HPSCI: We Must Spy Like Snowden To Prevent Another Snowden

/10 Comments/in , /by

I was going to write about this funny part of the HPSCI report anyway, but it makes a nice follow-up to my post on Snowden and cosmopolitanism, on the importance of upholding American values to keeping the servants of hegemon working to serve it.

As part of its attack on Edward Snowden released yesterday, the House Intelligence Committee accused Snowden of attacking his colleagues’ privacy.

To gather the files he took with him when he left the country for Hong Kong, Snowden infringed on the privacy of thousands of government employees and contractors. He obtained his colleagues’ security credentials through misleading means, abused his access as a systems administrator to search his co-workers’ personal drives, and removed the personally identifiable information of thousands of IC employees and contractors.

I have no doubt that many — most, perhaps — of Snowden’s colleagues feel like he violated their privacy, especially as their identities are now in the possession of a number of journalists. So I don’t make light of that, or the earnestness with which HPSCI’s sources presumably made this complaint (though IC employee privacy is one of the things all journalists who have reported these stories have redacted, to the best of my knowledge).

But it’s a funny claim for several reasons. Even ignoring that what the NSA does day in and day out is search people’s personal communications (including millions of innocent people), this kind of broad access is the definition of a SysAdmin.

HPSCI apparently never had a problem with techs getting direct access to our dragnet metadata, as they had and (now working in pairs) still have, for those of us two degrees away from a suspect.

Plus, HPSCI has never done anything publicly to help the 21 million clearance holders whose PII China now holds. Is it possible they’re more angry at Snowden than they are at China’s hackers, who have more ill-intent than Snowden?

But here’s the other reason this complaint is laugh-out-loud funny. HPSCI closes its report this way:

Finally, the Committee remains concerned that more than three years after the start of the unauthorized disclosures, NSA and the IC as a whole, have not done enough to minimize the risk of another massive unauthorized disclosure. Although it is impossible to reduce the change of another Snowden to zero, more work can and should be done to improve the security of the people and the computer networks that keep America’s most closely held secrets. For instance, a recent DOD Inspector General report directed by the Committee had yet to effectively implement its post-Snowden security improvements. The Committee has taken actions to improve IC information security in the Intelligence Authorization Acts for Fiscal Years 2014, 2015, 2016, and 2017, and looks forward to working with the IC to continue to improve security.

First, that timeline — showing an effort to improve network security in each year following the Snowden leaks — is completely disingenuous. It neglects to mention that the Intel Committees have actually been trying for longer than that. In the wake of the Manning leaks, it became clear that DOD’s networks were sieve-like. Congress tried to require network monitoring in the 2012 Intelligence Authorization. But the Administration responded by insisting 2013 — 3 years after Manning’s leaks — was too soon to plug all the holes in DOD’s networks. One reason Snowden succeeded in downloading all those files is because the network monitoring hadn’t been rolled out in Hawaii yet.

So HPSCI is trying to pretend Intel Committee past efforts didn’t actually precede Snowden by several years, but those efforts failed to stop Snowden.

The other reason I find this paragraph — which appears just four paragraphs after it attacks Snowden for the invasion of his colleagues’ privacy — so funny is that in the 2014 Intelligence Authorization (that is, the first one after the Snowden leaks), HPSCI codified an insider threat program, requiring the Director of National Intelligence to,

ensure that the background of each employee or officer of an element of the intelligence community, each contractor to an element of the intelligence community, and each individual employee of such a contractor who has been determined to be eligible for access to classified information is monitored on a continual basis under standards developed by the Director, including with respect to the frequency of evaluation, during the period of eligibility of such employee or officer of an element of the intelligence community, such contractor, or such individual employee to such a contractor to determine whether such employee or officer of an element of the intelligence community, such contractor, and such individual employee of such a contractor continues to meet the requirements for eligibility for access to classified information;

This insider threat program searches IC employees hard drives (one of Snowden’s sins).

Then, the following year, HPSCI got even more serious, mandating that the Director of National Intelligence look into credit reports, commercially available data, and social media accounts to hunt down insider threats, including by watching for changes in ideology like those Snowden exhibited, developing an outspoken concern about the Fourth Amendment.

I mean, on one hand, this isn’t funny at all — and I imagine that Snowden’s former colleagues blame him that they have gone from having almost no privacy as cleared employees to having none. This is what people like Carrie Cordero mean when they regret the loss of trust at the agency.

But as I have pointed out in the past, if someone like Snowden — who at least claims to have had good intentions — can walk away with the crown jewels, we should presume some much more malicious and/or greedy people have as well.

But here’s the thing: you cannot, as Cordero does, say that the “foreign intelligence collection activities [are] done with detailed oversight and lots of accountability” if it is, at the same time, possible for a SysAdmin to walk away with the family jewels, including raw data on targets. If Snowden could take all this data, then so can someone maliciously spying on Americans — it’s just that that person wouldn’t go to the press to report on it and so it can continue unabated. In fact, in addition to rolling out more whistleblower protections in the wake of Snowden, NSA has made some necessary changes (such as not permitting individual techs to have unaudited access to raw data anymore, which appears to have been used, at times, as a workaround for data access limits under FISA), even while ratcheting up the insider threat program that will, as Cordero suggested, chill certain useful activities. One might ask why the IC moved so quickly to insider threat programs rather than just implementing sound technical controls.

The Intelligence world has gotten itself into a pickle, at once demanding that a great deal of information be shared broadly, while trying to hide what information that includes, even from American citizens. It aspires to be at once an enormous fire hose and a leak-proof faucet. That is the inherent impossibility of letting the secret world grow so far beyond management — trying to make a fire hose leak proof.

Some people in the IC get that — I believe this is one of the reasons James Clapper has pushed to rein in classification, for example.

But HPSCI, the folks overseeing the fire hose? They don’t appear to realize that they’re trying to replicate and expand Snowden’s privacy violations, even as they condemn them.

Hillary Clinton’s Three Devices

/5 Comments/in /by

I really don’t want to get bogged down in the Hillary email story. But given the ongoing discussions about whether claims she used the personal server to avoid oversight have merit, I did two more things. First, I did this timeline. Without going into too much detail, there are decisions made after requests for emails that suggest avoiding oversight was driving some of this. That’s especially true given the conflicting stories from Paul Combetta pertaining to his actions in late 2014 and March 2015; he ended up deleting Hillary’s emails after being informed of the House Oversight request for them. He may have only revealed that with an immunity deal.

The other detail I want to focus on is the number of devices Hillary had. Hillary defenders often point to her claim that she used the Blackberry for convenience to claim she surely wasn’t avoiding oversight. But I think the FBI report shows that she had three devices, not just one.

Most of the attention on the number of her devices focuses on the fact that she had 13 serial BBs, none of which were handed over to the FBI (instead of her actual BBs,, Williams & Connolly turned over two other BBs, though without SIM or SD cards).

It is true that her 13 BBs were used serially, not at once, which makes Hillary Clinton just like Tom Brady in her serial use of phones: she’s just a famous person who likes to swap out her phones all the time. The difference being that Tom Brady was told he didn’t need to keep his phone, whereas Hillary was under record-keeping obligations even before any investigation started. And Brady at least had had his comms reviewed by lawyers before he deleted his phone.

But it’s not the 13 BB detail that poses problems to Hillary’s single device claim. It’s this passage.

screen-shot-2016-09-08-at-5-14-21-am

Justin Cooper, the Bill Clinton staffer who ran much of the tech in the Chappaqua basement, says that Hillary used both a Blackberry and a flip phone for calls. Huma Abedin and Cheryl Mills dispute that, though in terms that leave some wiggle room (curiously, FBI apparently didn’t ask Monica Hanley, who bought all of Hillary’s Blackberries). There were 2 phone numbers Hillary used, the latter of which only became the Blackberry number after her tenure as SoS. But footnote 8 reveals that there were 4 mobile devices that used what appears to be the second number during her tenure as SoS. This seems to indicate that Cooper is right: Hillary had both an email phone and a series of 4 telephony phones, the latter of which were not email capable.

