Posts

8 Years Later, NSA Still Using Same PR Strategy to Hide Illegal Wiretap Program

Between these two posts (one, two), I’ve shown that the Executive Branch never stopped illegally wiretapping Americans, even after the worst part of it got “shut down” after the March 2004 hospital confrontation. Instead, they got FISC to approve collection with certain rules, then violated the rules consistently. When that scheme was exposed with the transition between the Bush and Obama Administrations, the Executive adopted two new strategies to hide the illegal wiretapping. First, simply not counting how many Americans they were illegally wiretapping, thus avoiding explicit violation of 50 USC 1809(a)(2). And, starting just as the Executive was confessing to its illegal wiretapping, moving — and expanding it — overseas. Given that they’re collecting content, that is a violation in spirit, at least, of Section 704 of FISA Amendments Act, which requires a warrant for wiretapping an American overseas (the government probably says this doesn’t apply because GCHQ does much of the wiretapping).

One big discovery the Snowden leaks have shown us, then, is that the government has never really stopped Bush’s illegal wiretapping program.

That actually shows in the PR response the government has adopted, which has consisted of an affirmative and a negative approach. The affirmative approach emphasizes the programs — PATRIOT Act Section 215 and Section 702 of FAA — that paralleled the illegal wiretap program (I’m not conceding either is constitutional, but only the upstream collection under 702 has been deemed an explicit violation of the law). This has allowed the government to release a blizzard of documents — Transparency!™ — that reveals some shocking disclosures, without revealing the bigger illegal programs. But note how, when the revelations touched on the Internet dragnet (which should be no more revelatory than the phone dragnet), ODNI tried to obscure basic details by hiding dates (even if they left those dates in one URL).

Meanwhile, the I Con has invested energy in trying to undermine every story that touches on the larger illegal wiretapping programs.

The Stalker Outside Your Window: The NSA and a Belated Horror Story

[photo: Gwen’s River City Images via Flickr]

It’s a shame Halloween has already come and gone. The reaction to Monday’s Washington Post The Switch blogpost reminds me of a particularly scary horror story, in which a young woman alone in a home receives vicious, threatening calls.

There’s a sense of security vested in the idea that the caller is outside the house and the woman is tucked safely in the bosom of her home. Phew, she’s safe; nothing to see here, move along…

In reality the caller is camped directly outside the woman’s window, watching every move she makes even as she assures herself that everything is fine.

After a tepid reaction to the initial reporting last week, most media and their audience took very little notice of the Washington Post’s followup piece — what a pity, as it was the singular voice confirming the threat sits immediately outside the window.

Your window, as it were, if you have an account with either Yahoo or Google and use their products. The National Security Agency has access to users’ content inside the corporate fenceline for each of these social media firms, greasy nose pressed to glass while peering in the users’ windows.

There’s more to the story, one might suspect, which has yet to be reported. The disclosure that the NSA’s slides reflected Remote Procedure Calls (RPCs) unique to Google and Yahoo internal systems is only part of the picture, though this should be quite frightening as it is.

Access to proprietary RPCs means — at a minimum — that the NSA has:

1) Access to content and commands moving in and out of Google’s and Yahoo’s servers, between their own servers — the closest thing to actually being inside these corporations’ servers.

2) With these RPCs, the NSA has the ability to construct remote login access to the servers without the businesses’ awareness. RPCs by their nature require remote access login permissions.

3) Construction through reverse engineering of proprietary RPCs could be performed without any other governmental bodies’ awareness, assuming the committees responsible for oversight did not explicitly authorize access to and use of RPCs during engineering of the MUSCULAR/SERENDIPITY/MARINA and other related tapping/monitoring/collection applications.

4) All users’ login requests are a form of RPC — every single account holder’s login may have been gathered. This includes government employees and elected officials as well as journalists who may have alternate accounts in either Gmail or Yahoo mail that they use as a backup in case their primary government/business account fails, or in the case of journalists, as a backchannel for handling news tips.

