Posts

Richard Burr Prepares to Capitalize on Refusing to Exercise Intelligence Oversight

In James Risen’s new book, he provides new details on what happened to the NSA whistleblowers — Bill Binney, Kurt Wiebe, Ed Loomis, Thomas Drake — who tried to stop President Bush’s illegal wiretap program, adding to what Jane Mayer wrote in 2011. He pays particular attention to the effort Diane Roark made, as a staffer overseeing NSA on the House Intelligence Committee, to alert people that the Agency was conducting illegal spying on Americans.

As part of that, Risen describes an effort Roark made to inform another Congressman of the program, one who had not been briefed: Richard Burr.

Despite the warning from (HPSCI’s Republican Staff Director Tim) Sample not to talk with anyone else on the committee about the program, she privately warned Chris Barton, the committee’s new general counsel, that “there was an NSA program of questionable legality and that it was going to blow up in their faces.” In early 2002, Roark also quietly arranged a meeting between Binney, Loomis, and Wiebe and Richard Burr, a North  Carolina Republican on the House Intelligence Committee. Binney told Burr everything they had learned about the NSA wiretapping program, but Burr hardly said a word in response. Burr never followed up on the matter with Roark, and there is no evidence he ever took any action to investigate the NSA program.

I’m not actually surprised that Burr learned the Intelligence Community was engaging in illegal behavior and did nothing. From what we’ve seen in his response to torture, he has served entirely to help CIA cover up the program and protect the torturers. Indeed, in his treatment of John Brennan’s confirmation, he made efforts to ensure Brennan would have to protect the torturers too.

So it’s no surprise that Burr heard details of an illegal program and ignored them.

Still, it’s worth highlighting this detail because, if Democrats do lose the Senate as they are likely to do in November, Richard Burr will most likely become Senate Intelligence Committee Chair. While Dianne Feinstein may be a badly flawed Chair overseeing the IC, Burr will be a nightmare, unloosing them to do whatever they’re ordered.

That’s the kind of career advancement that comes to a guy who remains silent about wrongdoing.

How FISA Dockets (Appear To) Work and Why Snowden Likely Got Few or No PayPal Documents

Because Bill Binney made an observation about the high docket number of the phone dragnet order released this year, Sibel Edmonds has decided that Glenn Greenwald is hiding a bunch of Edward Snowden documents to protect Pierre Omidyar showing PayPal cooperated with NSA.

Here’s what Binney said, according to him.

Unfortunately, Sibel attributes some of her words to me. I do not know that PAYPAL is involved – only that financial data is being used by NSA. And, based on the “BR” number 13/80 on the Verizon court order to give records to NSA, I estimated that this program involved 78 companies. These would include: telecom’s, internet service providers, banks/finance/credit cards, travel, plus others. So, there’s a lot of business data being collected by NSA and the FBI. In the future, if I am to be quoted, I will have to I will have to insist on a pre-publication review. [my emphasis]

Now, like Peter Kofod, I don’t doubt that PayPal gives a ton of data to the national security state (more on what probably happens below).

But Binney’s comment appears to be based on a misunderstanding of how the FISA docket numbering works (though not one that changes his observation that “there’s a lot of business data being collected by NSA and the FBI”): that each docket pertains to a different company.

Given the filings we’ve seen from voluminous years — particularly 2009 — it is clear that DOJ uses one docket for all providers on a particular order. For example, 3 of the 4 docket numbers used for the phone dragnet in 2009 were 08-13, 09-06, and 09-13. For the entire 3 month period the primary order covers, all the orders and correspondence related to that primary order bears the original docket number. Even in the case where Judge Walton cut off and then resumed production (see 09-13 above) from just one provider got handled in that docketing system. The now public FISC docket appears to continue this practice, with BR 13-109 and BR 13-158 including all the correspondence on a particular order (in addition, there are the Misc dockets for lawsuits, and the 2007 docket tied to Protect America Act for the Yahoo challenge).

And over the years, the list of providers included on the dockets appears to have gotten much longer. Here’s the redacted list of providers from the original 2006 order:

Screen shot 2013-12-13 at 7.51.09 PM

Here’s the redacted list of providers from the most recent order:

Screen shot 2013-12-13 at 7.54.25 PM

 

The additional providers are probably smaller providers, as well as VOIP providers.

