Posts

On February 16, DOJ Got a Warrant to Open an iPhone 6 Using Cellebrite

As a number of outlets are reporting, the Israeli security firm Cellebrite is the source the FBI is using to attempt to break into Syed Rizwan Farook’s phone.

Israel’s Cellebrite, a provider of mobile forensic software, is helping the U.S. Federal Bureau of Investigation’s attempt to unlock an iPhone used by one of the San Bernardino, California shooters, the Yedioth Ahronoth newspaper reported on Wednesday.

If Cellebrite succeeds, then the FBI will no longer need the help of Apple Inc, the Israeli daily said, citing unnamed industry sources.

Cellebrite officials declined to comment on the matter.

According to the narrative the government is currently telling, it means 33 days after DOJ obtained an All Writs Act order on February 16 requiring Apple to help unlock Farook’s phone, and 108 days after FBI first seized the phone on December 3 — during which entire period the FBI now claims they were diligently researching how to crack the phone — on March 20, Cellebrite contacted the FBI out of the blue and told them they can help.

That’s interesting, especially given this search warrant, approved (as coinkydink would have it) on February 16, the very same day DOJ got its AWA in California.

Among the phones DEA obtained a warrant to search was an iPhone 6, a later model than Farook’s phone with default encryption (though running unknown iOS). Here’s what DEA Task Force Officer Shane Lettau had to say about how he (might) access the contents of this iPhone 6.

[Image: Screen Shot 2016-03-23 at 10.40.36 AM]

To be sure, these phones aren’t the same, nor is the agency. Farook’s is a 5C running iOS 9, this is a 6, and we don’t know what iOS it is running. But if Cellebrite can break into a 6 they presumably can break into a 5C. FBI is seeking access in CA, whereas this MD phone is in DEA’s possession.

The point is, however, that it is inconceivable to claim, as DOJ did 19 times, that the only way they could get into Farook’s phone was with Apple’s help when DOJ was at the same time participating in DEA’s discussions with Cellebrite about whether they could crack a later model phone. It may be that Cellebrite only perfected their technique with iOS 8 and later model phones in recent weeks, or that they could not crack an iOS 9 in December or February but have since perfected that, but DOJ still shouldn’t have been submitting sworn declarations pretending that Cellebrite was not a possible option.

Update: I originally said Farook’s phone was a 5S. I’ve corrected the post to say it is a 5C, h/t JC.

Update: FBI signed a contract with Cellebrite on the same day it announced it had found a solution, though I think it’s for license renewals for 7 machines in Cook County.

 

The Government Changed Its Mind about How Many Databases It Searched in the Hassanshahi Case after It Shut Down the DEA Dragnet

As I noted in this post, the government insists that it did not engage in parallel construction in the case of Shantia Hassanshahi, the Iranian-American busted for sanctions violations using evidence derivative of a search of what the government now claims was a DEA dragnet. “While it would not be improper for a law enforcement agency to take steps to protect the confidentiality of a law enforcement sensitive investigative technique, this case raises no such issue.”

The claim is almost certainly bullshit, true in only the narrowest sense.

Indeed, the changing story the government has offered about how they IDed Hassanshahi based off a single call he had with a phone belonging to a person of interest, “Sheikhi,” in Iran, is instructive not just against the background of the slow reveal of multiple dragnets over the same period, but also for the technological capabilities included in those claims. Basically, the government appears to be claiming they got a VOIP call from a telephony database.

As I lay out below, the story told by the government in various affidavits and declarations (curiously, the version of the first one that appears in the docket is not signed) changed in multiple ways. While there were other changes, the changes I’m most interested in pertain to:

  • Whether Homeland Security Investigator Joshua Akronowitz searched just one database — the DEA toll record database — or multiple databases
  • How Akronowitz identified Google as the provider for Hassanshahi’s phone record
  • When and how Akronowitz became interested in a call to Hassanshahi from another Iranian number
  • How many calls of interest there were

As you can see from the excerpts below, Akronowitz at first claimed to have searched “HSI-accessible law enforcement databases,” plural, and suggested he searched them himself.  In July 2014, in response to a motion to suppress (and after Edward Snowden had disclosed the NSA’s phone dragnet), Akronowitz changed that story and said he sent a research request to a single database, implying someone else did a search of just one database. Akronowitz told the same story in yet another revised affidavit submitted last October. In the declaration submitted in December but unsealed in January, DEA Assistant Special Agent Robert Patterson stuck with the single database story and used the passive voice to hide who did the database query.