The footnote makes clear FBI didn’t pursue these telephony phones because they were, by definition, outside the scope of an email leak investigation (which is one of the many reasons one needs to come to this report with an understanding of the narrow scope of the investigation). But any use of flip phones would not be outside the scope of an FRA investigation, because they undermine Hillary’s claim that she adopted the BBs for singe-device convenience.

Then there’s the passage on page 9 that shows there were also 5 iPads that were potentially used for emails, 3 of which were turned over to the FBI (indeed, one of them actually had draft emails from 2012). This suggests that at least during 2012, Hillary had still another device: 3 devices, not 1. She may not have used the iPads for email throughout her tenure, but she did, apparently, use them in some sense.

Finally, there are two more mysterious devices that aren’t accounted for: a personally-owned computer in both of Hillary’s 2 household SCIFs. Amid the discussion of those SCIFs (including the detail that both were not secure at times, which undermines claims that her only SCIF violation was bringing her BB just inside the State SCIF) is this detail.

According to Abedin, Cooper, and [redacted] there were personally-owned desktop computers in the SCIFs in Whitehaven and Chappaqua. Conversely, Clinton stated to the FBI she did not have a computer of any kind of the SCIFs in her residences. According to Abedin and Clinton, she did not use a computer, and she primarily used her BlackBerry or iPad for checking e-mails.

There is admittedly another conflict in the testimony here, between every aide asked and Hillary, but given that even Abedin and Hillary’s [redacted] staffer say there were personally-owned computers in the SCIFs, I tend to believe it.

But Abedin says Hillary didn’t use them, and I sort of believe that too. But that raises questions about 1) why personally-owned computers were in the SCIF in the first place, which is surely also a violation of SCIF rules, especially if Hillary didn’t use them, but also 2) who was using them. The passage also makes it clear Hillary’s aides had access to the SCIF so perhaps they were?

In any case, we can’t be certain given the redactions and conflicting testimony, but according to my count, Hillary probably had three parallel devices during her tenure as Secretary of State: her BB, a flip phone, and an iPad (the latter of which may or may not have been regularly used for comms, though it was at least briefly in 2012), as well as two SCIF desktops that she personally didn’t use.

The Misunderstandings of the Anti-Transparency Hillary-Exonerating Left

/13 Comments/in , /by

It wasn’t enough for Matt Yglesias to write a widely mocked piece calling for less transparency, now Kevin Drum has too. It all makes you wonder whether there’s some LISTERV somewhere — the successor to JOURNOLIST, from which leaked emails revealed embarrassing discussions of putting politics above principle, perhaps — where a bunch of center-left men are plotting about how to finally end the email scandal that Hillary herself instigated with a stupid decision to host her own email. Especially given this eye-popping paragraph in Drum’s piece:

Part of the reason is that Hillary Clinton is a real object lesson in how FOIA can go wrong when it’s weaponized. Another part is that liberals are the biggest fans of transparency, and seeing one of their own pilloried by it might make them take a second look at whether it’s gone off the rails. What we’ve seen with Hillary Clinton is not that she’s done anything especially wrong, but that a story can last forever if there’s a constant stream of new revelations. That’s what’s happened over the past four years. Between Benghazi committees and Judicial Watch’s anti-Hillary jihad, Clinton’s emails have been steadily dripped out practically monthly, even though there’s never been any compelling reason for it. It’s been done solely to keep her alleged corruption in the public eye.

Even setting aside that his piece generally ignores (perhaps, betrays no knowledge of) the widely-abused b5 exemption that already lets people withhold precisely the kinds of deliberations that Drum wants to kill FOIA over (and is used to withhold a lot more than that), this paragraph betrays stunning misunderstanding about the Clinton email scandal. Not least, the degree to which many of the delays have arisen from Clinton’s own actions.

It led me to go back to read this post, which engages in some cute spin and selective editing, but really gives up the game in this passage.

Oddly, the FBI never really addresses the issue of whether Hillary violated federal record retention rules. They obviously believe that she should have used a State email account for work-related business, but that’s about it. I suppose they decided it was a non-issue because Hillary did, in fact, retain all her emails and did, in fact, turn them over quickly when State requested them.

There’s also virtually no discussion of FOIA. What little there is suggests that Hillary’s only concern was that her personal emails not be subjected to FOIA simply because they were held on the same server as her work emails.

Of course the FBI never really addresses how Hillary violated the Federal Records Act. Of course the FBI never really addresses how Hillary tried to avoid FOIA. (Note too that Drum ignores that some of those “personal” emails have been found to be subject to FOIA and FRA and Congressional requests; they weren’t actually personal.)

That’s because this wasn’t an investigation into violating the Federal Records Act. As I wrote in this post summarizing Jim Comey’s testimony to Oversight and Government Reform:

The FBI investigation that ended yesterday only pertained to that referral about classified information. Indeed, over the course of the hearing, Comey revealed that it was narrowly focused, examining the behavior of only Clinton and four or five of her close aides. And it only pertained to that question about mishandling classified information. That’s what the declination was based on: Comey and others’ determination that when Hillary set up her home-brew server, she did not intend to mishandle classified information.

This caused some consternation, early on in the hearing, because Republicans familiar with Clinton aides’ sworn testimony to the committee investigating the email server and Benghazi were confused how Comey could say that Hillary was not cleared to have her own server, but aides had testified to the contrary. But Comey explained it very clearly, and repeatedly. While FBI considered the statements of Clinton aides, they did not review their sworn statements to Congress for truth.

That’s important because the committee was largely asking a different question: whether Clinton used her server to avoid oversight, Federal Record Act requirements, the Benghazi investigation, and FOIA. That’s a question the FBI did not review at all. This all became crystal clear in the last minutes of the Comey testimony.

Chaffetz: Was there any evidence of Hillary Clinton attempting to avoid compliance with the Freedom of Information Act?

Comey: That was not the subject of our criminal investigation so I can’t answer that sitting here.

Chaffetz: It’s a violation of law, is it not?

Comey: Yes, my understanding is there are civil statutes that apply to that. I don’t know of a crimin–

Chaffetz: Let’s put some boundaries on this a little bit — what you didn’t look at. You didn’t look at whether or not there was an intention or reality of non-compliance with the Freedom of Information Act.

Comey: Correct.

Having started down this path, Chaffetz basically confirms what Comey had said a number of times throughout the hearing, that FBI didn’t scrutinize the veracity of testimony to the committee because the committee did not make a perjury referral.

Chaffetz: You did not look at testimony that Hillary Clinton gave in the United States Congress, both the House and the Senate?

Comey: To see whether it was perjurious in some respect?

Chaffetz: Yes.

Comey: No we did not.

[snip]

Comey: Again, I can confirm this but I don’t think we got a referral from Congressional committees, a perjury referral.

Chaffetz: No. It was the Inspector General that initiated this.

Now, let me jump to the punch and predict that OGR will refer at least Hillary’s aides, and maybe Hillary herself, to FBI for lying to Congress. They might even have merit in doing so, as Comey has already said her public claims about being permitted to have her own email (which she repeated to the committee) were not true. Plus, there’s further evidence that Hillary used her own server precisely to maintain control over them (that is, to avoid FOIA).

