Keith Alexander: “We Must Win, There Is No Substitute for Victory”

/30 Comments/in , , , , /by

I frankly have no problem with Keith Alexander giving the employees of the National Security Agency a pep talk as the truth of what they’re doing to us becomes public. They are not, after all, responsible for the serial disinformation Alexander and James Clapper have spread about their work. And the overwhelming majority of them are just trying to support the country.

I don’t find this part of Alexander’s speech even remotely accurate, mind you, but I’ve gotten used to dissembling from Alexander.

The issue is one that is partly fueled by the sensational nature of the leaks and the way their timing has been carefully orchestrated to inflame and embarrass. The challenge of these leaks is exacerbated by a lack of public understanding of the safeguards in place and little awareness of the outcomes that our authorities yield. Leadership, from the President and others in the Executive Branch to the Congress, is now engaged in a public dialogue to make sure the American public gets the rest of the story while not disclosing details that would further endanger our national security.

It’s hard to understand how leaks can be inflammatory and embarrassing but all the claims about safeguards and dialogue to also be true.

But it’s this passage I’m far more struck by:

Let me say again how proud I am to lead this exceptional workforce, uniformed and civilian, civil service and contract personnel. Your dedication is unsurpassed, your patriotism unquestioned, and your skills are the envy of the world. Together with your colleagues in US Cyber Command, you embody the true meaning of noble intent through your national service. In a 1962 speech to the Corps of Cadets on “duty, honor and country,” one of this nation’s military heroes, General Douglas MacArthur, said these words teach us “not to substitute words for action; not to seek the path of comfort, but to face the stress and spur of difficulty and challenge; to learn to stand up in the storm.” You have done all that and more. “Duty, Honor, Country” could easily be your motto, for you live these words every day. [my emphasis]

It’s not just that he calls out Cyber Command in the midst of a scandal that’s not supposed to be (but really is) about offensive war.

It’s not just that he chooses to cite one of the most powerful Generals ever, one who defied civilian command to try to extend a war that — it turns out — wasn’t existential.

But it’s also that he chose to cite a speech that invokes that moment of insubordination, a speech that encourages political inaction among the troops, a speech whose audience MacArthur defined as singularly military.

And through all this welter of change and development your mission remains fixed, determined, inviolable. It is to win our wars. Everything else in your professional career is but corollary to this vital dedication. All other public purpose, all other public projects, all other public needs, great or small, will find others for their accomplishments; but you are the ones who are trained to fight.

Yours is the profession of arms, the will to win, the sure knowledge that in war there is no substitute for victory, that if you lose, the Nation will be destroyed, that the very obsession of your public service must be Duty, Honor, Country.

Others will debate the controversial issues, national and international, which divide men’s minds. But serene, calm, aloof, you stand as the Nation’s war guardians, as its lifeguards from the raging tides of international conflict, as its gladiators in the arena of battle. For a century and a half you have defended, guarded and protected its hallowed traditions of liberty and freedom, of right and justice.

Let civilian voices argue the merits or demerits of our processes of government. Whether our strength is being sapped by deficit financing indulged in too long, by federal paternalism grown too mighty, by power groups grown too arrogant, by politics grown too corrupt, by crime grown too rampant, by morals grown too low, by taxes grown too high, by extremists grown too violent; whether our personal liberties are as firm and complete as they should be.

These great national problems are not for your professional participation or military solution. Your guidepost stands out like a tenfold beacon in the night: Duty, Honor, Country.

At a moment of crisis, at a moment when his own credibility is under strain, Keith Alexander has chosen to address the military, civilian, and contractor employees of the NSA as unthinking warriors, isolated from the critical issues swirling around them at the moment. He has chosen to frame NSA as a war machine, not as a defense machine.

The employees of NSA’s first duty is to the Constitution, not the secret battles Alexander wants to escalate and win at all costs. I do hope they don’t despair of that duty.

FISA Amendments Act Minimization: Preventing Serious Harm to Corporate Persons

/8 Comments/in , , /by

As I was working through some other things last night, I had an opportunity to compare the minimization standards for the FISA Amendments Act (see section h) with the standards under which the actual minimization procedures allow the retention of purely domestic communications (that is, between parties that are all within the United States). These procedures are in addition to procedures that affect foreign communications (with one of the participants a non-US person outside the US).