While Akronowitz’ story didn’t change regarding how he discovered that Hassanshahi’s phone was a Google number, it did get more detailed in the July 2014 affidavit, which explained that he had first checked with another VOIP provider before being referred to Google.

Perhaps most interestingly, the government’s story changed regarding how many calls of interest there were, and between what numbers. In January 2013, Akronowitz said “a number of telephone calls between ‘Sheikhi’s’ known business telephone number and telephone number 818-971-9512 had occurred within a relatively narrow time frame” (though he doesn’t tell us what that time frame was). He also says that his Google subpoena showed “numerous calls to the same Iranian-based telephone number during a relatively finite period of time.” He neither explained that this number was not Sheikhi’s number — it was a different Iranian number — nor what he means by “a relatively finite period of time.”  His July and October affidavits said his research showed a contact, “on one occasion, that is, on July 4, 2011,” with Sheikhi’s number. The July affidavit maintained the claim that there were multiple calls between Hassanshahi’s number and an Iranian one: “numerous phone calls between Hassanshahi’s ‘818’ number and one Iranian phone number.” But by October, Akronowitz conceded that the Google records showed only “that Hassanshahi’s ‘818’ number made contact with an Iranian phone number (982144406457) only once, on October 5, 2011” (as well as a “22932293” number that he bizarrely claimed was a call to Iran).  Note, Akronowitz’ currently operative story would mean the government never checked whether there were any calls between Hassanshahi and Sheikhi between August 24 and September 6 (or after October 6), which would be rather remarkable. Patterson’s December affidavit provided no details about the date of the single call discovered using what he identified as DEA’s database, but did specify that the call was made by Hassanshahi’s phone, outbound to Iran. (Patterson didn’t address the later Google production, as that was pursuant to a subpoena.)

To sum up, before Edward Snowden’s leaks alerted us to the scope of NSA’s domestic and international dragnet, Akronowitz claimed he personally had searched multiple databases and found evidence of multiple calls between Hassanshahi’s phone number and Sheikhi’s number, as well as (after getting a month of call records from Google) multiple calls to another Iranian number over unspecified periods of time. After Snowden’s leaks alerted us to the dragnet, after Dianne Feinstein made it clear the NSA can search on Iranian targets in the Section 215 database, which somehow counts as a terrorist purpose, and after Eric Holder decided to shut down just the DEA dragnet, Akronowitz changed his story to claim he had found just one call between Hassanshahi and Sheikhi, and — after a few more months — just one call from another Iranian number to Hassanshahi. Then, two months later, the government claimed that the only database that ever got searched was the DEA one (the one that had already been shut down) which — Patterson told us — was based on records obtained from “United States telecommunications service providers” via a subpoena.

Before I go on, consider that the government currently claims it used just a single phone call of interest — and the absence of any additional calls in a later month’s worth of call records collected that fall — to conduct a warrantless search of a laptop in a state (CA) where such searches require warrants, after having previously claimed there was a potentially more interesting set of call records to base that search on.

Aside from the government’s currently operative claim that it would conduct border searches based on the metadata tied to a single phone call, I find all this interesting for two reasons.

First, the government’s story about how many databases got searched and how many calls got found changed in such a way that the only admission of an unconstitutional search to the judge, in December 2014, involved a database that had allegedly been shut down 15 months earlier.

Maybe they’re telling the truth. Or maybe Akronowitz searched or had searched multiple databases — as he first claimed — and found the multiple calls he originally claimed, but then revised his story to match what could have been found in the DEA database. We don’t know, for example, if the DEA database permits “hops,” but he might have found a more interesting call pattern had he been able to examine hops (for example, it might explain his interest in the other phone number in Iran, which otherwise would reflect no more than an immigrant receiving a call from his home country).

All of this is made more interesting because of my second point: the US side of the call in question was an Internet call, a Google call, not a telephony call. Indeed, at least according to Patterson’s declaration (records of this call weren’t turned over in discovery, as far as I can tell), Hassanshahi placed the call, not Sheikhi.

I have no idea how Google calls get routed, but given that Hassanshahi placed the call, there’s a high likelihood that it didn’t cross a telecom provider’s backbone in this country (and god only knows how DEA or NSA would collect Iranian telephony provider records), which is who Patterson suggests the calls came from (though there’s some room for ambiguity in his use of the term “telecommunications service providers”).

USAT’s story on this dragnet suggests the data all comes from telephone companies.