As I said in my earlier post, I’m loathe to admit this, because I’d really like to be done with this scandal (I’d like, even more, to come up with sensible policy proposals like fixing email and text archiving to prevent this from happening in every presidential administration). All the questions about whether Hillary chose to keep her own server to avoid oversight (or, as Chaffetz asked today, to obstruct OGR’s investigation) has never been investigated by FBI. Those requests even have more merit than Democrats are making out — in part for precisely this reason, FBI has never considered at least some evidence to support the case Hillary deliberately avoided FRA, including a string of really suspicious timing. As I wrote in my other post, I also think they won’t amount to anything, in part because these laws (including laws prohibiting lying to Congress) are so toothless. But they are a fair question.

All that said, it is incorrect to take a report showing the FBI not charging Hillary for intentionally mishandling classified information and conclude from that that hers is an example of FRA and FOIA gone amuck. On the contrary. Hillary has never been exonerated for trying to avoid FOIA and FRA. The evidence suggests it would be hard to do that.

Jim Comey, Poker Face, and the Scope of the Clinton Investigation(s)

/36 Comments/in /by

Screen Shot 2016-07-07 at 10.11.04 PMI write this post reluctantly, because I really wish the Hillary investigations would be good and over. But I don’t think they are.

After having watched five and a half hours of the Clinton investigation hearing today, I’ve got new clarity about what the FBI has been doing for the last year. That leads me to believe that this week’s announcement that DOJ will not charge Clinton is simply a pause in the Clinton investigation(s). I believe an investigation will resume shortly (if one is not already ongoing), though that resumed investigation will also end with no charges — for different reasons than this week’s declination.

First, understand how this all came about. After the existence of Hillary’s server became known, State’s IG Steve Linick started an investigation into it, largely focused on whether Hillary (and other Secretaries of State) complied with Federal Records Act obligations. In parallel, as intelligence agencies came to complain about State’s redactions of emails released in FOIA response, the Intelligence Committee Inspector General Charles McCullough intervened in the redaction process and referred Clinton to the FBI regarding whether any classified information had been improperly handed. As reported, State will now resume investigating the classification habits of Hillary and her aides, which will likely lead to several of them losing clearance.

The FBI investigation that ended yesterday only pertained to that referral about classified information. Indeed, over the course of the hearing, Comey revealed that it was narrowly focused, examining the behavior of only Clinton and four or five of her close aides. And it only pertained to that question about mishandling classified information. That’s what the declination was based on: Comey and others’ determination that when Hillary set up her home-brew server, she did not intend to mishandle classified information.

This caused some consternation, early on in the hearing, because Republicans familiar with Clinton aides’ sworn testimony to the committee investigating the email server and Benghazi were confused how Comey could say that Hillary was not cleared to have her own server, but aides had testified to the contrary. But Comey explained it very clearly, and repeatedly. While FBI considered the statements of Clinton aides, they did not review their sworn statements to Congress for truth.

That’s important because the committee was largely asking a different question: whether Clinton used her server to avoid oversight, Federal Record Act requirements, the Benghazi investigation, and FOIA. That’s a question the FBI did not review at all. This all became crystal clear in the last minutes of the Comey testimony.

Chaffetz: Was there any evidence of Hillary Clinton attempting to avoid compliance with the Freedom of Information Act?

Comey: That was not the subject of our criminal investigation so I can’t answer that sitting here.

Chaffetz: It’s a violation of law, is it not?

Comey: Yes, my understanding is there are civil statutes that apply to that. I don’t know of a crimin–

Chaffetz: Let’s put some boundaries on this a little bit — what you didn’t look at. You didn’t look at whether or not there was an intention or reality of non-compliance with the Freedom of Information Act.

Comey: Correct.

Having started down this path, Chaffetz basically confirms what Comey had said a number of times throughout the hearing, that FBI didn’t scrutinize the veracity of testimony to the committee because the committee did not make a perjury referral.

Chaffetz: You did not look at testimony that Hillary Clinton gave in the United States Congress, both the House and the Senate?

Comey: To see whether it was perjurious in some respect?

Chaffetz: Yes.

Comey: No we did not.

[snip]

Comey: Again, I can confirm this but I don’t think we got a referral from Congressional committees, a perjury referral.

Chaffetz: No. It was the Inspector General that initiated this.

Now, let me jump to the punch and predict that OGR will refer at least Hillary’s aides, and maybe Hillary herself, to FBI for lying to Congress. They might even have merit in doing so, as Comey has already said her public claims about being permitted to have her own email (which she repeated to the committee) were not true. Plus, there’s further evidence that Hillary used her own server precisely to maintain control over them (that is, to avoid FOIA).

That said, there are two reasons why Hillary and her aides won’t be prosecuted for lying to Congress: James Clapper and Scott Bloch.

Clapper you all know about. The Director of National Intelligence — unlike Clinton — was not under oath when he spectacularly lied to Ron Wyden. Nor was he referred to DOJ for prosecution. But that recent lie will make FBI hesitate.

DOJ will hesitate even more given the history of Scott Bloch. bmaz has written a slew of posts about this but the short version is that the former Office of Special Counsel lied to this very committee and wiped his hard drive to obscure that fact. He ultimately pled guilty, but when the magistrate handling the case pointed out that the plea carried a minimum one month sentence, Bloch and DOJ went nuts and tried to withdraw his plea. bmaz and a bunch of whistleblowers who had been poorly treated by Bloch went nuts in turn. All to no avail. After DOJ claimed there were secret facts that no one understood, the court agreed to sentence Bloch to just one day in jail.

In other words, to keep one of their own out of jail, DOJ made expansive claims about how unimportant lying to Congress is. Even assuming DOJ would ignore their own recent historical claims about the frivolity of lying to Congress, Hillary’s lawyers could use that precedent to argue that lying to Congress has, effectively, been decriminalized (unilaterally by the Executive Branch!).

So FBI will investigate it. Comey might even refer, this time, for prosecution, because the evidence is actually far stronger that Hillary used her own server to avoid oversight (and that she was less than forthcoming about that to Congress). But that, too, won’t be prosecuted because you basically can’t prosecute lying to Congress after the Bloch case.

Which brings me to the funniest part of this exchange with Chaffetz (which, coming as it did in the last minutes of the hearing, has escaped most notice).

Chaffetz: Did you look at the Clinton Foundation?

Comey: I’m not going to comment on the existence or non-existence of any other investigation.

Chaffetz: Was the Clinton Foundation tied into this investigation?

Comey: I’m not going to answer that.

Understand: Comey had already commented on the existence or non-existence of other investigations, commenting at length on the non-investigation of questions pertaining to FOIA and FRA, even describing how many people (four to five) were subjects of this investigation. Comment on non-existence of investigation, comment on non-existence of investigation, comment on non-existence of investigation.

And for what it’s worth, the Clinton Foundation probably couldn’t have been part of the scope of this, given that this was only focused on four to five people (note, a Clinton Foundation investigation would better explain why FBI gave Brian Pagliano immunity, another topic on which Comey would not comment).

But when asked about the Clinton Foundation, he claimed he couldn’t say. All of a sudden, refusal to comment on existence or non-existence of investigation.

Now, I’m just going to say I don’t think anything will come of that, because I doubt FBI would clear Hillary on one issue but not the related one (plus, given SCOTUS’ ruling in the Bob McDonnell case, it probably became impossible to prosecute any Clinton Foundation violations). But Comey’s answer does make it clear that FBI considers questions about improperly handling classified information, avoiding FOIA and other oversight, lying about avoiding FOIA, and deals made with the Clinton Foundation to be different things.

I think that doesn’t change that Hillary won’t be indicted. But I do think she will continue to be investigated in conjunction with questions about what she did and said to avoid FOIA and other oversight.

Update: This post has been tweaked.

Some Legislative Responses to Clinton’s Email Scandal

/3 Comments/in /by

The Republicans have reverted to their natural “Benghazi witchhunt” form in the wake of Jim Comey’s announcement Tuesday that Hillary Clinton and her aides should not be charged, with Comey scheduled to testify before the House Oversight Committee at 10 AM.