The Smartest European Blowback In the World

For the record, I think European and Brazilian efforts to crack down on US cloud companies — especially Google — are mostly just an effort to gain further access to the data themselves and create more competitive conditions for their countries’ own companies (see an interesting development on the Google front here). But here is the kind of development that will slow the expansion of the US dragnet.

AT&T Inc.’s ambitions to expand in Europe have run into unexpected hurdles amid the growing outcry across the region over surveillance by the National Security Agency. German and other European officials said any attempt by AT&T to acquire a major wireless operator would face intense scrutiny, given the company’s work with the U.S. agency’s data-collection programs.

Resistance to such a deal, voiced by officials in interviews across Europe, suggests the impact of the NSA affair could extend beyond the diplomatic sphere and damage U.S. economic interests in key markets. AT&T Chief Executive Randall Stephenson has signaled repeatedly in recent months that he is interested in buying a mobile-network operator in Europe, highlighting the potential for growth on the continent at a time when the U.S. company faces headwinds at home.

On Wall Street, many bankers, investors and analysts expect AT&T to make a bid for Vodafone Group PLC, which owns cellphone networks across Europe, as early as the first half of next year.

No matter what other efforts other countries put into place to limit the US dragnet, until they take away access to the telecom backbone and/or until private companies dramatically improve their own security, the US government is just going to take what it wants (Indeed, I have been wondering whether the US push to privatize telecoms starting as early as the 1980s served, in part, to make it easier to find “partners” in accessing data signals).

To allow AT&T — one of NSA’s longest, most willing partners — to become a big player in Europe would simply provide that access.

I’m mildly sorry for Google and Yahoo, particularly because they’ve had their signals stolen for years and have resisted the NSA in various ways, only some of which have been effective.

But if AT&T gets locked out of overseas expansion because it is effectively just an arm of the NSA, I will applaud.

NSA Non-Denial Denial 241,352,052

Here’s the best the NSA could come up with to deny the WaPo’s report about how it steals data from Google and Yahoo overseas.

NSA has multiple authorities that it uses to accomplish its mission, which is centered on defending the nation. The Washington Post’s assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and FAA 702 is not true.

NSA seems defensive about WaPo’s suggestion they used EO 12333 — if they did — for this collection. But note that David Kris suggests at least one other possibility for this “vacuum cleaner” collection, voluntary production (as well as procedures subordinate to EO 12333), so it’s possible they didn’t use EO 12333. Maybe the first line is meant to suggest at least one of these providers did cough this up voluntarily (which I think past reporting might support).

NSA then engages in the most delectable projection ever, in which it takes this comment from its biggest apologist this side of Michael Hayden, John Schindler, and suggests the WaPo made the assertion.

Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to “full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.

Outside U.S. territory, statutory restrictions on surveillance seldom apply and the Foreign Intelligence Surveillance Court has no jurisdiction. Senate Intelligence Committee Chairwoman Dianne Feinstein has acknowledged that Congress conducts little oversight of intelligence-gathering under the presidential authority of Executive Order 12333, which defines the basic powers and responsibilities of the intelligence agencies.

John Schindler, a former NSA chief analyst and frequent defender who teaches at the Naval War College, said it was obvious why the agency would prefer to avoid restrictions where it can.

“Look, NSA has platoons of lawyers and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,” he said. “It’s fair to say the rules are less restrictive under Executive Order 12333 than they are under FISA.” [my emphasis]

The WaPo didn’t make the assertion, NSA’s most loyal voice on Twitter did.

Why Swim Upstream Overseas?

[image: Screen shot 2013-10-30 at 1.23.18 PM]

In 2011, when John Bates declared the existing upstream collection illegal, he didn’t stop the practice. Instead, he imposed new minimization procedures on part of the collection (just that part that included transactions including communications that were completely unrelated to the search terms used). He required that collection be segregated. And he wrung assurances from NSA they wouldn’t do things — like search on data collected via upstream collection — that they could do with data collected under PRISM.

In short, it was actually a pretty permissive ruling, allowing the NSA to continue collecting upstream data, at least for the terms and purposes they had claimed they were using it for.

