Posts

House Homeland Security Committee Apparently Knows Little about Homeland Security

Here are the first 36 words of an otherwise useful House Homeland Security Committee report on encryption:

Public engagement on encryption issues surged following the 2015 terrorist attacks in Paris and San Bernardino, particularly when it became clear that the attackers used encrypted communications to evade detection—a phenomenon known as “going dark.”

The statement has grains of truth to it. It is true that engagement on encryption surged following the Paris attacks, largely because intelligence committee sources ran around assuming (and probably briefing the White House) that encryption must explain why those same intelligence committee sources had missed the attack. It surged further months later when FBI chose to pick a fight with Apple over Syed Rizwan Farook’s work phone which — it was clear from the start — had no evidence relating to the attack on it.

It is also true that ISIS had been using Telegram leading up to the Paris attack; in its wake, the social media company shut down a bunch of channels tied to the group. But there has never been a public claim the plotters used Telegram to plan their attack.

It is also true that an ISIS recruit, arrested and interrogated months before the Paris attack, had told French authorities he had been trained to use a Truecrypt key and an elaborate dead drop method to communicate back to Syria.

But it is not true that the Paris attackers used encryption to hide their plot. They used a great many burner phones, a close-knit network (and with it face-to-face planning), an unusual dialect. But even the one phone that had an encrypted product loaded on it was not using that service.

It is also not true that the San Bernardino attackers used encryption to evade detection. They used physical tools to destroy the phones presumably used to plan the attack. They hid a hard drive via some other, unidentified means. But the only known use of encryption — the encryption that came standard on Farook’s work phone — was shown, after the FBI paid to bypass it, not to be hiding anything at all.

Now it’s possible there was encryption involved in these attacks we don’t know about, that HLSC has gotten classified briefings on. But even if there was, it could not very well have led to a public surge of engagement last year, because it would not be public.

There are reasons to discuss encryption. But factually false claims about terrorists’ use of encryption are not among those reasons.

h/t to Access Now’s Nathaniel White, who pointed out this bogosity on Twitter.

Update: See this Grugq post laying out what little encryption ISIS has been known to use in any attack.

Why Does NSA Get a Pass on the Boston Marathon Attack?

In addition to a motion claiming the FBI asked Tamerlan Tsarnaev to become an informant during their investigation of him in 2011, Dzhokhar Tsarnaev’s lawyers submitted a motion requesting notice of whether the government intends to submit as evidence or has in its possession surveillance information that would be helpful to Dzhokhar’s defense.

This motion is not going anywhere.

The government would generally be obliged to turn this over only if they planned to use it (or evidence derived from it, in the still very attenuated way they define such things) in trial. And as the defense notes in the motion, any surveillance that might exist would most likely be of Dzhokhar’s family, especially his brother, not him. Moreover, the defense points to Amnesty v. Clapper to invoke the government’s admission that it collects data not just in FISA-authorized programs, but also in EO 12333 ones.

And, although we do not reach the question, the Government contends that it can conduct FISA-exempt human and technical surveillance programs that are governed by Executive Order 12333. See Exec. Order No. 12333,

Yet there is no established obligation to notice such evidence, as there is for FISA.

All that said, to justify their demand, the defense notes the government’s non-response to three past attempts to get such information. And they note two passages from the recently released House Homeland Security Committee report on the bombing to justify their renewed claim.

This threat assessment included a check of “U.S. government databases and other information to look for such things as derogatory telephone communications, possible use of online sites associated with the promotion of radical activity, associations with other persons of interest, travel history and plans, and education history.” Id. at 12. The report also states that, according to FBI officials in Moscow, “electronic communication” between Tamerlan and a jihadist named William Plotnikov “may have been collected.”

If any “derogatory” telephone communications had been discovered, presumably the assessment into Tamerlan wouldn’t have been closed after less than 4 months, as the report makes clear it was (the Russian notice was March 4, 2011; the FBI set an alert on Tamerlan on March 22, 2011; the FBI closed the assessment on June 24, 2011). Ditto if Tamerlan had significant online activity “associated with the promotion of radical activity” (he would have, after his return from Russia). So for the moment assume nothing significant came of these searches, which are attributed to the FBI. Nevertheless, these comments at least nod to databases that may be, or may be derived from, NSA databases.

