
Fred Upton’s Bid at Protecting Automotive Security Negligence [Updated]

I’ve written about Ed Markey’s SPY Act, one of several efforts to respond to network insecurity in cars. Fred Upton, who represents Kalamazoo, MI, is pushing an alternative version as part of larger reform to the National Highway Traffic Safety Administration. It appears to be an attempt to forestall regulation from other directions. Update: Here’s a draft of the bill.

Take, for example, its call for a privacy policy. Whereas Markey’s bill requires manufacturers to provide a dashboard informing customers about their privacy policy (after all, all cars have an EPA report), Upton’s only requires it to be posted … somewhere.

More importantly, though, the bill caps civil penalties at $1 million for manufacturers that fail to file a privacy policy or violate the one they filed, and it pre-empts FTC action on unfair trade practices (of the sort that just got Wyndham Hotels in trouble).

This section provides that if a manufacturer does not file a privacy policy or violates any of the terms in its policy, the manufacturer is liable to the U.S. Government for a civil penalty of $5,000 per day, with a maximum penalty for a series of violations of $1,000,000. This section also provides that a manufacturer that submits a privacy policy identifying that it meets all seven of the privacy elements described in this section is not subject to civil penalties. It establishes a safe harbor from Section 5 of the Federal Trade Commission Act with respect to any unfair or deceptive act or practice relating to privacy for any manufacturer whose privacy policy and practices meet all seven of the privacy elements described in this section.

Car companies are going to opt to pay that $1M instead of telling their customers how they’re using their driving data.

The cybersecurity requirement likewise serves more to protect companies than to impose sound security on them. Whereas Markey’s bill would require certain things from a cybersecurity policy, Upton’s would let the industry establish a standard, then permit manufacturers to submit plans that fulfill “some or all” of that standard. Once submitted, those plans would disappear from view: they couldn’t be FOIAed, and the FTC couldn’t sue a manufacturer over the practices they cover.

This section exempts vehicle security and integrity plans submitted by manufacturers from Freedom of Information Act requests.

This section provides that a manufacturer that violates its vehicle security and integrity plan is subject to civil penalties. A manufacturer is not subject to those civil penalties (but doesn’t get the liability protections) if it submits a vehicle security and integrity plan that is approved by the Administrator and implements and maintains the best practices identified in their plan. This section provides that the best practices issued by the Council may not provide a basis for or evidence of liability against a manufacturer whose cybersecurity practices are alleged to be inconsistent with the best practices if the manufacturer has not filed a vehicle security and integrity plan and if the plan does not include the cybersecurity practice at issue.

This section also establishes a safe harbor from Section 5 of the Federal Trade Commission Act with respect to the best practices identified and implemented and maintained in the vehicle security and integrity plan submitted by a manufacturer.

In other words, these plans don’t have to be sound so long as NHTSA signs off on them (remember, NHTSA by its own admission doesn’t have software expertise, which is why Toyota got away with its acceleration problem for so long), and once the plans were in place, a company that mostly fulfilled them would be largely immune from regulation.

Which is why I believe this section does what I’m afraid it does: make it harder for independent researchers to review carmakers’ code.

This section establishes that it is unlawful for any person to access, without authorization, electronic control units or critical safety systems in a vehicle, or other systems containing driving data either wirelessly or through a wired connection. It establishes a civil penalty of $100,000 for a person who violates this section.

The actual language of the bill does not include a researcher’s exception.

(1) PROHIBITION.—It shall be unlawful for any person to access, without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection.

It also imposes a penalty for each thing hacked (so doing research would get really expensive quickly).

Update: NHTSA is no more impressed than I am.

The Committee’s discussion draft includes an important focus on cybersecurity, privacy and technology innovations, but the current proposals may have the opposite of their intended effect. By providing regulated entities majority representation on committees to establish appropriate practices and standards, then enshrining those practices as de facto regulations, the proposals could seriously undermine NHTSA’s efforts to ensure safety. Ultimately, the public expects NHTSA, not industry, to set safety standards.

Nor are the privacy people at the FTC, who read the privacy provisions as even worse than I did.

Under this proposal, manufacturers can satisfy the requirements of this section without providing any substantive protections for consumer data. For example, a manufacturer’s policy could qualify for a safe harbor even if it states that the manufacturer collects numerous types of personal information, sells the information to third parties, and offers no choices to opt out of such collection or sale. Moreover, because the safe harbor exempts a manufacturer from FTC oversight, and Section 32402(d)(2) provides a separate exemption from civil penalties, a manufacturer that submits a privacy policy that meets the requirements of Section 32402(b) but does not follow it would not be subject to any enforcement mechanism.