Paul Ryan wrote a letter asking James Clapper to withhold classified briefings from Hillary. And the House Intelligence Committee is even considering a bill to prevent people who have mishandled classified information from getting clearances.

In light of the FBI’s findings, a congressional staffer told The Daily Beast that the House Intelligence Committee is considering legislation that could block security clearances for people who have been found to have mishandled classified information in the past.

It’s not clear how many of Clinton’s aides still have their government security clearances, but such a measure could make it more difficult for them to be renewed, should they come back to serve in a Clinton administration.

“The idea would be to make sure that these rules apply to a very wide range of people in the executive branch,” the staffer said. (Clinton herself would not need a clearance were she to become president.)

It’s nice to see the same Republicans who didn’t make a peep when David Petraeus kept — and still has — his clearance for doing worse than Hillary has finally getting religion on security clearances.

But this circus isn’t really going to make us better governed or safer.

So here are some fixes Congress should consider:

Add some teeth to the Federal/Presidential Records Acts

As I noted on Pacifica, Hillary’s real crime was trying to retain maximal control over her records as Secretary of State — probably best understood as an understandable effort to withhold anything potentially personal combined with a disinterest in full transparency. That effort backfired spectacularly, though, because as a result all of her emails have been released.

Still, every single Administration has had at least a minor email scandal going back to Poppy Bush destroying PROFS notes pertaining to Iran-Contra.

And yet none of those email scandals has ever amounted to anything, and many of them have led to the loss of records that would otherwise be subject to archiving and (for agency employees) FOIA.

So let’s add some teeth to these laws — and lets mandate and fund more rational archiving of covered records. And while we’re at it, let’s ensure that encrypted smart phone apps, like Signal, which diplomats in the field should be using to solve some of the communication problems identified in this Clinton scandal, will actually get archived.

Fix the Espionage Act (and the Computer Fraud and Abuse Act)

Steve Vladeck makes the case for this:

Congress has only amended the Espionage Act in detail on a handful of occasions and not significantly since 1950. All the while, critics have emerged from all corners—the academy, the courts, and within the government—urging Congress to clarify the myriad questions raised by the statute’s vague and overlapping terms, or to simply scrap it and start over. As the CIA’s general counsel told Congress in 1979, the uncertainty surrounding the Espionage Act presented “the worst of both worlds”:

On the one hand the laws stand idle and are not enforced at least in part because their meaning is so obscure, and on the other hand it is likely that the very obscurity of these laws serves to deter perfectly legitimate expression and debate by persons who must be as unsure of their liabilities as I am unsure of their obligations.

In other words, the Espionage Act is at once too broad and not broad enough—and gives the government too much and too little discretion in cases in which individuals mishandle national security secrets, maliciously or otherwise.

To underscore this point, the provision that the government has used to go after those who shared classified information with individuals not entitled to receive it (including Petraeus, Drake, and Manning), codified at 18 U.S.C. § 793(d), makes it a crime if:

Whoever, lawfully having possession of, access to, control over, or being entrusted with any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, instrument, appliance, or note relating to the national defense, or information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, transmits or causes to be communicated, delivered, or transmitted … to any person not entitled to receive it, or willfully retains the same and fails to deliver it on demand to the officer or employee of the United States entitled to receive it …

This provision is stunningly broad, and it’s easy to see how, at least as a matter of statutory interpretation, it covers leaking—when government employees (“lawfully having possession” of classified information) share that information with “any person not entitled to receive it.” But note how this doesn’t easily apply to Clinton’s case, as her communications, however unsecured, were generally with staffers who were“entitled to receive” classified information.

Instead, the provision folks have pointed to in her case is the even more strangely worded § 793(f), which makes it a crime for:

Whoever, being entrusted with or having lawful possession or control of [any of the items mentioned in § 793(d)], (1) through gross negligence permits the same to be removed from its proper place of custody or delivered to anyone in violation of his trust, or to be lost, stolen, abstracted, or destroyed, or (2) having knowledge that the same has been illegally removed from its proper place of custody or delivered to anyone in violation of its trust, or lost, or stolen, abstracted, or destroyed … fails to make prompt report of such loss, theft, abstraction, or destruction to his superior officer …

Obviously, it’s easy to equate Clinton’s “extreme carelessness” with the statute’s “gross negligence.” But look closer: Did Clinton’s carelessness, however extreme, “[permit] … [classified information] to be removed from its proper place of custody or delivered to anyone in violation of [her] trust”? What does that even mean in the context of intangible information discussed over email? The short answer is nobody knows: This provision has virtually never been used at least partly because no one is really sure what it prohibits. It certainly appears to be focused on government employees who dispossess the government of classified material (like a courier who leaves a satchel full of secret documents in a public place). But how much further does it go?

There’s an easy answer here, and it’s to not use Clinton as a test case for an unprecedented prosecution pursuant to an underutilized criminal provision, even if some of us think what she did was a greater sin than the conduct of some who have been charged under the statute. The better way forward is for Congress to do something it’s refused to do for more than 60 years: carefully and comprehensively modernize the Espionage Act, and clarify exactly when it is, and is not, a crime to mishandle classified national security secrets.

Sadly, if Congress were to legislate the Espionage Act now, they might codify the attacks on whistleblowers. But they should not. They should distinguish between selling information to our adversaries and making information public. They should also make it clear that intent matters — because in the key circuit, covering the CIA, the Pentagon, and many contractors, intent hasn’t mattered since the John Kiriakou case.

Eliminate the arbitrariness of the clearance system

But part of that should also involve eliminating the arbitrary nature of the classification system.

I’ve often pointed to how, in the Jeffrey Sterling case, the only evidence he would mishandle classified information was his retention of 30-year old instructions on how to dial a rotary phone, something far less dangerous than what Hillary did.

Equally outrageous, though, is that four of the witnesses who may have testified against Sterling, probably including Bob S who was the key witness, have also mishandled classified information in the past. Those people not only didn’t get prosecuted, but they were permitted to serve as witnesses against Sterling without their own indiscretions being submitted as evidence. As far as we know, none lost their security clearance. Similarly, David Petraeus hasn’t lost his security clearance. But Ashkan Soltani was denied one and therefore can’t work at the White House countering cyberattacks.

Look, the classification system is broken, both because information is over-classified and because maintaining the boundaries between classified and unclassified is too unwieldy. That broken system is then magnified as people’s access to high-paying jobs are subjected to arbitrary review of security clearances. That’s only getting worse as the Intelligence Community ratchets up the Insider Threat program (rather than, say, technical means) to forestall another Manning or Snowden.

The IC has made some progress in recent years in shrinking the universe of people who have security clearances, and the IC is even making moves toward fixing classification. But the clearance system needs to be more transparent to those within it and more just.

Limit the President’s arbitrary authority over classification

Finally, Congress should try to put bounds to the currently arbitrary and unlimited authority Presidents claim over classified information.

As a reminder, the Executive Branch routinely cites the Navy v. Egan precedent to claim unlimited authority over the classified system. They did so when someone (it’s still unclear whether it was Bush or Cheney) authorized Scooter Libby to leak classified information — probably including Valerie Plame’s identity — to Judy Miller. And they did so when telling Vaughn Walker could not require the government to give al Haramain’s lawyers clearance to review the illegal wiretap log they had already seen before handing it over to the court.

And these claims affect Congress’ ability to do their job. The White House used CIA as cover to withhold a great deal of documents implicating the Bush White House in authorizing torture. Then, the White House backed CIA’s efforts to hide unclassified information, like the already-published identities of its torture-approving lawyers, with the release of the Torture Report summary. In his very last congressional speech, Carl Levin complained that he was never able to declassify a document on the Iraq War claims that Mohammed Atta met with a top Iraqi intelligence official in Prague.