The possible intercept between Tamerlan and Plotnikov may have dated to a year after the FBI’s assessment, although this NBC report, which seems to have been based on an unredacted report, suggests it predated the warnings. In any case, it’s almost certainly a Russian intercept, not an NSA one: the paragraph reporting it (see the partly redacted paragraph on page 15) is one of just a few in this report classified FGI, indicating it derives from foreign government intelligence. If the FBI (and later, CIA) did learn that Tamerlan had come up in incriminating intercepts with Plotnikov in 2011, that’s something the NSA presumably could have replicated (and would be solidly within NSA’s interpretation of permissible taps under reverse targeting restrictions as laid out in the most recent PCLOB hearing, even assuming such tasking were done under FAA).

Dzhokhar’s defense doesn’t deal with what I consider a far more intriguing mention, undoubtedly because it remains heavily redacted (see page 32-34). This one deals with the second Russian alert later that fall — it is another FGI paragraph and footnote — this time to the CIA. It reveals that in providing a warning reported to be largely the same as one sent 6 or 7 months earlier, the CIA version of the Russian warning used the wrong year of birth and transliterated his name differently. There was some other difference in this alert as well (this would be described in the sentence at 33-34, which the following sentence on the name and date inaccuracy add to). And while much of this heavily redacted discussion involves the mechanics of data sharing, what is clear is CIA added Tamerlan (with the wrong birth date and transliteration) to two more databases than FBI had, TIDES (a kind of centralized database) and TSDB (a centralized terrorist screening database) based on some reason to be suspicious. Just as significantly, according to NBC (which also spoke to a “US intelligence official,” though it doesn’t attribute this specific claim at all), CIA also passed on this information to several other agencies. “On Oct. 19, 2011, the CIA shared information on Tsarnaev with the National Counterterrorism Center (NCTC), DHS, the State Department and the FBI.”

Take a step back here and consider this claim. First, NBC’s source (or the unredacted report) would have you believe a legal alien in the US got added to the TSDB for alleged ties with extremists in Russia without NSA also getting notice of it. It would also have you believe that any further checks done into Tamerlan at this time never stumbled over the grisly Waltham murder committed just weeks earlier, or Tamerlan’s odd behavior afterwards. Tamerlan was getting added to databases, but no one made a Request for Information about the underlying claims involving people who could be legally targeted in Russia to the NSA, at least as far as the public story goes.

And note what doesn’t appear in the House report, but which does appear in Dzhokhar’s indictment?

Inspire magazine is an English language online publication of al-Qaeda in the Arabian Peninsula. Volume One of Inspire magazine, which is dated summer 2010, contains detailed instructions for constructing IEDs using pressure cookers, explosive powder from fireworks, shrapnel, adhesive, and other materials. IEDs constructed in this manner are designed to shred flesh, shatter bone, and cause extreme pain and suffering, as well as death.

[snip]

At a time unknown to the Grand Jury, but before on or about April IS, 2013, DZHOKHAR A. TSARNAEV downloaded to his computer a copy of Volume One of Inspire magazine, which includes instructions on how to build IEDs using pressure cookers or sections of pipe, explosive powder from fireworks, and shrapnel, among other things.

There are codes within Inspire that could and presumably are targeted under NSA’s upstream collection, meaning if such downloads in any way crossed key international switches, they might have been identified and tracked, along with metadata identifying Dzhokhar’s computer.

And yet, in spite of all these potential bread crumbs the NSA might have had, no one has thought to ask NSA whether they did. The HHSC didn’t ask NSA for information, And the joint IG report on the attacks did not include NSA’s IG.

Don’t get me wrong. I’m actually sympathetic to the idea that even the most diligent effort cannot prevent every attack. I’m not endorsing doing any more domestic collection than NSA already does — though what it does, it does precisely to identify people like Tamerlan, people who have conversations with known extremists overseas. According to both NSA and FBI’s rules, neither would have needed even Reasonable Articulable Suspicion into Tamerlan — though they clearly had that — to do a back door search on, say, Plotnikov’s communications. I’m also not saying this would make a lick of difference in Dzhokhar’s trial (though the allegation is that his computer, not Tamerlan’s, is the one with Inspire on it).

But if we’re going to do drawn out assessments every time we miss a terrorist attack, shouldn’t we also be assessing the actions or inactions of the people who run massive dragnets ostensibly because they’ll identify people like Tamerlan? If we’re going to have this dragnet — and if NSA is going to justify it by pointing to terrorism — shouldn’t we be assessing its role in actually preventing terrorism?