Like me, the FTC reads the hacking provision as prohibiting research, which would mean less cybersecurity, not more.

By prohibiting such access even for research purposes, this provision would likely disincentivize such research, to the detriment of consumers’ privacy, security, and safety.

And it has the same concerns I do about providing immunity for crappy cybersecurity practices.

Finally, the proposed safe harbor is so broad that it would immunize manufacturers from liability even as to deceptive statements made by manufacturers relating to the best practices that they implement and maintain. For example, false claims on a manufacturer’s website about its use of firewalls, encryption, or other specific security features would not be actionable if these subjects were also covered by the best practices.

In sum, the Commission understands the desire to provide businesses with certainty and incentives, in the form of safe harbors, to implement best practices. However, the security provisions of the discussion draft would allow manufacturers to receive substantial liability protections in exchange for potentially weak best practices instituted by a Council that they control. The proposed legislation, as drafted, could substantially weaken the security and privacy protections that consumers have today.

GM Supports Obtaining Cybersecurity Immunity Just after Hack Vulnerability Revealed

Dianne Feinstein just gave a long speech on the Senate floor supporting the Cybersecurity Information Sharing Act (CISA).

She ran through a list of shocking hacks from the last year or so, though she made no effort to show (or even claim) that CISA would have prevented any of them.

She listed some of the 56 corporations and business organizations that support the bill.

Most interestingly, she boasted that yesterday she received a letter from GM supporting the bill. We should pass CISA, Feinstein suggests, because General Motors, on August 4, 2015, decided to support the bill.

I actually think that’s reason to oppose the bill.

As I have written elsewhere — most recently this column at the DailyDot — one of my concerns about the bill is the possibility that by sharing data under the immunity afforded by the bill, corporations might dodge liability where it otherwise might serve as necessary safety and security leverage.

Immunizing corporations may make it harder for the government to push companies to improve their security. As Wyden explained, while the bill would let the government use data shared to prosecute crimes, the government couldn’t use it to demand security improvements at those companies. “The bill creates what I consider to be a double standard—really a bizarre double standard in that private information that is shared about individuals can be used for a variety of non-cyber security purposes, including law enforcement action against these individuals,” Wyden said, “but information about the companies supplying that information generally may not be used to police those companies.”

Financial information-sharing laws may illustrate why Wyden is concerned. Under that model, banks and other financial institutions are obligated to report suspicious transactions to the Treasury Department, but, as in CISA, they receive in return immunity from civil suits as well as consideration in case of sanctions, for self-reporting. “Consideration,” meaning that enforcement authorities take into account a financial institution’s cooperation with the legally mandated disclosures when considering whether to sanction them for any revealed wrongdoing. Perhaps as a result, in spite of abundant evidence that banks have facilitated crimes—such as money laundering for drug cartels and terrorists—the Department of Justice has not managed to prosecute them. When asked during her confirmation hearing why she had not prosecuted HSBC for facilitating money laundering when she presided over an investigation of the company as U.S. Attorney for the Eastern District of New York, Attorney General Loretta Lynch said there was not sufficient “admissible” evidence to indict, suggesting they had information they could not use.

In the same column, I pointed out the different approach to cybersecurity, for cars at least, taken by the SPY Car Act introduced by Ed Markey and Richard Blumenthal, which affirmatively requires certain cybersecurity and privacy protections.

Increased attention on the susceptibility of networked cars—heightened by but not actually precipitated by the report of a successful remote hack of a Jeep Cherokee—led two other senators, Ed Markey and Richard Blumenthal, to adopt a different approach. They introduced the Security and Privacy in Your Car Act, which would require privacy disclosures, adequate cybersecurity defenses, and additional reporting from companies making networked cars and also require that customers be allowed to opt out of letting the companies collect data from their cars.

The SPY Car Act adopts a radically different approach to cybersecurity than CISA in that it requires basic defenses from corporations selling networked products. Whereas CISA supersedes privacy protections for consumers like the Electronic Communications Privacy Act, the SPY Car Act would enhance privacy for those using networked cars. Additionally, while CISA gives corporations immunity so long as they share information, SPY Car emphasizes corporate liability and regulatory compliance.