Last night, I suggested there were 3 “normal” standards and one that doesn’t appear in the law pertaining to cybersecurity and encrypted communications. But that’s not entirely right. The last standard in the actual law reads,

(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.

That is, the actual law allows retention of information for up to 72 hours (presumably to process, which is moot anyway, since they’re actually keeping this data 5 years), unless the court or the Attorney General says it must be kept longer because it pertains to threat of death of serious bodily harm.

But in the minimization standards themselves, here’s how that reads.

A communication identified as a domestic communication will be promptly destroyed upon recognition unless the Director (or Acting Director) of NSA specifically determines, in writing, that:

the communication contains information pertaining to a threat of serious harm to life or property. [my emphasis]

In plain language, the law seems to be about saving human lives. But in paragraphs marked Secret, the government has redefined threat of death or “serious bodily harm to any person” as “serious harm to life or property.”

And while it’s just a guess here, I’m guessing that they switched this language, protecting property, not people, to protect corporate people.

In any case, spying on entirely domestic communications to protect against threats entirely to property, not life, sure seems like a giant loophole in a program that is supposed to be focused exclusively on foreign intelligence.

Keith Alexander’s Secret Lie: Retention and Distribution of Domestic Encrypted and Hacking Communications?

/19 Comments/in , , /by

As I noted in my last two posts, Keith Alexander has admitted that the classified lie Mark Udall and Ron Wyden accused him of telling “could have more precisely described the requirements of collection under FISA Amendments Act.”

He then goes onto repeat the many claims about Section 702, which are different forms of saying that it may not collect information on someone knowingly in the US.

Which leads me to suspect that the lie Udall and Wyden described is that the program can retain and distribute domestic communications, which are defined as “communications in which the sender and all intended recipients are reasonably believed to be located in the United States at the time of acquisition.”

The minimization procedures actually describe four kinds of domestic communications that can be distributed with written NSA Director determination. Three of those — significant foreign intelligence information, evidence of a crime imminently being committed, and threat of serious harm to life or property — were generally known. But there is a fourth which I think is probably huge collection:

Section 5(3)

The communication is reasonably believed to contain technical data base information, as defined in Section 2(i), or information necessary to understand or assess a communications security vulnerability. Such communication may be provided to the FBI and/or disseminated to other elements of the United States Government. Such communications may be returned for a period sufficient to allow a thorough exploitation and to permit access to data that are, or are reasonably believed likely to become, relevant to a current or future foreign intelligence requirement. Sufficient duration may vary with the nature of the exploitation.

a. In the context of a cryptanalytic effort, maintenance of technical data bases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any time period during which encrypted material is subject to, or of us in, cryptanalysis.

b. In the case of communications that are not enciphered or otherwise thought to contain secret meaning, sufficient duration is five years unless the Signal Intelligence Director, NSA, determines in writing that retention for a longer period is required to respond to authorized foreign intelligence or counterintelligence requirements,

Technical data base information, according to the definitions, “means information retained for cryptanalytic, traffic analytic, or signal exploitation purposes.”

In other words, hacking.

Encrypted communications and evidence of hacking have secretly been included in a law purportedly about foreign intelligence collection. And they can keep that information as long as it takes, exempting it from normal minimization requirements.

To be clear, the government still has to get the communication believing (according to its 51% rule) that it has one foreign component. But if Keith Alexander says so, NSA can keep it, forever, even after it finds out it is a domestic communication.

Update: Here’s the July 2012 letter to Clapper. Here’s Clapper’s August 2012 response — the good bits of which are all classified.

NSA’s Querying of US Person Data, Take Two

/12 Comments/in , /by

Update: Alexander’s office has conceded Udall and Wyden’s point about the classified inaccuracy. It also notes:

With respect to the second point raised in your 24 June 2013 letter, the fact sheet did not imply nor was it intended to imply “that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”

He then cites two letters from James Clapper’s office which I don’t believe have been published.

Joshua Foust tries to refute this post and in doing so proves once again he doesn’t understand the meaning of “target” under Section 702.

Out of courtesy to him, I’m going to rewrite this post to help him understand it. The issue is not whether the US can “target” a US person without a warrant. They can’t. The issue is what the US does with US person data they collect incidentally off a legal target (which must be a foreigner overseas collected for a legitimate intelligence purpose).

At issue is this sentence in the Mark Udall/Ron Wyden letter to Keith Alexander.