So why go to the trouble of stealing data from Google and Yahoo links overseas instead of through PRISM — a question The Switch asks here — and upstream collection here?

Obviously, one of the problems is encryption. The graphic above makes it very clear NSA/GCHQ are trying to avoid Google’s default and Yahoo’s available SSL protection. Which means they can’t do the same kind of upstream collection on encrypted content.

Now it’s clear from the aftermath of the 2011 ruling — in the way Google and Yahoo had to invest a lot to keep responding to new orders — that PRISM collection in the US is tied in some way to that upstream collection. Julian Sanchez suggests Google and Yahoo may now be unwilling to do keyword (actually key-selector, since some of these would be code) searches. And that may be the case (though it’s hard to see how they could refuse an order requiring that, given that the telecoms were responding to similar orders).

There are a few other possibilities, though.

First, remember that NSA wanted to continue its collection practice as it existed, with no changes. It considered appealing Bates’ decision. And it resisted his demands they clean up existing illegally collected data.

So it may be they simply continued doing what they were doing by stealing this data overseas. But that would only make sense if MUSCULAR dates to 2012, when Bates imposed new restrictions.

It’s also possible some of the restrictions he imposed wouldn’t allow NSA to accomplish what it wanted to. One possibility is his requirement that NSA segregate this collection. Another is his refusal to let NSA search “incidentally” collected data.

A third possibility is that other FISC restrictions — such as limits on how many contact chains one could do on Internet metadata (WaPo makes it clear this collection includes metadata) — provided reason to evade FISC as well.

Finally, I wonder whether the types of targets they’re pursuing have anything to do with this. For a variety of reasons, I’ve come to suspect NSA only uses Section 702 for three kinds of targets.

  • Terrorists
  • Arms proliferators
  • Hackers and other cyber-attackers

According to the plain letter of Section 702 there shouldn’t be this limitation; Section 702 should be available for any foreign intelligence purpose. But it’s possible that some of the FISC rulings — perhaps even the 2007-8 one pertaining to Yahoo (which the government is in the process of declassifying as we speak) — rely on a special needs exception to the Fourth Amendment tied to these three types of threats (with the assumption being that other foreign intelligence targets don’t infiltrate the US like these do).

Which would make this passage one of the most revealing of the WaPo piece.

One weekly report on MUSCULAR says the British operators of the site allow the NSA to contribute 100,000 “selectors,” or search terms. That is more than twice the number in use in the PRISM program, but even 100,000 cannot easily account for the millions of records that are said to be sent back to Fort Meade each day.

Given that NSA is using twice as many selectors, it is likely the NSA is searching on content outside whatever parameters that FISC sets for it, perhaps on completely unrelated topics altogether. This may well be foreign intelligence, but it may not be content the FISC has deemed worthy of this kind of intrusive search.

That’s just a wildarsed guess. But I do think it possible FISC has already told the NSA — whether it be in the 2011 opinion, opinions tied to the Internet dragnet problems (which themselves may have imposed limits on just this kind of behavior), or on the original PAA/FAA opinions themselves — that this collection violated the Fourth Amendment.

In which case the prediction Russ Feingold made back in 2007 — “So in other words, if they don’t like what we [or the FISA Court] come up with, they can just go back to Article II” — would prove, as so many Feingold comments have, prescient.

NSA Returns to Stealing from Yahoo and Google

[image: Screen shot 2013-10-30 at 1.23.18 PM]

The entire point of the Protect America Act and FISA Amendments Act was to provide a way for NSA to collect data from Yahoo and Google without stealing it from telecom switches, which is what they had been doing for 6 years. That was the primary goal: provide a legal means, with oversight, to collect intelligence from the multinational US-based Internet companies that dominated the free email market.

Yet, as I’ve been predicting for weeks, that wasn’t good enough for NSA. In addition to all the intelligence they collect legally using PRISM under Section 702 authority, it turns out they’ve been busy returning to their thieving ways.

The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from among hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.

The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, GCHQ. From undisclosed interception points, the NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.

