Posts

Snowden: “A Classified Executive Order”

/10 Comments/in , /by

NSA Authorities TimelineYesterday, I noted that the subject of Edward Snowden’s emailed question to NSA’s Office of General Counsel pertained to one of the under-reported themes of his leaks, the way NSA uses EO 12333 to collect data on Americans that either clearly was or might have been covered by stricter laws passed by Congress. I also noted how unbelievably shitty the NSA training programs released to ACLU and EFF are, particularly the way seemingly outdated documents that remain in effect appear to allow spying on Americans prohibited by statute.

I’d like to return to the precise language Snowden used to refer to this email exchange (and a thus-far unreleased exchange he claims to have had with NSA’s Compliance folks).

Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. 

I suggested yesterday that this was likely a conflict over whether EO 12333 superseded laws passed by Congress, including but not limited to FISA.

But note: Snowden says he asked about a “classified” EO.

EO 12333 is unclassified.

So there are two possibilities. First, that there’s a classified EO — one that remains classified  — that we don’t know about, one Congress may not even be fully cognizant of (on the premise that this EO supersedes the law).

That’s possible. But EO 12333 is the only EO referenced in USSID 18’s list of references.

USSID 18 References

The other possibility is far more interesting.

As I noted, the documents laying out the core regulations governing NSA conflict badly, largely because many of the documents are very dated, and have been (or should have been) superseded by recent laws (like the FISA Amendments Act) and court decisions (like John Bates’ 2011 ruling on upstream collection).

Of particular interest is NSA/CSS Policy 1-23 (starting at PDF 110). That policy is interesting, first of all, because it was first issued on March 11, 2004 by Michael Hayden. That is, this policy dates to the very day when Michael Hayden agreed to continue the illegal wiretap program even as half of DOJ threatened to quit.

The policy was updated twice, once to make what were considered minor adjustments in policy in 2007, and once in 2009 to incorporate FISA Amendments Act changes. Thus, the policy at least purports to fully incorporate FAA. The 2009 reissue — and its classified annex — is considered among the signature authorizing milestones according to a timeline leaked by Snowden, above, and the only one that mentions a classified annex.

But — as I noted yesterday — the policy still relies on (and incorporates) a classified annex to EO 12333 that was written in 1988 (though the document itself bears the March 11, 2004 date). Read more

NSA’s Training Programs Are a Mess

/5 Comments/in /by

OGC Questions
In addition to the way NSA claims to be operating under EO 12333 at times when it might be operating under some law passed by Congress, there’s another reason why Snowden’s question to NSA’s Office of General Counsel is worthwhile (though I doubt it’s why he asked).

NSA’s training programs — at least as released to ACLU and EFF under FOIA — are a horrible contradictory mess.

Two training programs closely related to the one he emailed in response to got released last year (though neither appears to be the training program in question): A “Core Intelligence Oversight Training” dating to sometime in 2009 or later, and this Office of General Counsel Powerpoint that is referred to as a Cryptological School Course, from which the image above was taken. (Side note: I repeat what I have said in the past: from a training methodology standpoint, these “training programs” are unbelievably shitty, which is particularly notable given that DOD does pay for a lot of state-of-the-art training programs on other topics.)

The Core Intelligence Oversight Training isn’t really training at all. It’s just a reproduction of the regulations in question. It includes:

  • The 2008 update of EO 12333, but with the original 1981 date attached
  • DOD 5240 1-R, dated 1982
  • NSA/CSS Policy 1-23, issued on March 11, 2004 (interesting date to update such a policy!), and revised twice, most recently May 29, 2009; it includes an Annex that serves as a classified annex to EO 12333 that is dated April 26, 1988
  • DTM 08-052, dated Jun 17, 2009; it cites EO 12333 “as amended” but doesn’t provide any amendment date

Several of these documents purport to implement or refer to FISA, but only the NSA/CSS Policy post-dates the detailed implementation of FISA Amendments Act (and it precedes key changes to the current minimization procedures tied to FISA).

And read together, these documents are utterly confusing.

My favorite is this part of DOD 5240, which would seem to contradict James “Too Cute by Half” Clapper’s definition of collection.

Collection. Information shall be considered as “collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties. Thus, information volunteered to a DoD intelligence component by a cooperating source would be “collected” under this procedure when an employee of such component officially accepts, in some manner, such information for use within that component. Data acquired by electronic means is “collected” only when it has been processed into intelligible form.

But both its definition of electronic surveillance and its rules on collecting the content of Americans overseas were superseded by FAA’s requirement of an order to collect on US persons overseas (and no longer considers electronic surveillance overseas electronic surveillance).

Except as provided in paragraph C5.2.5., below, DoD intelligence components may conduct electronic surveillance against a United States person who is outside the United States for foreign intelligence and counterintelligence purposes only if the surveillance is approved by the Attorney General.

The “updated” documents don’t help either. Because NSA/CSS Policy 1-23 relies on the annex dating to 1988, it claims NSA can collect on the content of Americans with Attorney General approval for 90 days.