I’m actually not sure how you could have both CISA and SPY Act, because the former’s immunity would undercut the regulatory limits on the latter. (And I asked both Markey and Blumenthal’s offices, but they blew off repeated requests for an answer on this point.)

Which brings me back to GM’s decision — yesterday!!! — to support CISA.

The hackers who remotely hacked a car used a Jeep Cherokee. But their analysis from last year found the Cadillac Escalade to be the second most hackable car among those they reviewed (and I have reason to believe there are other GM products that are probably even more hackable).

So: on July 21, hackers reveal they can remotely hack cars, and Markey introduces his bill the same day. Then on August 4, GM for the first time signs on to a bill that would give it immunity if it starts sharing data with the government in the name of cybersecurity.

Now maybe I’m wrong in my suspicion that CISA’s immunity would provide corporations a way to limit their other liability for cybersecurity so long as they had handed over a bunch of data to the government, even if it incriminated them.

But we sure ought to answer that question before we go immunizing corporations whose negligence might leave us more open to attack.

Why Apple Should Pay Particular Attention to Wired’s New Car Hacking Story

This morning, Wired reports that the hackers who two years ago hacked an Escape and a Prius via physical access have hacked a Jeep Cherokee via remote (mobile phone network) access. They got into one of the vehicle’s Electronic Control Units (ECUs) and from there were able to reach the ECUs controlling the transmission and brakes, as well as a number of less critical items. The hackers are releasing a report [correction: this is Markey’s report], page 86 of which explains why cars have gotten so much more vulnerable (generally, a combination of being accessible via external communication networks, having more internal networks, and having far more ECUs, any of which might have a vulnerability). It includes a list of the most and least hackable cars among the 14 they reviewed.


Today Ed Markey and Richard Blumenthal are releasing a bill meant to address some of these security vulnerabilities in cars.

Meanwhile — in a remarkably poorly timed announcement — Apple announced yesterday that it had hired Fiat Chrysler’s former quality guy, the guy who would have overseen development of both the hackable Jeep Cherokee and the safer Dodge Viper.

Doug Betts, who led global quality at Fiat Chrysler Automobiles NV until last year, is now working for the Cupertino, Calif.-based electronics giant but declined to comment on the position when reached Monday. Mr. Betts’ LinkedIn profile says he joined Apple in July and describes his title as “Operations-Apple Inc.” with a location in the San Francisco Bay Area but no further specifics.

[snip]

Along with Mr. Betts, whose expertise points to a desire to know how to build a car, Apple recently recruited one of the leading autonomous-vehicle researchers in Europe and is building a team to work on those systems.

[snip]

In 2009, when Fiat SpA took over Chrysler, CEO Sergio Marchionne tapped Mr. Betts to lead the company’s quality turnaround, giving him far-reaching authority over the company’s brands and even the final say on key production launches.

Mr. Betts abruptly left Fiat Chrysler last year to pursue other interests. The move came less than a day after the car maker’s brands ranked poorly in an influential reliability study.

Note that the poor quality ratings that preceded Betts’ departure from Fiat Chrysler pertained especially to infotainment systems, which points to problems with the electronics generally.

As they get into the auto business, Apple and Google will have the luxury that struggling combustion engine companies don’t have — that they’re not limited by tight margins as they try to introduce bells and whistles to compete on the marketplace. But they’d do well to get this quality and security issue right from the start, because the kind of errors tech companies can tolerate — largely because they can remotely fix bugs and because an iPhone that prioritized design over engineering can’t kill you — will produce much bigger problems in cars (though remote patching will be easier in electric cars).

So let’s hope Apple’s new employee takes this hacking report seriously.

Ed Markey May Not Be Adequately Prepared to Vote on USA Freedom Act

Update: I realize something about this classification guide. While it was updated in 2012 (so after the Internet dragnet got shut down), it was dated August 2009, when the dragnet was still running. So that part of this may not be location data. But the FBI almost certainly still does do fun stuff with PRTT, because it’s the one part of PRTT that remains classified.


Ed Markey, who is absolutely superb on tracking Title III surveillance, continues that tradition today with a letter to Eric Holder asking about the US Marshals Service “dirtbox” surveillance program revealed last week by the WSJ.

Among his questions are:

Do other agencies within DOJ operate similar programs, in which airplanes, helicopters or drones with attached cellular surveillance equipment are flown over US airspace?

What types of court order, if any, are sought and obtained to authorize searches conducted under this program?

