Posts

Mike Morell Resigns Out of Conscience because of [Leaks about] Torture

Former Deputy Director of CIA Mike Morell is resigning from Harvard’s Belfer Center because Harvard’s Institute of Politics has hired Chelsea Manning.

I am writing to inform you that I am resigning, effective immediately, as a non-resident Senior Fellow at the Belfer Center.

[snip]

I cannot be part of an organization — The Kennedy School — that honors a convicted felon and leaker of classified information, Ms. Chelsea Manning, by inviting her to be a Visiting Fellow at the Kennedy School’s Institute of Politics. Ms. Manning was found guilty of 17 serious crimes, including six counts of espionage, for leaking hundreds of thousands of classified documents to Wikileaks, an entity that CIA Director Mike Pompeo says operates like an adversarial foreign intelligence service.

Morell goes on to talk about his great stand of conscience.

[T]he Kennedy School’s decision will assist Ms. Manning in her long-standing effort to legitimize the criminal path that she took to prominence, an attempt that may encourage others to leak classified information as well. I have an obligation to my conscience — and I believe to the country — to stand up against any efforts to justify leaks of sensitive national security information.

[snip]

[I]t is my right, indeed my duty, to argue that the School’s decision is wholly inappropriate and to protest it by resigning from the Kennedy School — in order to make the fundamental point that leaking classified information is disgraceful and damaging to our nation.

Of course, you could replace every instance where Morell invokes leaks with torture. You could replace every instance where Morell mentions Kennedy School’s (allegedly) poor decision and replace it with CIA’s.

And then it would become clear where Morell’s values lie.

Chelsea Manning started leaking because she was asked to support the repression of Iraqis engaged in peaceful opposition to Nuri al-Maliki — a view that came to be conventional wisdom long after Manning was in prison for her actions. Manning also exposed US complicity in torture in Iraq and Condi’s efforts to cover up the CIA’s torture. Manning also served seven years for her crimes, including a period where the US government subjected her to treatment most countries consider torture.

Chelsea Manning, too, took a stand of conscience. She stood against torture, which was disgraceful and damaging to our nation. Morell? He took no stand of conscience against torture. Instead, he stands against leaks about torture with which he was complicit.

Or Maybe America Post-9/11 Inspires More Disillusionment?

Michael Hayden thinks he has an explanation for all the whistleblowers. It’s those damn millennials.

How do you make sure every one of [the people who have clearance] was and remains a loyal American or a loyal member of British security services and so on. Beyond that, Catty, there’s another dynamic at work here. In order to do this kind of stuff, we have to recruit from a certain demographic, and I don’t mean to judge them at all, but this group of millennials and related groups simply have different understandings of the words loyalty and secrecy and transparency than certainly my generation did. And so we bring these folks into the agency, good Americans all, I can only assume, but again, culturally they have different instincts than the people who made the decision to hire them.

The reason Chelsea Manning and Edward Snowden leaked vast troves of documents, according to Hayden, is because they’re young and not as loyal as people like him.

That may be true, to a point. Both Manning and Snowden seem to have a cosmopolitanism that a lot of Americans — those Americans raised during the Cold War — don’t have. We live in a globe now, just just America, and it’s possible Manning and Snowden felt some loyalty to humankind, rather than just America.

But there’s another problem with Hayden’s claim. There have been a number of whistleblowers who are of his generation. Consider all the intelligence people who’ve joined VIPS in response to idiotic foreign policy, after all.

Or consider an even more interesting example: Bill Binney. Binney was, during the Cold War, one of the most aggressive spies out there. He has said to me, repeatedly, that he’s the guy who invented Collect it all (though he, of course, wanted privacy protections for Americans). But when his approach came to be rolled out against Americans as part of the War on Terror that Hayden pursued with little self-reflection, Binney balked, quit the NSA, and started complaining that his program had been repurposed to target everyone.

Now, Binney didn’t bring a trove of documents with him. But he’s definitely animated by some of the same things that animated Manning and Snowden.

And Binney is two years older than Hayden.

There are a lot of things that motivate whistleblowers, and Daniel Ellsberg (who is 14 years older than Hayden) has said repeatedly that Snowden is just like he was.

But I do think one thing that has happened is that during the Cold War, for good or ill, Americans believed that they were the force of good. That belief is a lot harder to sustain in this day and age, for a range of reasons (not least the warrantless wiretapping and torture that Hayden facilitated). So just maybe the values remain the same, but America has changed?

On Wikileaks and Chelsea Manning’s Commutation

Today, President Obama commuted Chelsea Manning’s sentence, effective May 17. May she have the fortitude to withstand five more months of prison.

Among the many responses to the commutation, many people are pointing to a tweet Julian Assange wrote in September, promising to agree to US prison if Manning got clemency.

Assange made a very similar comment more recently, on January 12.

To Assange’s credit, he has long called for clemency for Manning; and whatever you think of Assange, his anger against Hillary was in significant part motivated by Clinton’s response to the Manning leaks. Manning might have been able to cooperate against Assange for a lesser sentence, but there was nothing Assange did that was not, also, what the NYT has done.

Indeed, the oddity of Assange’s original tweet is that, as far as has been made public, he has never been charged, not even for aiding Edward Snowden as a fugitive.

Nevertheless, since the comments, Assange’s European lawyer said he stands by his earlier comment (though she points out the US has not asked for extradition).

But I’d like to point to a third tweet, which might explain why Assange would be so willing to be extradited now.

The day after Assange repeated his promise to undergo extradition, just as the uproar over the Trump dossier led Christopher Steele to go into hiding has been roiling, Assange also tweeted a comment at least pretending he thought he might be murdered.

Sure, Assange is paranoid. But while Assange has been hiding behind purportedly American IDed cutouts, claiming plausible deniability that he got the DNC emails from the Russians, he surely knows, now, those people were cut-outs. The Russians, Trump, and any American cutouts that Assange could ID would badly like him to sustain that plausible deniability.

And the Russians have a way of silencing people like that, even in fairly protected places in London.

So while Assange could just be blowing smoke, Assange may well be considering his options, coming to the US on a plea deal versus dealing with Putin’s goons.

All of which might make such deals more attractive.

Update: Here’s Assange’s latest on this.

In Latest Russian Plot, WikiLeaks Reveals Hillary Opposes ISDS

Among the emails released as part of the Podesta leaks yesterday, WikiLeaks released this one showing that, almost a year before she was making the same argument in debates with Bernie Sanders, Hillary was opposed to Investor State Dispute Settlement that is part of the Trans Pacific Partnership. (h/t Matt Stoller) ISDS is the means by which corporations have used trade agreements to operate above the domestic laws of party countries (if you haven’t read this three part series from BuzzFeed to learn about the more exotic ways business are profiting off of ISDS).

The email also appears to echo her later public concern that she had changed her mind on TPP because of KORUS.