(4) with specific prior approval by the Attorney General based on a finding by the Attorney General that there is probable cause to believe the United States person is an agent of a foreign power and that the purpose of the interception or selection is to collect significant foreign intelligence. Such approvals shall be limited to a period of time not to exceed ninety days for individuals and one year for entities.

Remember, this is purportedly “training,” and yet I’m not clear how an NSA trainee would learn that collecting content on Americans overseas requires a FISA order.

Trainees could get that information from the 2009 Cryptological School Course, which properly defines electronic surveillance and lays out Section 703-5.

But even that training course is out of date. For example, it says NSA cannot use FAA authorities to target “anything/anyone in the US,” but upstream collection under 702 targets those using certain selectors as content in the US. And even the 2011 minimization procedures limiting upstream collection don’t require destruction of upstream communications in which all communicants are in the US.

This program also includes the oblique comment that searching in databases of raw data constitutes a “collection/targeting” activity.

To protect the privacy rights of U.S. citizens, Department of Justice has determined searches of these databases are a collection/targeting activity.

Which would seem to conflict with the definition of collection a trainee got from DOD 5240.

I realize experienced NSA professionals have a better idea of how these various regulations all fit together. And I realize some of this is controlled through access controls that ensure NSA people only access the most up-to-date rules.

But these documents are billed as training, about the core restrictions regarding their collection. And they are downright contradictory.

I don’t think that’s why Snowden asked the OGC the question he did. Though the response he got regarding precedence of the various agency directives — that “DOD and ODNI regulations are afforded similar precedence though subject matter or date could result in one having precedence over another” — would only exacerbate any confusion a trainee had.

But if the training program Snowden was using is anything like these documents, there’d be good reason to believe that inexperienced trainees were not getting a clear idea of what they were allowed to do with US person data.

Update: One more point about these training programs, especially the classified annex to EO 12333 that dates to 1988. This is a problem that both PCLOB and HPSCI have identified and tried to fix (though HPSCI did not include their bill language to do so in either the USA Freedumber or the unclassified parts of the Intelligence Authorization). This shows why it is important: because NSA people are being trained on materials that tell them they can collect US person data overseas without a FISA order.

Snowden’s Emailed Question Addresses One Abuse Revealed by His Leaks

/34 Comments/in , /by

In an effort to rebut Edward Snowden’s claims that he raised concerns via proper channels, NSA just released an email Snowden sent to NSA’s Office of General Counsel. The email reveals their own training is not clear about something central to Snowden’s leaks: whether laws passed by Congress take precedence over EO 12333.

In the email, Snowden describes a training program on USSID 18, NSA’s internal guidelines on protecting US person data. Snowden’s email reads, in part,

Hello, I have a question regarding the mandatory USSID 18 training.

The training states the following:

________

(U) The Hierarchy of Governing Authorities and Documents is displayed from the highest authority to the lowest authority as follows:

U.S. Constitution

Federal Statutes/Presidential Executive Orders (EO)

[snip]

________

I’m not entirely certain, but this does not seem correct, as it seems to imply Executive Orders have the same precedence as law. My understanding is that EOs may be superseded by federal statute, but EOs may not override statute.

An NSA lawyer wrote back (in part),

Executive Orders (E.O.s) have the “force and effect of law.” That said, you are correct that E.O.s cannot override a statute.

The NSA has not revealed whether Snowden called the lawyer with further questions, as he invited Snowden to do. Nor have they said this email to Office of General Counsel is the only email Snowden sent (only that it’s the only one he sent to OGC).

Nevertheless, the email is really suggestive, particularly as it took place when Snowden had already started downloading a slew of information.

That’s because Snowden’s documents (and documents released in response to his leaks) reveal NSA has repeatedly used EO 12333 to push the limits of laws passed by Congress, if not to evade the law altogether.

Here are just two of numerous examples:

NSA Avoids Stricter Minimization Procedures Under the Phone Dragnet: The NSA has fairly strict minimization procedures under the Section 215-authorized phone dragnet, but only NSA’s internal rules (USSID 18) for the EO 12333-authorized phone dragnet. Nevertheless, for the first 3 years of the FISA-authorized program, NSA didn’t follow their Section 215 rules, instead applying the less stringent rules of USSID 18 (effectively letting a DOD Directive supersede the PATRIOT Act). In one of their most egregious violations discovered in 2009, they watch listed 3,000 US persons without giving those people the required First Amendment review, as required by minimization procedures written to fulfill the law. But instead of purging those records upon discovery (or even stopping the watchlisting), they just moved them into the EO 12333-only category. They just kept spying on the US persons using only data collected under EO 12333.

And these 2009 violations are not isolated. At least as recently as 2011, the NSA was still engaging in this authority arbitrage; a training program from that year makes it clear NSA trained analysts to re-run queries under EO 12333, if possible, to get around the dissemination requirements of Section 215. (Update: I’m not saying this particular arbitrage is illegal; it’s not. But it does show how NSA games these authorities.)