In what kind of investigations are the “dirtbox” and similar technology used to locate targets? Are there any limitations imposed on the kinds of investigations in which the dirtbox and similar technology can be used?

According to media reports, the dirtbox technology, which is similar to a so-called “stingray” technology, works by mimicking the cellular networks of U.S. wireless carriers. Upon what specific legal authority does the Department rely to mimic these cellular networks?

Do the dirtbox and stingray send signals through the walls of innocent people’s homes in order to communicate with and identify the phones within?

What, if any, policies govern the collection, retention, use and sharing of this information?

Are individuals–either those suspected of committing crimes or innocent individuals–provided notice that information about their phones was collected? If yes, explain how. If no, why not?

I could be spectacularly wrong on this point, but I very, very strongly believe the answer to some of his questions lies in a bill Markey is all set to vote for tomorrow.

We know that the government — including the FBI — uses Title III Pen Registers to obtain authorization to use Stingrays; so one answer Markey will get is “Title III PRTT” and “no notice.”

Given that several departments at DOJ use PRTT orders to get Stingrays on the criminal side, it is highly likely that a significant number of the 130-ish PRTT orders approved each year are for Stingray or related use.

Using that logic gets us to the likelihood that the FBI’s still unexplained PRTT program, revealed in this 2012 NSA declassification guide, also uses Stingray technology to provide location data. That’s especially likely given that NSA would have no need to go to the FBI for either phone or email contacts, because it has existing means to obtain those (though if the cell phone coverage of the Section 215 dragnet is as bad as they say, it may require pen registers for that).


The guide distinguishes between individual orders, which are classified SECRET, and “FBI Pen Register Trap Trace,” which therefore seems to be more programmatic. The FBI PRTT is treated almost exactly like the then-undisclosed phone dragnet was in the same review, as a highly classified program where even minimized information is TS/SCI.

Now, it’s possible (ha!) that this is a very limited program, just targeting individual targets in localized spots for a brief period of time.

It’s also possible the government scaled this back after the US v. Jones decision.

But it’s equally possible that this is a bulky dragnet akin to the phone dragnet, one that will be invisible in transparency measures under USA Freedom Act because location trackers are excluded from that reporting.

I do hope Markey insists on getting answers to his questions before he votes for this bill tomorrow.

Every Senator Who Supports USA Freedom May Be Affirmatively Ratifying a Financial Dragnet

Now that I’ve finally got around to reading the so-called transparency provisions in Patrick Leahy’s USA Freedom Act, I understand that one purpose of the bill, from James Clapper’s perspective, is to get Congress to ratify some kind of financial dragnet conducted under Section 215.

As I’ve laid out in detail before, there’s absolutely no reason to believe USA Freedom Act does anything to affect non-communications collection programs.

That’s because the definition of “specific selection term” permits (corporate) persons to be used as a selector, so long as they aren’t communications companies. So Visa, Western Union, and Bank of America could all be used as the selector; Amazon could be for anything not cloud or communications-related. Even if the government obtained all the records from these companies — as reports say it does with Western Union, at least — that would not be considered “bulk” because the government defines “bulk” as collection without a selector. Here, the selector would be the company.

And as I just figured out yesterday, the bill requires absolutely no individualized reporting on traditional Section 215 orders that don’t obtain communications. Here’s what the bill requires DNI to report on traditional 215 collection.

(D) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of—
(i) the number of targets of such orders;
(ii) the number of individuals whose communications were collected pursuant to such orders; and
(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

The bill defines “individuals whose communications were collected” this way:

(3) INDIVIDUAL WHOSE COMMUNICATIONS WERE COLLECTED.—The term ‘individual whose communications were collected’ means any individual—
(A) who was a party to an electronic communication or a wire communication the contents or noncontents of which was collected; or
(B)(i) who was a subscriber or customer of an electronic communication service or remote computing service; and
(ii) whose records, as described in subparagraph (A), (B), (D), (E), or (F) of section 2703(c)(2) of title 18, United States Code, were collected.

Thus, the 215 reporting only requires the DNI to provide individualized reporting on communications-related orders. It requires no individualized reporting at all on actual tangible things (in the tangible things provision!). A dragnet order collecting every American’s Visa bill would be reported as 1 order targeting the 4 or so terrorist groups specifically named in the primary order. It would not show that the order produced the records of 310 million Americans.

I’m guessing this is not a mistake, which is why I’m so certain there’s a financial dragnet the government is trying to hide.