After our last talk with HRC, we revised our letter to oppose ISDS and include her caution about South Korea.

Sure, other Podesta emails show Hillary supporting a broad region of free trade (and labor) in the Americas. But this more recent email confirms that the views she expressed in debate were more than just an attempt to counter Bernie’s anti-trade platform.

Whether or not this is newsworthy enough to justify the WL dump, it is noteworthy in light of NYT’s rather bizarre article from some weeks back suggesting that WL always sides with Putin’s goals. As I noted, the article made a really strained effort to claim that WL exposed TPP materials because it served Putin’s interests. Now, here, WL is is releasing information that makes Hillary look better on precisely that issue.

That doesn’t advance the presumed narrative of helping Trump defeat Hillary!

Then, as I noted yesterday, in spite of all the huff and puff from Kurt Eichenwald, the release of a Sid Blumenthal email used by Trump is another case where the WL release, as released, doesn’t feed the presumed goals of Putin.

Which brings me to this Shane Harris piece, which describes four different NatSec sources revealing there’s still a good deal of debate about WL’s ties to Russia.

Military and intelligence officials are convinced that WikiLeaks is an ongoing threat to U.S. national security and privacy owing to its leaks of classified documents and emails. But its precise relationship with Russia has been a subject of internal debate. Some do see the group as being in cahoots with the Kremlin. But others find that WikiLeaks is acting mainly as the beneficiary of stolen documents, not unlike a journalistic organization.

There are some funny aspects to this story. Nothing in it considers the significant evidence that WL is (and has reason to be) affirmatively anti-Hillary, which means its interests may align with Russia, even if it doesn’t take orders from Russia.

It also suggests that if the spooks can prove some tie between WL and Russia, they can spy on it as an agent of foreign power.

But those facts don’t mean WikiLeaks isn’t acting at Russia’s behest. And that’s not a trivial matter. If the United States were to determine that WikiLeaks is an agent of a foreign power, as defined in U.S. law, it could allow intelligence and law enforcement agencies to spy on the group—as they do on the Russian government. The U.S. can also bring criminal charges against foreign agents.

WL has been intimately involved in two separate charges cases of leaking-as-espionage in the US, Chelsea Manning and Edward Snowden. The government has repeatedly told courts that it has National Security/Criminal investigations, plural, into WikiLeaks, and when pressed for details about how and whether the government is collecting on supporters and readers of WikiLeaks, the government has in part hidden those details under a b3 FOIA exemption, meaning a statute prevents disclosing it, while extraordinarily refusing to reveal what statute that is. We certainly know that FBI has used multiple informants to spy on WL and used a variety of collection methods against Jacob Appelbaum, including (according to Appelbaum) physical tails.

So there’s not only no doubt that the US government believes it can spy on WikiLeaks (which is, after all, headed by a foreigner and not a US organization), but that it already does, and has been doing for at least six years.

Perhaps Harris’ sources really mean they’ve never found a way to indict Julian Assange before, but if they can claim he’s working for Putin, then maybe they’ll overcome past problems of indicting him because it would criminalize journalism. If that’s the case, it may be shading analysis of WL, because the government would badly like a reason to shut down WL (as the comments about the direct threat to the US in the story back up).

As I’ve said before, the role of WL in this and prior leak events is a pretty complex one, one that if approached too rashly (or too sloppily) could have ramifications for other publishers. While a lot of people are rushing to collapse this (in spite of what sounds like a continuing absence of directly incriminating evidence) into a nation-state conflict, things like this TPP email suggest it’s not that simple.

A Cosmopolitan Defense of Snowden

A bunch of human rights groups have started a campaign calling on President Obama to pardon Edward Snowden, to coincide with the release of the Snowden movie today.

With regards to Snowden’s fate, I believe — as I have from the start — that US interest would have been and would be best served if a safe asylum for Snowden were arranged in a friendly country. I had said France at the time, but now Germany would be the obvious location. Obama is not going to pardon Snowden, and Presidents Hillary or Trump are far less likely to do so, not least because if a president pardoned Snowden it would be an invitation for a metaphorical or literal assassination attempt. But I also think it would have always served US interests to keep Snowden out of a place like Russia. That ship has already sailed, but I still think we insist on making it impossible for him to leave Russia (by pressuring allies like Germany that might otherwise have considered asylum) largely out of self-destructive motives, an urge to prove our power that often overrides our interests.

That’s all background to recommending you read this post from Jack Goldsmith arguing against pardon for Snowden. While I disagree with big parts of it, it is the most interesting piece I’ve seen on the Snowden pardon question, for or against.

Like me, Goldsmith believes there’s no chance Snowden will get a pardon, even while admitting that Snowden’s disclosures brought worthwhile transparency to the Intelligence Community. Unlike me, he opposes a pardon, in part, because of the damage Snowden did, a point I’ll bracket for the moment.

More interestingly, Goldsmith argues that a pardon should be judged on whether Snowden’s claimed justification matches what he actually did.

Another difficulty in determining whether a pardon is warranted for Snowden’s crimes is that the proper criteria for a pardon are elusive.  Oliver Wendell Holmes once declared that a pardon “is the determination of the ultimate authority that the public welfare will be better served by inflicting less” than what the criminal law specified.  But how to measure or assess the elusive public welfare?  The Constitution delegates that task exclusively to the President, who can use whatever criteria he chooses.  Many disagreements about whether a pardon is appropriate are at bottom disagreements about what these criteria should be.  Some will question whether Snowden should be pardoned even if his harms were trivial and the benefits he achieved were great.  Indeed, presidents don’t usually grant pardons because a crime brought benefits.  My own view is that in this unusual context, it is best to examine the appropriateness of a pardon in the first instance through an instrumental lens, and also to ask how well Snowden’s stated justification for his crimes matches up with the crimes he actually committed.

Goldsmith goes on to engage in what I consider a narrowly bracketed discussion of Snowden’s leaks about violations of US law (for example, he, as everyone always does, ignores NSA double dipping on Google and Yahoo servers overseas), claiming to assess whether they were violations of the Constitution, but in fact explicitly weighing whether they were a violation of the law.

His exposure of the 702 programs (PRISM and upstream collection) is harder to justify on these grounds, because these programs were clearly authorized by public law and have not sparked nearly the same criticism, pushback, or reform.

After substituting law for Constitution, the former OLC head (the guy who approved of much of Stellar Wind by claiming FISA exclusivity didn’t really mean FISA exclusivity) makes what is effectively an Article II argument — one nowhere nearly as breathtaking as Goldsmith’s Stellar Wind one. Most of Snowden’s leaks can’t be unconstitutional, Goldsmith argues, because they took place overseas and were targeted at non-US persons.