It allowed agents to link the call records its agents gathered domestically with calling data the DEA and intelligence agencies had acquired outside the USA. (In some cases, officials said the DEA paid employees of foreign telecom firms for copies of call logs and subscriber lists.)

[snip]

Instead of simply asking phone companies for records about calls made by people suspected of drug crimes, the Justice Department began ordering telephone companies to turn over lists of all phone calls from the USA to countries where the government determined drug traffickers operated, current and former officials said.

[snip]

Former officials said the operation included records from AT&T and other telecom companies.

But if this call really was placed from a Google number, it’s not clear it would come up under such production, even under production of calls that pass through telephone companies’ backbones. That may reflect — if the claims in this case are remotely honest — that the DEA dragnet, at least, gathered call records not just from telecom companies, but also from Internet companies (remember, too, that DOJ’s Inspector General has suggested DEA had or has more than one dragnet, so it may also have been collecting Internet toll records).

And that — coupled with the government’s evolving claims about how many databases got checked and how many calls that research reflected — may suggest something else. Given that the redactions on the providers obliged under the Section 215 phone dragnet orders haven’t changed going back to 2009, when it was fairly clear there were just 3 providers (AT&T, Sprint, and Verizon), it may be safe to assume that’s still all NSA collects from. A never-ending series of leaks have pointed out that the 215 phone dragnet increasingly has gaps in coverage. And this Google call would be precisely the kind of call we would expect it to miss (indeed, that’s consistent with what Verizon Associate General Counsel — and former DOJ National Security Division and FBI Counsel — Michael Woods testified to before the SSCI last year, strongly suggesting the 215 dragnet missed VOIP). So while FISC has approved use of the “terrorist” Section 215 database for the terrorist group, “Iran,” (meaning NSA might actually have been able to query on Sheikhi), we should expect that this call would not be in that database. Mind you, we should also expect NSA’s EO 12333 dragnet — which permits contact chaining on US persons under SPCMA — to include VOIP calls, even with Iran. But depending on what databases someone consulted, we would expect gaps in precisely the places where the government’s story has changed since it decided it had searched only the now-defunct DEA database.

Finally, note that if the government was sufficiently interested in Sheikhi, it could easily have targeted him under PRISM (he did have a GMail account), which would have made any metadata tied to any of his Google identities broadly shareable within the government (though DHS Inspectors would likely have to go through another agency, quite possibly the CIA). PRISM production should return any Internet phone calls (though there’s nothing in the public record to indicate Sheikhi had an Internet phone number). Indeed, the way the NSA’s larger dragnets work, a search on Sheikhi would chain on all his correlated identifiers, including any communications via another number or Internet identifier, and so would chain on whatever collection they had from his GMail address and any other Google services he used (and the USAT described the DEA dragnet as using similarly automated techniques).  In other words, when Akronowitz originally said there had been multiple “telephone calls,” he may have instead meant that Sheikhi and Hassanshahi had communicated, via a variety of different identifiers, multiple times as reflected in his search (and given what we know about DEA’s phone dragnet and my suspicion they also had an Internet dragnet, that might have come up just on the DEA dragnets alone).

The point is that each of these dragnets will have slightly different strengths and weaknesses. Given Akronowitz’ original claims, it sounds like he may have consulted dragnets with slightly better coverage than just the DEA phone dragnet — either including a correlated DEA Internet dragnet or a more extensive NSA one — but the government now claims that it only consulted the DEA dragnet and consequently claims it only found one call, a call it should have almost no reason to have an interest in.


Everything in the War on Terror Came from the War on Drugs

bmaz has long insisted, correctly, that all the tricks they have used in the war on terror came first from the war on drugs.

The USA Today’s Brad Heath demonstrates how true that is with a blockbuster story on a DEA dragnet, called the USTO, of US to international calls covering up to 116 countries that operated similarly to the NSA dragnet. It dates back to the last days of Poppy Bush’s administration. And key figures — especially Robert Mueller, but also Eric Holder — played roles in it in their earlier Executive Branch careers. And, no surprise, the DEA never gave discovery on the collection to defendants.

Definitely read the whole thing. But I’m particularly interested in the last paragraphs, which explain what happened to it. After Snowden exposed the NSA version of the dragnet (which includes the US, as well as foreign countries) and the government kept arguing that was justified because of its special intelligence purpose, the claims they made to justify the DEA dragnet started to fall apart. Plus, it has become less useful anyway, now that more people use the Intertoobz.

“It was made abundantly clear that they couldn’t defend both programs,” a former Justice Department official said. Others said Holder’s message was more direct. “He said he didn’t think we should have that information,” a former DEA official said.

