
The Internet Dragnet Was a Clusterfuck … and NSA Didn’t Care

Here’s my best description from last year of the mind-boggling fact that NSA conducted 25 spot checks between 2004 and 2009 and then did a several months’ long end-to-end review of the Internet dragnet in 2009 and found it to be in pretty good shape, only then to have someone discover that every single record received under the program had violated rules set in 2004.

Exhibit A is a comprehensive end-to-end report that the NSA conducted in late summer or early fall of 2009, which focused on the work the agency did in metadata collection and analysis to try and identify people emailing terrorist suspects.

The report described a number of violations that the NSA had cleaned up since the beginning of that year — including using automatic alerts that had not been authorized and giving the FBI and CIA direct access to a database of query results. It concluded the internet dragnet was in pretty good shape. “NSA has taken significant steps designed to eliminate the possibility of any future compliance issues,” the last line of the report read, “and to ensure that mechanisms are in place to detect and respond quickly if any were to occur.”

But just weeks later, the Department of Justice informed the FISA Court, which oversees the NSA program, that the NSA had been collecting impermissible categories of data — potentially including content — for all five years of the program’s existence.

The Justice Department said the violation had been discovered by NSA’s general counsel, which since a previous violation in 2004 had been required to do two spot checks of the data quarterly to make sure NSA had complied with FISC orders. But the general counsel had found the problem only after years of not finding it. The Justice Department later told the court that “virtually every” internet dragnet record “contains some metadata that was authorized for collection and some metadata that was not authorized for collection.” In other words, in the more than 25 checks the NSA’s general counsel should have done from 2004 to 2009, it never once found this unauthorized data.

The following year, Judge John Bates, then head of FISC, emphasized that the NSA had missed the unauthorized data in its comprehensive report. He noted “the extraordinary fact that NSA’s end-to-end review overlooked unauthorized acquisitions that were documented in virtually every record of what was acquired.” Bates went on, “[I]t must be added that those responsible for conducting oversight at NSA failed to do so effectively.”

Even after these details became public in 2014 (or perhaps because the intelligence community buried such disclosures in documents with dates obscured), commentators have generally given the NSA the benefit of the doubt in its good faith to operate its dragnet(s) under the rules set by the FISA Court.

But an IG Report from 2007 (PDF 24-56) released in Charlie Savage’s latest FOIA return should disabuse commentators of that opinion.

This is a report from early 2007, almost 3 years after the Stellar Wind Internet dragnet moved under FISA authority and close to 30 months after Judge Colleen Kollar-Kotelly ordered NSA to implement more oversight measures, including those spot checks. We know that rough date because the IG Report post-dates the January 8, 2007 initiation of the FISC-spying compartment and it reflects 10 dragnet order periods of up to 90 days apiece (see page 21). So the investigation in it should date to no later than February 8, 2007, with the final report finished somewhat later. It was completed by Brian McAndrew, who served as Acting Inspector General from the time Joel Brenner left in 2006 until George Ellard started in 2007 (but who also got asked to sign at least one document he couldn’t vouch for in 2002, again as Acting IG).

The IG Report is bizarre. It gives the NSA a passing grade on what it assessed.

The management controls designed by the Agency to govern the collection, dissemination, and data security of electronic communications metadata and U.S. person information obtained under the Order are adequate and in several aspects exceed the terms of the Order.

I believe that by giving a passing grade, the IG made it less likely his results would have to get reported (for example, to the Intelligence Oversight Board, which still wasn’t getting reporting on this program, and probably also to the Intelligence Committees, which didn’t start getting most documentation on this stuff until late 2008) in any but a routine manner, if even that. But the report also admits it did not assess “the effectiveness of management controls[, which] will be addressed in a subsequent report.” (The 2011 report examined here identified previous PRTT reports, including this one, and that subsequent report doesn’t appear in any obvious form.) Then, having given the NSA a passing grade but deferring the most important part of the review, the IG notes “additional controls are needed.”