This issue will resurface when Hillary, who I presume will still win this election, nominates some of the people involved in this scandal to serve in her White House. While she can nominate implicated aides — Jake Sullivan, Huma Abedin, and Cheryl Mills — for White House positions that require no confirmation (which is what Obama did with John Brennan, who was at that point still tainted by his role in torture), as soon as she names Sullivan to be National Security Advisor, as expected, Congress will complain that he should not have clearance.

She can do so — George Bush did the equivalent (remember he appointed John Poindexter, whose prosecution in relation to the Iran-Contra scandal was overturned on a technicality, to run the Total Information Awareness program).

There’s a very good question whether she should be permitted to do so. Even ignoring the question of whether Sullivan would appropriately treat classified information, it sets a horrible example for clearance holders who would lose their clearances.

But as far as things stand, she could. And that’s a problem.

To be fair, legislating on this issue is dicey, precisely because it will set off a constitutional challenge. But it should happen, if only because the Executive’s claims about Navy v. Egan go beyond what SCOTUS actually said.

Mandate and fund improved communication system

Update, after I posted MK reminded me I meant to include this.

If Congress is serious about this, then they will mandate and fund State to fix their decades-long communications problems.

But they won’t do that. Even 4 years after the Benghazi attack they’ve done little to improve security at State facilities.

Update: One thing that came up in today’s Comey hearing is that the FBI does not routinely tape non-custodial interviews (and fudges even with custodial interviews, even though DOJ passed a policy requiring it). That’s one more thing Congress could legislate! They could pass a simple law requiring FBI to start taping interviews.

Does Jim Comey Think Thomas Drake Exhibited Disloyalty to the United States?

/11 Comments/in /by

As you’ve no doubt heard, earlier today Jim Comey had a press conference where he said Hillary and her aides were “extremely careless in their handling of very sensitive, highly classified information” but went on to say no reasonable prosecutor would prosecute any of them for storing over 100 emails with classified information on a server in Hillary’s basement. Comey actually claimed to have reviewed “investigations into mishandling or removal of classified information” and found no “case that would support bringing criminal charges on these facts.”

Our investigation looked at whether there is evidence classified information was improperly stored or transmitted on that personal system, in violation of a federal statute making it a felony to mishandle classified information either intentionally or in a grossly negligent way, or a second statute making it a misdemeanor to knowingly remove classified information from appropriate systems or storage facilities.

[snip]

Although there is evidence of potential violations of the statutes regarding the handling of classified information, our judgment is that no reasonable prosecutor would bring such a case. Prosecutors necessarily weigh a number of factors before bringing charges. There are obvious considerations, like the strength of the evidence, especially regarding intent. Responsible decisions also consider the context of a person’s actions, and how similar situations have been handled in the past.

In looking back at our investigations into mishandling or removal of classified information, we cannot find a case that would support bringing criminal charges on these facts. All the cases prosecuted involved some combination of: clearly intentional and willful mishandling of classified information; or vast quantities of materials exposed in such a way as to support an inference of intentional misconduct; or indications of disloyalty to the United States; or efforts to obstruct justice. We do not see those things here.

To be clear, this is not to suggest that in similar circumstances, a person who engaged in this activity would face no consequences. To the contrary, those individuals are often subject to security or administrative sanctions. But that is not what we are deciding now.

Before we get into his argument, consider a more basic point: It is not Jim Comey’s job to make prosecutorial decisions. Someone else — whichever US Attorney oversaw the prosecutors on this case, Deputy Attorney General Sally Yates, or Loretta Lynch — makes that decision. By overstepping the proper role of the FBI here, Comey surely gave Lynch cover — now she can back his decision without looking like Bill Clinton convinced her to do so on the tarmac. But he has no business making this decision, and even less business making it public in the way he did (the latter of which points former DOJ public affairs director Matthew Miller was bitching about).

But let’s look at his judgment.

Given that Jeffrey Sterling has been in prison for a year based off a slew of metadata (albeit showing only 4:11 seconds of conversation between James Risen and Sterling) and three, thirty year old documents, classified Secret, describing how to dial a phone, documents which were presented to prove Sterling had the “intent” to retain a document FBI never showed him retaining, I’m particularly interested in Comey’s judgment that no reasonable prosecutor would bring charges based on the facts found against Hillary. Similarly, given the history of the Thomas Drake prosecution, in which he was charged with Espionage because he kept a bunch of documents on NSA’s fraud, at the direction of the Inspector General, which the FBI found in his basement.

I can only imagine Comey came to his improper public prosecutorial opinion via one of two mental tricks. Either he — again, not the prosecutor — decided the only crime at issue was mishandling classified information (elsewhere in his statement he describes having no evidence that thousands of work emails were withheld from DOJ with ill intent, which dismisses another possible crime), and from there he decided either that it’d be a lot harder to prosecute Hillary Clinton (or David Petraeus) than it would be someone DOJ spent years maligning like Sterling or Drake. Or maybe he decided that there are no indications that Hillary is disloyal to the US.

Understand, though: with Sterling and Drake, DOJ decided they were disloyal to the US, and then used their alleged mishandling of classified information as proof that they were disloyal to the US (Drake ultimately plead to Exceeding Authorized Use of a Computer).

Ultimately, it involves arbitrary decisions about who is disloyal to the US, and from that a determination that the crime of mishandling classified information occurred.

For what its worth, I think most of these cases should involve losing security clearances rather than criminal prosecution (though Petraeus also lied to FBI). But we know, even there, the system is totally arbitrary; DOJ has already refused to answer whether any of Hillary’s aides will be disciplined for their careless handling of classified information and Petraeus never did lose his clearance. Nor did the multiple witnesses who testified against Sterling who themselves mishandled classified information lose their security clearance.

Which is another way of saying our classification system is largely a way to arbitrarily label people you dislike disloyal.

How Did Booz Employee Analyst-Trainee Edward Snowden Get the Verizon 215 Order?

/13 Comments/in , , /by

One thing I’ve been pondering as I’ve been going through the Snowden emails liberated by Jason Leopold is the transition Snowden made just before he left. They show that in August 2012, Snowden was (as we’ve heard) a Dell contractor serving as a SysAdmin in Hawaii.

Screen Shot 2016-06-10 at 1.48.37 PM

The training he was taking (and complaining about) in around April 5 – 12, 2013 was in preparation to move into an analyst role with the National Threat Operations Center.

Screen Shot 2016-06-10 at 1.55.17 PM

That would mean Snowden would have been analyzing US vulnerabilities to cyberattack in what is a hybrid “best defense is a good offense” mode; given that he was in HI, these attacks would probably have been launched predominantly from, and countermeasures would be focused on, China. (Before Stewart Baker accuses me of showing no curiosity about this move, as Baker did about the Chinese invitation to Snowden’s girlfriend to a pole dancing competition, I did, but got remarkably little response from anyone on it.)

It’s not clear why Snowden made the switch, but we have certainly seen a number of cybersecurity related documents — see the packet published by Charlie Savage in conjunction with his upstream cyber article. Even the PRISM PowerPoint — the second thing released — actually has a cybersecurity focus (though I think there’s one detail that remains redacted). It’s about using upstream to track known cyberthreat actors.

Screen Shot 2016-06-10 at 2.09.14 PM

I suspect, given the inaccuracies and boosterism in this slide deck, that it was something Snowden picked up while at Booz training, when he was back in Maryland in April 2013. Which raises certain questions about what might have been available at Booz that wasn’t available at NSA itself, especially given the fact that all the PRISM providers’ names appear in uncoded fashion.

Incidentally, Snowden’s job changes at NSA also reveal that there are Booz analysts, not NSA direct employees, doing Section 702 analysis (though that is technically public). In case that makes you feel any better about the way the NSA runs it warrantless surveillance programs.