By then, agents said USTO was suffering from diminishing returns. More criminals — especially the sophisticated cartel operatives the agency targeted — were communicating on Internet messaging systems that are harder for law enforcement to track.

Still, the shutdown took a toll, officials said. “It has had a major impact on investigations,” one former DEA official said.

The DEA asked the Justice Department to restart the surveillance program in December 2013. It withdrew that request when agents came up with a new solution. Every day, the agency assembles a list of the telephone numbers its agents suspect may be tied to drug trafficking. Each day, it sends electronic subpoenas — sometimes listing more than a thousand numbers — to telephone companies seeking logs of international telephone calls linked to those numbers, two officials familiar with the program said.

The data collection that results is more targeted but slower and more expensive. Agents said it takes a day or more to pull together communication profiles that used to take minutes.

This lesson is instructive for the NSA dragnet. It points to one reason why the NSA dragnet may not get all the “calls” it wants: because of messaging that bypasses the telecom backbone. And it shows that an alternative approach can be used.

 

Remember, the President’s Review Group Consulted with ATF

In a follow-up to its release on the DEA’s use of a license plate reader database the other day, ACLU reveals an email that shows ATF in Phoenix considered using the database to track people leaving gun shows in April 2009.

The April 2009 email states that “DEA Phoenix Division Office is working closely with ATF on attacking the guns going to [redacted] and the gun shows, to include programs/operation with LPRs at the gun shows.” The government redacted the rest of the email, but when we received this document we concluded that these agencies used license plate readers to collect information about law-abiding citizens attending gun shows. An automatic license plate reader cannot distinguish between people transporting illegal guns and those transporting legal guns, or no guns at all; it only documents the presence of any car driving to the event. Mere attendance at a gun show, it appeared, would have been enough to have one’s presence noted in a DEA database.

Responding to inquiries about the document, the DEA said that the monitoring of gun shows was merely a proposal and was never implemented.

Given the timing, location, and target — 2009, Arizona, and legal permanent residents, or Green Card holders — this consideration intersects interestingly with Fast and Furious.

But don’t worry, DEA says, this was just a consideration, tracking the movements of legal gun show attendees didn’t really happen.

All that said, I couldn’t help but remember that among the more obvious intelligence agencies the President’s Review Group into the NSA consulted in 2013 was ATF, which suggests that ATF is using at least some of the nifty toys NSA is using. As I noted at the time, that may be quite explicable, in that Section 215 has been used to track explosives precursors (and probably has been used to track acetone and hydrogen peroxide — which are TATP precursors — fertilizer, and maybe even pressure cookers).

But the fact that ATF is considering tapping into other agencies’ dragnets does raise further questions for me about why the PRG would need to consult with ATF.

Pablo Escobar on a Train Using Data for Other Purposes

Yesterday, AP reported that the DEA paid an Amtrak secretary $854,460 over 20 years to hand over train passenger lists.

According to a report released Monday by Amtrak’s inspector general, the DEA paid an Amtrak secretary $854,460 to be an informant. The employee was not publicly identified except as a “secretary to a train and engine crew.”

Amtrak’s own police agency is already in a joint drug enforcement task force that includes the DEA. According to the inspector general, that task force can obtain Amtrak confidential passenger reservation information at no cost.

There’s a lot that’s weird about this story. That Amtrak’s IG, and not DEA’s (that is, DOJ’s) IG, found this problem. That the secretary was permitted to just fade into retirement.

But I’m most intrigued that DEA treated the secretary taking these bribes as an informant — with an anonymous federal law enforcement official justifying such an approach by pointing to the chemical company informant that helped bust Pablo Escobar.

It’s not unprecedented for law enforcement to have professional people who are informants employed in transportation and other industries, said a federal law enforcement official who is familiar with the incident involving Amtrak. The official spoke on condition of anonymity because the person was not authorized to speak on the record.

The official said that years ago during the investigation of drug lord Pablo Escobar, an informant at a U.S. chemical company provided a major assist to law enforcement by informing authorities that thousands of gallons of acetone were being shipped to Colombia. Acetone is used to manufacture cocaine.

DEA could have gotten this information for free, but it instead chose to dump 850K into getting it via other means, and the law enforcement side of this picture (DOJ) has not checked to see what DEA did with this data.

I can imagine why DEA would want to work via “informant” rather than regular law enforcement information sharing venues (and Amtrak is definitely part of that network). At the very least, it would permit them to shield the source of their data (as they shield the source of their data in the AT&T Hemisphere program). But it would also permit them to use the information for other off-book purposes.