And how.

As to the issue of the spot checks, mandated by the FISA Court and intended to prevent years of ongoing violations, the IG deems such checks “largely ineffective” because management hadn’t adopted a methodology for those spot checks. They appear to have just swooped in and checked queries already approved by an analyst’s supervisor, in what they called a superaudit.

Worse still, they didn’t write anything down.

As mandated by the Order, OGC periodically conducts random spot checks of the data collected [redaction] and monitors the audit log function. OGC does not, however document the data, scope, or results of the reviews. The purpose of the spot checks is to ensure that filters and other controls in place on the [redaction] are functioning as described by the Order and that only court authorized data is retained. [snip] Currently, an OGC attorney meets with the individuals responsible [redaction] and audit log functions, and reviews samples of the data to determine compliance with the Order. The attorney stated that she would formally document the reviews only if there were violations or other discrepancies of note. To date, OGC has found no violations or discrepancies.

So this IG review was done more than two years after Kollar-Kotelly had ordered these spot checks, during which period 18 spot checks should have been done. Yet at that point, NSA had no documentary evidence a single spot check had been done, just the say-so of the lawyer who claimed to have done them.

Keep in mind, too, that Oversight and Control were, at this point, implementing a new-and-improved spot-check process. That’s what the IG reviewed, the new-and-improved process, because (of course) reviewers couldn’t review the past process because there was no documentation of it. It’s the new-and-improved process that was inadequate to the task.

But that’s not the only problem the IG found in 2007. For example, the logs used in auditing did not accurately document what seed had been used for queries, which means you couldn’t review whether those queries really met the incredibly low bar of Reasonable Articulable Suspicion or that they were pre-approved. Nor did they document how many hops out analysts chained, which means any given query could have sucked in a great deal of Americans (which might happen by the third or fourth hop) and thrown them into the corporate store for far more intrusive analysis. While the IG didn’t point this out directly, the management response made clear log files also didn’t document whether a seed was a US person and therefore entitled to a First Amendment review. In short, NSA didn’t capture any — any!!! — of the data that would have been necessary to assess minimal compliance with FISC orders.

NSA’s lawyers also didn’t have a solid list of everyone who had access to the databases (and therefore who needed to be trained or informed of changes to the FISC order). The Program Management Office had a list that it periodically compared to who was actually accessing the data (though as made clear later in the report, that included just the analysts). And NSA’s Office of General Counsel would also periodically review to ensure those accessing the data had the information they needed to do so legally. But “the attorney conducting the review relie[d] on memory to verify the accuracy and completeness of the list.” DOD in general is wonderfully neurotic about documenting any bit of training a given person has undergone, but with the people who had access to the Internet metadata documenting a great deal of Americans’ communication in the country, NSA chose just to work from memory.

And this non-existent manner of tracking those with database access extended to auditing as well. The IG reported that NSA also didn’t track all queries made, such as those made by “those that have the ability to query the PRTT data but are not on the PMO list or who are not analysts.” While the IG includes people who’ve been given new authorization to query the data in this discussion, it’s also talking about techs who access the data. It notes, for example, “two systems administrators, who have the ability to query PRTT data, were also omitted from the audit report logs.” The thing is, as part of the 2009 “reforms,” NSA got approval to exempt techs from audits. I’ve written a lot about this but will return to it, as there is increasing evidence that the techs have always had the ability — and continue to have the ability — to bypass limits on the program.

There are actually far more problems reported in this short report, including details proving that — as I’ve pointed out before — NSA’s training sucks.