Under the bill, of course, Visa and Western Union could decide they wanted to issue a privacy report. But I’m guessing if it would show 310 million to 310,000,500 of its customers’ privacy was being compromised, they would be unlikely to do that.

So the bill would permit the collection of all of Visa’s records (assuming the government could or has convinced the FISC to rubber stamp that, of course), and it would hide the extent of that collection because DNI is not required to report individualized collection numbers.

But it’s not just the language in the bill that amounts to ratification of such a dragnet.

As the government has argued over and over and over, every time Congress passes Section 215’s “relevant to” language unchanged, it serves as a ratification of the FISA Court’s crazy interpretation of it to mean “all.” That argument was pretty dodgy for reauthorizations that happened before Edward Snowden came along (though its dodginess did not prevent Claire Eagan, Mary McLaughlin, and William Pauley from buying it). But it is not dodgy now: Senators need to know that after they pass this bill, the government will argue to courts that it ratifies the legal interpretations publicly known about the program.

While the bill changes a great deal of language in Section 215, it still includes the “relevant to” language that now means “all.” So every Senator who votes for USAF will make it clear to judges that it is the intent of Congress for “relevant to” to mean “all.”

And it’s not just that! In voting for USAF, Senators would be ratifying all the other legal interpretations about dragnets that have been publicly released since Snowden’s leaks started.

That includes the horrible John Bates opinion from February 19, 2013 that authorized the government to use Section 215 to investigate Americans for their First Amendment protected activities so long as the larger investigation is targeted at people whose activities aren’t protected under the First Amendment. So Senators would be making it clear to judges their intent is to allow the government to conduct investigations into Americans for their speech or politics or religion in some cases (which cases those are is not entirely clear).

That also includes the John Bates opinion from November 23, 2010 that concluded that, “the Right to Financial Privacy Act, … does not preclude the issuance of an order requiring the production of financial records to the Federal Bureau of Investigation (FBI) pursuant to the FISA business records provision.” Given that Senators know (or should — and certainly have the ability to — know) about this before they support USAF, judges would be correct in concluding that it was the intent of Congress to permit the government to collect financial records under Section 215.

So Senators supporting this bill must realize that supporting the bill means they are supporting the following:

  • The interpretation of “relevant to” to permit the government to collect all of a given kind of record in the name of a standing FBI terrorism investigation.
  • The use of non-communication company corporate person names, like Visa or Western Union, as the selector “limiting” collection.
  • The use of Section 215 to collect financial records.
  • Not requiring the government to report how many Americans get sucked up in any financial (or any non-communications) dragnet.

That is, Senators supporting this bill are not only supporting a possible financial dragnet, but they are helping the government hide the existence of it.

I can’t tell you what the dragnet entails. Perhaps it’s “only” the Western Union tracking reported by both the NYT and WSJ. Perhaps James Cole’s two discussions of being able to collect credit card records under this provision mean they are. Though when Leahy asked him if they could collect credit card records to track fertilizer purchases, Cole suggested they might not need everyone’s credit cards to do that.

Leahy: But if our phone records are relevant, why wouldn’t our credit card records? Wouldn’t you like to know if somebody’s buying, um, what is the fertilizer used in bombs?

Cole: I may not need to collect everybody’s credit card records in order to do that.

[snip]

If somebody’s buying things that could be used to make bombs of course we would like to know that but we may not need to do it in this fashion.

We don’t know what the financial dragnet is. But we know that it is permitted — and deliberately hidden — under this bill.

Below the rule I’ve put the names of the bill’s sponsor and the 18 Senators who have thus far co-sponsored it. If one happens to be your Senator, it might be a good time to urge them to reconsider that support.


Patrick Leahy (202) 224-4242

Mike Lee (202) 224-5444

Dick Durbin (202) 224-2152

Dean Heller (202) 224-6244

Al Franken (202) 224-5641

Ted Cruz (202) 224-5922

Richard Blumenthal (202) 224-2823

Tom Udall (202) 224-6621

Chris Coons (202) 224-5042

Martin Heinrich (202) 224-5521

Ed Markey (202) 224-2742

Mazie Hirono (202) 224-6361

Amy Klobuchar (202) 224-3244

Sheldon Whitehouse (202) 224-2921

Chuck Schumer (202) 224-6542

Bernie Sanders (202) 224-5141

Cory Booker (202) 224-3224

Bob Menendez (202) 224-4744

Sherrod Brown (202) 224-2315


The Tracking Device in Your Pocket

Eric Lichtblau has a story summarizing what Ed Markey discovered after he asked cellphone companies to tell him how many law enforcement requests they respond to every year. And while some of the companies (AT&T and Cricket, at least) claim the numbers are exploding because their subscriber base is too, the numbers are still troubling.