But that appears not to be the concern of the IGs involved.

FBI Will Now Videotape In Custody Interrogations

[Significant Update Below]

My hometown paper, the Arizona Republic, broke some critically important news a few minutes ago. The story by Dennis Wagner, a superb reporter at the Republic for a very long time, tells of a monumental shift in the policy of DOJ agencies in relation to interrogations and confessions of those in custody.

There was no news release or press conference to announce the radical shift. But a DOJ memorandum — obtained by The Arizona Republic — spells out the changes to begin July 11.

“This policy establishes a presumption that the Federal Bureau of Investigation (FBI), the Drug Enforcement Administration (DEA) the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and the United States Marshals Service (USMS) will electronically record statements made by individuals in their custody,” says the memo to all federal prosecutors and criminal chiefs from James M. Cole, deputy attorney general.

“This policy also encourages agents and prosecutors to consider electronic recording in investigative or other circumstances where the presumption does not apply,” such as in the questioning of witnesses.

This has been a long time coming and is notable in that it covers not just the FBI, but DEA, ATF and US Marshals. Calling it a monumental shift may be, in fact, a bit of an understatement. In the course of a series of false confession cases in the 90’s, attempts to get this instated as policy in the District of Arizona were fought by the DOJ tooth and nail. As other local agencies saw the usefulness of audio and/or video taping, DOJ authorities fought the notion like wounded and cornered dogs. That was not just their position in the 90’s, it has always been thus:

Since the FBI began under President Theodore Roosevelt in 1908, agents have not only shunned the use of tape recorders, they’ve been prohibited by policy from making audio and video records of statements by criminal suspects without special approval.

Now, after more than a century, the U.S. Department of Justice has quietly reversed that directive by issuing orders May 12 that video recording is presumptively required for interrogations of suspects in custody, with some exceptions.

What has historically occurred is an agent (usually in pairs) did interviews and then recounted what occurred in what is called a “302” report based on their memories, recollections and handwritten notes (which were then usually destroyed). This created the opportunity not just for inaccuracy, but outright fabrication by overly aggressive agents. Many defendants have been wrongfully convicted, and some who were guilty got off because competent defense attorneys made fools of agents, and their bogus process, in court.

In short, presumptive taping is smart for both sides, and absolutely in the interests of justice. It still remains inexplicable why the DOJ maintained this intransigence so long when every competent police procedures expert in the world has been saying for decades that taping should be the presumption.

Now it should be noted that the policy will only apply to “in custody” interrogations and not ones where there has been no formal arrest which is, of course, a gaping hole considering how DOJ agents blithely work suspects over under the ruse they are not yet in custody. There will also clearly be an exigent circumstances/public safety exception which are also more and more frequently abused by DOJ (See: here, here and here for example).

So, we will have to wait to see the formal written guidance, and how it is stated in the relevant operation manuals for agents and US Attorneys, to get a full bead on the scope of change. And, obviously, see how the written policies are implemented, and what exceptions are claimed, in the field.

But the shift in interrogation policy today is monumental and is a VERY good and positive step. Today is a day Eric Holder should be proud of, and it was far too long in arriving.

UPDATE: When I first posted this I did not see the actual memo attached to Dennis Wagner’s story in the Arizona Republic; since that time I have been sent the actual memo by another source, and it is also available as a link in the Republic story that broke this news. Here are a couple of critical points out of the actual memo dated May 12, 2014:

The policy establishes a presumption in favor of electronically recording custodial interviews, with certain exceptions, and encourages agents and prosecutors to consider taping outside of custodial interrogations. The policy will go into effect on Friday, July 11, 2014.

By my information, the gap in implementation is because DOJ wanted to do some top down discussion and orientation on the new policy, which makes some sense given the quantum nature of this shift. My understanding is that this is already ongoing, so DOJ seems to be serious about implementation.

But, more important is the news about non-custodial situations. That was a huge question left unanswered initially, as I indicated in the original part of this post. That agents and attendant prosecutors will be encouraged to record these instances as well is, well, encouraging!

The exceptions, which are outlined in Section II of the memo, are pretty much exactly as I indicated should be expected above.

Notable in the Presumptions contained in Section I of the memo is that the rule applies to ALL federal crimes. No exceptions, even for terrorism. Also, the recording may be either overt or covert, which is not different from that which I have seen in many other agencies that have long recorded interrogations. Section III specifically excludes extraterritorial situations from the rule. Frankly, I am not sure why that is necessary, the ability to record is pretty ubiquitous these days, extraterritorial should be no problem for presumptive recording.