But equally disturbing is the evidence that NSA really didn’t give a fuck about the fact they’d left a database of a significant amount of Americans’ communications metadata exposed to all sorts of control problems. The disinterest in fixing this problem dates back to 2004, when NSA first admitted to Kollar-Kotelly they were violating her orders. They did an IG report at the time (under the guidance of Joel Brenner), but it did “not make formal recommendations to management. Rather, the report summarize[d] key facts and evaluate[d] responsibility for the violation.” That’s unusual by itself: for audits to improve processes, they are supposed to provide recommendations and track whether those are implemented. Moreover, while the IG (who also claimed the clusterfuck in place in 2007 merited a passing grade) assessed that “management has taken steps to prevent recurrence of the violation,” it also noted that NSA never really fixed the monitoring and change control process identified as problems back in 2004. In other words, it found that NSA hadn’t fixed key problems IDed back in 2004.

As to this report? It did make recommendations and management even concurred with some of them, going so far as to agree to document (!!) their spot checks in the future. With others — such as the recommendation that shift supervisors should not be able to make their own RAS determinations — management didn’t concur, they just said they’d monitor those queries more closely in the future. As to the report as a whole, here’s what McAndrew had to say about management’s response to the report showing the PRTT program was a clusterfuck of vulnerabilities: “Because of extenuating circumstances, management was unable to provide complete responses to the draft report.”

So in 2007, NSA’s IG demonstrated that the oversight over a program giving NSA access to the Internet metadata of a good chunk of all Americans was laughably inadequate.

And NSA’s management didn’t even bother to give the report a full response.

Joel Brenner Reveals David Addington’s Sources and Methods

Several people (including Dan Froomkin) have pointed to the speech former NSA Inspector General Joel Brenner gave at NSA today for the confirmation of what was pretty clear from the joint IG Report on Stellar Wind — that David Addington ran the program out of OVP.

The seed of the problem was planted shortly after 9/11, when the White House determined to undertake certain collection outside the FISA regime under a highly classified, but now mostly declassified, program called STELLAR WIND. That program was not SAP’ed, because the creation of a new special access program requires Congressional notification, but it was run directly by the Office of the Vice President and put under the direct personal control of the Vice President’s counsel, David Addington.

But there’s another detail I find more interesting (aside from Brenner’s note that parts of the program remain classified, which people often forget).

Stellar Wind was not SAP’ed, Joel Brenner (who was, at least according to the IG Report, not read in himself until far later than he makes out in his speech) says.

Because if it were SAP’ed — if it were made a Special Access Program — then Congress would have had to be notified.

I’m interested in that for two reasons.

First (and most prosaically), the Executive was messing around with the classification of Stellar Wind at least until January 2009, when they appear to have been making last minute adjustments to gain advantage in the al-Haramain suit.

More interestingly, because the Executive claims Congress was notified (even in that IG Report, though interestingly enough, some accountings of Congressional briefings got redacted in the underlying reports). Joel Brenner is here suggesting that they weren’t, really. Which is consistent with the fact that the briefing Congress got on March 10, 2004 was different in substance than what they had gotten before then.

Finally, because there are questions about when and who made the torture program a SAP. It appears not to have happened until early 2003 (and some of CIA’s own briefing records suggest that’s when the first torture briefings were, notwithstanding the September 2002 briefings for the Gang of Four).

Brenner’s suggestion makes it likely (as if it weren’t already) that that decision, too, was driven by Addington.

Stellar Wind and the Intelligence Oversight Board Reports

As I noted, the NSA released its quarterly reports to the Intelligence Oversight Board as a FOIA-coal-for-Christmas present. In them, we see how the NSA executed a bit of legal chicanery with respect to Stellar Wind which had previously been revealed in the 2009 Draft IG Report on Stellar Wind.

The report claims that NSA’s Inspector General did not get read into the program until August 2002. The IG Report claims to be mystified as to why NSA operated an illegal program for 9 months before reading in the IG; it offers the suggestion that President Bush didn’t want to read in the IG until NSA had a named IG, rather than an Acting one — but that doesn’t explain why they waited 4 months after Joel Brenner came in in April 2002.