NSA Collects US Person Content by Getting It Overseas: Because of the structure of the Internet, a great deal of US person data exists overseas. We’ve seen discussion of this US person data overseas including at least email content, address books, videocam images, and location. But because NSA collects this via dragnet, not targeted collection, it claims it is not targeting any American, even though it permits the searching of EO 12333 data for US person content, apparently without even Reasonable Articulable Suspicion. And because it is not targeting Americans under their dragnet and back door loopholes, it does not apply FISA Amendment Act restrictions on collecting US person data overseas under Sections 703, 704, and 705. Effectively, it has the ability to avoid those restrictions entirely by using EO 12333 as a dodge.

I’m not the only one concerned about this: at a hearing in February, both Dianne Feinstein and (at more length) Mark Udall raised concerns with National Security Division Assistant Attorney General John Carlin, suggesting some of this EO 12333 data should be treated according to FISA. Carlin — who is supposed to be a key player in overseeing NSA — showed no interest in doing so.

In both these questions, NSA did not allow laws to take precedence over EO 12333. On the contrary, NSA just created ways that it could apply EO 12333 and ignore the law that should have or might have applied.

Not only does Snowden’s question make it clear that the NSA doesn’t make the precedence of law over EO 12333 clear in training, but the lawyer’s response was rather ambiguous on this point as well.

One thing we’ve learned from Snowden’s leaks is that the Executive is (at a minimum) evading the intent of Congress on some of its treatment of US person data. And by releasing this email as part of a pissing contest with Snowden, NSA has made it clear that’s by design, even in their most core training program.

NSA is not telling its analysts that laws passed by Congress — even those offering protection to US person data — must take precedence over the looser protections under EO 12333. Which may be why they’re comfortable collecting so much US person data under EO 12333.

Update: According to Snowden, I’m absolutely right.

Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. It also did not include concerns about how indefensible collection activities – such as breaking into the back-haul communications of major US internet companies – are sometimes concealed under E.O. 12333 to avoid Congressional reporting requirements and regulations.

What If the Democratic Response to Snowden Is to Expand Surveillance?

/30 Comments/in , , /by

I got distracted reading two pieces this morning. This great Andrew O’Hehir piece, on how those attacking Edward Snowden and Glenn Greenwald ought to consider the lesson of Justice Louis Brandeis’ dissent in Olmstead.

In the famous wiretapping case Olmstead v. United States, argued before the Supreme Court in 1928, Justice Louis Brandeis wrote one of the most influential dissenting opinionsin the history of American jurisprudence. Those who are currently engaged in what might be called the Establishment counterattack against Glenn Greenwald and Edward Snowden,including the eminent liberal journalists Michael Kinsley and George Packer, might benefit from giving it a close reading and a good, long think.

Brandeis’ understanding of the problems posed by a government that could spy on its own citizens without any practical limits was so far-sighted as to seem uncanny. (We’ll get to that.) But it was his conclusion that produced a flight of memorable rhetoric from one of the most eloquent stylists ever to sit on the federal bench. Government and its officers, Brandeis argued, must be held to the same rules and laws that command individual citizens. Once you start making special rules for the rulers and their police – for instance, the near-total impunity and thick scrim of secrecy behind which government espionage has operated for more than 60 years – you undermine the rule of law and the principles of democracy.

“Our Government is the potent, the omnipresent teacher,” Brandeis concluded. “For good or for ill, it teaches the whole people by its example. Crime is contagious. If the Government becomes a lawbreaker, it breeds contempt for law; it invites every man to become a law unto himself; it invites anarchy. To declare that in the administration of the criminal law the end justifies the means — to declare that the Government may commit crimes in order to secure the conviction of a private criminal — would bring terrible retribution.”

And this more problematic Eben Moglen piece talking about how Snowden revealed a threat to democracy we must now respond to.

So [Snowden] did what it takes great courage to do in the presence of what you believe to be radical injustice. He wasn’t first, he won’t be last, but he sacrificed his life as he knew it to tell us things we needed to know. Snowden committed espionage on behalf of the human race. He knew the price, he knew the reason. But as he said, only the American people could decide, by their response, whether sacrificing his life was worth it.

So our most important effort is to understand the message: to understand its context, purpose, and meaning, and to experience the consequences of having received the communication.

Even once we have understood, it will be difficult to judge Snowden, because there is always much to say on both sides when someone is greatly right too soon.

I raise them in tandem here because both address the threat of spying to something called democracy. And the second piece raises it amid the context of American Empire (he compares the US to the Roman decline into slavery).

I raise them here for two reasons.

First, because neither directly notes that Snowden claimed he leaked the documents to give us a choice, the “chance to determine if it should change itself.”

“For me, in terms of personal satisfaction, the mission’s already accomplished,” he said. “I already won. As soon as the journalists were able to work, everything that I had been trying to do was validated. Because, remember, I didn’t want to change society. I wanted to give society a chance to determine if it should change itself.”

“All I wanted was for the public to be able to have a say in how they are governed,” he said. “That is a milestone we left a long time ago. Right now, all we are looking at are stretch goals.”

Snowden, at least, claims to have contemplated the possibility that, given a choice, we won’t change how we’re governed.

And neither O’Hehir nor Moglen contemplates the state we’re currently in, in which what we call democracy is choosing to expand surveillance in response to Snowden’s disclosures.

