after the Report states, in justifying moving Information Assurance out of NSA,

When the offensive personnel find some way into a communications device, software system, or network, they may be reluctant to have a patch that blocks their own access.

So it’s hard to treat this entire passage as anything else but the “strong step to enhance trust” they say is necessary within it.

The NSA Review Group makes worthwhile recommendations on a reorganization of NSA, the most aggressive one of which (to split the DIRNSA from the CyberCommand position) Obama already pre-empted. Moving Information Assurance out of NSA would also create a champion for privacy, albeit a hopelessly weak one (they even state it should be moved to DHS, but Congress would never agree to do so).

But ultimately on this and some other cybersecurity-related issues (including its toothless recommendation on Zero Days that immediately follows this section), the Report serves only to pretend the US doesn’t engage in weakening security as part of its offensive attacks using the Internet.

Update: Oh, as to that Appendix that doesn’t include the standard everyone has been worried about? Someone’s just found a fatal bug in the standard.

An advisory published Thursday warns that a “FIPS module” of the widely used OpenSSL library contained a “fatal bug” in its implementation of Dual EC_DRBG. Credible doubts about the trustworthiness of the deterministic random bit generator surfaced almost immediately after National Security Agency (NSA) officials shepherded it through an international standards body in 2006. In September, those fears were rekindled when The New York Times reported the algorithm may contain an NSA-engineered backdoor that makes it easier for government spies to decode encrypted communications.

The fatal Dual EC_DRBG bug resides in the FIPS Object Module v2.0, an optional OpenSSL library used to build crypto apps that are certified by the US government’s Federal Information Processing Standards. When using the module’s implementation of Dual EC_DRBG, the application crashes and can’t be recovered. That’s an amazing discovery for an application that had to undergo countless hours of testing to be certified by the government of the world’s most powerful country.

President’s Review Group Suggests NSA Currently Acts as a Domestic Security Service

One amusing tension in the NSA Review Group report is that its members clearly have been briefed on some things that haven’t been reported in the Snowden stories (yet), but it can’t tell us what those are.

Which is why I’m curious what’s behind the following language, offered in support of the recommendation to clearly designate NSA as a foreign intelligence organization and presented with two other things we know NSA does.

It should not be a domestic security service, a military command, or an information assurance organization.

[snip]

Like other agencies, there are situations in which NSA does and should provide support to the Department of Justice, the Department of Homeland Security, and other law enforcement entities. But it should not assume the lead for programs that are primarily domestic in nature.

That seems to suggest that, in addition to supporting DHS, DOJ, and other law enforcement entities (cough, DEA, as well as probably Secret Service in its cyber-role), NSA takes the lead on certain issues that are primarily domestic.

I do hope we’ll learn what this refers to. Because if NSA is operating domestically (maybe to police IP?), it will be scandalous news.

3 Certifications — Terror, Proliferation, and Cyber — and Stealing from Google

[Screen shot 2013-12-19 at 7.10.00 AM]

For months, I have been suggesting that the government only uses Section 702 of FISA, under which it collects data directly from US Internet providers and conducts some upstream content collection from telecom providers, for three purposes:

  • Counterterrorism
  • Counterproliferation
  • Cyber

I have said so based on two things: many points in documents — such as the second page from John Bates’ October 3, 2011 opinion on 702, above — make it clear there are 3 sets of certifications for 702 collection. And other explainer documents released by the government talk about those three topics (though they always stop short of saying the government collects on only those 3 topics).

The NSA Review Group report released yesterday continues this pattern in perhaps more explicit form.

[S]ection 702 authorized the FISC to approve annual certifications submitted by the Attorney General and the Director of National Intelligence (DNI) that identify certain categories of foreign intelligence targets whose communications may be collected, subject to FISC-approved targeting and minimization procedures. The categories of targets specified by these certifications typically consist of, for example, international terrorists and individuals involved in the proliferation of weapons of mass destruction.

If I’m right, it explains one of the issues driving overseas collection and, almost certainly, rising tensions with the Internet companies.

I suggested, for example, that this might explain why NSA felt the need to steal data from Google’s own fiber overseas.

I wonder whether the types of targets they’re pursuing have anything to do with this. For a variety of reasons, I’ve come to suspect NSA only uses Section 702 for three kinds of targets.