(TS//SI//NF) We could not determine exact reasons for why the NSA IG was not cleared for the PSP until August 2002. According to the NSA General Counsel, the President would not allow the IG to be briefed sooner. General Hayden did not specifically recall why the IG was not brought in earlier, but thought that it had not been appropriate to do so when it was uncertain how long the Program would last and before operations had stabilized. The NSA IG pointed out that he did not take the IG position until April 2002, so NSA leadership or the White House may have been resistant to clearing either a new or an acting IG.

One of the things Brenner instituted — the report claims it started almost a year after he came in and more than 6 months after he got read into the program — was to make the IOB reports technically correct by stating that there might be incidents not noticed to IOB but instead noticed to the President.

(C) Second, in March 2003, the IG advised General Hayden that he should report violations of the Authorization to the President. In February of 2003, the OIG learned of PSP incidents or violations that had not been reported to overseers as required, because none had the clearance to see the report.

(TS//SI//OC/NF) Before March 2003, NSA quarterly reports on intelligence activities sent to the President’s Intelligence Oversight Board (through the Assistant to the Secretary of Defense for Intelligence Oversight) stated that the Director was not aware of any unlawful surveillance activities by NSA other than that described in the report. Beginning in March 2003, at the IG’s direction, NSA quarterly reports stated that except as disclosed to the President, the Director was not aware of any unlawful surveillance activities by NSA. Also beginning in March 2003, PSP violations, including those not previously reported to the Intelligence Oversight Board, were reported in “Presidential Notifications.”

But that’s actually not correct. The change appears in the December 4, 2002 report.

[Image: Screen shot 2014-12-27 at 7.36.43 AM]

If the remaining chronology is correct — that Brenner had not yet convinced Hayden to tell the President about violations and that there were some February 2003 violations that did not get reported — then the December 2002 report was inaccurate, because the President would not have been noticed.

What I find interesting about it is how signatures were handled before that. In the June 2002 report — at a time when Brenner was not read into the program — he signed the report himself.  In the August 27, 2002 report (which was presumably submitted just after Brenner got read into Stellar Wind), Brian McAndrew, who had been Acting IG before Brenner took over, signed for him.

[Image: Screen shot 2014-12-27 at 7.34.02 AM]

And, in perhaps related metadata, there’s this, from the December 2001 report (that is, the first one after the initiation of Stellar Wind).

[Image: Screen shot 2014-12-27 at 8.12.00 AM]

I think, though am not certain, this note comes from Michael Hayden (with an “H” in the circle), to whom the memo is addressed. He appears to have asked Robert Deitz to discuss the implications of this notice further before he signed it. And someone amended the notice, to include violations known to affiliated (agency?) directors but not to Hayden.

That is, it seems possible that even Michael Hayden hesitated to say this report included all violations of law without Robert Deitz (who has written some robust defenses of NSA since the Snowden leaks) holding his hand somewhat.

Update: Note that the coversheet with Hayden’s note was initially dated December 7, 2001. But the date on the letter he signed was January 4, 2002. That suggests they could have actually changed the content of the letter in response to Hayden’s concerns, though such a delay appears normal given the other reports. 

Of course, this entire structure is premised on the caveat that the President can instruct agency heads not to include violations he doesn’t want them to. And the gaming of some signatures to avoid making false declarations is child’s play compared to what Obama did at the beginning of his Administration, which was basically to let the entire board lapse by not appointing anyone.

Still, the games they were playing with their declarations suggest these men — who’ve made broad comments about how well NSA follows the law — know they were fibbing.

Former Top NSA Officials Insist Employees Are Leaving Because Obama Is Mean, Not Because They Object To NSA’s Current Activities

Ellen Nakashima has a story that purports to show 1) significant morale problems at the NSA and 2) proof that the morale stems from Obama’s failure to more aggressively support the NSA in the wake of the Edward Snowden revelations.

The story relies in significant part on former NSA IG Joel Brenner and two other former officials who insisted on remaining anonymous because “they still have dealings” with the NSA.