Anyway, thus far, all that makes sense: Snowden got into a cybersecurity role, and one of the latest documents he took was a document that included a cybersecurity function (though presumably he could have gotten most of the ones that had already been completed as a SysAdmin before that).

But one of the most sensitive documents he got — the Verizon Section 215 primary order — has nothing to do with cybersecurity. The Section 215 dragnet was supposed to be used exclusively for counterterrorism. (And as I understand it, there are almost no documents, of any type, listing provider names in the Snowden stash, and not all that many listing encoded provider names). But the Verizon dragnet order it is dated April 23, 2013, several weeks into the time Snowden had moved into a cybersecurity analytical role.

Screen Shot 2016-06-10 at 2.29.20 PM

There’s probably an easy explanation: That even though NSA is supposed to shift people’s credentials as they move from job to job, it hadn’t happened for Snowden yet. If that’s right, it would say whoever was responsible for downgrading Snowden’s access from SysAdmin to analyst was slow to make the change, resulting in one of the most significant disclosures Snowden made (there have been at least some cases of credentials not being adjusted since Snowden’s leaks, too, so they haven’t entirely addressed what would have to be regarded as a major fuck-up if that’s how this happened).

Interestingly, however, the declassification stamp on the document suggests it was classified on April 12, not April 23, which may mean they had wrapped up the authorization process, only to backdate it on the date it needed to be reauthorized. April 12, 2013 was, I believe, the last day Snowden was at Fort Meade.

Screen Shot 2016-06-10 at 2.34.33 PM

Whatever the underlying explanation, it should be noted that the most sensitive document Snowden leaked — the one that revealed that the government aspired to collect phone records from every single Verizon customer (and, significantly, the one that made court challenges possible) — had to have been obtained after Snowden formally left his SysAdmin, privileged user, position.

Carrie Cordero’s Counterintelligence Complaints

/10 Comments/in /by

I wasn’t going to respond to Carrie Cordero’s Lawfare piece on my and Jason Leopold’s story on NSA’s response to Edward Snowden’s claims he raised concerns at the agency, largely because I think her stance is fairly reasonable, particularly as compared to other Snowden critics who assume his leaks were, from start to finish, an FSB plot. But a number of people have asked me to do so, so here goes.

Let’s start with this:

As far as we know – even after this new reporting – Snowden didn’t lodge a complaint with the NSA Inspector General. Or the Department of Defense Inspector General. Or the Intelligence Community Inspector General. He didn’t follow up with the NSA Office of General Counsel. He didn’t make phone calls.  He didn’t write letters. He didn’t complain to Members of Congress who would have been willing to listen to his concerns.

Now here’s the rub: do I think that had he done all these things, the programs he questioned would have been shut down and there would have been the same effect as his unauthorized disclosures? No. He probably would have been told that more knowledgeable lawyers, leadership officials, congressmen and dozens of federal judges all assessed that the activities he questioned were legal.

Without noting the parts of the article that show that, nine months into the Snowden leaks and multiple hearings on the subject, Keith Alexander still didn’t know how contractors might raise complaints, and that the NSA editing of its Q&A on Snowden show real questions about the publicity and viability of reporting even to the IG, especially for legal violations, Cordero complains that he did not do so. Then she asserts that had Snowden gone to NSA’s IG (ignoring the record of what happened to Thomas Drake when he did the same), the programs would not have changed.

And yet, having taken a different approach, some of them have changed. Some of the programs — notably Section 215, but also tech companies’ relationship with the government, when exposed to democratic and non-FISA court review, and FISA court process itself — did get changed. I think all but the tech company changes have largely been cosmetic, Cordero has tended to think reforms would go too far. But the record shows that Snowden’s leaks, along with whatever else damage critics want to claim they caused, also led to a democratic decision to shift the US approach on surveillance somewhat. Cordero accuses Snowden of doing what he did because of ego — again, that’s her prerogative; I’m not going to persuade people who’ve already decided to think differently of Snowden — but she also argues that had Snowden followed the already problematic methods to officially report concerns, he would have had less effect raising concerns than he had in fact. Some of what he exposed may have been legally (when argued in secret) sustainable before Snowden, but they turned out not to be democratically sustainable.

Now let’s go back to how Cordero characterizes what the story showed:

Instead, the report reveals:

  • An NSA workforce conducting a huge after-action search for documents seeking to affirm or refute Snowden’s claim that he had raised red flags internally before resorting to leaking classified documents;
  • Numerous officials terrified that they would miss something in the search, knowing full-well how easily that could happen in NSA’s giant and complex enterprise; and
  • The NSA and ODNI General Counsels, and others in the interagency process –doing their job.

The emails in the report do reveal that government officials debated whether to release the one document that was evidence that Snowden did, in fact, communicate with the NSA Office of General Counsel. It’s hard to be surprised by this. On one hand, the one email in and of itself does not support Snowden’s public claim that he lodged numerous complaints; on the other hand, experienced senior government officials have been around the block enough times to know that as soon as you make a public statement that “there’s only one,” there is a very high likelihood that your door will soon be darkened by a staff member telling you, “wait, there’s more.” So it is no wonder that there was some interagency disagreement about what to do.

For what it’s worth, I think the emails show a mixed story about how well various participants did their job. They make Admiral Rogers look great (which probably would have been more prominently noted had the NSA not decided to screw us Friday night, leading to a very rushed edit job). They make Raj De, who appears to have started the push to release the email either during or just as Snowden’s interview with Brian Williams finished airing (it aired at 10:00 PM on May 28; though note the time stamps on this string of De emails are particularly suspect), look pretty crummy, and not only for that reactive response. (I emailed De for comment but got no response.)

Screen Shot 2016-06-05 at 12.57.44 PM

Later on, Cordero admits that, in addition to the OGC email, the story reported for the first time that there had also been a face-to-face conversation with one of the people involved in responding to that email.

The Vice report reveals that Snowden did do at least these things related to his interest in legal authorities and surveillance activities: (i) he clicked on a link to send a question to NSA OGC regarding USSID 18 training, which resulted in an emailed response from an NSA attorney; and (ii) he had a personal interaction (perhaps a short conversation) with a compliance official regarding questions in a training module. But according to the report, in his public statements, “Snowden insisted that he repeatedly raised concerns while at the NSA, and that his concerns were repeatedly ignored.”

(Note Cordero entirely ignores that interviews with Snowden’s colleagues — the same people whom she characterized as terrified they’d miss something in the media response but doesn’t consider whether they would be even more terrified conversations about privacy with Snowden might be deemed evidence of support for him — found a number of them having had conversations about privacy and the Constitution).

She doesn’t get into the chronology of the NSA’s treatment of the face-to-face conversation, though. What the story lays out is this:

  • Released emails show NSA now asserts that Snowden complained about two training programs within the span of a week, possibly even on the same day, with Compliance being involved in both complaints (Snowden would have known they were involved in the OGC response from forwarded emails)
  • Given the record thus far, it appears that there is no contemporaneous written record of the face-to-face complaint (we asked the NSA for any and that’s when they decided to just release the emails in the middle of the night instead of responding, though I assume there is an FBI 302 from an interview with the training woman)
  • Given the record thus far, NSA only wrote up that face-to-face complaint the day after and because NSA first saw teasers from the April 2014 Vanity Fair article revealing Snowden’s claim to have talked to “oversight and compliance”
  • In spite of what I agree was a very extensive (albeit frantic and limited in terms of the definition of “concern”) search, NSA did not — and had not, until our story — revealed that second contact, even though it was written up specifically in response to claims made in the press and well before the May 29 release of Snowden’s email
  • In the wake of NSA not having acknowledged that second contact, a senior NSA official wrote Admiral Rogers a fairly remarkable apology and (as I’ll show in a follow-up post) the NSA is now moving the goal posts on whom they claim Snowden may have talked to

Now, I actually don’t know what happened in that face-to-face contact. We asked both sides of the exchange very specific questions about it, and both sides then declined to do anything but release a canned statement (the NSA had said they would cooperate before they saw the questions). Some would say, so what? Snowden was complaining about training programs! Training programs, admittedly, that related to other documents Snowden leaked. And at least one training program, as it turns out, that the NSA IG had been pushing Compliance to fix for months, which might explain why they don’t want to answer any questions. But nevertheless “just” training programs.