Admittedly, the response to Snowden is not limited to HR 3361. I have long thought a more effective response might (or might not!) be found in courts — that if, if the legal process does not get pre-empted by legislation. I have long thought the pressure on Internet companies would be one of the most powerful engines of change, not our failed democratic process.

But as far as Congress is concerned, our stunted legislative process has started down the road of expanding surveillance in response to Edward Snowden.

And that’s where I find Moglen useful but also problematic.

He notes that the surveillance before us is not just part of domestic control (indeed, he actually pays less attention to the victims of domestic surveillance than I might have, but his is ultimately a technical argument), but also of Empire.

While I don’t think it’s the primary reason driving the democratic response to Snowden to increase surveillance (I think that also stems from the Deep State’s power and the influence of money on Congress, though many of the surveillance supporters in Congress are also supporting a certain model of US power), I think far too many people act on surveillance out of either explicit or implicit beliefs about the role of US hegemony.

There are some very rational self-interested reasons for Americans to embrace surveillance.

For the average American, there’s the pride that comes from living in the most powerful country in history, all the more so now that that power is under attack, and perhaps the belief that “Us” have a duty to take it to “Them” who currently threaten our power. And while most won’t acknowledge it, even the declining American standard of living still relies on our position atop the world power structure. We get cheap goods because America is the hegemonic power.

To the extent that spying on the rest of the world serves to shore up our hegemonic position then, the average American might well have reason to embrace the spying, because it keeps them in flat screen TVs.

But that privilege is just enjoyed by some in America. Moglen, tellingly, talks a lot about slavery but says nothing about Jim Crow or the other instruments of domestic oppression that have long used authoritarian measures against targeted populations to protect white male power. American history looked at not against the history of a slavery that is past, but rather against the continuity of history in which some people — usually poor and brown and/or female — don’t participate in the American “liberty” and “privacy” Moglen celebrates, our spying on the rest of the world is more of the same, a difference in reach but not in kind. Our war on drugs and war on terror spying domestically is of a piece with our dragnet internationally, if thus far more circumscribed by law (but that law is expanding and that will serve existing structures of power!).

But there’s another reason Americans — those of the Michael Kinsley and George Packer class — might embrace surveillance. That’s the notion that American hegemony is, for all its warts, the least bad power out there. I suspect Kinsley and (to a lesser extent) Packer would go further, saying that American power is affirmatively good for the rest of the world. And so we must use whatever it takes to sustain that power.

It sounds stupid when I say it that way. I’m definitely oversimplifying the thought process involved. Still, it is a good faith claim: that if the US curtails its omnipresent dragnet and China instead becomes the dominant world power (or, just as likely, global order will dissolve into chaos), we’ll all be worse off.

I do think there’s something to this belief, though it suppresses the other alternative — that the US could use this moment to improve the basis from which US exercises its hegemony rather than accept the increasingly coercive exercise of our power — or better yet use the twilight of our hegemony to embrace something more fair (and also something more likely to adequately respond to the global threat of climate change). But I do believe those who claim US hegemony serves the rest of the world believe it fairly uncritically.

One more thing. Those who believe that American power is affirmatively benign power may be inclined to think the old ways of ensuring that power — which includes a docile press — are justified. As much as journalism embraced an adversarial self-image after Watergate, the fundamentally complicit role of journalism really didn’t change for most. Thus, there remains a culture of journalism in which it was justified to tell stories to the American people — and the rest of the world — to sustain American power.

One of those stories, for example, is the narrative of freedom that Moglen embraces.

That is, for those who believe it is worth doing whatever it takes to sustain the purportedly benign American hegemon, it would be consistent to also believe that journalists must also do whatever it takes to sustain purportedly benign system of (white male) power domestically, which we call democracy but which doesn’t actually serve the needs of average Americans.

And for better or worse, those who embrace that power structure, either domestically and/or internationally, expanding surveillance is rational, so long as you ignore the collateral damage.

Update: Tempered critique of Packer because I agree he’s not embracing this journalist as narrative teller as much.

USA Freedumber Will Not Get Better in the “Prosecutors” Committee

/13 Comments/in /by

Having been badly outmaneuvered on USA Freedumber — what was sold as reform but is in my opinion an expansion of spying in several ways — in the House, civil liberties groups are promising a real fight in the Senate.

“This is going to be the fight of the summer,” vowed Gabe Rottman, legislative counsel with the American Civil Liberties Union.

If advocates are able to change the House bill’s language to prohibit NSA agents from collecting large quantities of data, “then that’s a win,” he added.

“The bill still is not ideal even with those changes, but that would be an improvement,” Rottman said.

[snip]

“We were of course very disappointed at the weakening of the bill,” said Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute. “Right now we really are turning our attention to the Senate to make sure that doesn’t happen again.”

[snip]

One factor working in the reformers’ favor is the strong support of Senate Judiciary Chairman Patrick Leahy (D-Vt.).

Unlike House Judiciary Chairman Bob Goodlatte (R-Va.), who only came to support the bill after negotiations to produce a manager’s amendment, Leahy was the lead Senate sponsor of the USA Freedom Act.