Mind you, the apologists will say that breaking into Yahoo and Google’s internal clouds to steal this information isn’t stealing because it takes place overseas, and therefore doesn’t have to abide by FISA, and therefore just amounts to normal old spying.

Case in point:

Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to “full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.

Outside U.S. territory, statutory restrictions on surveillance seldom apply and the Foreign Intelligence Surveillance Court has no jurisdiction. Senate Intelligence Committee Chairwoman Dianne Feinstein has acknowledged that Congress conducts little oversight of intelligence-gathering under the presidential authority of Executive Order 12333, which defines the basic powers and responsibilities of the intelligence agencies.

John Schindler, a former NSA chief analyst and frequent defender who teaches at the Naval War College, said it was obvious why the agency would prefer to avoid restrictions where it can.

“Look, NSA has platoons of lawyers and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,” he said. “It’s fair to say the rules are less restrictive under Executive Order 12333 than they are under FISA.”

But as I noted in this post, there’s at least an argument to be made that the 2011 John Bates decision ruling Section 702 upstream collection intentional and the existing FAA (that is, far more stringent than the 12333) minimization procedures insufficient under the Fourth Amendment would apply here, making the exposure of US person data under this collection a constitutional violation. And all that’s assuming there’s a purpose, like terrorism, that would warrant (heh) a special needs exception. With such bulk collection and nonexistent oversight, it’s not clear such a case could be made.

So stealing. And in the process doing enormous damage to two important American companies.

There’s one odd thing about this article though. Notice the absence of any discussion of Microsoft?

6 Years Later, Are the Internet Companies Trying to Expose Telecoms Stealing Their Data, Again?

Update: And now this, too, has been halted because of the shutdown (h/t Mike Scarcella). This motion suggests the government asked the Internet companies for a stay on Friday. This one suggests the Internet companies asked the government for access to the classified information in the government filing, but the government told them they can’t consider that during the shut-down. 

As Time lays out, unlike several of the other NSA-related transparency lawsuits, the fight between the government and some Internet companies (Google, Yahoo, Facebook, Microsoft, and LinkedIn, with Dropbox as amicus) continues even under government shut-down. The government’s brief and declaration opposing the Internet bid for more transparency is now available on the FISA Court docket.

Those documents — along with an evolving understanding of how EO 12333 collection works with FISA collection — raise new questions about the reasons behind the government’s opposition.

When the Internet companies originally demanded the government permit them to provide somewhat detailed numbers on how much information they provide the government, I thought some companies — Google and Yahoo, I imagined — aimed to show they were much less helpful to the government than others, like Microsoft. But, Microsoft joined in, and it has become instead a showdown with Internet companies together challenging the government.

Meanwhile, the phone companies are asking for no such transparency, though one Verizon Exec explicitly accused the Internet companies of grandstanding.

In a media briefing in Tokyo, Stratton, the former chief operating officer of Verizon Wireless, said the company is “compelled” to abide by the law in each country that it operates in, and accused companies such as Microsoft, Google, and Yahoo of playing up to their customers’ indignation at the information contained in the continuing Snowden leak saga.

Stratton said that he appreciated that “consumer-centric IT firms” such as Yahoo, Google, Microsoft needed to “grandstand a bit, and wave their arms and protest loudly so as not to offend the sensibility of their customers.”

“This is a more important issue than that which is generated in a press release. This is a matter of national security.”

Stratton said the larger issue that failed to be addressed in the actions of the companies is of keeping security and liberty in balance.

“There is another question that needs to be kept in the balance, which is a question of civil liberty and the rights of the individual citizen in the context of that broader set of protections that the government seeks to create in its society.”

With that in mind, consider these fascinating details from the government filings.

  • The FBI — not the NSA — is named as the classification authority and submits the declaration (from Acting Executive Assistant Director Andrew McCabe) defending the government’s secrecy claims
  • The government seems concerned about breaking out metadata numbers from content (or non-content from non-content and content, as Microsoft describes it), even while suggesting this is about providing our “adversaries” hints about how to avoid surveillance
  • The government suggests some of what the Internet companies might disclose doesn’t fall under FISC’s jurisdiction

All of these details lead me to suspect (and this is a wildarsed guess) that what the government is really trying to hide here is how they use upstream metadata collection under 12333 to develop relatively pinpointed requests for content from Internet companies. If the Internet companies disclosed that, it would not only make their response seem much more circumscribed than what we’ve learned about PRISM, but more importantly, it would reveal how the upstream, unsupervised collection of metadata off telecom switches serves to target this collection.