I happen to care about the fact that NSA seems to have a pattern of providing, at best, very vague information about how seriously NSA has to take FISA (or, in the one program we have in its entirety, perfectly legal tips about how to bypass FISA rules), but I get that people see this as just a training issue.

I also happen to care about the fact that when Snowden asked what NSA would like to portray as a very simple question — does what would be FISA take precedence over what would be EO 12333 — it took 7 people who had been developing that training program to decide who and how to answer him. That question should be easier to answer than that (and the emailed discussion(s) about who and how to answer were among the things conspicuously withheld from this FOIA).

But yes, this is just two questions about training raised at a time (we noted in the story) when he was already on his way out the door with NSA’s secrets.

Which is, I guess, why the balance of Cordero’s post takes what I find a really curious turn.

If this is all there is – a conversation and a question  – then to believe that somehow NSA attorneys and compliance officials were supposed to divine that he was so distraught by his NSA training modules that he was going to steal the largest collection of classified documents in NSA history and facilitate their worldwide public release, is to live in a fantasy land.

No, what this new report reveals is that NSA lawyers and compliance personnel take questions, and answer them. Did they provide a simple bureaucratic response when they could or should have dug deeper? Maybe. Maybe not.

Because what they apparently do not do is go on a witch hunt of every employee who asks a couple legal questions. How effective do we think compliance and training would be, if every person who asks a question or two is then subject to intense follow-up and scrutiny? Would an atmosphere like that support a training environment, or chill it?

[snip]

NSA is an organization, and a workforce, doggedly devoted to mission, and to process. In the case of Snowden, there is an argument (one I’ve made before) that its technical security and counterintelligence function failed. But to allude – as today’s report does – that a couple questions from a low level staffer should have rung all sorts of warning bells in the compliance and legal offices, is to suggest that an organization like NSA can no longer place trust in its workforce. I’d wager that the reason the NSA lawyers and compliance officials didn’t respond more vigorously to his whispered inquiries, is because they never, in their wildest dreams, believed that a coworker would violate that trust.

Cordero turns a question about whether Snowden ever complained into a question about why the NSA didn’t notice he was about to walk off with the family jewels because he complained about two training programs.

There are two reasons I find this utterly bizarre. First, NSA’s training programs suck. It’s not just me, based on review of the few released training documents, saying it (though I did work for a number of years in training), it’s also NSA’s IG saying the 702 courses, and related materials, are factually wrong or don’t address critical concepts. Even the person who was most negative towards Snowden in all the emails, the Chief of SID Strategic Communications Team, revealed that lots of people complain about the 702 test (as is also evident from the training woman’s assertion they have canned answers for such complaints).

Complaints about fairness/trick questions are something that I saw junior analysts in NTOC … would pose — these were all his age and positional peers: young enlisted Troops, interns, and new hires. Nobody that has taken this test several times, or worked on things [redacted] for more than a couple of years would make such complaints. It is not a gentleman’s course. *I* failed it once, the first time I had to renew.

I’m all for rigorous testing, but all the anecdotes about complaints about this test may suggest the problem is in the test, not the test-takers. It’s not just that — as Cordero suggested — going on a witch hunt every time someone complains about training courses would chill the training environment (of a whole bunch of people, from the sounds of things). It’s that at precisely the moment Snowden took this training it was clear someone needed to fix NSA’s training, and Cordero’s response to learning that is to wonder why someone didn’t launch a CI investigation.

Which leads me to the other point. As Cordero notes, this is not the first time she has treated the Snowden story as one primarily about bad security. I happen to agree with her about NSA’s embarrassing security: the fact that Snowden could walk away with so much utterly damns NSA’s security practices (and with this article we learn that, contrary to repeated assertions by the government, he was in an analytical role, though we’ve already learned that techs are actually the ones with unaudited access to raw data).

But here’s the thing: you cannot, as Cordero does, say that the “foreign intelligence collection activities [are] done with detailed oversight and lots of accountability” if it is, at the same time, possible for a SysAdmin to walk away with the family jewels, including raw data on targets. If Snowden could take all this data, then so can someone maliciously spying on Americans — it’s just that that person wouldn’t go to the press to report on it and so it can continue unabated. In fact, in addition to rolling out more whistleblower protections in the wake of Snowden, NSA has made some necessary changes (such as not permitting individual techs to have unaudited access to raw data anymore, which appears to have been used, at times, as a workaround for data access limits under FISA), even while ratcheting up the insider threat program that will, as Cordero suggested, chill certain useful activities. One might ask why the IC moved so quickly to insider threat programs rather than just implementing sound technical controls.

Carrie Cordero’s lesson, aside from grading the participants in this email scrum with across-the-board As, is that Snowden complaining about the same training programs the IG was also complaining about should have been a counterintelligence issue but wasn’t because of the great trust at NSA. That argument, taken in tandem with Cordero’s vouching for NSA’s employees, should not, itself, inspire trust.

You Can Get Clearance If You Always Believed in the Fourth Amendment, But Not if You’re a Fourth Amendment Convert

/3 Comments/in /by

Screen Shot 2016-05-14 at 8.43.08 PMOn Thursday night at 11PM, in advance of an Oversight and Government Reform hearing scheduled at 9AM Friday, James Clapper’s office rolled out a new policy integrating the use of social media in security clearance reviews. Basically, the government can use public social media in making security clearance determinations, but can’t ask for your password, friend you to collect information, or access your non-public social media activity. They additionally claim, implausibly, they won’t keep anything unnecessary to make such determinations.

Even taking those caveats in good faith, the policy should not be regarded as a risk-free policy, because government bureaucrats don’t have a perfect record with attribution (something National Counterintelligence Director William Evanina admitted in the hearing) and they have a still worse one with irony. Plus, the history of FBI prosecutions of alleged terrorists for RTs suggests they will read certain actions in social media with a certain kind of intent that may not be true.

Worse, Evanina said two ridiculous things in the hearing that raises real questions about the policy and his ability to implement it fairly.

First, Thomas Massie asked Evanina whether political views would be considered. Massie, after having noted the committee notes suggested a social media search might have identified Snowden as a potential threat (Snowden did spend time online before his classified career, but nothing would have obviously flagged him), also noted their similar political contribution histories. “Do you take into account political support when you’re doing background research on social media?” After Evanina explained the background check would not review that, Massie asked specifically about whether a person supported a candidate who was strong on the Fourth Amendment.”Your belief in Fourth Amendment would not have any predication on whether you could hold or maintain a security clearance,” Evanina replied in response.

Breaking! You can believe in the Fourth Amendment and get a security clearance. 

Only, that’s not true if you’re a convert to the Fourth Amendment (as Snowden arguably was, given his online comments).

Barely mentioned at the hearing were the guidelines the Intelligence Authorization had laid out for this policy, which I wrote about here and here.

(C) publicly available information, whether electronic, printed, or other form, including relevant security or counterintelligence information about the covered individual or information that may suggest ill intent, vulnerability to blackmail, compulsive behavior, allegiance to another country, change in ideology, or that the covered individual lacks good judgment, reliability, or trustworthiness; [my emphasis]

One thing Congress explicitly wanted to measure was “change in ideology” (I believe this was always included in security clearance determinations, but it has a much different impact if one is reviewing everyone’s candid thoughts), the kind of thing when someone who once railed against leakers in public comments goes on to question whether surveillance has gotten out of hand, as Snowden did.