Separately, this same fact sheet states that under Section 702, “Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.” We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.

The passage says that the claim, “any inadvertently acquired communication of or concerning a US person must be promptly destroyed” is “somewhat misleading,” for two reasons:

  1. It implies that the NSA has the ability to determine how many American communications it has collected under section 702
  2. It implies that the law does not allow the NSA to deliberately search for the records of particular Americans

Now, before I get into bullet point 2, which is the one in question, note that this entire passage is talking about “inadvertently acquired communication of or concerning a US person.” This is not information on someone who has been targeted. It discusses what happens to information collected along with the communications of those who’ve been targeted (say, by emailing the target). Therefore, this entire passage is irrelevant to the issue of what happens with the targeted person’s communication. The Udall/Wyden claim is not about targeting in the least; it is about incidental collection.

Okay, bullet point 2: Udall and Wyden claim that Alexander’s fact sheet is misleading because it implies the law does not allow the NSA to deliberately search for the records of particular Americans. They could be wrong, but their claim is that it is misleading for Alexander to suggest that the law does not allow the NSA to deliberately search for the records of particular Americans. That means they believe the law does allow the NSA to deliberately search for the records of particular Americans, otherwise they wouldn’t think his statement was misleading.

Now, if it were just Udall and Wyden making this claim, it’d be a he-said/he-said. But  pointed out that this claim is not new at all. It’s not even one limited to Udall and Wyden. In the FAA report released by Dianne Feinstein last year, it said,

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession.

First, the report describes a debate the committee had:

The Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained.

The committee debated two things:

  1. Whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited.
  2. Whether querying information collected under Section 702 to find communications of a particular United States person should be more robustly constrained.

Bullet point 1 makes it clear they were debating whether they should prohibit this activity. If they had to consider that, it means that it is not prohibited (which is precisely what Udall and Wyden say–that the law allows it). Bullet point 2 says they also considered whether they should “more robustly constrain” it, which suggests (though does not prove) that it is going on now, otherwise there’d be nothing to constrain.

The IC IGs won’t tell us how much of this goes on–they claim they have no way of counting it, which ought to alarm you, because it says they’re not actually tracking it via some kind of auditing function.

I defer to his conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission. He further stated that his office and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons.

Now, as I already laid out, what we’re talking about is not targeting a US person–focusing collection on that person. What we’re talking about is what you can do with the US person data collected “incidentally” with the communications collected of that targeted person. That information–as the minimization guidelines describe–is lawfully collected. The big question is what you can do with it once you have collected it, and in many but not all cases there are restrictions against circulating that information before you’ve hidden the identity of the US person in question.

The last part of the passage from the SSCI says,

With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession.

Again, some amount of US person data is collected under Section 702 along with the data of the targeted person (if it weren’t, they wouldn’t need minimization procedures). It is lawfully collected. The question is what you’re allowed to do with it. And as part of the debate the committee had about whether they were going to “prohibit” or “more robustly constrain” the querying of US person data that was lawfully collected as incidental data, SSCI describes the Intelligence Community (which includes, in part, the NSA, the CIA, and the FBI) providing several reasons why it might need to conduct queries of this data. And the committee agreed that these reasons were “legitimate foreign intelligence needs.”

The minimization procedures from 2009, at least, require destruction of US person data if it is “clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information).” (3(b)(1)) What is not immediately destroyed may be kept for up to 5 years. But it only destroys the stuff that is “clearly not relevant,” not data that might be relevant to the purpose of the investigation.

Now, while the language is not exact, the SSCI report’s description of data that has a “legitimate foreign intelligence” surely includes “foreign intelligence information.” This is kind of backwards (which may be part of complaint from Udall and Wyden), but unless the information is clearly not relevant — and the intelligence community says some of this data has legitimate intelligence purposes — then it is retained. This is probably why Udall and Wyden think Alexander’s “must be promptly destroyed” is misleading, because if the IC thinks they might need to query it because it would serve a legitimate foreign intelligence purpose, then it is not.

So who makes this decision whether to keep the data? “NSA analyst(s) will determine whether it … is reasonably believed to contain foreign intelligence information.” (3(b)(4)) The NSA, not FBI or CIA.