The FBI as declarant

Begin with the fact that the FBI — and not NSA or ODNI — is the declarant here. I can think of two possible reasons for this.

One, that much of the collection from Internet companies is done via NSL or another statute for which the FBI, not the NSA, would submit the request. There are a number of references to NSLs in the filings that might support this reading. [Correction: FBI is not required to submit NSLs in all cases, but they are in 18 USC 2709, which applies here.]

It’s also possible, though, that the Internet companies only turn over information if it involves US persons, and that the government gets all other content under EO 12333. As with NSLs, the FBI submits applications specifically for US person data, not the NSA. But if that’s the case, then this might point to massive parallel construction, hiding that much of the US person data they collect comes without FISC supervision.

And remember — the FBI seems to have had the authority to search incidentally collected (presumably, via whatever means) US person data before the NSA asked for such authority in 2011.

There may be other possibilities, but whatever it is, it seems that the FBI would only be the classification authority appropriate to respond here if they are the primary interlocutor with the Internet companies — at least within the context of collection achieved under the FISA Court’s authority.

Breaking out metadata from content numbers and revealing “timing”

While the government makes an argument that revealing provider specific information would help “adversaries” to avoid surveillance, two other issues seem to be of more acute concern.

First, it suggests Google and Microsoft’s request to break out requests by FISA provision — and especially Microsoft’s request to “disclose separate categories for ‘non-content’ requests and ‘content and non-content’ requests” — brought negotiations to a head (see 2-3). This suggests we would see a pretty surprising imbalance there — perhaps (if my theory that the FBI goes to Internet companies only for US person data is correct) primarily specific orders (though that would seem to contradict the PRISM slide that suggested it operated under Section 702). It also suggests that the Internet companies may be providing either primarily content or primarily metadata, not both (as we might expect under PRISM).

The government is also concerned about revealing “the timing of when the Government acquires certain surveillance capabilities.” (see brief 19; the brief references McCabe’s discussion of timing, but the discussion is entirely redacted). That’s interesting because these are to a large extent (though not exclusively) storage companies. It may suggest the government is only asking for data stored in the Internet companies’ servers, not data that is in transit.

The FISC may not have jurisdiction over all this

Then there are hints that the FISC may not have jurisdiction over all the collection involving the Internet companies. That shows up in several ways.

First, in one spot (page 17) the government refers to the subject of its brief as “FISA proceedings and foreign intelligence collection.” In other documents, we’ve seen the government distinguish FISC-governed collection from collection conducted under other authorities — at least EO 12333. Naming both may suggest that part of the jurisdictional issue is that the collection takes place under EO 12333.

There’s another interesting reference to the FISC’s jurisdiction, where the government says it wants to reveal information on the programs “overseen by this Court.”

Although the Government has attempted to release as much information as possible about the intelligence collection activities overseen by this Court, the public debate about surveillance does not give the companies the First Amendment right to disclose information that the Government has determined must remain classified.

I’m increasingly convinced that the government is trying to do a limited hangout with the Edward Snowden leaks, revealing only the stuff authorized by FISC, while refusing to talk about the collection authorized under other statutes (this likely also serves to hide the role of GCHQ). If this passage suggests — as I think it might — that the Government is only attempting to release that information overseen by the FISC, then it suggests that part of what the Internet companies would reveal does not fall under FISC.

Then there are the two additional threats the government uses — in addition to gags tied to FISA orders — to ensure the Internet personnel not reveal this information: nondisclosure agreements and the Espionage Act.

I’m not certain whether the government is arguing that these two issues — even if formulated in conjunction with FISA Orders — are simply outside the mandate of the FISC, or if it is saying that it uses these threats to gag people engaged in intelligence collection not covered by FISA order gags.