“The agency, from top to bottom, leadership to rank and file, feels that it is had no support from the White House even though it’s been carrying out publicly approved intelligence missions,” said Joel Brenner, NSA inspector general from 2002 to 2006. “They feel they’ve been hung out to dry, and they’re right.”

A former U.S. official — who like several other former officials interviewed for this story requested anonymity because he still has dealings with the agency — said: “The president has multiple constituencies — I get it. But he must agree that the signals intelligence NSA is providing is one of the most important sources of intelligence today.

“So if that’s the case, why isn’t the president taking care of one of the most important elements of the national security apparatus?”

[snip]

A second former official said NSA workers are polishing up their résumés and asking that they be cleared — removing any material linked to classified programs — so they can be sent out to potential employers. He noted that one employee who processes the résumés said, “I’ve never seen so many résumés that people want to have cleared in my life.”

Morale is “bad overall,” a third former official said. “The news — the Snowden disclosures — it questions the integrity of the NSA workforce,” he said. “It’s become very public and very personal. Literally, neighbors are asking people, ‘Why are you spying on Grandma?’ And we aren’t. People are feeling bad, beaten down.”

Does “still have dealings with the agency” mean these people still contract to it, indirectly or directly? If it does, how much of this contracting works through The Chertoff Group, where a slew of former officials seem to have had remarkably consistent interests in spreading this line for months? Nakashima might want to provide more details about this in any future stories like these, as it may tell us far more about how much these men are profiting from espousing such views.

After all, while they do provide evidence that NSA employees are leaving, they provide only second-hand evidence — evidence that is probably impossible for any of these figures to gain in depth personally — that the issue pertains to Obama’s response.

And there are at least hints that NSA employees might be leaving for another reason: they don’t want to be a part of programs they’re only now — thanks to compartmentalization — learning about.

We can look to the two letters the NSA has sent to “families” of workers for such hints.

The first, sent in September (page one, page two, h/t Kevin Gosztola), got sent just 3 days after the release of documents showing NSA had been violating just about every rule imposed on the phone dragnet for the first three years it operated (partly, it should be said, because of Joel Brenner’s inadequate oversight at its inception). In the guise of providing more context to NSA employee family members about that and recent disclosures, Keith Alexander and John Inglis wrote,

We want to put the information you are reading and hearing about in the press into context and reassure you that this Agency and its workforce are deserving and appreciative of your support.

Could an Independent NSA Inspector General Have Prevented 3 Years of Violations?

Last week, two former Senate Intelligence Committee members proposed a fix for the NSA no one has yet floated: making NSA’s Inspector General independent. Doing so, they argue, would give the IG more leeway to direct her investigations of the NSA and provide Congress needed insight into NSA’s real activities.

But one important option has yet to be proposed: creating an independent inspector general’s office at the NSA, comparable to the office that was created within the CIA in 1989.

[snip]

Not only was the inspector general’s office viewed differently after the law was passed, but the office itself was different. It decided which of the CIA’s activities would be investigated, inspected or audited without waiting for direction or approval from agency management. Employees of the IG’s office no longer had to worry about the potential effect on their careers if their findings and conclusions were critical of the agency. They may not have always gotten everything right, but they were freer to call things as they saw them and did so, at times to the chagrin of CIA management.

Having an independent inspector general at the CIA produced other advantages for the oversight process: It gave the congressional intelligence committees a more reliable partner — an office that lawmakers could call upon to conduct investigations beyond their own capabilities — and they learned of problems they otherwise might not have come across.

The same dynamic is not possible at the NSA today because the agency’s inspector general is appointed by and works for the NSA director. For all practical purposes, he is a member of the director’s staff and does not report directly to the intelligence committees.

I’m particularly interested in this recommendation given a few data points from the transition period between the illegal phone dragnet to the Section 215 dragnet in 2006.

As the documents submitted in 2009 make clear, the dragnet remained largely if not entirely unchanged from what it was before 2006. The initial “bug” that “arose” in 2009 was really just a “feature” — an alert system on suspect phone identifiers — of the illegal program that never got shut down or properly disclosed to the FISA Court. Many of the subsequent “bugs” (such as access to the queried data for FBI and CIA) also seem to be “features” no one turned off to keep the program legal.