And this data cannot just be retained. It can also be “forwarded to analytic personnel responsible for producing intelligence information from the collected data.” (3(b)(2))

Now, in most cases, that information must be anonymized (which is what Kurt Eichenwald discusses here, which Foust cites). But it has always been the case there are exceptions to that rule. Some exceptions are if:

  • The Director of NSA specifically determines, in writing, that the communication is reasonably believed to contain significant foreign intelligence information. (5(1)) In that case the information goes to the FBI. [Update: This distribution is permitted with domestic communication–that is, US to US person.]
  • A recipient requiring the identity of such person for the performance of official duties needs the identity of the United States person to understand foreign intelligence information or assess its importance. (6(b)(2) This sometimes, but not always, happens after an initial distribution.

There are actually a slew more exceptions but these two should suffice. Again, these rules on distribution (except as they affect technical data base information, which might be relevant here, but not necessary) are not new with FAA. They’ve long been in place.

Again, this is all about what happens to incidentally collected data, not the data of the person actually targeted. Which is why these two passages are irrelevant to the entire point (the second of which Foust thought I was leaving out because it hurt my point).

As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause.

[snip]

The Department of Justice and Intelligence Community reaffirmed that any queries made of Section 702 data will be conducted in strict compliance with applicable guidelines and procedures and do not provide a means to circumvent the general requirement to obtain a court order before targeting a U.S. person under FISA.

What they say is that the government is prohibited from targeting a US person without a warrant and that any other things done with incidentally collected data must be conducted in strict compliance with applicable guidelines, which are the minimization procedures I just reviewed (though again, those are from 2009 so they may have changed somewhat). The passage very clearly envisions making queries of the data and very clearly considers such queries to be distinct from the targeting of a US person.

And the minimization procedures make it clear that if data is not “clearly not foreign intelligence,” (that is, if it might be foreign intelligence, as this queried data is, according to the IC) then it is retained, at least through the initial (NSA-conducted) review. Where it can be queried, so long as the other minimization procedures are met.

One final thing. Foust is actually wrong when he suggests the IC asked for new authority (in any case, the only conclusion would be that they got it). Rather, in both the SSCI and the Senate Judiciary Committee, Senators tried to limit this authority. In SJC, Mike Lee,  Dick Durbin, and Chris Coons submitted an amendment to (among other things) prohibit,

the searching of the contents of communications acquired under this section [702] in an effort to find communications of a particular United States person…

…Except with an emergency authorization.

Dianne Feinstein fought the amendment by arguing such a prohibition would have made it harder to find Nidal Hasan (whom we didn’t find anyway, and whose communications with Anwar al-Awlaki may well have been traditional FISA collection). But at one level that makes sense.

Sheldon Whitehouse said that such a restriction would “kill this program.”

I may not like what Whitehouse stated. But I do trust his judgement about how central to this program is access to US person communications.

That doesn’t say how much of this stuff goes on (though it does seem to suggest it does). But it does say we ought to at least track it.

Confirmed: NSA Does Search Section 702 Data for Particular US Person Data

/18 Comments/in , /by

Update: To help Joshua Foust understand this topic, I did a second, really basic version of this post here. So if you’re fairly new to all this stuff, you might start there and then come back.

Update: Alexander’s office has conceded Udall and Wyden’s point about the classified inaccuracy. It also notes:

With respect to the second point raised in your 24 June 2013 letter, the fact sheet did not imply nor was it intended to imply “that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”

He then cites two letters from James Clapper’s office which I don’t believe have been published.

I’ve seen some people complaining that Ron Wyden and Mark Udall didn’t explicitly describe what Keith Alexander’s lies were in the NSA handout on Section 702 collection (note, as of 1PM, NSA has taken down their handout from their server). I’m okay with them leaving big breadcrumbs instead, not least because until we fix intelligence oversight, we’re going to need people like them who manage to stay on the committees but lay these signposts.

That said, I think people are underestimating how big of a signpost they did leave. Consider this, from their letter:

Separately, this same fact sheet states that under Section 702, “Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.” We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans. [my emphasis]

Last year’s SSCI report on extending the FISA Amendments Act strongly implied that the government interpreted the law to mean it could search for records of particular Americans.

During the Committee’s consideration of this legislation, several Senators expressed a desire to quantify the extent of incidental collection under Section 702. I share this desire. However, the Committee has been repeatedly advised by the ODNI that due to the nature of the collection and the limits of the technology involved, it is not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under Section 702 authority. Senators Ron Wyden and Mark Udall have requested a review by the Inspector General of the NSA and the Inspector General of the Intelligence Community to determine whether it is feasible to estimate this number. The Inspectors General are conducting that review now, thus making an amendment on this subject unnecessary.