So just 4 and on rare occasions 5 of the Section 215 (“BR”) docket numbers in any given year (and, for the life of the program, just 4 of the PR/TT docket numbers) covered all the providers.

But that may, in fact, mean far more companies are getting Section 215 orders, even bulk orders. As I laid out in this post, the numbers of Section 215 orders have gone up in the last several years (Julian Sanchez has speculated that previously some of this collection was done via National Security Letter, which is a pretty good bet).

Section 215 orders

And as they’ve gone up, the FISA Court has been modifying far more orders — it modified 86% of the orders in 2011. It has been modifying orders to add minimization procedures (it modified 176 orders in 2011 to add minimization requirements). Given that you only need to have significant minimization procedures if you’re getting a lot of innocent people’s data, and given that these orders would also be on a 90-day cycle, that may mean there were 44 bulk collection programs in 2011.

But, as Binney said, that’s going to include a lot of different kinds of companies. We know they’ve used Section 215 to collect precursor chemical purchase records. They likely cover credit cards records, other financial records, gun purchases, health and medical records, and other computer records. There have even been questions about using Section 215 to collect URL search terms.

PayPal is one possible or even likely recipient of these, but only one out of a bunch. Read more

Bill Binney Told You So

Remember when Bill Binney said NSA was compiling dossiers of Americans, but Keith Alexander said that wasn’t true?

A former NSA official has accused the NSA’s director of deception during a speech he gave at the DefCon hacker conference on Friday when he asserted that the agency does not collect files on Americans.

William Binney, a former technical director at the NSA, said during a panel discussion that NSA Director Gen. Keith Alexander was playing a “word game” and that the NSA was indeed collecting e-mails, Twitter writings, internet searches and other data belonging to Americans and indexing it.

“Unfortunately, once the software takes in data, it will build profiles on everyone in that data,” he said. “You can simply call it up by the attributes of anyone you want and it’s in place for people to look at.”

[snip]

Binney was contradicting statements made on Friday by Alexander, who told the crowd of hackers and security professionals that his agency “absolutely” does not maintain files on Americans.

“And anybody who would tell you that we’re keeping files or dossiers on the American people,” Alexander continued, “knows that’s not true.”

The tantalizing reporting duo of Laura Poitras and James Risen (writing at NYT) report the NSA is … compiling graphs that show Americans’ connections with foreign targets, using both communications metadata and public resources like bank, insurance, Facebook, flight, voting property, and GPS information.

Since 2010, the National Security Agency has been exploiting its huge collections of data to create sophisticated graphs of some Americans’ social connections that can identify their associates, their locations at certain times, their traveling companions and other personal information, according to newly disclosed documents and interviews with officials.

[snip]

The policy shift was intended to help the agency “discover and track” connections between intelligence targets overseas and people in the United States, according to an N.S.A. memorandum from January 2011. The agency was authorized to conduct “large-scale graph analysis on very large sets of communications metadata without having to check foreignness” of every e-mail address, phone number or other identifier, the document said. Because of concerns about infringing on the privacy of American citizens, the computer analysis of such data had previously been permitted only for foreigners.

The agency can augment the communications data with material from public, commercial and other sources, including bank codes, insurance information, Facebook profiles, passenger manifests, voter registration rolls and GPS location information, as well as property records and unspecified tax data, according to the documents. They do not indicate any restrictions on the use of such “enrichment” data, and several former senior Obama administration officials said the agency drew on it for both Americans and foreigners.

It sure sounds like a dossier to me.

But then, the safe bet was always to assume Keith Alexander (and James Clapper, who also denied this) was lying.

On the Meanings of “Dishonor” and “Hack”

The former NSA IG (and current affiliate of the Chertoff Group profiteers, though he didn’t disclose that financial interest) Joel Brenner has taken to the pages of Lawfare to suggest anyone trying to force some truth out of top Intelligence Community officials is dishonorable.

On March 12 of this year, Senator Ron Wyden asked James Clapper, the director of national intelligence, whether the National Security Agency gathers “any type of data at all on millions or hundreds of millions of Americans.”