What I do not get, and what I have never seen Snowden or anyone explain, is how his oath to the U.S. Constitution justified the theft and disclosure of the vast number of documents that had nothing to do with operations inside the United States or U.S. persons.  (Every one of the arguments I read for Snowden’s pardon yesterday focused on his domestic U.S. revelations and ignored or downplayed that the vast majority of revelations that did not involve U.S. territory or citizens.)  To take just a few of hundreds of examples, why did his oath to the Constitution justify disclosure that NSA had developed MonsterMind, a program to respond to cyberattacks automatically; or that it had set up data centers in China to insert malware into Chinese computers and had penetrated Huawei in China; or that it was spying (with details about how) in many other foreign nations, on Bin Laden associate Hassam Ghul’s wife, on the UN Secretary General,  and on the Islamic State; or that it cooperates with intelligence services in Sweden and Norway to spy on Russia?; and so on, and so on.  These and other similar disclosures (see here for many more) concern standard intelligence operations in support of national security or foreign policy missions that do not violate the U.S. Constitution or laws, and that did extraordinary harm to those missions.  The losses of intelligence that resulted are not small things, since intelligence information, and especially SIGINT, is a core element of American strength and success (and not just, as many seem to think, related to counterterrorism).  It doesn’t matter that leaks in this context sparked modest reforms (e.g., PPD 28).  The Constitution clearly permits foreign intelligence surveillance, and our elected representatives wanted these obviously lawful practices to remain secret.

Having laid out a (compared to his Stellar Wind defense) fairly uncontroversial argument about the current interpretation of the Constitution reserving wiretapping of non-Americans to the President (though my understanding of the actual wiretapping in the Keith decision, of Americans in Africa, would say Presidents can’t wiretap Americans overseas without more process than Americans’ communications collected under bulk collection overseas currently get), Goldsmith goes onto make his most important point.

The real defense of Snowden stems not from our own Constitution, but from a moral and ethical defense of American values.

What might be the moral and ethical case for disclosing U.S. intelligence techniques against other countries and institutions?  (I will be ignore possible cosmopolitan impulses for Snowden’s theft and leaks, which I think damage the case for a pardon for violations of U.S. law.)  I think the most charitable moral/ethical case for leaking details of electronic intelligence operations abroad, including against our adversaries, is that these operations were harming the Internet, were hypocritical, were contrary to American values, and the like, and Snowden’s disclosures were designed to save the Internet and restore American values.  This is not a crazy view; I know many smart and admirable people who hold it, and I believe it is ethically and morally coherent.

This is a remarkable paragraph. First, it defines what is, I think, the best defense of Snowden. American values and public claims badly conflict with what we were and still are doing on the Internet. I’d add, that this argument also works to defend Chelsea Manning’s leaks: she decided to leak when she was asked to assist Iraqi torture in the name of Iraqi liberation, a dramatic conflict of US stated values with our ugly reality.

But the paragraph is also interesting for the way Goldsmith, almost as an aside, “ignore[s] possible cosmopolitan impulses for Snowden’s theft and leaks, which I think damage the case for a pardon for violations of U.S. law.” I take this to argue that if you’re leaking to serve some universal notion of greater good — some sense of world citizenship — then you can’t very well ask to be pardoned by US law. Perhaps, in that case, you can only ask to be pardoned by universal or at least international law. I’ll come back to this.

Goldsmith contrasts the moral and ethical case based on American values with his own, a moral and ethical one that justifies US spying to serve US interests in a complex and dangerous world.

But it is also not a crazy view, and it is also ethically and morally coherent, to think that U.S. electronic intelligence operations abroad were entirely lawful and legitimate efforts to serve U.S. interests in a complex and dangerous world, and that Snowden’s revelations violated his secrecy pledges and U.S. criminal law and did enormous harm to important American interests and values.

For the record, I think Snowden has said some of US spying does serve US interests in a complex and dangerous world. But from that view, the old defender of Article II argues that a President — the guy or gal who by definition is the only one can decide to pardon Snowden — must always adhere to the latter (Goldsmith’s) moral and ethical stance.

Unfortunately for Snowden’s pardon gambit,  President Obama, and any one who sits in the Oval Office charged with responsibility for American success around the globe, will (and should) embrace the second moral/ethical perspective, and will not (and should not) countenance the first moral/ethical perspective, which I take to be Snowden’s.

Goldsmith then ends where I began, with a more polite explanation that any president that pardoned Snowden would be inviting metaphorical or literal assassination. He also suggests the precedent would lead to more leaks. But that seems to ignore 1) that Snowden leaked even after seeing what they did to Manning (that is, deterrence doesn’t necessarily work) 2) the Petraeus precedent has already exposed the classification system as one giant load of poo.

Anyway, by my reading, Goldsmith argues that this debate pits those motivated out of American values versus those motivated out of perceived American interests, and that any President must necessarily operate from the latter.

I’m interested in that because I think the former motivation really does explain a goodly number of the leakers and whistleblowers I know. People a generation older than me, I think, may have been true believers in the fight against the Evil Empire during the Cold War, only to realize we risk becoming the Evil Empire they spent their life fighting. Every time I see Bill Binney, he makes morbid cracks about how he was the guy who invented “Collect it all,” back when he was fighting Russia. People a generation younger than me — Snowden, Manning, and likely a lot more — more often responded out of defense of all that is great in America after 9/11, only to find that that we have not adhered to that greatness in prosecuting the war on terror. These are gross generalizations. But I think the conflict is real among a lot of people, and it’s one that will always fight increasingly diligent efforts to tamp down dissent.

That said, I want to note something else Goldsmith did, while making his aside that anyone making a cosmopolitan defense of Snowden cannot ask for a pardon under US law (a view I find fairly persuasive, which may be why I think a reasonable outcome is for Snowden to live out his life in Germany). In making that aside, Goldsmith effectively dismissed the possibility that living US values rather than interests might be both cosmopolitan and in our national interest.

I’ve talked about this repeatedly — the degree to which Snowden’s disclosures (and, to a lesser extent, Manning’s) served to expose some lies that are critical to American hegemony. Our hegemonic position relies — according to people like Goldsmith and, perhaps in reality, though the evidence is mixed — on our global dragnet, which in turn serves our global military presence. But it has also relied on an ideology, every bit as important as ideology was during the Cold War, that espoused democracy and market capitalism and, underscoring both of those, a belief in the worth of every individual (and by extension, individual nation) to compete on equal terms. Without that ideology, we’re just a garden variety empire, which is a lot harder to sustain because it requires more costly (in terms of dollars and bodies) coercion rather than persuasion.

And Snowden’s leaks showed we used our preferential position astride the world’s telecommunications network and our claim to serve freedom of expression to serve as the hegemon. Hell, the aftermath of that shows it even more! Country after country has backed off giving Snowden asylum — the proper cosmopolitan resolution — because the US retains enough raw power and/or access to the fruits of the dragnet to persuade countries that’s not in their “interest.”