The fact that Leahy controls the committee gavel means he should be able to guide the bill through when it comes up for discussion next month, advocates said.

“The fact that he is the chairman and it’s his bill and this is an issue that he has been passionate about for many years” is comforting, Greene said.

I hope they prove me wrong. But claims this will get better in the Senate seem to ignore the recent history of the Senate Judiciary Committee’s involvement in surveillance bills, not to mention the likely vote counts.

It is true Pat Leahy wants real reform. And he has a few allies on SJC. But in recent years, every surveillance-related bill that came through SJC has been watered down when Dianne Feinstein offered an alternative (which Leahy sometimes adopted as a manager’s amendment, perhaps realizing he didn’t have the votes). After DiFi offered reform, Sheldon Whitehouse (who a number of less sophisticated SJC members look to as a guide on these issues) enthusiastically embraced it, and everyone fell into line. Often, a Republican comes in and offers a “bipartisan reform” (meaning conservative Republicans joining with the Deep State) that further guts the bill.

This is how the Administration (shacking up with Jeff Sessions) defeated an effort to rein in Section 215 and Pen Registers in 2009.

This is how DiFi defeated an effort to close the backdoor loophole in 2012.

As this was happening in 2009, Russ Feingold called out SJC for acting as if it were the “Prosecutors Committee,” rather than the Judiciary Committee.

(Note, in both of those cases as well as on the original passage of Section 702, I understood fairly clearly what the efforts to stymie reform would do, up to 4 years before those programs were publicly revealed; I’ve got a pretty good record on this front!)

And if you don’t believe this is going to happen again, tell me why this whip count is wrong:

Screen shot 2014-05-26 at 5.18.49 PM

If my read here is right, the best case scenario — short of convincing Sheldon Whitehouse some of what the government wants to do is unconstitutional, which John Bates has already ruled that it is — is relying on people like Ted Cruz (whose posturing on civil liberties is often no more than that) and Jeff Flake (who was great on these issues in the House but has been silent and absent throughout this entire debate). And that’s all to reach a 9-9 tie in SJC.

Which shouldn’t be surprising. Had Leahy had the votes to move USA Freedom Act through SJC, he would have done so in October.

That was the entire point of starting in the House: because there was such a large number of people (albeit, for the  most part without gavels) supporting real reform in the House. But because reformers (starting with John Conyers and Jerry Nadler) uncritically accepted a bad compromise and then let it be gutted, that leverage was squandered.

Right now, we’re looking at a bill that outsources an expanded phone dragnet to the telecoms (with some advantages and some drawbacks), but along the way resets other programs to what they were before the FISC reined them in from 2009 to 2011. That’s the starting point. With a vote count that leaves us susceptible to further corruption of the bill along the way.

Edward Snowden risked his freedom to try to rein in the dragnet, and instead, as of right now it looks like Congress will expand it.

Update: I’ve moved Richard Blumenthal into the “pro reform” category based on this statement after the passage of USA Freedumber. Thanks to Katherine Hawkins for alerting me to the statement.

Why Can’t Jason Leopold Have the Information Mike Rogers Already Leaked, and in Less Than Four Months?

/4 Comments/in , /by

131218 Snowden Report
Noted FOIA terrorist Jason Leopold liberated a copy of the Defense Intelligence Agency’s damage assessment about Edward Snowden’s leaks (story, document).

The report, as anticipated, doesn’t appear to talk about actual damage DOD has suffered. Instead, it appears to talk about the damage that might happen if the information that has been “compromised” (that is, accessed by Snowden’s scraper) actually gets released.

But we can’t really tell because the report is heavily redacted (the screen shot here and the top of the first page is the most intact section of the report).

Which is odd, given that — as Shane Harris reported in January (and I noted here) — the Administration declassified some of this report so it could be leaked to discredit Snowden.

A congressional staffer who is familiar with the report’s findings said that the lawmakers chose to make some of its contents public in order to counter what they see as a false impression of Snowden as a principled whistleblower who disclosed abuses of power.

“Snowden has been made out by some people to be a hero. What we need to do is really look at the effect of his leaks and see that what he’s done is really harm our country and put citizens at risk. The purpose [of releasing some findings] is to clear the record and show that he’s not a hero,” the staffer told Foreign Policy.

The staffer said that the administration approved the information that the lawmakers disclosed in advance.

Which makes the timing of this even weirder. It took the Administration no more than 23 days to provide the report to Mike Rogers and Dutch Ruppersberger and then approve the language they went on to blab.

But it has taken DOD around 4 months — and  a lawsuit — for Leopold to get what little he got.

And, as he mentions in his story, he hasn’t even gotten the information that must be among the information okayed for blabbing

Here’s the information (italicized) that must have been okayed for blabbing.

A Pentagon review has concluded that the disclosure of classified documents taken by former NSA contractor Edward Snowden could “gravely impact” America’s national security and risk the lives of U.S. military personnel, and that leaks to journalists have already revealed sources and methods of intelligence operations to America’s adversaries. At least, that’s how two members of Congress who have read the classified report are characterizing its findings. But the lawmakers — who are working in coordination with the Obama administration and are trying to counter the narrative that Snowden is a heroic whistleblower — offered no specific examples to substantiate their claims.