“No, sir,” replied the director, visibly annoyed. “Not wittingly.”

Wyden is a member of the Senate Select Committee on Intelligence and had long known about the court-approved metadata program that has since become public knowledge. He knew Clapper’s answer was incorrect. But Wyden, like Clapper, was also under an oath not to divulge the story. In posing this question, he knew Clapper would have to breach his oath of secrecy, lie, prevaricate, or decline to reply except in executive session—a tactic that would implicitly have divulged the secret. The committee chairman, Senator Diane Feinstein, may have known what Wyden had in mind. In opening the hearing she reminded senators it would be followed by a closed session and said,  “I’ll ask that members refrain from asking questions here that have classified answers.” Not dissuaded, Wyden sandbagged he [sic] director.

This was a vicious tactic, regardless of what you think of the later Snowden disclosures. Wyden learned nothing, the public learned nothing, and an honest and unusually forthright public servant has had his credibility trashed.

Brenner of course doesn’t mention that Clapper had had warning of this question, so should have provided a better non-answer. Later in his post, he understates how revealing telephone metadata can be (and of course doesn’t mention it can also include location). He even misstates how often the phone metadata collection has been queried (it was queried on 300 selectors, not “accessed only 300 times”).

But the really hackish part of his argument is in pretending this whole exchange started on March 12.

It didn’t. It started over a year ago and continued through last week when Keith Alexander had to withdraw a “fact sheet” purporting to lay out the “Section 702 protections” Americans enjoy (see below for links to these exchanges).

The exchange didn’t start out very well, with two Inspectors General working to ensure that Wyden and Mark Udall would not get their unclassified non-answer about how many Americans are surveilled under Section 702’s back door until after the Intelligence Committee marked up the bill.

But perhaps the signature exchange was this October 10, 2012 Wyden letter (with 3 other Senators) to Keith Alexander and Alexander’s November 5, 2012 response.

On July 27, 2012, Alexander put on a jeans-and-t-shirt costume and went to DefCon to suck up to hackers. After giving a schmaltzy speech including lines like, “we can protect the networks and have civil liberties and privacy,” DefCon founder Jeff Moss asked Alexander about recent Bill Binney allegations that the NSA was collecting communications of all Americans. Wired reported the exchange here.

It was this exchange — Keith Alexander’s choice to make unclassified statements to a bunch of hackers he was trying to suck up to — that underlies Wyden’s question. And Wyden explicitly invoked Alexander’s comments in his March 12 question to Clapper.

In Wyden’s letter, he quoted this, from Alexander.

We may, incidentally, in targeting a bad guy hit on somebody from a good guy, because there’s a discussion there. We have requirements from the FISA Court and the Attorney General to minimize that, which means nobody else can see it unless there’s a crime that’s been committed.

Wyden then noted,

We believe that this statement incorrectly characterized the minimization requirements that apply to the NSA’s FISA Amendments Act collection, and portrays privacy protections for Americans’ communications as being stronger than they actually are.

This is almost precisely the exchange that occurred last week, when Wyden and Udall had to correct Alexander’s public lies about Section 702 protections again. 8 months later and Alexander is reverting to the same lies about protections for US Persons.

In the letter, Wyden quoted from Alexander again,

You also stated, in response to the same question, that “…the story that we have millions or hundreds of millions of dossiers on people is absolutely false. We are not entirely clear what the term “dossier” means in this context, so we would appreciate it if you would clarify this remark.

And asked,

Are you certain that the number of American communications collected is not “millions or hundreds of millions”? If so, then clearly you must have some ability to estimate the scale of this number, at least some range in which you believe it falls. If this is the case, how large could this number possibly be? How small could it possibly be?

Does the NSA collect any type of data at all on “millions or hundreds of millions of Americans”?

This last question was precisely the question Wyden asked Clapper 5 months later on March 12 (Alexander’s response in November didn’t even acknowledge this question — he just blew it off entirely).

As Wyden emphasized, Alexander is the one who chose to make misleading assertions in unclassified form, opening up the door for demands for an unclassified response.