This is an issue that has gotten far too little attention in the wake of the Snowden leaks: to what degree is the cost of the Snowden leaks measured in terms of exposing to the subjects of our hegemon facts that their leaders already knew (either because they were and are willing co-participants in the spying or knowledgeable adversaries engaged in equally ambitious but less effective surveillance)? I don’t doubt there are individual programs that have been compromised, though thus far the IC has badly hurt its case by making claims (such as that Al Qaeda only adopted encryption in response to Snowden, or that Snowden taught terrorists how to use burner phones) that are easily falsifiable. But a big part of the leaks are about the degree to which the US can (and does passively in many cases via bulk collection) spy on everyone.

But to me, the big cost has been in terms of exposing America’s hegemonic ideology as the fiction that ideologies always become if they aren’t from the start.

Note, I fully accept that that may be an unacceptable cost. America’s hegemony was already weakening; I believe Snowden’s disclosures simply accelerated that. It is absolutely possible that the weakening of US hegemony will create a vacuum of power that will leave chaos. That chaos may, may have already, led to a desire for strongmen in response. There were outside factors playing into all of this. The Iraq War did far more to rot America’s hegemonic virtue than Edward Snowden’s leaks ever could have. And it’s not clear that an empire based on oil can provide the leadership we need to fight climate change, which will increasingly be the source of chaos. But I accept that it is possible Snowden accelerated a process that may lead to horrible outcomes.

Here’s the thing, though: this younger generation of leakers — of dissident servants of the hegemon — don’t need to be cured of a lifetime of ideology. It may take, as it did with Manning, no more than critical assessment of some flyers confiscated by our so-called partners in liberation for the ideology cementing our hegemonic authority to crumble.

Our hegemony depends on the ideology of our values. That seems to both have been the trigger for and may justify the cosmopolitan interest in exposing our hypocrisy. And whether or not Americans should give a shit about the freedom of non-American subjects of the hegemon, to the extent that servants of that ideology here find the hypocrisy unsustainable, we’re likely to have more Mannings and more Snowdens.

Our global dragnet may very well serve the ethics of those who serve presidentially-defined American interests. As such, Snowden’s leaks are surely seen as unforgivable damage.

But it is also possible that American hegemony is only — was only — sustainable to the degree that we made sure that global dragnet was limited by the values that have always been critical to the ideology underlying our hegemony.

Why Do They Call It Panama Papers, Anyway?

Over the weekend, a bunch of media outlets let loose shock and awe in bulk leak documents, PanamaPapers, with project leaders ICIJ and Sueddeutsche Zeitung — as well as enthusiastic partner, Guardian — rolling out bring spreads on a massive trove of data from the shell company law firm Mossack Fonseca.

If all goes well, the leak showing what MF has been doing for the last four decades will lead us to have a better understanding of how money gets stripped from average people and then hidden in places where it will be safe from prying eyes.

Before I raise some questions about the project, I wanted to point to one of the best pieces of journalism I’ve seen from the project so far: this Miami Herald piece showing how its high end real estate boom has been facilitated by the money laundering facilitated by MF.

At the end of 2011, a company called Isaias 21 Property paid nearly $3 million — in cash — for an oceanfront Bal Harbour condo.

But it wasn’t clear who really owned the three-bedroom unit at the newly built St. Regis, an ultra-luxury high-rise that pampers residents with 24-hour room service and a private butler.

In public records, Isaias 21 listed its headquarters as a Miami Beach law office and its manager as Mateus 5 International Holding, an offshore company registered in the British Virgins Islands, where company owners don’t have to reveal their names.

[snip]

Buried in the 11.5 million documents? A registry revealing Mateus 5’s true owner: Paulo Octávio Alves Pereira, a Brazilian developer and politician now under indictment for corruption in his home country.

A Miami Herald analysis of the never-before-seen records found 19 foreign nationals creating offshore companies and buying Miami real estate. Of them, eight have been linked to bribery, corruption, embezzlement, tax evasion or other misdeeds in their home countries.

That’s a drop in the ocean of Miami’s luxury market. But Mossack Fonseca is one of many firms that set up offshore companies. And experts say a lack of controls on cash real-estate deals has made Miami a magnet for questionable currency.

The story is deeply contextualized with localized reporting that goes beyond the leaked documents. And it can lead to policy changes — restrictions on cash real estate transactions — that can help to stem (or at least redirect) the flow of this corrupt money. You could tell similar stories from big cities around North America (this has been a particular focus in NYC and Vancouver). And with effort, cities could crack down on such cash transactions, with all the negative effects they bring to localities.

But much of the other reporting so far remains at the level of shock and awe. Biggest leak ever! Putin Putin Putin! And much of the reporting reflects not just editorial bias, but some apparent innumeracy (though no one has yet released the real numbers) to claim that people from evil countries are proportionally more corrupt than people from good countries like the UK.

Where did these documents come from?

Screen Shot 2016-04-04 at 10.00.01 AM

Here’s how SZ describes how they got these documents.

Over a year ago, an anonymous source contacted the Süddeutsche Zeitung (SZ) and submitted encrypted internal documents from Mossack Fonseca, a Panamanian law firm that sells anonymous offshore companies around the world. These shell companies enable their owners to cover up their business dealings, no matter how shady.

In the months that followed, the number of documents continued to grow far beyond the original leak. Ultimately, SZ acquired about 2.6 terabytes of data, making the leak the biggest that journalists had ever worked with. The source wanted neither financial compensation nor anything else in return, apart from a few security measures.

Nowhere I’ve seen explains where this source got the documents.

For almost three years, we have openly debated what I consider a fair question: what was Edward Snowden’s motivation for stealing the NSA’s crown jewels and was any foreign country involved? People have also asked questions about how he accessed so much: Did he steal colleagues’ passwords? Did he join Booz Allen solely to be able to steal documents? I think the evidence supports an understanding that his motives were good and his current domicile an unfortunate outcome. And we know some details about how he managed to get what he did — but the key detail is that he was a Sysadmin in a location where insider detection systems were not yet implemented and credentials to have unaudited access to many of the documents he obtained. Those details are a key part of understanding some of the story behind his leaks (and how NSA and GCHQ are organized).

Somehow, journalists aren’t asking such questions when it comes to this leak, the Unaoil leak that broke last week, or the leak of files on British Virgin Isles have activity a few years back (which, like this project, ICIJ also had a central role in). I’m sympathetic to the argument that IDing who stole these documents would put her or him in terrible danger (depending on who it is). But I also think this level of description the Intercept gave — in the first paragraph of a story about stolen recordings of jailhouse phone calls that revealed improper retention of attorney client conversations — would be useful.

The materials — leaked via SecureDrop by an anonymous hacker who believes that Securus is violating the constitutional rights of inmates — comprise over 70 million records of phone calls, placed by prisoners to at least 37 states, in addition to links to downloadable recordings of the calls. [my emphasis]

The Intercept’s source, knowing of the problem, hacked recordings from an inadequately protected server.