And the Inspector General (from 2002 to 2006, NSA defender Joel Brenner served in that role) knew about the features of the illegal program because he was belatedly read into the illegal program in 2002 and actually provided 3 suggestions to improve oversight of it (see pages 45-46). Among other things, Brenner instituted and attended monthly due diligence meetings.

As Keith Alexander’s February 2009 declaration to Reggie Walton reveals, as the program was transferring to FISC authorization in 2006, someone in the IG office suggested NSA tell the FISA Court how the alert system worked, but NSA chose not to follow that suggestion.

Agency records indicate that, in April 2006, when the Business Records Order was being proposed, NSA’s Office of Inspector General (“OIG”) suggested to SID personnel that the alert process be spelled out in any prospective Order for clarity but this suggestion was not adopted.

More interesting still is the role of a 2006 study submitted to the FISA Court (starting at 85).

Working Thread: Section 215 Dragnet Document Dump, Part II


This is part of a working thread on yesterday’s Section 215 dragnet. Part I is here. The documents are here.


IG Report

(i) Note that the cover letter was signed by the Acting IG, Brian McAndrew, but the report itself was signed by Joel Brenner.

(3) The IG Report uses a lot of passive voice where it should assign some responsibility for implementing controls.

(4) Note this recommendation is redacted but almost certainly is S 215 or S 332, based on the distribution list.

(4) Note the definition of processing.

(8) Note the finding the info assurance was adequate turned out to be wrong, as people were just wandering into this database.

(9) The audits OIG was supposed to conduct didn’t happen, per the description on page 31 of the Alexander declaration. This is sort of a big deal. Was OIG excluded (as they had been under the illegal program)? Or did they just not do their job?

(13) Note the review started immediately after the program started and by its own admission “did not conduct a full range of compliance and/or substantive testing.”

(18) Curious whether NSA introduced the word “archive” in the table.

(19) The language on metadata retention is another tell: they describe not “keeping” the data but “keeping it online” while avoiding mention of archive.


Compliance Incidents, Feb 26, 2009 & Supplemental Alexander

(4) Three different analysts querying databases. Again the timing on this is interesting, from day after election to day after transferring power. Note there’s still no discussion of where all those other identifiers went.

(SAlexander 2) Note the reference to telecoms remains unredacted.


Shorter NSA: That We Discovered We Had No Fucking Clue How We Use Our Spying Is Proof Oversight Works


James Clapper’s office just released a bunch of documents pertaining to the Section 215 dragnet. It reveals a whole slew of violations which it attributes to this:

The compliance incidents discussed in these documents stemmed in large part from the complexity of the technology employed in connection with the bulk telephony metadata collection program, interaction of that technology with other NSA systems, and a lack of a shared understanding among various NSA components about how certain aspects of the complex architecture supporting the program functioned.  These gaps in understanding led, in turn, to unintentional misrepresentations in the way the collection was described to the FISC.  As discussed in the documents, there was no single cause of the incidents and, in fact, a number of successful oversight, management, and technology processes in place operated as designed and uncovered these matters.

More candidly it admits that no one at NSA understood how everything works. It appears they’re still not sure, as one Senior Official Who Refused to Back His Words admitted,

“I guess they have 300 people doing compliance at NSA.”

“I guess” is how they make us comfortable about their new compliance program.

Ultimately, this resulted in them running daily Section 215 collection on a bunch of numbers that, by their own admission, they did not have reasonable articulable suspicion had some tie to terrorism. When they got caught, that number consisted of roughly 10 out of 11 of the numbers they were searching on.

The rest of this post will be a working thread.

Update: Here is the Wyden/Udall statement. It strongly suggests that the other thing the government lied about — as referenced in John Bates’ October 3, 2011 opinion — was the Internet dragnet.