The review and construction of nondisclosure agreements and other prohibitions on disclosure unrelated to FISA or the Court’s rules and orders fall far outside the powers that “necessarily result to [this Court] from the nature of [the] institution,” and therefore fall outside the Court’s inherent jurisdiction.

Whichever it is (it could be both), the government seems intent on staving off FISC-mandated transparency by insisting that such transparency on these issues is outside the jurisdiction of the Court.

Then there’s this odd detail. Note that McCabe’s declaration is not sworn under oath, but is sworn under penalty of perjury under 18 USC 1746 (see the redaction at the very beginning of the declaration). Is that another way of saying the FISA Court doesn’t have jurisdiction over this matter? [Update: One possibility is that this is shut-down related–that DOJ’s notaries who validate sworn documents aren’t considered essential.]

The PRISM companies and the poisoned upstream fruit

One more thing to remember. Though we don’t know why, the government had to pay the PRISM companies — that is, the same ones suing for more transparency — lots of money to comply with a series of new orders after John Bates imposed new restrictions on the use of upstream data. I’ve suggested that might be because existing orders were based on poisoned fruit, the illegally collected US person data collected at telecom switches.

That, too, may explain why PRISM company disclosure of the orders they receive would reveal unwanted details about the methods the government uses: there seems to be some relation between this upstream collection and the requests to the Internet companies that is particularly sensitive.

As I have repeatedly recalled, back in 2007, these very same Internet companies tried to prevent the telecoms from getting retroactive immunity for their actions under Bush’s illegal wiretap program. That may have been because the telecoms were turning over the Internet companies’ data to the government.

They appear to be doing so again. And this push for transparency seems to be an effort to expose that fact.

Update: Microsoft’s Amended Motion — the one asking to break out orders by statute — raises the initial reports on PRISM, reports on XKeyscore, and on the aftermath of the 2011 upstream problems (which I noted above). It doesn’t talk about any story specifically tying Microsoft to Section 215. However, it lists these statutes among those it’d like to break out.

1. These authorities could include electronic surveillance orders, see 50 U.S.C. §§ 1801-1812; physical search orders, see 50 U.S.C. §§ 1821-1829; pen register and trap and trace orders, see 50 U.S.C. §§ 1841-1846; business records orders, see 50 U.S.C. §§ 1861-1862; and orders and directives targeting certain persons outside the United States, see 50 U.S.C. §§ 1881-1881g. [my emphasis]

If I’m not mistaken, the motion doesn’t reference this article, which described how the government accessed Skype and Outlook, which you’d think would be one of the ones MSFT would most want to refute, if it could. But I’ve also been insisting that they must get Skype info for the phone dragnet, otherwise they couldn’t very well claim to have the whole “phone” haystack.

But the mention of Section 215 suggests they may be included in that order.

Also, we keep seeing physical search orders included in a communication arena. I wonder if that’s a storage issue.

Update: One more note about the MSFT Amended Motion. It lists where the people involved got their TS security clearances. MSFT’s General Counsel is tied to DOD; the lawyers on the brief all are tied to FBI.

One final detail on MSFT. Though the government brief doesn’t say this, MSFT is also looking to release the number of accounts affected by various orders, not just the number of targets (which is what the government wants to release). That’s a huge difference.

Also, the Nail Polish Remover Lobby Didn’t Challenge Section 215 Orders

The takeaway from the FISC opinion released today from about 6 outlets seems to be that no telecom has ever challenged a Section 215 order.

But the opinion actually says more than that. It says,

To date, no holder of records who has received an Order to produce bulk telephony has challenged the legality of such an Order. Indeed, no recipient of any Section 215 Order has challenged the legality of such an Order, despite the explicit statutory mechanism for doing so.

Now, if your bullshit antennae aren’t buzzing when you read that formulation, “no holder of records,” then you need to have them checked. Because it sure seems to allow for the possibility that someone whose customers had their records seized via someone deemed the actual holder of them objected. That entity, after all, wouldn’t be a Section 215 Order recipient, and therefore would have no standing to object, regardless of the statutory mechanism for doing so. (Plus, both EPIC and ACLU have — and had, by the time this order was written — objected. But they don’t count because they’re the actual customers.)