As the Guardian’s own graphic makes clear, this leak dwarfs the leaks by Chelsea Manning and Hervé Falciani (the security engineer behind the HSBC leak). It probably dwarfs the Snowden leak (though oddly the Guardian, which had fingers in both, doesn’t include Snowden in its graphic). That ought to raise real questions about how someone could access so much more information than tech experts with key credentials working at the core of security in the targeted organizations could. And those questions are worth asking because if these files come from an external hacker — a definite possibility — than it ought to raise questions about how they were able to get so much undetected and even — as everyone felt appropriate to ask with Snowden — whether an intelligence agency was involved.

Where are the corrupt Americans?

As with the BVI leak before it, thus far this leak has included no details on any Americans. Some have suggested that’s because the Panama trade deal already brought transparency on US persons’ activities through the haven of Panama, except these files go back four decades and. Americans not only used Panama as a haven before that, but the CIA used it as a key laundering vehicle for decades, as Manuel Noriega would be all too happy to explain if western countries would let him out of prison long enough to do so.  Moreover, the files are in no way restricted to Panama (indeed, some of the stories already released describe the establishment of shell companies within the US).

Screen Shot 2016-04-04 at 10.17.39 AMNot only haven’t we heard about any Americans, but even for the close American friends identified so far — starting with Saudi Crown Prince and close CIA buddy Mohammed bin Nayef — the details provided to date are scanty, simply the name of the shell he was using.

Craig Murray has already been asking similar questions.

Russian wealth is only a tiny minority of the money hidden away with the aid of Mossack Fonseca. In fact, it soon becomes obvious that the selective reporting is going to stink.

The Suddeutsche Zeitung, which received the leak, gives a detailed explanation of the methodology the corporate media used to search the files. The main search they have done is for names associated with breaking UN sanctions regimes. The Guardian reports this too and helpfully lists those countries as Zimbabwe, North Korea, Russia and Syria. The filtering of this Mossack Fonseca information by the corporate media follows a direct western governmental agenda. There is no mention at all of use of Mossack Fonseca by massive western corporations or western billionaires – the main customers. And the Guardian is quick to reassure that “much of the leaked material will remain private.”

What do you expect? The leak is being managed by the grandly but laughably named “International Consortium of Investigative Journalists”, which is funded and organised entirely by the USA’s Center for Public Integrity. Their funders include

Ford Foundation
Carnegie Endowment
Rockefeller Family Fund
W K Kellogg Foundation
Open Society Foundation (Soros)

among many others. Do not expect a genuine expose of western capitalism. The dirty secrets of western corporations will remain unpublished.

Expect hits at Russia, Iran and Syria and some tiny “balancing” western country like Iceland. A superannuated UK peer or two will be sacrificed – someone already with dementia.

Now, in response to people like me and Murray and Moon of Alabama asking those questions, the SZ editor in charge of their side of the project promises dirt on Americans will be coming. Let’s hope so, because this is a worthwhile leak of data, and it would be unfortunate for Americans and Brits to be deprived of learning more about the corruption among their elite.

Does this project follow up on Ken Silverstein’s earlier reporting?

Back in December 2014, Ken Silverstein did a fairly thorough review of MF at Vice (though he worked at the Intercept at the time).

[A] yearlong investigation reveals that Mossack Fonseca—which theEconomist has described as a remarkably “tight-lipped” industry leader in offshore finance—has served as the registered agent for front companies tied to an array of notorious gangsters and thieves that, in addition to Makhlouf, includes associates of Muammar Gaddafi and Robert Mugabe, as well as an Israeli billionaire who has plundered one of Africa’s poorest countries, and a business oligarch named Lázaro Báez, who, according to US court records and reports by a federal prosecutor in Argentina, allegedly laundered tens of millions of dollars through a network of shell firms, some which Mossack Fonseca had helped register in Las Vegas.

Documents and interviews I’ve conducted also show that Mossack Fonseca is happy to help clients set up so-called shelf companies—which are the vintage wines of the money-laundering business, hated by law enforcement and beloved by crooks because they are “aged” for years before being sold, so that they appear to be established corporations with solid track records—including in Las Vegas. One international asset manager who talked to Mossack Fonseca about doing business with them told me that the firm offered to sell a 50-year-old shelf company for $100,000.

If shell companies are getaway cars for bank robbers, then Mossack Fonseca may be the world’s shadiest car dealership.

Silverstein clearly had some documents, though there’s no indication he had the trove that started getting leaked to SZ and ICIJ in early 2015, just weeks after Silverstein’s story.

On Twitter, Silverstein suggested his story never got published because this was the period when the Intercept wasn’t publishing (I had something similar happen to me while there).

But given the close continuity between Silverstein’s story and SZ receipt of the first documents, are they part of the same effort?

Why do they call it the Panama Papers?

These aren’t papers showing the corruption that flows through Panama (for that matter, neither did the BVI leaks show all the corruption that flows through BVI, and there’s a significant BVI aspect to this leak). Rather, they show the corruption flowing through a Panamian-based but global firm, Mossack Fonseca. Reporting on this tells us MF is only the fourth largest of these laundering specialists.

So, aside from the fact that few people have heard of MF, why are we calling this the Panama Papers and not “Here’s what the fourth largest of these companies is involved with”?

All of which is to say as huge as this leak is — which is good! — it’s still just a tiny fraction of what’s out there.

Let the resignations begin

None of this is meant to undermine the importance of this leak or the reporting the team of journalists covering it. Indeed, the story already threatens to take down the Prime Minister of Iceland whose conflict of interest the files revealed. We should have more of these leaks, covering all the havens and shell-creators.

Just remember, as you’re watching the coverage, that we’re getting selective coverage of one particular corner of that industry (ICIJ has said something about releasing files in several months). By all means let’s go after the crooks this story exposes, but let’s remember the crooks who, for whatever reason, aren’t included in this one.

Update: Fusion, which is part of the data sharing, admits there are only 211 Americans identified in the stash, though thus far this is just from recent years (that is, the years that might be affected by the trade agreement).

International Consortium of Investigative Journalists (ICIJ) has only been able to identify 211 people with U.S. addresses who own companies in the data (not all of whom we’ve been able to investigate yet). We don’t know if those 211 people are necessarily U.S. citizens.

All that said, the very good experts (including Jack Blum, who’s as good on these issues as anyone) don’t have very compelling explanations why there aren’t Americans in the stash.

Update: McClatchy describes some of the 200-some Americans whose passports show up in the files. All the ones it describes have been prosecuted (though several got light punishments).

The Leak Hypocrisy of the Hillary Shadow Cabinet

In what has become a serial event, the State Department and Intelligence Community people handling Jason Leopold’s FOIA of Hillary Clinton emails have declared yet more emails to be Top Secret.