In harsh language that all but accused Snowden of treason, the top members of the House Intelligence Committee said the report shows that Snowden downloaded “1.7 million intelligence files,” which they described as “the single largest theft of secrets in the history of the United States.”

While the phrase “will have a GRAVE impact on U.S. national defense” [caps original] is unredacted in the report, neither the number — 1.7 million intelligence files” — nor the superlative claim — “the single largest theft of secrets in the history of the US” — appears unredacted in Leopold’s version of the report.

That is, either Rogers and Ruppersberger made that shit up. Or the Obama Administration is selectively declassifying again.

And taking their sweet time to do so.

NSA Collection: Show Me the $$

/27 Comments/in /by

As part of its superb piece on NSA spying on Tuesday, Frontline included interviews with key sources. In my opinion, the most enlightening was that with former HPSCI staffer Diane Roark, so you should read that entire interview (especially her comments on NSA at 9/11).

Both she and Tom Drake mention a part of the illegal NSA program that has been largely forgotten: the financial records. Here’s Roark’s non-denial.

And from what you knew at that point, what type of information was taken, and how pervasive was the collection?

It is now quite obvious, since the Snowden revelations, that the program grew progressively over time. Initially, I knew that it involved a lot of broad domestic surveillance, bulk collection, domestically. And I knew that it involved emails, landlines, regular house phones, cell phones. I also knew that they had branched out into non-communications data.

Which is what, bank records? 

I’m not really — they have not acknowledged that. All I can tell you is that when I met the second time with Gen. Hayden in July, I said to him that it appeared the program was expanding, not only in number of servers, but also that two new data categories had recently been added, and he nodded to confirm that. I knew that one of those data programs was not communications data. …

And other commentators have made allusions to other personal data that may be collected. Of course, we all know that transportation data, airline data is connected. We know that international banking data is collected; that has been acknowledged. But there have been allusions to other items, too, by people hypothetically, such as credit, medical, banking and so on.

And here’s Drake’s more explicit mention of it.

You watched the president [George W. Bush] come out and say this is a valuable program; one side of the communications has to be outside; we’re following terrorists; this has prevented attacks on our country. The vice president [Dick Cheney] attacks the Times for publishing. You’re watching this, and you know what’s going on inside. What are you thinking?

This actually was part of the triggering event for me in which increasingly I knew I was going to have to touch the third rail, back to your earlier question. I realized that they were lying, that they were desperate to protect the domestic surveillance program. And so they could use the excuse, although it was still in violation of FISA, that as long as one link somehow was tied to a suspected terrorist, that justified collecting or targeting the link that was in the United States proper.

That was just the tip of the iceberg. The far larger program was the dragnet surveillance, the vast bulk copy of millions and millions of phone records, email records, Internet usage and financial transactional and credit card information.

Since the Snowden leaks started we’ve heard almost nothing about this. There have been the two stories about the CIA collecting Western Union records with at least one end foreign. There is the 2010 Section 215 order tied to an allegedly specific investigation, which must long post-date the CIA-related orders.

What happened to this collection? Is it the April 2, 2004 modification we have never learned about? Is it the second secret Section 215 appendix included in Glenn Fine’s 2008 report? Have they been accomplishing this via NSLs, or perhaps only recently moved it to Section 215? I have suggested in the past that for domestic records, FBI would be the likely lead … is that right?

The financial records collection has, outside of Shane Harris’ book (on TIA), completely disappeared.

But it must be under a new shell somewhere.

Chuck Grassley: Insider Threat Program Poses Threat to Whistleblowers

/16 Comments/in /by

Chuck Grassley rarely gets the credit he deserves for championing whistleblowers. But, while there have been notable exceptions, Grassley has long defended both generalized protections for whistleblowers, as well as whistleblowers themselves.

Yesterday, he gave a long speech on the Whistleblower Protection Act. As part of it, he laid out a number of ways President Obama’s Insider Threat detection program threatened whistleblowers.

He described how the FBI has refused to explain whether Insider Threat Program training adequately distinguishes between whistleblowers and inside threats. Just last week, FBI walked out in the middle of a briefing for Grassley and Pat Leahy!

Meanwhile, the FBI fiercely resists any efforts at Congressional oversight, especially on whistleblower matters.  For example, four months ago I sent a letter to the FBI requesting its training materials on the Insider Threat Program.  This program was announced by the Obama Administration in October 2011.  It was intended to train federal employees to watch out for insider threats among their colleagues.  Public news reports indicated that this program might not do enough to distinguish between true insider threats and legitimate whistleblowers.  I relayed these concerns in my letter.  I also asked for copies of the training materials.  I said I wanted to examine whether they adequately distinguished between insider threats and whistleblowers.