But remember, as far as we know, Section 215 has not been used for Internet metadata (except for subscriber information for the first 2 years of the program; see Verizon’s CEO bitching about the email companies his company stole data from for years complaining publicly about the dragnet). The one other big “customer base” we know has been targeted by bulk-ish orders are hydrogen peroxide and nail polish remover (acetone) purchasers.

However, there, too, like Internet providers whose data gets sucked up at a telecom provider’s switch, the actual beauty supply companies are unlikely to be the “holder of records.” The beauty of the Third Party doctrine, for the government, is it can always look elsewhere for people who have “records” that betray customers’ interests.

If only we had a powerful nail polish remover lobby we might be able to combat the dragnet.

Google’s Payoff from DOD: 20 Cheap Fuel Flights to Tortola

Given that I’m very interested in the carrots and sticks the government uses to get tech companies to help spy on us, I find it rather interesting that from 2007 until August 31, DOD was allowing Google to pay for jet fuel at Moffett Field near Google’s HQ in Mountain View at DOD’s substantially discounted rate.

Granted, this arose because Google provided a light airplane to perform scientific flights for Ames Research Center.

NASA officials have pointed to a related agreement by the Google executives to perform scientific flights and other NASA-related transport. That mostly has involved flights by an Alpha jet, a small trainer bought by the Google executives and used by NASA to measure atmospheric greenhouse gases and ozone.

[snip]

[T]he contract between H211 and the Pentagon stated that the fuel was supposed to be used only “for performance of a U.S. government contract, charter or other approved use,” and said violations could trigger civil or criminal penalties. There is no indication of any such investigation.

Flight records from the Federal Aviation Administration suggest that the vast bulk of the flights by the Google executives’ fleet have been for non-NASA purposes.

The main jets in the fleet—a Boeing 767, Boeing 757 and four Gulfstream V’s—have departed from Moffett a total of 710 times since 2007, FAA records show. The most frequent destinations were Los Angeles and New York, but the planes also flew 20 times to the Caribbean island of Tortola; 17 to Hawaii; 16 to Nantucket, Mass.; and 15 to Tahiti.

This agreement went into place before Google joined PRISM, for example (though I’m sure Google was already helping NSA on its storage challenges before that). Though I really look forward to Google defending these fuel purchases because so much of what they do is “for performance of a U.S. government contract.”

This is peanuts to a company as rich as Google; access to the airport is probably worth more to Google execs than the cheap gas.

Still, it’s a perk. The kind of perk that might explain why Eric Schmidt believes all this spying is just the nature of society. (h/t Kevin Gosztola)

There’s been spying for years, there’s been surveillance for years, and so forth, I’m not going to pass judgment on that, it’s the nature of our society.

Spying is the nature of society in the same way as special perks for those who help in it, after all.

Microsoft, Google, as Unimpressed as I Am with I Con’s New Data Release Promise

I showed earlier that the Director of National Intelligence’s promise to release certain information — much of which they’re already obligated to release — wasn’t all that impressive. As part of that, I noted that the DNI wasn’t providing data specific to each provider.

Moreover, the government doesn’t, apparently, plan to release the number Google and Yahoo would like it to release, numbers which likely show how much more enthusiastic the well-lubricated telecoms are about providing this material than the less-well lubricated Internet providers. That is, the government isn’t going to (or hasn’t yet agreed to) provide numbers that show corporations have some leeway on how much of our data they turn over to the government.

It turns out, Microsoft and Google agree with me that the promised new release is none too impressive.

More importantly, they view it as a refusal — after serial delays from the government — to release the provider-specific and content-type-specific information they want to release.

Yesterday, the Government announced that it would begin publishing the total number of national security requests for customer data for the past 12 months and do so going forward once a year. The Government’s decision represents a good start. But the public deserves and the Constitution guarantees more than this first step.