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession. [my emphasis]

This passage made it clear that the Intelligence Community had demanded the ability to search on US person data already collected. Wyden and Udall’s letter makes that even more clear.

And the minimization procedures leaked last week support this (though note, these date to 2009 and might have been ruled to violate the Fourth Amendment since, though I suspect they haven’t).

They make it clear that US person communications will be retained if they contain foreign intelligence information (a term not defined in the procedures), including those they collected because (they claim) they’re unable to filter it out.

3(b)

(1) Personnel will exercise reasonable judgment in determining whether information acquired must be minimized and will destroyed inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle at which such communication can be identified either: as clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information)

[snip]

The communications that may be retained include electronic communications acquired because of limitations on NSA’s ability to filter communications.

(2) Communications of or concerning United States persons that may be related to the authorized purpose of the acquisition may be forwarded to analytic personnel responsible for producing intelligence information from the collected data.

The procedures make it clear that, with authorization from the NSA Director, even communications entirely between US persons may be retained (see section 5) if they are of significant intelligence value. Communications showing a communications security vulnerability may also be retained (this permission, related to cybersecurity, was not made public in the NSA handout).

And here’s perhaps the most interesting way of keeping US person data.

6(c)

(1) NSA may provide to the Central Intelligence Agency (CIA) unminimized communications acquired pursuant to section 702 of the Act. CIA will identify to NSA targets for which NSA may provide unminimized communications to CIA. CIA will process any such unminimized communications received from NSA in accordance with CIA minimization procedures …

(2) NSA may provide to the FBI unminimized communications acquired pursuant to section 702 of the Act. FBI will identify to NSA targets for which NSA may provide unminimized communications to the FBI. FBI will process any such unminimized communications received from NSA in accordance with FBI minimization procedures …

This is a kind of collection that Pat Leahy seems to believe escapes review by current Inspector General reviews of the program, as he tried to mandate such reviews in last year’s reauthorization.

The minimization procedures also appear to support Julian Sanchez’ guesstimate of how they could pull up US person contacts, since a phone number or unique name are not explicitly included among the identifiers that would constitute IDing a US person.

Now, all that doesn’t specifically address the other lie Wyden and Udall invoked, which they describe “portrays protections for Americans’ privacy as being significantly stronger than they actually are.” But I think the points I’ve laid out above — particularly the cybersecurity collection that is entirely unmentioned in the 702 sheet — probably lays out the gist of Alexander’s lies.

The government has spent the entire time since these documents were revealed trying to lie to Americans about whether their contacts with foreigners can be retained and read. And those lies keep getting exposed.

Shorter WaPo: It Would Take Months to Know about Spying Misconduct

/11 Comments/in , , /by

For what it’s worth, I consider reports that the government doesn’t know what Edward Snowden took to be disinformation. And indeed, claims to that effect in this WaPo article are sourced to: “one former government official,”a “former senior U.S. official,” and “a former senior U.S. intelligence official who served in Russia.” There’s also “a senior intelligence official” who says only it’ll take months to complete the damage assessment on Snowden’s materials, which is different from claiming (as the other sources do) that Russia and China have what he took. And a “second senior intelligence official” who fearmongers improbably about how much easier this will make things on the terrorists.

But ultimately, most of the people claiming NSA doesn’t know what Snowden took are former officials, presumably out of the loop on such issues (unless, of course, they’re Booz Allen Hamilton revolving doormen).

Funny thing is, if all that were true — if the government is still struggling to figure out what Snowden took a month after he left NSA — it indicates that the government would not know if a Sysadmin at the NSA had spied on Americans, if ever, until months after someone did so.

But, promise, this giant dragnet is secure.

Update: Mark Hosenball’s version of this apparently organized leak (his is sourced to “several U.S. officials,” “one non-government source familiar with Snowden’s materials,” and “2 U.S. national security sources,” makes it fairly clear the government intends to release this disinformation — along with incorrect claims about the history of WikiLeaks — as a way to fearmonger about that connection.