  • Terrorists
  • Arms proliferators
  • Hackers and other cyber-attackers

According to the plain letter of Section 702 there shouldn’t be this limitation; Section 702 should be available for any foreign intelligence purpose. But it’s possible that some of the FISC rulings — perhaps even the 2007-8 one pertaining to Yahoo (which the government is in the process of declassifying as we speak) — rely on a special needs exception to the Fourth Amendment tied to these three types of threats (with the assumption being that other foreign intelligence targets don’t infiltrate the US like these do).

Which would make this passage one of the most revealing of the WaPo piece.

One weekly report on MUSCULAR says the British operators of the site allow the NSA to contribute 100,000 “selectors,” or search terms. That is more than twice the number in use in the PRISM program, but even 100,000 cannot easily account for the millions of records that are said to be sent back to Fort Meade each day.

Given that NSA is using twice as many selectors, it is likely the NSA is searching on content outside whatever parameters that FISC sets for it, perhaps on completely unrelated topics altogether. This may well be foreign intelligence, but it may not be content the FISC has deemed worthy of this kind of intrusive search.

That is, if NSA can only collect 3 topics domestically, but has other collection requirements it must fulfill — such as financial intelligence on whether the economy is going to crash, which FISC would have very good reasons not to approve as a special need for US collection — then they might collect it overseas (and in the Google case, they do it with the help of GCHQ). But as Google moved to encryption by default, NSA would have been forced to find new ways to collect it.

Which might explain why they found a way to steal data in motion (on Google’s cables, though).

Here’s the thing, though. As I’ll note in a piece coming out later today, the Review also emphasizes that EO 12333 should only be available for collection not covered by FISA. With Section 702, FISA covers all collection from US Internet providers. So FISC’s refusal to approve collection on other topics (or DOJ’s reluctance to ask for approval) should foreclose that collection entirely. The government should not be able to collect some topics under 702 here, then steal on other topics overseas.

But it appears that’s what it’s doing.


Turns Out, Committee to Make You Love the Dragnet Soured on the Dragnet

Here’s their report, which I’ll have far more to say about.

But one-third of the way in, I’ve decided to do a working thread. Will fill in my earlier observations later. (Page numbers are to document page numbers, not PDF.)

(90) Report says most of the 21,000 NSLs issued in FY2012 were issued for subscriber information. I’m not sure we knew that. It also coincides with the move of the Internet dragnet overseas, and may be related.

(97) Report says 215 collects “only a small percentage” of total telephone metadata. This seems to conflict w/statement that they collect “substantially all.”

(97) Report confirms Internet metadata turned off in 2009 and back on in 2010, as reported here.

(125-7) You get the feeling the Group is not all that critical of Snowden. Note reference to disclosing “unwise or even unlawful govt programs” and that whistleblower laws don’t apply to contractors. Also note the discussion of spying on journalists.

(128) Note the suggestion that govt numbers might not be accurate:

Reports from providers can be a useful supplement to reports from the government—the existence of multiple sources of information reduces the risk of inaccurate reporting by any one source.

(131) Note they define foreign power in the terms of the 3 categories I think are available for FAA: CT, CP, and Cyber.

(135) The discussion of FAA 703-5 (not named as such) is more specific than some claims I’ve gotten from the WH.

(136) The report is consistent with my belief that FAA only used for CT, CP, and cyber.

(141) Report’s discussion of the 2011 problem refers to problems in the plural, suggesting there have been others. Also note he calls that inadvertent collection; that’s not what Bates said.

(144-5) This seems to suggest that all 54 “thwarted” plots involve some 702 component, including Moalin (though Moalin would have been PAA). That makes sense, but they haven’t illustrated that side of things.

(148) Note they don’t include the “threat to property” in their summary of minimization procedures.

(149) Note the complaint about the definition of foreign intelligence value.

(152) Report again says 702 is limited, potentially to just CT, CP, and cyber.

(154) This is a remarkable sentiment, but I’m not sure it holds:

As an aside, we note that the very existence of these protections in the United States can help promote and preserve democratic accountability across the globe. In light of the global influence of the United States, any threat to effective democracy in the United States could have negative and far-reaching consequences in other nations as well. By helping to maintain an effective system of checks and balances within the United States, the special protections that FISA affords United States persons can therefore contribute to sustaining democratic ideals abroad.