In the first public accounting of its kind, cellphone carriers reported that they responded to a startling 1.3 million demands for subscriber information last year from law enforcement agencies seeking text messages, caller locations and other information in the course of investigations.

The cellphone carriers’ reports, which come in response to a Congressional inquiry, document an explosion in cellphone surveillance in the last five years, with the companies turning over records thousands of times a day in response to police emergencies, court orders, law enforcement subpoenas and other requests.

The reports are all here. I’ll do a follow-up once I’ve read them. In the meantime, consider this a working thread if you read the reports.

Congress Thinks BP Commission Needs Subpoena Power, Too

A bunch of hippie members of Congress noticed the same thing about Obama’s BP Commission that I noticed: it lacks subpoena power.

So Lois Capps and Ed Markey in the House and Jeanne Shaheen and several of her colleagues are pushing legislation to give the Commission subpoena power.

U.S. Senator Jeanne Shaheen (D-NH), along with nine Senate colleagues, today introduced legislation to grant subpoena power to the bipartisan National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling, which President Obama created by executive order on May 22. Congress has previously granted subpoena power to presidential commissions investigating national crises, including the Warren Commission and the Three Mile Island Commission. Joining Shaheen on this legislation are Senators John Kerry (D-MA), Byron Dorgan (D-ND), Patty Murray (D-WA), Mary Landrieu (D-LA), Bob Menendez (D-NJ), Bob Casey (D-PA), Amy Klobuchar (D-MN), Mark Begich (D-AK), and Kirsten Gillibrand (D-NY). The Senators strongly believe that the BP Commission must have subpoena power to ensure access to all the evidence it needs to undertake a complete investigation on the causes of the spill and make meaningful recommendations on how to prevent similar disasters. Today, Representatives Lois Capps (D-CA) and Ed Markey (D-MA) plan to introduce similar legislation in the House.

Here’s the House version of the bill.

Now, I’ve actually been told that Obama, by himself, couldn’t give the commission subpoena power. I’m trying to clarify that.

I’m still not entirely convinced this won’t be a whitewash designed to enable future drilling in any case. But subpoena power sure would help.

BP’s Own Internal Documents Prove It Knew Its Oil Leak Estimates Were Bogus

In today’s Natural Resources Hearing on the BP Disaster, Ed Markey brought out proof that BP knew it was lying about the flow of oil from its disaster. He brought two BP documents showing that even when its Chief Operating Officer Doug Suttles was giving low-ball estimates of 1,000 BBL/day, BP’s own internal documents showed that its best guess was 5,758 BBL/day.

The fact is BP has not been entirely candid and open with the American people about this disaster. Mr. Secretary, initially, BP estimated that 1,000 barrels of oil per day were leaking into the Gulf. On April 28, 2010, a new leak was discovered and Coast Guard officials pushed BP to increase the estimate to at least 5,000 barrels per day. However, BP’s Chief Operating Officer Doug Suttles was initially quoted that day–April 28–saying that he believed that the flow rate of 1,000 barrels per day was accurate and that “Due to its location, we do not believe that this new leak changes the amount currently believed to be released.”

Yesterday, BP provided me with an internal document dated April 27, 2010, and cited as BP Confidential that shows a low estimate, a best guess, and a high estimate of the amount of oil that was leaking. According to this BP document, the company’s low estimate of the leak on April 27 was 1,063 barrels per day. Its best guess was 5,758 barrels per day. Its high estimate was 14,266 barrels per day. BP has also turned over another document dated April 26 which includes a 5,000 barrel per day figure as well. So when BP was citing the 1,000 barrel per day figure to the American people on April 28, their own internal documents from the day before show that their best guess was a leak of 5,768 [sic] barrels per day and their high estimate was more than 14,000 barrels that were spilling into the Gulf every day. [my emphasis]

As Markey goes on to point out, BP’s intentional low-balling might have been designed to help it argue for a $5-15 million penalty per day as opposed to a $14-42 million penalty.

Secretary Salazar promised several times during the hearing that the government would release its own estimate of the flow sometime today.