Although WikiLeaks initially made the diplomatic cables available to media outlets, including the Guardian and New York Times, who redacted potentially sensitive information before publishing them, the website eventually released an entirely unredacted archive of the material, to the dismay of the Obama Administration. U.S. officials said the information put sources at risk and damaged relations with foreign governments.

The disinformation people spreading this story apparently are less worried about confirming genuine concerns about the security of these programs than they are about trying to catch up to WikiLeaks involvement with a new line of fearmongering.

Update: I changed the title of this after it was published.

Wyden & Udall to Alexander: Why Do You People Keep Lying?

/10 Comments/in , /by

According to a letter Ron Wyden and Mark Udall sent Keith Alexander, the NSA is still lying publicly. At issue are two inaccuracies in the information sheet the NSA released about Section 702 implementation.

We were disappointed to see that this fact sheet contains an inaccurate statement about how the section 702 authority has been interpreted by the US government. In our judgment this inaccuracy is significant, as it portrays protections for Americans’ privacy as being significantly stronger than they actually are.

While I’m not certain what inaccuracy they’re talking about here, I suspect it has to do with the US person contact info collected along with targets. Even a comparison of the minimization order and the NSA’s claims make it clear US person communication can be swept up more easily than they claim.

Then there’s this complaint, which explicitly objects to the suggestion that the government manages to purge US person data, which of course they also claim they don’t track.

Separately, this same fact sheet states that under Section 702, “Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.” We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans. In fact, the intelligence community has told us repeatedly that it is “not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under the authority” of the FISA Amendments Act.

They make it clear the claim this information gets purged is false.

Obama’s Stubbornness and the Risk of Snowden

/56 Comments/in , , , /by

At the outset of this post, let me lay out my following assumptions (I can’t prove these points, but I suspect them):

  • The documents released so far by Guardian and WaPo — information on the Section 215 program, PRISM, and the PPD on cyberwar — have done negligible damage to our security (indeed, even Sheldon Whitehouse, a big defender of these programs, said the government should have been transparent about them earlier)
  • China already knew the content of Edward Snowden’s public revelations about our hacking into Chinese networks (we know China’s compromises of us, so it is unlikely China, which is more successful and aggressive at hacking than we are, doesn’t know our compromises of it); the revelations on this front so far have served primarily to even out the playing field on mutual accusations of hacking
  • Snowden personally (and his laptops) have information that China and Russia could both find of more use, particularly given that some of our programs targeting them were run out of HI
  • Snowden may also have things that might be of use to others, such as organized crime (If I were planning on longevity and had access, for example, I would take some zero day exploits when I left the NSA, though the street value of them would diminish once NSA had inventoried what I took)
  • The reporting I’ve seen has not confirmed reports that either China or Russia has debriefed Snowden or scanned his computers (indeed, this report on China’s involvement in his departure from Hong Kong suggests they did not talk with him directly)
  • Julian Assange knows where Snowden is, leading to the possibility he has escaped Russia to a country that has not yet been named in reports of Snowden’s escape (named countries have included Venezuela, Cuba, Ecuador, and Iceland)

All of that is a roundabout way of saying that Snowden could do great damage to the US, but may not have yet, and certainly hadn’t by the time he first revealed himself in Hong Kong.

If that’s right, then it seems the Obama approach has been precisely the wrong approach in limiting potential damage to national security. The best way to limit damage, for example, would be to get Snowden to a safe place where our greatest adversaries can’t get to him, where we could make an eternal stink about his asylum there, but still rest easy knowing he wasn’t leaking further secrets. Indeed, if he were exiled in some place like France, we’d likely have more influence over what he was allowed to do than if he gets to Ecuador, for example.

The most likely approach to lead to further damage, however, is to charge him with Espionage. This not only raises the specter of the treatment we’ve given Bradley Manning — giving Snowden Denise Lind’s judgement that Manning’s rights were violated to include in any asylum application — but also easily falls under what states can call political crimes, which permits them to ignore extradition requests. That is, we appear to be pursuing the approach that could lead to greater damage.

By contrast, letting Snowden get someplace safe is perfectly equivalent to letting the CIA off for torture (or, for that matter, James Clapper off for lying to Congress). It’s a violation of rule of law, but it also serves to minimize the tremendous damage the spooks might do to retaliate. Obama has chosen this path already when the criminals were his criminals; he clearly doesn’t have the least bit of compunction of setting aside rule of law for pragmatic reasons. But in Snowden’s case, he seems to be pursuing a strategy that not only might increase the likelihood of damage, but also lets China and Russia retaliate for perceived slights along the way.