Those are the highlights of the memo. It is short and worth a read on your own.

NSA Collects All Phone Calls from One of World’s Most Secretive Tax Havens, But Doesn’t Track That

In its report on how the NSA collects every cell phone conversation that takes place in the Bahamas, The Intercept focuses on the use of such intercepts for drug investigations (indeed, one of the other countries targeted in the MYSTIC program is Mexico, which clearly has a DEA angle).

But one memo indicates that SOMALGET data is covertly acquired under the auspices of “lawful intercepts” made through Drug Enforcement Administration “accesses”– legal wiretaps of foreign phone networks that the DEA requests as part of international law enforcement cooperation.

When U.S. drug agents need to tap a phone of a suspected drug kingpin in another country, they call up their counterparts and ask them to set up an intercept. To facilitate those taps, many nations – including the Bahamas – have hired contractors who install and maintain so-called lawful intercept equipment on their telecommunications.

Perhaps the most telling part of the article, however, is that NSA/DEA don’t appear to be using this facility to track money launderers.

If the U.S. government wanted to make a case for surveillance in the Bahamas, it could point to the country’s status as a leading haven for tax cheats, corporate shell games, and a wide array of black-market traffickers. The State Department considers the Bahamas both a “major drug-transit country” and a “major money laundering country” (a designation it shares with more than 60 other nations, including the U.S.). According to the International Monetary Fund, as of 2011 the Bahamas was home to 271 banks and trust companies with active licenses. At the time, the Bahamian banks held $595 billion in U.S. assets.

They’re tracking pot, but not bothering to track the dollars that drive the pot.

So aside from the hubris of stealing all of the cell phone calls from the Bahamas, this is also a testament to the US’ misplaced priorities, its inability to understand how its coddling of tax havens serves to drive the drug trade.

Faster and Furiouser Domestic Spying: Why Would the NSA Review Group Talk to the ATF?

Because I’m working on a post on John Bates’ response to the NSA Review Group recommendations, I happened to re-review the list of people the Review Group spoke with today (see page 277; Bates was the only one from the FISA Court they spoke with).

See if you find anything odd with this list of entities the Review Group spoke with from the Executive Branch (here’s a handy list of intelligence agencies to compare it to):

Assistant to the President for Homeland Security & Counterterrorism

Bureau of Alcohol, Tobacco, Firearms and Explosives

Central Intelligence Agency

Defense Intelligence Agency

Department of Commerce

Department of Defense

Department of Homeland Security

Department of Justice

Department of State

Drug Enforcement Agency

Federal Bureau of Investigations

National Archives and Records Administration

National Counterterrorism Center

National Institute for Standards and Technology

National Reconnaissance Office

National Security Advisor

National Security Agency

Office of the Director of National Intelligence

President’s Intelligence Advisory Board

Privacy and Civil Liberties Oversight Board

Program Manager for the Information Sharing Environment (PM-ISE)

Special Assistant to the President for Cyber Security

Treasury Department

Much of the list makes sense. You’ve got the people largely in charge of terrorism (NCTC, Lisa Monaco, FBI, Treasury), you’ve got some of the people in charge of cyber and/or corrupting encryption standards (DHS, Michael Daniel, NIST), you’ve got the people who have to deal with angry foreign leaders (State), you’ve got people in charge of data sharing and storage (PM-ISE and NARA), and you’ve got Commerce (which serves to boost, but also coerce, the tech companies on these issues).

There are some absences. I’m surprised Department of Energy, which plays a key role in counterproliferation, isn’t on here. It’s light on counterintelligence functions, both at DNI and things like AFOSI (which I believe has some nifty cybertools). I’m also a little surprised DOD was represented as a whole, but not some of the branch intelligence organizations. Similarly, DHS was represented as a whole, but not some of its relevant branches (TSA, CBP, and Secret Service).

And then there’s the Drug Enforcement Agency, which is on the list.

And even more alarmingly, the Bureau of Alcohol, Tobacco, Firearms and Explosives.

Don’t get me wrong, neither is all that surprising. We know some of the tools covered by the Review Group — notably National Security Letters — have actually been (mis)used in drug investigations as well as in terrorism ones. Given the logic of the certifications we know exist — not to mention the Administration’s fear-mongering and increasing focus on Transnational Crime Organizations not run by Jamie Dimon — I wouldn’t be surprised if Section 702 were used to fight the war on drugs, if it hasn’t already been. And the drug war certainly is a foreign intelligence priority for EO 12333 collection. Given NSA’s increasing inclusion of drug cartels in the boilerplate comments it releases about Snowden stories, I expect we’ll hear some nifty things about the war on drugs before this is out.