With the documents declassified and released this afternoon by the Director of National Intelligence, the public now has new information about the size and shape of that iceberg. Additional information about these violations was contained in other recently-released court opinions, though some significant information – particularly about violations pertaining to the bulk email records collection program – remains classified.

 

In addition to providing further information about how bulk phone records collection came under great FISA Court scrutiny due to serious and on-going compliance violations, these documents show that the court actually limited the NSA’s access to its bulk phone records database for much of 2009. The court required the NSA to seek case-by-case approval to access bulk phone records until these compliance violations were addressed. In our judgment, the fact that the FISA Court was able to handle these requests on an individual basis is further evidence that intelligence agencies can get all of the information they genuinely need without engaging in the dragnet surveillance of huge numbers of law-abiding Americans.


The original order required NSA to keep the dragnet on “a secure private network that NSA exclusively will operate.” Yet on the conference call, the Secret-Officials-Whose-Word-Can’t-Be-Trusted admitted that some of the violations involved people wandering into the data without knowing where they were. And an earlier violation made it clear in 2012 they found a chunk of this data that tech people had put on their own server.

The order also requires an interface with security limitations. Again, we know tech personnel access the data outside of this structure.

That order also only approves 7 people to approve queries. That number is now 22.

(9) We need to see a copy of the first couple of reports NSA gave to FISC with its reapplications to see how things got so out of control.

(10) This approval was signed by Malcolm Howard. Among other things, he was in the White House during the Nixon-Ford transition period.


The original authorization for 215 was a hash. Reggie Walton got involved in 2008 and cleaned it up (though not convincingly) in this supplemental order. He relies, significantly, on the “any tangible thing” language passed in 2006. (2-3)


On the Meanings of “Dishonor” and “Hack”

The former NSA IG (and current affiliate of the Chertoff Group profiteers, though he didn’t disclose that financial interest) Joel Brenner has taken to the pages of Lawfare to suggest anyone trying to force some truth out of top Intelligence Community officials is dishonorable.

On March 12 of this year, Senator Ron Wyden asked James Clapper, the director of national intelligence, whether the National Security Agency gathers “any type of data at all on millions or hundreds of millions of Americans.”

“No, sir,” replied the director, visibly annoyed. “Not wittingly.”

Wyden is a member of the Senate Select Committee on Intelligence and had long known about the court-approved metadata program that has since become public knowledge. He knew Clapper’s answer was incorrect. But Wyden, like Clapper, was also under an oath not to divulge the story. In posing this question, he knew Clapper would have to breach his oath of secrecy, lie, prevaricate, or decline to reply except in executive session—a tactic that would implicitly have divulged the secret. The committee chairman, Senator Diane Feinstein, may have known what Wyden had in mind. In opening the hearing she reminded senators it would be followed by a closed session and said,  “I’ll ask that members refrain from asking questions here that have classified answers.” Not dissuaded, Wyden sandbagged he [sic] director.

This was a vicious tactic, regardless of what you think of the later Snowden disclosures. Wyden learned nothing, the public learned nothing, and an honest and unusually forthright public servant has had his credibility trashed.

Brenner of course doesn’t mention that Clapper had had warning of this question, so should have provided a better non-answer. Later in his post, he understates how revealing telephone metadata can be (and of course doesn’t mention it can also include location). He even misstates how often the phone metadata collection has been queried (it was queried on 300 selectors, not “accessed only 300 times”).

But the really hackish part of his argument is in pretending this whole exchange started on March 12.

It didn’t. It started over a year ago and continued through last week when Keith Alexander had to withdraw a “fact sheet” purporting to lay out the “Section 702 protections” Americans enjoy (see below for links to these exchanges).

The exchange didn’t start out very well, with two Inspectors General working to ensure that Wyden and Mark Udall would not get their unclassified non-answer about how many Americans are surveilled under Section 702’s back door until after the Intelligence Committee marked up the bill.