In response, an FBI legislative affairs official told my staff that a briefing might be the best way to answer my questions.  It was scheduled for last week.  Staff for both Chairman Leahy and I attended, and the FBI brought the head of their Insider Threat Program.  Yet the FBI didn’t bring the Insider Threat training materials as we had requested.  However, the head of the Insider Threat Program told the staff that there was no need to worry about whistleblower communications.  He said whistleblowers had to register in order to be protected, and the Insider Threat Program would know to just avoid those people.

Now I have never heard of whistleblowers being required to “register” in order to be protected.  The idea of such a requirement should be pretty alarming to all Americans.  Sometimes confidentiality is the best protection a whistleblower has.  Unfortunately, neither my staff nor Chairman Leahy’s staff was able to learn more, because only about ten minutes into the briefing, the FBI abruptly walked out.  FBI officials simply refused to discuss any whistleblower implications in its Insider Threat Program and left the room.  These are clearly not the actions of an agency that is genuinely open to whistleblowers or whistleblower protection.

Grassley raises concerns that the monitoring of intelligence community employees will help the IC track whistleblowers who communicate properly to Congress.

Like the FBI, the intelligence community has to confront the same issue of distinguishing a true insider threat from a legitimate whistleblower.  This issue could be impacted by both the House- and Senate-passed versions of the intelligence authorization.  Both include language about continuous monitoring of security clearance holders, particularly the House version.

Director of National Intelligence James Clapper seems to have talked about such procedures when he appeared before the Senate Armed Services Committee on February 11, 2014.  In his testimony, he said:

We are going to proliferate deployment of auditing and monitoring capabilities to enhance our insider threat detection.  We’re going to need to change our security clearance process to a system of continuous evaluation. . . .  What we need is . . . a system of continuous evaluation, where . . . we have a way of monitoring their behavior, both their electronic behavior on the job as well as off the job, to see if there is a potential clearance issue. . . .

Director Clapper’s testimony gives me major pause.  It sounds as though this type of monitoring would likely capture the activity of whistleblowers communicating with Congress.

Read more

Fingerprints and the Phone Dragnet’s Secret “Correlations” Order

/22 Comments/in , , /by

Yesterday, I noted that ODNI is withholding a supplemental opinion approved on August 20, 2008 that almost certainly approved the tracking of “correlations” among the phone dragnet (though this surely extends to the Internet dragnet as well).

I pointed out that documents released by Edward Snowden suggest the use of correlations extends well beyond the search for “burner” phones.

At almost precisely the same time, Snowden was testifying to the EU. The first question he answered served to clarify what “fingerprints” are and how XKeyscore uses them to track a range of innocent activities. (This starts after 11:16, transcription mine.)

It has been reported that the NSA’s XKeyscore for interacting with the raw signals intercepted by mass surveillance programs allow for the creation of something that is called “fingerprints.”

I’d like to explain what that really means. The answer will be somewhat technical for a parliamentary setting, but these fingerprints can be used to construct a kind of unique signature for any individual or group’s communications which are often comprised of a collection of “selectors” such as email addresses, phone numbers, or user names.

This allows State Security Bureaus to instantly identify the movements and activities of you, your computers, or other devices, your personal Internet accounts, or even key words or other uncommon strings that indicate an individual or group, out of all the communications they intercept in the world are associated with that particular communication. Much like a fingerprint that you would leave on a handle of your door or your steering wheel for your car and so on.

However, though that has been reported, that is the smallest part of the NSA’s fingerprinting capability. You must first understand that any kind of Internet traffic that passes before these mass surveillance sensors can be analyzed in a protocol agnostic manner — metadata and content, both. And it can be today, right now, searched not only with very little effort, via a complex regular expression, which is a type of shorthand programming. But also via any algorithm an analyst can implement in popular high level programming languages. Now, this is very common for technicians. It not a significant work load, it’s quite easy.

This provides a capability for analysts to do things like associate unique identifiers assigned to untargeted individuals via unencrypted commercial advertising networks through cookies or other trackers — common tracking means used by businesses everyday on the Internet — with personal details, such as individuals’ precise identity, personal identity, their geographic location, their political affiliations, their place of work, their computer operating system and other technical details, their sexual orientation, their personal interests, and so on and so forth. There are very few practical limitations to the kind of analysis that can be technically performed in this manner, short of the actual imagination of the analysts themselves.

And this kind of complex analysis is in fact performed today using these systems. I can say, with authority, that the US government’s claim that “keyword filters,” searches, or “about” analysis, had not been performed by its intelligence agencies are, in fact, false. I know this because I have personally executed such searches with the explicit authorization of US government officials. And I can personally attest that these kind of searches may scrutinize communications of both American and European Union citizens without involvement of any judicial warrants or other prior legal review.

What this means in non-technical terms, more generally, is that I, an analyst working at NSA, or, more concerningly, an analyst working for a more authoritarian government elsewhere, can without the issue of any warrant, create an algorithm that for any given time period, with or without human involvement, sets aside the communications of not only targeted individuals, but even a class of individual, and that just indications of an activity — or even just indications of an activity that I as the analyst don’t approve of — something that I consider to be nefarious, or to indicate nefarious thoughts, or pre-criminal activity, even if there’s no evidence or indication that’s in fact what’s happening. that it’s not innocent behavior. Read more

Keith Alexander’s Bubble Floats into the Sunset of Defense Contractor Sinecures

/11 Comments/in /by
Screen shot 2013-11-27 at 11.11.07 AM

In a training program developed in 2009, the NSA itself identified abuses it likened to Projects Shamrock and Minaret.