Similarly, one of the first things we learned the government was using Section 215 and/or NSLs to collect was purchase records for beauty supplies, otherwise known as explosives precursors. Since then, Members of Congress have talked about tracking fertilizer purchases. And I’d be shocked if there weren’t at least a half-hearted attempt to track pressure cooker purchases. I guess, from ATF’s inclusion among the Review Group’s interlocutors, we know a little bit about where this data resides: in probably the most fucked up law enforcement agency in government (though maybe that’s Immigration and Customs Enforcement, which thankfully was not considered central enough to talk to the Review Group).

Still, given the increasing number of signals that these authorities have been used to track gun purchases, and ATF’s notorious failures at tracking gun purchases in the past, I wonder whether they’re involved not just to talk about explosives purchases, but also gun records?

The Review Group warned that,

Like other agencies, there are situations in which NSA does and should provide support to the Department of Justice, the Department of Homeland Security, and other law enforcement entities. But it should not assume the lead for programs that are primarily domestic in nature.

For a variety of reasons (both reasonable and unreasonable), it is much harder to claim that tracking gun purchases pertains to counterterrorism or another foreign intelligence purpose than tracking acetone purchases.

Is this one of the domestic security functions the Review Group worried about?

US Justice: A Rotting Tree of Poisonous Fruit?

Saturday, the NYT reported that other agencies within government struggle to get NSA to share its intelligence with them.

Agencies working to curb drug trafficking, cyberattacks, money laundering, counterfeiting and even copyright infringement complain that their attempts to exploit the security agency’s vast resources have often been turned down because their own investigations are not considered a high enough priority, current and former government officials say.

Of the 1,410 words in the article, 313 words are explicitly attributed to Tim Edgar, who used to work for the ACLU but starting in 2006 worked first in the Office of the Director of National Intelligence and then in the White House. Another 27 are attributed to “a former senior White House intelligence official,” the same description used to introduce Edgar in the article.

The article ends with Edgar expressing relief that NSA succeeded in withholding material (earlier he made a distinction between sharing raw data and intelligence reports) from agencies executing key foreign policy initiatives in the age of cyberwar and Transnational Criminal Organizations, and in so doing avoided a “nightmare scenario.”

As furious as the public criticism of the security agency’s programs has been in the two months since Mr. Snowden’s disclosures, “it could have been much, much worse, if we had let these other agencies loose and we had real abuses,” Mr. Edgar said. “That was the nightmare scenario we were worried about, and that hasn’t happened.”

Today, the San Francisco Chronicle reminds us that NSA does hand over evidence of serious criminal activities if it finds it while conducting foreign intelligence surveillance, and that prosecutors often hide the source of that original intelligence.

Current and former federal officials say the NSA limits non-terrorism referrals to serious criminal activity inadvertently detected during domestic and foreign surveillance. The NSA referrals apparently have included cases of suspected human trafficking, sexual abuse and overseas bribery by U.S.-based corporations or foreign corporate rivals that violate the Foreign Corrupt Practices Act.

[snip]

“If the intelligence agency uncovers evidence of any crime ranging from sexual abuse to FCPA, they tend to turn that information over to the Department of Justice,” Litt told an audience at the Brookings Institution recently. “But the Department of Justice cannot task the intelligence community to do that.”

[snip]

“The problem you have is that in many, if not most cases, the NSA doesn’t tell DOJ prosecutors where or how they got the information, and won’t respond to any discovery requests,” said Haddon, the defense attorney. “It’s a rare day when you get to find out what the genesis of the ultimate investigation is.”

The former Justice Department official agreed: “A defense lawyer can try to follow the bouncing ball to see where the tip came from — but a prosecutor is not going to acknowledge that it came from intelligence.”

And (as bmaz already noted) Reuters reminds us that the DEA has long had its own electronic surveillance capability, and it often hides the source of intelligence as well.

Although these cases rarely involve national security issues, documents reviewed by Reuters show that law enforcement agents have been directed to conceal how such investigations truly begin – not only from defense lawyers but also sometimes from prosecutors and judges.

The undated documents show that federal agents are trained to “recreate” the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant’s Constitutional right to a fair trial. If defendants don’t know how an investigation began, they cannot know to ask to review potential sources of exculpatory evidence – information that could reveal entrapment, mistakes or biased witnesses.