But perhaps the signature exchange was this October 10, 2012 Wyden letter (with 3 other Senators) to Keith Alexander and Alexander’s November 5, 2012 response.

On July 27, 2012, Alexander put on a jeans-and-t-shirt costume and went to DefCon to suck up to hackers. After giving a schmaltzy speech including lines like, “we can protect the networks and have civil liberties and privacy,” DefCon founder Jeff Moss asked Alexander about recent Bill Binney allegations that the NSA was collecting communications of all Americans. Wired reported the exchange here.

It was this exchange — Keith Alexander’s choice to make unclassified statements to a bunch of hackers he was trying to suck up to — that underlies Wyden’s question. And Wyden explicitly invoked Alexander’s comments in his March 12 question to Clapper.

In Wyden’s letter, he quoted this, from Alexander.

We may, incidentally, in targeting a bad guy hit on somebody from a good guy, because there’s a discussion there. We have requirements from the FISA Court and the Attorney General to minimize that, which means nobody else can see it unless there’s a crime that’s been committed.

Wyden then noted,

We believe that this statement incorrectly characterized the minimization requirements that apply to the NSA’s FISA Amendments Act collection, and portrays privacy protections for Americans’ communications as being stronger than they actually are.

This is almost precisely the exchange that occurred last week, when Wyden and Udall had to correct Alexander’s public lies about Section 702 protections again. 8 months later and Alexander is reverting to the same lies about protections for US Persons.

In the letter, Wyden quoted from Alexander again,

You also stated, in response to the same question, that “…the story that we have millions or hundreds of millions of dossiers on people is absolutely false.” We are not entirely clear what the term “dossier” means in this context, so we would appreciate it if you would clarify this remark.

And asked,

Are you certain that the number of American communications collected is not “millions or hundreds of millions”? If so, then clearly you must have some ability to estimate the scale of this number, at least some range in which you believe it falls. If this is the case, how large could this number possibly be? How small could it possibly be?

Does the NSA collect any type of data at all on “millions or hundreds of millions of Americans”?

This last question was precisely the question Wyden asked Clapper 5 months later on March 12 (Alexander’s response in November didn’t even acknowledge this question — he just blew it off entirely).

As Wyden emphasized, Alexander is the one who chose to make misleading assertions in unclassified form, opening up the door for demands for an unclassified response.

Since you made your remarks in an unclassified forum, we would appreciate an unclassified response to these questions, so that your remarks can be properly understood by Congress and the public, and not interpreted in a misleading way.

In other words, Brenner presents the context of Wyden’s question to Clapper completely wrong. He pretends this exchange was about one cleared person setting up another cleared person to answer a question. But Brenner ignores (Wyden’s clear invocation of it notwithstanding) that this exchange started when a cleared person, General Alexander, chose to lie to the public.

And now that we’ve seen the minimization standards, we know just how egregious a lie Alexander told to the hackers at DefCon. It’s bad enough that Alexander didn’t admit that anything that might possibly have a foreign intelligence purpose could be kept and, potentially, disseminated, a fact that would affect all Americans’ communications.

But Alexander was talking to high level hackers, probably the group of civilians who encrypt their online communications more than any other.

And Alexander knows that the NSA keeps encrypted communications indefinitely, and with his say-so, can keep them even if they’re known to be entirely domestic communications.

In other words, in speaking to the group of American civilians whose communications probably get the least protections from NSA (aside from the encryption they themselves give it), Alexander suggested their communications would only be captured if they were talking to bad guys. But the NSA defines “those who encrypt their communications” as bad guys by default.

He was trying to suck up to the hackers, even as he lied about the degree to which NSA defines most of them as bad guys.

Brenner gets all upset about his colleagues being “forced” to lie in public. But that’s not what’s going on here: James Clapper and, especially, Keith Alexander are choosing to lie to the public.

And if it is vicious for an intelligence overseer to call IC officials on willful lies to the public, then we’ve got a very basic problem with democracy.