The furor over Hillary Clinton’s use of a private email account grew more serious for the Democratic presidential front-runner Friday as the State Department designated 22 of the messages from her account “top secret.”

It was the first time State has formally deemed any of Clinton’s emails classified at that level, reserved for information that can cause “exceptionally grave” damage to national security if disclosed.

State did not provide details on the subject of the messages, which represent seven email chains and a total of 37 pages. However, State spokesman John Kirby said they are part of a set the intelligence community inspector general told Congress contained information classified for discussing “Special Access Programs.”

Now, as I have said before, one thing that is going on here is that CIA is acting just like CIA always does when it declares publicly known things, including torture and drones, to be highly secret. It appears likely that these Top Secret emails are yet another set of emails about the worst kept secret in the history of covert programs, CIA’s drone killing in Pakistan. And so I am sympathetic, in principle, to Hillary’s campaign claims that this is much ado about nothing.

But they might do well to find some other spokesperson to claim that this is just overclassification run amok.

“This is overclassification run amok. We adamantly oppose the complete blocking of the release of these emails,” campaign spokesman Brian Fallon said on Twitter. Appearing on MSNBC after the news broke, Fallon vowed to fight the decision.

“You have the intelligence community, including an Intelligence Community Inspector General, as well as the inspector general at the State Department, that have been insisting on certain ways of deciding what is classified and what’s not,” he said. “We know that there has been disagreement on these points, and it has spilled out into public view at various points over the last several months. It now appears that some of the loudest voices in this interagency review that had some of the strongest straightjacket-type opinions on what should count as classified, have prevailed. That’s unfortunate. We strongly disagree with the finding that has been reached today, and we are going to be contesting it and seeking to have these emails released.”

Alternately Hillary can declare that if she is elected, she’ll pardon both Jeffrey Sterling and Chelsea Manning.

Sterling’s prosecution for, in part, having 3 documents about dialing a rotary phone in his home that were retroactively classified Secret, happened while Brian Fallon presided over DOJ’s Office of Public Affairs; Fallon sat by as James Risen got questioned about his refusal to testify. Sterling’s retention of documents that weren’t marked Secret is surely the same kind of “overclassification run amok,” and by the same agency at fault here, that Fallon is now complaining about. So shouldn’t Fallon and Clinton be discussing a pardon for Sterling?

Then there’s Manning. As Glenn Greenwald noted, in that case Clinton had a different attitude about the sensitivity of documents classified Secret or less.

Manning was convicted and sentenced to 35 years in prison. At the time, the only thing Hillary Clinton had to say about that was to issue a sermon about how classified information “deserves to be protected and we will continue to take necessary steps to do so” because it “affect[s] the security of individuals and relationships.”

So if the nation’s secrets aren’t really as secret as DOJ and State and DOD have claimed, shouldn’t these two, along with people like Stephen Jin-Woo Kim, be pardoned?

Amid Fallon and Clinton’s prior support for this level of classification, there’s something else odd about the response to this scandal (which I have said is largely misplaced from the stupid decision to run her own server to the issue of classified information).

First, the response from many supporters — and it’s a point I’ve made too — is that this doesn’t reflect on Hillary because she mostly just received these emails, she didn’t send them. That’s true. And it largely limits any legal liability Hillary herself would have.

But this particular response comes against the backdrop of Hillary attacking Bernie for not giving a foreign policy speech before Iowa (a critique I’m somewhat sympathetic with, although debates have been focused on it), and against this approving story in the Neocon press on Hillary forming a shadow cabinet.

Team Hillary is in the process of setting up formal advisory teams and working groups divided into regional and thematic subjects, similar to the structure of the National Security Council, several participants in the project told me. Unlike in 2008, when Clinton and Barack Obama competed for advisers, this time around all the Democratic foreign-policy types are flocking to her team because Clinton is the only game in town.

The groups report up to the campaign’s senior foreign policy adviser, Jake Sullivan, who was Clinton’s deputy chief of staff and director of policy planning when she was secretary of state.

As it notes, this shadow cabinet reports to Jake Sullivan. Sullivan is, according to one report, the staffer who sent the most emails that have since been declared classified.

Nearly a third of the classified messages released so far from former Secretary of State Hillary Rodham Clinton’s emails came from one man: Jake Sullivan, who served as her deputy chief of staff in the department, and is now the top foreign policy adviser to her presidential campaign.

If Hillary’s supporters argue that she can’t be held responsible because she didn’t send these, does that mean they would hold Sullivan, Hillary’s presumptive National Security Advisor, responsible instead?

Then there’s this detail about outside advisors to this shadow cabinet: it includes Leon Panetta, who not only leaked highly classified information in his memoir, but also would have been busted for exposing the Navy SEALs who offed Osama bin Laden if the game weren’t so rigged to excuse senior leakers.

In addition to the working groups, Sullivan relies on a somewhat separate group of senior former officials who have more frequent interaction with the campaign leadership and Clinton herself. Many of these advisers aren’t publicly affiliated with the campaign because they have leadership roles with organizations that have not endorsed any candidate for president.

But sources close to the campaign told me that Clinton, Sullivan and campaign chairman John Podesta are in regular contact with former National Security Advisor Tom Donilon, former Defense Secretary Leon Panetta and former Secretary of State Madeleine Albright.

Is the effort to keep the identities of the men who killed OBL secret also, “overclassification run amok”? Or does Panetta’s role in Hillary’s foreign policy team suggest her crowd really is that hypocritical about who can leak classified information?

I’d really love it if Hillary came out strongly against the paranoid secrecy that stifles our foreign policy (and just yesterday led to Ashkan Soltani losing a position as a technical advisor for the White House, presumably because of his role in reporting the Snowden documents).

But thus far that’s not what she’s doing: her campaign is making a limited critique of this paranoid secrecy, only applicable when it impacts those close to her.

It’s Not Just the FISA Court, It’s the Game of Surveillance Whack-a-Mole

In response to this post from Chelsea Manning, the other day I did the first in what seems to have become a series of posts arguing that we should eliminate the FISA Court, but that the question is not simple. In that post, I laid out the tools the FISC has used, with varying degrees of success, in reining in Executive branch spying, especially in times of abuse.

In this post, I want to lay out how reining in surveillance isn’t just about whether the secret approval of warrants and orders would be better done by the FISC or a district court. It’s about whack-a-mole.