As bmaz also noted, none of this was very secret or new. The FISA sharing is clearly permitted by the minimization procedures. Litigation on it 11 years ago suggested it may be even more abusive than laid out under the law. And bmaz has personally been bitching about the DEA stuff as long as I’ve known him.

These articles suggesting there may be more sharing than the NYT made out on Saturday, then, are primarily reminders that when the fruits of this intelligence get shared, the source of the intelligence often remains hidden from those it is used against.

Which brings me to this WSJ op-ed Edgar published last week.

About the Reuters DEA Special Operations Division Story

Reuters is out this morning with what is being hailed as something of an eye-opening exposé on the Drug Enforcement Agency’s Special Operations Division. The article is very good and should be read in full, but I would like to make a couple of quick points.

First, the headline is misleading. The caption is:

Exclusive: U.S. directs agents to cover up program used to investigate Americans

Well, not really (and, in fairness, the actual body of the article is about a practice that is a result of the SOD). DEA’s Special Ops Division is neither new nor secret in the least, and there is no way to “cover it up”. Google it; I got “About 289,000 results (0.29 seconds)” as a return. You will get something similar. The revelation that SOD was used in the Viktor Bout case is also not new; here is a Time story detailing it from 2011.

In fact, any criminal defense attorney who did cocaine hub conspiracy cases in the 90’s could have told you most of the Reuters article in their sleep. That was exactly the scene that DEA-SOD was born from. As the war on drugs went nuclear, the DEA devised what they termed the “Kingpin Strategy”:

In 1992, the DEA instituted the Kingpin Strategy that focused investigative and enforcement efforts on specific drug trafficking organizations. The DEA planned to disable major organizations by attacking their most vulnerable areas—the chemicals needed to process the drugs, their finances, communications, transportation, and leadership structure.

The Kingpin Strategy held that the greatest impact on the drug trade took place when major drug organizations were disrupted, weakened, and destroyed. This strategy focused enforcement efforts and resources against the highest-level traffickers and their organizations, and provided a systematic way of attacking the various vulnerabilities of the organizations. By systematically attacking each of these vulnerabilities, the strategy aimed to destroy the entire organization, and with it, the organization’s capacity to finance, produce, and distribute massive amounts of illegal drugs. Each blow weakened the organization and improved the prospects for arresting and prosecuting the leaders and managers of the organizations.

The Kingpin Strategy evolved from the DEA’s domestic and overseas intelligence gathering and investigations.

And from Kingpin sprung the Special Operations Division:

Under the original Kingpin Strategy, DEA headquarters often dictated the selection of Kingpin targets. In response to the SACs’ concerns, Administrator Constantine agreed to allow them more latitude in target selection. In conjunction with this decision, he established the Special Operations Division at Newington, Virginia, in 1994 to coordinate multi-jurisdictional investigations against major drug trafficking organizations responsible for the flow of drugs into the United States.

The above is from a history of the DEA right there on the Justice Department’s website, so “covering up” SOD is kind of a non-starter. However, what IS being covered up, and what really is the substance of the body of the Reuters article, is the practice of “parallel construction” of cases:

The undated documents show that federal agents are trained to “recreate” the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant’s Constitutional right to a fair trial. If defendants don’t know how an investigation began, they cannot know to ask to review potential sources of exculpatory evidence – information that could reveal entrapment, mistakes or biased witnesses.
…..
After an arrest was made, agents then pretended that their investigation began with the traffic stop, not with the SOD tip, the former agent said. The training document reviewed by Reuters refers to this process as “parallel construction.”

The two senior DEA officials, who spoke on behalf of the agency but only on condition of anonymity, said the process is kept secret to protect sources and investigative methods. “Parallel construction is a law enforcement technique we use every day,” one official said. “It’s decades old, a bedrock concept.”

Yes. Exactly. And, as the “senior DEA officials” admitted, this, too, is not new in the least. Again, the Reuters quote of the incredulous former Judge Nancy Gertner aside, any number of longtime members of NACDL could have told you all of this at any point in time since the mid-90’s.

The takeaway that is important from the Reuters piece is that all the frothing about “golly, what if those NSA capabilities bleed out of terrorism and into traditional criminal cases” is nuts. It already is, and has been for a long time. It is the “clean teaming” of criminal prosecutions. And it is a direct and tangible fraud upon defendants, the courts, Due Process and several other important Constitutional concepts.

It is not a matter of what if it happens, it IS happening.