All this is just an observation. I believe Obama’s relentless attacks on whistleblowers and his ruthless enforcement of information asymmetry have actually raised the risk of something like this. And he seems to be prioritizing proving the power of the US (which has, thus far, only proved our diminishing influence) over limiting damage Snowden might do.

Update: This fearmongering WaPo article nevertheless quotes a former senior US official admitting that what Snowden has released so far wouldn’t help China or Russia.

A former senior U.S. official said that the material that has leaked publicly would be of limited use to China or Russia but that if Snowden also stole files that outline U.S. cyber-penetration efforts, the damage of any disclosure would be multiplied.

Keith Alexander’s “Packets in Flight” Turn Hackers into Terrorists

/12 Comments/in , , /by

Keith Alexander showed up to chat with a typically solicitous George Stephanopoulos yesterday. The interview demonstrates something I’ll be increasingly obsessed with in upcoming weeks.

The government is using the limited success of NSA’s counterterrorism spying to justify programs that increasingly serve a cybersecurity function — a function Congress has not enthusiastically endorsed.

The interview starts with Alexander ignoring Steph’s first question (why we didn’t find Snowden) and instead teeing up 9/11 and terror terror terror.

And when you think about what our mission is, I want to jump into that, because I think it reflect on the question you’re asking.

You know, my first responsibility to the American people is to defend this nation. And when you think about it, defending the nation, let’s look back at 9/11 and what happened.

The intel community failed to connect the dots in 9/11. And much of what we’ve done since then were to give us the capabilities — and this is the business record FISA, what’s sometimes called Section 215 and the FAA 702 — two capabilities that help us connect the dots.

The reason I bring that up is that these are two of the most important things from my perspective that helps us understand what terrorists are trying to do. And if you think about that, what Snowden has revealed has caused irreversible and significant damage to our country and to our allies.

When — on Friday, we pushed a Congress over 50 cases where these contributed to the understanding and, in many cases, disruptions of terrorist plots.

Steph persists with his original question and gets Alexander to repeat that they’ve “changed the passwords” at NSA to prevent others from leaking.

Steph then asks Alexander about Snowden’s leaks of details on our hacking of China (note, no one seems to be interested in this article, which is just as revealing about our hacking of China as Snowden’s revelations).

Note how, even here, Alexander says our intelligence collection in China is about terrorism.

STEPHANOPOULOS: In the statement that Hong Kong put out this morning, explaining why they allowed Snowden to leave, they also say they’ve written to the United States government requesting clarification on the reports, based on Snowden’s information, that the United States government attacked (ph) computer systems in Hong Kong.

He said that the NSA does all kinds of things like hack Chinese cell phone companies to steal all of your SMS data.

Is that true?

ALEXANDER: Well, we have interest in those who collect on us as an intelligence agency. But to say that we’re willfully just collecting all sorts of data would give you the impression that we’re just trying to canvas the whole world.

The fact is what we’re trying to do is get the information our nation needs, the foreign intelligence, that primary mission, in this case and the case that Snowden has brought up is in defending this nation from a terrorist attack.

Alexander then shifts the issue and suggests we’re collecting on China because it is collecting on us.

Now we have other intelligence interests just like other nations do. That’s what you’d expect us to do. We do that right. Our main interest: who’s collecting on us?

Alexander next goes on to answer Steph’s question about whether we broke Hong Kong law by saying this hacking doesn’t break our law. Read more

Government Spying: Why You Can’t ‘Just Trust Us’

/33 Comments/in , , , , , , , , /by

imagesOkay you Wheelhouse mopes, Marcy, Jim and I are all in San Jose at Netroots. Not sure the jail in this here town is big enough to hold us all. Marcy already put up two posts earlier today, but posting may be a bit spotty, we shall see. I have an important one that will probably go up tomorrow morning on the Aaron Swartz case.

At any rate, to give some extra fodder here, and because Ms. Wheeler is terminally lame at noticing our own blog when she writes articles elsewhere, I am hereby placing you on notice that she has a great article that went up late yesterday at The Nation titled:

Government Spying: Why You Can’t ‘Just Trust Us’

Go read it, you will be glad you did! Other than that, use this as an open thread for Trash Talk (GO SPURS!), and anything and everything else you want to yammer about.