That’s because, right now, there are four ways the government gives itself legal cover for expansive surveillance:

  • FISC, increasingly including programs
  • EO 12333, including SPCMA
  • Magistrate warrants and orders without proper briefing
  • Administrative orders and/or voluntary cooperation

FISA Court

The government uses the FISA court to get individualized orders for surveillance in this country and, to a less clear extent, surveillance of Americans overseas. That’s the old-fashioned stuff that could be done by a district court. But it’s also one point where egregious source information — be it a foreign partner using dubious spying techniques, or, as John Brennan admitted in his confirmation hearing, torture — gets hidden. No defendant has ever been able to challenge the basis for the FISA warrant used against them, which is clearly not what Congress said it intended in passing FISA. But given that’s the case, it means a lot of prosecutions that might not pass constitutional muster, because of that egregious source information, get a virgin rebirth in the FISC.

In addition, starting 2004, the government started using the FISA Court to coerce corporations to continue domestic collection programs they had previously done voluntarily. As I noted, while I think the FISC’s oversight of these programs has been mixed, the FISC has forced the government to hew closer (though not at) the law.

EO 12333, including SPCMA

The executive branch considers FISA just a subset of EO 12333, the Reagan Executive Order governing the intelligence community — a carve out of collection requiring more stringent rules. At times, the Intelligence Community have operated as if EO 12333 is the only set of rules they need to follow — and they’ve even secretly rewritten it at least once to change the rules. The government will always assert the right to conduct spying under EO 12333 if it has a technical means to bypass that carve out. That’s what the Bush Administration claimed Stellar Wind operated under. And at precisely the time the FISC was imposing limits on the Internet dragnet, the Executive Brach was authorizing analysis of Americans’ Internet metadata collected overseas under SPCMA.

EO 12333 derived data does get used against defendants in the US, though it appears to be laundered through the FISC and/or parallel constructed, so defendants never get the opportunity to challenge this collection.

Magistrate warrants and orders

Even when the government goes to a Title III court — usually a magistrate judge — to get an order or warrant for surveillance, that surveillance often escapes real scrutiny. We’ve seen this happen with Stingrays and other location collection, as well as FBI hacking; in those cases, the government often didn’t fully brief magistrates about what they’re approving, so the judges didn’t consider the constitutional implications of it. There are exceptions, however (James Orenstein, the judge letting Apple challenge the use of an All Writs Act to force it to unlock a phone, is a notable one), and that has provided periodic checks on collection that should require more scrutiny, as well as public notice of those methods. That’s how, a decade after magistrates first started to question the collection of location data using orders, we’re finally getting circuit courts to review the issue. Significantly, these more exotic spying techniques are often repurposed foreign intelligence methods, meaning you’ll have magistrates and other TIII judges weighing in on surveillance techniques being used in parallel programs under FISA. At least in the case of Internet data, that may even result in a higher standard of scrutiny and minimization being applied to the FISA collection than the criminal investigation collection.

Administrative orders and/or voluntary cooperation

Up until 2006, telecoms willing turned over metadata on Americans’ calls to the government under Stellar Wind. Under Hemisphere, AT&T provides the government call record information — including results of location-based analysis, on all the calls that used its networks, not just AT&T customers — sometimes without an order. For months after Congress was starting to find a way to rein in the NSA phone dragnet with USA Freedom Act, the DEA continued to operate its own dragnet of international calls that operated entirely on administrative orders. Under CISA, the government will obtain and disseminate information on cybersecurity threats that it wouldn’t be able to do under upstream 702 collection; no judge will review that collection. Until 2009, the government was using NSLs to get all the information an ISP had on a user or website, including traffic information. AT&T still provides enhanced information, including the call records of friends and family co-subscribers and (less often than in the past) communities of interest.

These six examples make it clear that, even with Americans, even entirely within the US, the government conducts a lot of spying via administrative orders and/or voluntary cooperation. It’s not clear this surveillance had any but internal agency oversight, and what is known about these programs (the onsite collaboration that was probably one precursor to Hemisphere, the early NSL usage) makes it clear there have been significant abuses. Moreover, a number of these programs represent individual (the times when FBI used an NSL to get something the FISC had repeatedly refused to authorize under a Section 215 order) or programmatic collection (I suspect, CISA) that couldn’t be approved under the auspices of the FISC.

All of which is to say the question of what to do to bring better oversight over expansive surveillance is not limited to the short-comings of the FISC.  It also must contend with the way the government tends to move collection programs when one method proves less than optimal. Where technologically possible, it has moved spying offshore and conducted it under EO 12333. Where it could pay or otherwise bribe and legally shield providers, it moved to voluntary collection. Where it needed to use traditional courts, it often just obfuscated about what it was doing. The primary limits here are not legal, except insofar as legal niceties and the very remote possibility of transparency raise corporate partner concerns.

We need to fix or eliminate the FISC. But we need to do so while staying ahead of the game of whack-a-mole.

The FISA Court’s Uncelebrated Good Points

I’m working on a post responding to this post from Chelsea Manning calling to abolish the FISA Court. Spoiler alert: I largely agree with her, but I think the question is not that simple.

As background to that post, I wanted to shift the focus from a common perception of the FISC — that it is a rubber stamp that approves all requests — to a better measure of the FISC — the multiple ways it has tried to rein in the Executive. I think the FISC has, at times, been better at doing so than often given credit for. But as I’ll show in my larger post, those efforts have had limited success.

Minimization procedures

The primary tool the FISC uses is in policing the Executive is minimization procedures approved by the court. Royce Lamberth unsuccessfully tried to use minimization procedures to limit the use of FISA-collected data in prosecutions (and also, tools for investigation, such as informants). Reggie Walton was far more successful at using and expanding very detailed limits on the phone — and later, the Internet — dragnet to force the government to stop treating domestically collected dragnet data under its own EO 12333 rules and start treating it under the more stringent FISC-imposed rules. He even shut down the Internet dragnet in fall (probably October 30) 2009 because it did not abide by limits imposed 5 years earlier by Colleen Kollar-Kotelly.

There was also a long-running discussion (that involved several briefs in 2006 and 2009, and a change in FISC procedure in 2010) about what to do with Post Cut Through Dialed Digits (those things you type in after a call or Internet session has been connected) collected under pen registers. It appears that FISC permitted (and probably still permits) the collection of that data under FISA (that was not permitted under Title III pen registers), but required the data get minimized afterwards, and for a period over collected data got sequestered.

Perhaps the most important use of minimization procedures, however, came when Internet companies stopped complying with NSLs requiring data in 2009, forcing the government to use Section 215 orders to obtain the data. By all appearances, the FISC imposed and reviewed compliance of minimization procedures until FBI, more than 7 years after being required to, finally adopted minimization procedures for Section 215. This surely resulted in a lot less innocent person data being collected and retained than under NSL collection. Note that this probably imposed a higher standard of review on this bulky collection of data than what existed at magistrate courts, though some magistrates started trying to impose what are probably similar requirements in 2014.

Such oversight provides one place where USA Freedom Act is a clear regression from what is (today, anyway) in place. Under current rules, when the government submits an application retroactively for an emergency search of the dragnet, the court can require the government to destroy any data that should not have been collected. Under USAF, the Attorney General will police such things under a scheme that does not envision destroying improperly collected data at all, and even invites the parallel construction of it.