Or as a lot of other people did, when they considered the impact of their dragnets.

The other ridiculous thing Evanina said came in response to Ted Lieu’s concerns about the number of Asian Americans charged with spying charges that later collapsed (something that Judy Chu has also been hitting on). Lieu also mentioned that since the public reports of spying cases collapsing, he has heard from some people who believe they were denied security clearances because of their (presumably Chinese-American) ethnicity.

So Lieu asked Evanina if that’s ever a consideration.

Evanina not only claimed that it is not a consideration (in spite of the case of the man who was denied clearance because of the USAID-tied organization his wife worked for), but he offered up that in his 19 years at FBI, they had also never used ethnicity as a reason for investigation.

There’s one ginormous problem with that claim (which was sworn).

Evanina was at FBI when, in 2008, they changed the Domestic Investigations and Operations Guide (as noted above) to permit consideration of First Amendment protected activities, including religion, among the things FBI Agents may take into account during an investigation.

FBI employees may take appropriate cognizance of the role religion may play in the membership or motivation of a criminal or terrorism enterprise. If, for example, affiliation with a certain religious institution or a specific religious sect is a known requirement for inclusion in a violent organization that is the subject of an investigation, then whether a person of interest is a member of that institution or sect is a rational and permissible consideration. Similarly, if investigative experience and reliable intelligence reveal that members of a terrorist or criminal organization are known to commonly possess or exhibit a combination of religion-based characteristics or practices (e.g., group leaders state that acts of terrorism are based in religious doctrine), it is rational and lawful to consider such a combination in gathering intelligence about the group-even if any one of these, by itself, would constitute an impermissible consideration.

Worse, Evanina served in a policy role when, in 2011, they reinforced this permission in that year’s DIOG.

Admittedly, religion is not the same thing as ethnicity. But for a number of ethnicities, including Chinese and Muslim Arabs, religion can stand in for a kind of ethnicity.

It may be that Evanina was foolish enough to raise his FBI experience, which might be entirely unrelated to the practice of security clearance evaluations. But he did. And that raised some really good reasons (on top of the known record and explicit direction from Congress about what this social media approach should entail) to doubt his assurances to the committee about civil liberties problems with this policy.

I get that it makes sense to review someone’s social media to see if they can keep a secret. But it is also the case that the IC generally, the FBI in particular, and Evanina personally, are not credible on this point.

The Intelligence Community Casts Its Vote for Hillary Clinton

/9 Comments/in /by

Since Donald Trump all-but sealed the nomination the other day, there has been a bit of a tizzy because he’ll receive intelligence briefing(s). Several spooks and former spooks complained to the Daily Beast that Trump might run his mouth and let something slip.

And that prospect has some spies sweating. Trump, who can’t seem to dam his stream of consciousness on Twitter, and who has lately taken to spreading rumors and conspiracy theories on national television, has never been privy to national secrets. Nor has he ever demonstrated that he’s capable of keeping them.

“My concern with Trump will be that he inadvertently leaks, because as he speaks extemporaneously, he’ll pull something out of his hat that he heard in a briefing and say it,” said a former senior U.S. intelligence official who has participated in the process of briefing presidential candidates.

[snip]

“It’s not an unreasonable concern that he’ll talk publicly about what’s supposed to stay in that room,” said another former senior intelligence official.

A currently serving U.S. official echoed some of those anxieties and wondered whether Trump would respect the discretion of the briefing and not use it to his advantage on the campaign trail.

The DB piece admits that Hillary is under investigation for mishandling classified information, with her presumptive National Security Advisor Jake Sullivan among the staffers who forwarded emails the CIA claims (dubiously) to be super secret (curiously, this flurry of Trump briefing stories came on the same date the FBI was leaking to CNN that thus far they’ve got nothing against Hillary). It doesn’t mention that Leon Panetta, who leaked classified information for political gain, is also among Hillary’s advisors.

WaPo’s Greg Miller airs more concerns from the spooks, including that intelligence briefers would be uncomfortable briefing people who have close business ties to rivals or adversaries, not to mention people who espouse torture.

Analysts selected for such assignments tend to be among the most polished and experienced in the intelligence community. “They are going to be very professional,” Peritz said, but Trump poses unique complications. “He has all kinds of relationships with Chinese investors and Russian investors. He’s spoken very highly of our adversaries. And he’s talked about using torture and waterboarding and attacking people’s families. All these things are going through the analysts’ minds.”

Huh? The CIA doesn’t have anyone left over who briefed Dick Cheney? Because those guys surely knew he talked about torture and waterboarding! Or how about the folks who briefed Obama before someone killed Anwar al-Awlaki’s teenage son? And if Hillary, with all her ties to Clinton Global Initiatives people, can be briefed, I’m not sure why Trump can’t, with his business ties. It’s not as if the Russians and Chinese haven’t already stolen the secrets that Trump would get.

Look. Michele Bachmann served on the House Intelligence Committee for four years. She’s every bit as unpredictable as Donald Trump. And aside from that time she claimed that jihadis had already tried to penetrate 6 of the 15 Pakistani nuclear sites that were vulnerable — a detail that had already been reported to the press — she never ran her mouth more than, say, Marco Rubio when he leaked details about the implementation of USA Freedom Act earlier this year.

The point is, all this Sturm und Drang about Trump getting intelligence briefings ignores all the other leakage that already goes on by people the Intelligence Community doesn’t seem worried about briefing. All the more so given what Charlie Savage notes — that this is just one limited briefing; Trump won’t get to learn the good stuff until after he wins the Presidency.

Michael J. Morell, a former deputy C.I.A. director, who regularly briefed Mr. Obama before retiring in 2013, said the postconvention nominee briefing would last several hours. The idea is to “get them to understand that they have now stepped into a bigger world” in which foreign allies, adversaries, and neutral parties are paying close attention to whatever they say, and that their words may have broad consequences, he said.

Michael E. Leiter, a former director of the National Counterterrorism Center, provided the terrorism portion of the briefing that Mr. Obama received after he became the Democratic nominee in 2008. Mr. Leiter said the post-convention briefings lay out a significant amount of important and sensitive information.

“You are not trying to give them a tactical update on the issues of the day, but to lay out the full panoply of issues that they are going to face; the good, the bad, and the ugly of what the world looks like and what implications there may be going forward,” he said.

Both former officials said that the postconvention briefing for nominees would contain top secret information, but not a discussion of the sources and methods used to gather it, or any description of covert operations.

Raising the specter of classified information is nice. But this seems to be more a statement of preference for Hillary Clinton, and a continuation of the status quo, with all its questionable aggression, than a case against Trump, no matter how bad his foreign policy would be (though his domestic policy against minorities would be worse than his foreign policy). The spooks want Hillary and a continuation of their current plans.

Plus, all this whining ignores something else.

Although the Executive does so by very broadly interpreting the relevant precedents, for decades, Presidents have claimed — and the Intelligence Community has backed that claim fully — that they have unlimited discretion to classify or declassify information. The idea is that if some guy can get elected, he can decide what counts as classified in this country.

If that would be a problem with Trump, then maybe now is the time to start thinking about codifying some limits to giving popularly elected Presidents unfettered discretion to play with classified information? I, frankly, don’t want Hillary to have that authority either (or any President!). You never know when someone is going to leak an officer’s identity just for political gain, after all.

But the IC has for decades agreed with a system in which the President has complete, arbitrary control over what counts as classified. That’s the underlying problem. Not that Donald Trump might get a single intelligence briefing.