Today, LAT has an extremely friendly exit interview with Keith Alexander that nevertheless depicts the now-retired General as hopelessly lost inside a bubble far removed from those who paid his salary. It depicts Alexander confusing objections to what NSA’s leaders have ordered with what the presumably honorable people who implement those decisions.

But something else seems likely to shape the legacy of the NSA’s longest-serving director, who retired Friday: something that Alexander failed to anticipate, did not prepare for and even now has trouble understanding.
Thanks to Edward Snowden, a former NSA contractor, the world came to know many of the agency’s most carefully guarded secrets. Ten months after the disclosures began, Alexander remains disturbed, and somewhat baffled, by the intensity of the public reaction.
“I think our nation has drifted into the wrong place,” he said in an interview last week. “We need to recognize that those who are working to protect our nation are not the bad people.

I find it particularly troubling that Alexander sees in skepticism about authority the nation “drifting into the wrong place.”

The profile goes on to convey Alexander’s laughable belief that what has been depicted since June is the model of oversight.

When Snowden’s disclosures began, Alexander and his deputies knew they were in for a storm. But they felt sure the American public would be comforted when they learned of the agency’s internal controls and the layers of oversight by Congress, the White House and a federal court.
“For the first week or so, we all had this idea that we had nothing to be ashamed of, and that everyone who looked at this in context would quickly agree with us,” Inglis said.
Instead, polls show, many Americans believe that the NSA is reading their emails and listening to their phone calls. A libertarian group put an advertisement in the Washington transit system calling Alexander, a 62-year-old career military officer, a liar. U.S. technology companies are crying betrayal.

Side note: it would be useful if LAT noted that in fact the disclosures do show that the NSA is conducting warrantless back door searches on US person emails, rather than using the conjunction “instead” suggesting this impression is false. And that’s all before you get into the vast collection overseas and upstream for which NSA refuses to count US person data.

I’m particularly interested in Alexander’s attempt to distinguish this scandal from the scandals of the 1970s.

He sees a fundamental difference between the intelligence abuses uncovered by Congress in the 1970s — including revelations that the NSA spied without warrants on domestic dissidents — and the programs exposed by Snowden.
“What the Church and Pike committees found” nearly 40 years ago was “that people were doing things that were wrong. That’s not happening here,” Alexander said, referring to the panels headed by Sen. Frank Church (D-Idaho) and Rep. Otis Pike (D-N.Y.) that examined intelligence-agency activities in that era.

As I have noted repeatedly, 4 years into Alexander’s tenure, the NSA itself likened some of its abuses to Projects Shamrock and Minaret. So perhaps Alexander should at least cede that under his leadership, the NSA was also doing things that it itself considered to be analogues to those earlier scandals (and yes, they violated the law and limits of the programs in question).

Even the LAT conducts a soft fact check of Alexander’s claim that the President’s Review Group and PCLOB found a model of oversight.

Outside reviews, including one released in December by a presidential task force, he said, found that “lo and behold, NSA is doing everything we asked them to do, and if they screw up, they self-report.”
The task force reported it found “no evidence of illegality or other abuse of authority for the purpose of targeting domestic political activity.” But it also noted “serious and persistent instances of noncompliance” with privacy and other rules. Even if unintentional, those violations “raise serious concerns” about the NSA’s “capacity to manage its authorities in an effective and lawful manner,” the report said.

I’d go further, too, and point out that this self-reporting only came with the greater involvement of DOJ’s National Security Division, after years of NSA not reporting these violations. Even months into one of those incidents, the NSA was failing to report its violations to the FISC without NSD involvement.

But perhaps the most egregious example of Alexander’s bubble comes in his assessment of the Snowden leaks themselves.

The ease with which Snowden removed top-secret documents also embarrassed an agency that is supposed to be the first line of defense against cyberattacks.
In July, Alexander offered to resign, but the White House turned him down, he said. He didn’t think holding other senior officials accountable would be right because a massive theft of documents by a systems administrator could not have been foreseen, he added.

Are you kidding me? First, how is it that the NSA couldn’t anticipate the large scale exfiltration of documents via removable media in the 3 years after Chelsea Manning did so? And why didn’t NSA comply with requirements to implement software to prevent just that, the kind of software Alexander insists his agency should have on our private communications? But note what else doesn’t get mentioned, as Alexander rides off into the sunset of generous defense contractor sinecures? Not only didn’t Alexander hold his subordinates responsible, but he didn’t hold Booz responsible, the company under whose lucrative eyeballs Snowden did this work.

As of Friday, the Bubble General is gone into retirement. While I fully expect soon-to-be Admiral Mike Rogers to be just as aggressive in hiding the scope of his programs and doing what he can because he can, I do hope he is not this detached from the reality in which he works.