First Amendment review

The FISC has also had some amount — perhaps significant — success in making the Executive use a more restrictive First Amendment review than it otherwise would have. Kollar-Kotelly independently imposed a First Amendment review on the Internet dragnet in 2004. First Amendment reviews were implicated in the phone dragnet changes Walton pushed in 2009. And it appears that in the government’s first uses of the emergency provision for the phone dragnet, it may have bypassed First Amendment review — at least, that’s the most logical explanation for why FISC explicitly added a First Amendment review to the emergency provision last year. While I can’t prove this with available data, I strongly suspect more stringent First Amendment reviews explain the drop in dragnet searches every time the FISC increased its scrutiny of selectors.

In most FISA surveillance, there is supposed to be a prohibition on targeting someone for their First Amendment protected activities. Yet given the number of times FISC has had to police that, it seems that the Executive uses a much weaker standard of First Amendment review than the FISC. Which should be a particularly big concern for National Security Letters, as they ordinarily get no court review (one of the NSL challenges that has been dismissed seemed to raise First Amendment concerns).

Notice of magistrate decisions

On at least two occasions, the FISC has taken notice of and required briefing after magistrate judges found a practice also used under FISA to require a higher standard of evidence. One was the 2009 PCTDD discussion mentioned above. The other was the use of combined orders to get phone records and location data. And while the latter probably resulted in other ways the Executive could use FISA to obtain location data, it suggests the FISC has paid close attention to issues being debated in magistrate courts (though that may have more to do with the integrity of then National Security Assistant Attorney General David Kris than the FISC itself; I don’t have high confidence it is still happening). To the extent this occurs, it is more likely that FISA practices will all adjust to new standards of technology than traditional courts, given that other magistrates will continue to approve questionable orders and warrants long after a few individually object, and given that an individual objection isn’t always made public.

Dissemination limits

Finally, the FISC has limited Executive action by limiting the use and dissemination of certain kinds of information. During Stellar Wind, Lamberth and Kollar-Kotelly attempted to limit or at least know which data came from Stellar Wind, thereby limiting its use for further FISA warrants (though it’s not clear how successful that was). The known details of dragnet minimization procedures included limits on dissemination (which were routinely violated until the FISC expanded them).

More recently John Bates twice pointed to FISA Section 1809(a)(2) to limit the government’s use of data collected outside of legal guidelines. He did so first in 2010 when he limited the government’s use of illegally collected Internet metadata. He used it again in 2011 when he used it to limit the government’s access to illegally collected upstream content. However, I think it likely that after both instances, the NSA took its toys and went elsewhere for part of the relevant collection, in the first case to SPCMA analysis on EO 12333 collected Internet metadata, and in the second to CISA (though just for cyber applications). So long as the FISC unquestioningly accepts EO 12333 evidence to support individual warrants and programmatic certificates, the government can always move collection away from FISC review.

Moreover, with USAF, Congress partly eliminated this tool as a retroactive control on upstream collection; it authorized the use of data collected improperly if the FISC subsequently approved retention of it under new minimization procedures.

These tools have been of varying degrees of usefulness. But FISC has tried to wield them, often in places where all but a few Title III courts were not making similar efforts. Indeed, there are a few collection practices where the FISC probably imposed a higher standard than TIII courts, and probably many more where FISC review reined in collection that didn’t have such review.

What’s So Tricky about DOD’s PKI That It Needs to Expose Thousands of Service Members?

Motherboard decided to call out DOD for not using STARTTLS to encrypt the transiting email of much of DOD’s emails.

[A]s encryption spreads to government sites, it hasn’t reached government emails yet. Most of the military as well as the intelligence community do not use encryption to protect emails travelling across the internet.

[snip]

In fact, according to an online testing tool, among the military only the Air Force encrypts emails in transit using a technology called STARTTLS, which has existed since 2002. Other branches of the Pentagon, including the Army, the Navy, the Defense Security Service, and DARPA, don’t use it. Even the standard military email provider mail.mil, doesn’t support STARTTLS.

[snip]

In a statement emailed to Motherboard, a spokesperson for the Defense Information Systems Agency (DISA), the Pentagon’s branch that oversees email and other technologies, said the DISA’s DOD Enterprise Email (DEE) does not support STARTTLS.

This part of the story is bad enough. I take it to mean that as people stationed overseas email home, their email — and therefore significant hints about deployment — would be accessible to anyone who wanted to steal them in transit. While more sensitive discussions would be secure, there would be plenty accessible to Russia or China or technically savvy terrorists to make stealing the email worthwhile.

But I’m just as struck by DOD’s excuse.

“STARTTLS is an extension for the Post Office Protocol 3 and Internet Message Access protocols, which rely on username and password for system access,” the spokesperson wrote. “To remain compliant with DOD PKI policy, DEE does not support the use of username and password to grant access, and does not leverage either protocol.”

First of all, this doesn’t make any sense. The Public Key Infrastructure system, which controls access to DOD networks, should be totally separate from the email system.

Worse still: we know a little bit about what — and when — DOD implemented its PKI, because it came up in Congressional hearings in the wake of the Chelsea Manning leaks. Here’s what DOD’s witnesses explained back in 2011.

One of the major contributing factors in the WikiLeaks incident was the large amount of data that was accessible with little or no access controls. Broad access to information can be combined with access controls in order to mitigate this vulnerability. While there are many sites on SIPRNet that do have access controls, these are mostly password-based and therefore do not scale well. The administration of thousands of passwords is labor intensive and it is difficult to determine who should (and should not) have access.

DoD has begun to issue a Public Key Infrastructure (PKI)-based identity credential on a hardened smart card. This is very similar to the Common Access Card (CAC) we use on our unclassified network. We will complete issuing 500,000 cards to our SIPRNet users, along with card readers and software, by the end of 2012. This will provide very strong identification of the person accessing the network and requesting data. It will both deter bad behavior and require absolute identification of who is accessing data and managing that access.

In conjunction with this, all DoD organizations will configure their SIPRNetbased systems to use the PKI credentials to strongly authenticate end-users who are accessing information in the system. This provides the link between end users and the specific data they can access – not just network access. This should, based on our experience on the unclassified networks, be straightforward.

DoD’s goal is that by 2013, following completion of credential issuance, all SIPRNet users will log into their local computers with their SIPRNet PKI/smart card credential. This will mirror what we already do on the unclassified networks with CACs.

Remember, this describes the log-in process to DOD’s classified network, generally, not to email.

The point is, though, that in response to an internal leaker, DOD only rolled out the kind of network controls most businesses have on its Secret (not Top Secret) network in 2011. Even if there were something about that roll-out that did impact email, what DOD would have you believe that as late as 2011, they made decisions that resulted in keeping email insecure in transit.