Since you made your remarks in an unclassified forum, we would appreciate an unclassified response to these questions, so that your remarks can be properly understood by Congress and the public, and not interpreted in a misleading way.

In other words, Brenner presents the context of Wyden’s question to Clapper completely wrong. He pretends this exchange was about one cleared person setting up another cleared person to answer a question. But Brenner ignores (Wyden’s clear invocation of it notwithstanding) that this exchange started when a cleared person, General Alexander, chose to lie to the public.

And now that we’ve seen the minimization standards, we know just how egregious a lie Alexander told to the hackers at DefCon. It’s bad enough that Alexander didn’t admit that anything that might possibly have a foreign intelligence purpose could be kept and, potentially, disseminated, a fact that would affect all Americans’ communications.

But Alexander was talking to high level hackers, probably the group of civilians who encrypt their online communications more than any other.

And Alexander knows that the NSA keeps encrypted communications indefinitely, and with his say-so, can keep them even if they’re known to be entirely domestic communications.

In other words, in speaking to the group of American civilians whose communications probably get the least protections from NSA (aside from the encryption they themselves give it), Alexander suggested their communications would only be captured if they were talking to bad guys. But the NSA defines “those who encrypt their communications” as bad guys by default.

He was trying to suck up to the hackers, even as he lied about the degree to which NSA defines most of them as bad guys.

Brenner gets all upset about his colleagues being “forced” to lie in public. But that’s not what’s going on here: James Clapper and, especially, Keith Alexander are choosing to lie to the public.

And if it is vicious for an intelligence overseer to call IC officials on willful lies to the public, then we’ve got a very basic problem with democracy. Read more

FAA Extension: The Data Gaps about Our Data Collection

As I noted the other day, part of the point of the language Ron Wyden got declassified the other day seemed to be to call out a misrepresentation in Dianne Feinstein’s Additional Views in the Senate Intelligence Report on the extension of the FISA Amendments Act. DiFi had claimed that “the FISA Court … has repeatedly held that collection carried out pursuant to the Section 702 minimization procedures used by the government is reasonable under the Fourth Amendment.” She neglected to mention that, “on at least one occasion the Foreign Intelligence Surveillance Court held that some collection carried out pursuant to the Section 702 minimization procedures used by the government was unreasonable under the Fourth Amendment.”

But since Wyden pointed back to that language, I wanted to note something else in the paragraph in which DiFi’s misleading claim appears: She suggests there is substantial reporting on the program.

This oversight has included the receipt and examination of over eight assessments and reviews per year concerning the implementation of FAA surveillance authorities, which by law are required to be prepared by the Attorney General, the Director of National Intelligence, the heads of various elements of the intelligence community, and the Inspectors General associated with those elements. In addition, the Committee has received and scrutinized un- redacted copies of every classified opinion of the Foreign Intelligence Surveillance Court (FISA Court) containing a significant construction or interpretation of the law, as well as the pleadings submitted by the Executive Branch to the FISA Court relating to such opinions.

[snip]

Third, the numerous reporting requirements outlined above provide the Committee with extensive visibility into the application of these minimization procedures and enable the Committee to evaluate the extent to which these procedures are effective in protecting the privacy and civil liberties of U.S. persons. [my emphasis]

But in her sentence claiming the FISA Court keeps approving the program, she reveals that the Court is not getting all those reports.

Notably, the FISA Court, which receives many of the same reports available to the Committee, has repeatedly held that collection carried out pursuant to the Section 702 minimization procedures used by the government is reasonable under the Fourth Amendment.

[my emphasis]

The Court receives “many” of the same reports. Which suggests it doesn’t see all of them.

That comment is all the more interesting because of something Pat Leahy said at least week’s Senate Judiciary Committee mark-up of the bill.

Congress has been provided with information related to the implementation of the FISA Amendments Act, along with related documents from the FISA Court. Based on my review of this information, and after a series of classified briefings, I do not believe that there is any evidence that the law has been abused, or that the communications of U.S. persons are being intentionally targeted.

[snip]

My views about the implementation of these surveillance authorities are based on the information we have available now – but there is more that we need to know. For example, important compliance reviews have not yet been completed by the Inspectors General of the Department of Justice or the NSA. Read more