Posts

Will Obama Attempt to Co-Opt the Internet Companies?

/17 Comments/in /by

Of late, Keith Alexander has added a new thing to his public schtick: inviting tech companies to come up with a way to dragnet more effectively. In the middle of discussions of why NSA must retain the phone dragnet, he’ll stop, and say, if the tech companies can come up with a way to do it better (not just to do the same thing as effectively, mind you, but better), he wants to hear it.

At a minimum, that new schtick should alert you that in 2011 when they “ended” the Internet dragnet, they didn’t end it, they just found a way to do it better, because that’s how Alexander speaks of that decision in this context.

But you might also keep this shift in Alexander’s schtick in mind as you read Matthew Aid’s story about how the President whitewash became a graywash.

At the same time, the agency’s once harmonious relationship with this country’s largest high-tech companies, such as Microsoft, Google and Yahoo, is now a shattered smoking ruin, NSA officials fret. Only the “big three” American telecommunications companies—AT&T, Verizon and Sprint—appear to remain firmly supportive, and even they are beginning to put some distance between themselves and the NSA as shareholders ask pointed questions about their clandestine relationship with the agency.

In this political climate, it was perhaps inevitable that the Review Group would recommend making substantive changes in the way the NSA operates. “We had to go this route,” a Review Group staffer told me in an interview. “If we did not recommend placing some additional controls and checks and balances on the NSA’s operations, the high-tech companies were going to kill us and Congress was going to burn the house down. Besides, our report is non-binding, so who knows what the White House is going to accept and what they are going to toss out.”

Frankly, I think the relationship with some tech companies (Microsoft) has been more harmonious than with others (Yahoo and to some extent Google). And it was never the same as the telecoms enjoy, not least because the telecoms have been stealing the tech companies’ data on and off at the government’s behest for a decade now.

But I’m not at all surprised that citizen outrage had no effect on the Review Group and Administration, but Internet company outrage did.

Fast forward to today, where Obama’s got a meeting with a curious group of CEOs.

  • Tim Cook, CEO, Apple
  • Dick Costolo, CEO, Twitter
  • Chad Dickerson, CEO, Etsy
  • Reed Hastings, co-founder and CEO, Netflix
  • Drew Houston, founder and CEO, Dropbox
  • Marissa Mayer, president and CEO, Yahoo!
  • Burke Norton, chief legal officer, Salesforce
  • Mark Pincus, founder, chief product officer and chairman, Zynga
  • Shervin Pishevar, co-founder and co-CEO, Sherpa Global
  • Brian Roberts, chairman and CEO, Comcast
  • Erika Rottenberg, vice president, general counsel and secretary, LinkedIn
  • Sheryl Sandberg, COO, Facebook
  • Eric Schmidt, executive chairman, Google
  • Brad Smith, executive vice president and general counsel, Microsoft
  • Randall Stephenson, chairman and CEO, AT&T

As WaPo’s piece on this points out, the meeting mixes the leaders of the Internet companies calling for more transparency — Yahoo, Google, and Microsoft, to a lesser extent Apple, LinkedIn, and Facebook, as well as Dropbox — and AT&T, the company that has been stealing from the critics. In addition, Comcast, which almost certainly has joined AT&T in that more harmonious role, will attend.

The initial reports on the meeting dubbed it an effort for the President to discuss — and try to fix — Federal IT contracting in the wake of the ObamaCare website.

But the critics have issued a statement making it clear they intend to talk about surveillance.

So let’s consider the dynamic to expect at this meeting. You’ve got a lot of Internet bigwigs, two Toobz bigwigs, and some smaller CEOs. That dynamic, right away, should prevent a truly candid conversation (because of the differing interests of all the parties).

And against that dynamic, the President will be discussing how to make it easier to contract with real software companies, rather than bloated federal software contractors.

There will be the stilted conversation about NSA (and AT&T) stealing from Internet companies. And a far less stilted conversation about the federal government expanding its contracting with private sector Internet companies.

They’ll have a stilted conversation about reining in government, and a less stilted conversation about putting more government dollars in Internet company pockets.

Update: Changed title to reflect these are Internet companies, not software, and fixed some syntax.

Update: Meanwhile, Obama has named a Microsoft Exec to be his new ObamaCare fixer, which should make it easier to send more business Microsoft’s way.

“He’s sure as hell no traitor”

/6 Comments/in /by

Fortune has an interview with a former colleague of Edward Snowden’s in Hawaii (some have questioned its provenance, but details in the interview accord with other stories about Snowden at NSA; even Keith Alexander said he was very good at his job).

One of my favorite details describes how Snowden repeatedly alerted NSA to security problems in their code, but they didn’t always fix it.

He also frequently reported security vulnerabilities in NSA software. Many of the bugs were never patched.

This is consistent with a story describing him trying to fix a CIA security problem when he was in Europe, so it rings true. But it also reveals the NSA’s own lax concern for security.

But I’m most interested in this paragraph:

Snowden’s former colleague says that he or she has slowly come to understand Snowden’s decision to leak the NSA’s files. “I was shocked and betrayed when I first learned the news, but as more time passes I’m inclined to believe he really is trying to do the right thing and it’s not out of character for him. I don’t agree with his methods, but I understand why he did it,” he or she says. “I won’t call him a hero, but he’s sure as hell no traitor.”

I have been tracking the apparent concern on the part of top NSA officials that employees will learn something that disturbs them. This is — if authentic — one of the first descriptions we have of an NSA employee reacting to Snowden’s leaks (albeit from one who seemed to admire him).

But it describes this employee beginning to understand Snowden’s underlying point, though not his methods (and perhaps not his ultimate judgement it was unconstitutional).

This is the battle Keith Alexander seems most afraid of, the battle over the belief of NSA insiders.

NSA’s 60 Wiretaps and FBI’s 1,728 Wiretaps?

/5 Comments/in /by

I want to return to the exchange shown on last night’s 60 Minutes piece on NSA where CBS’s in-house national security shill asked Keith Alexander about collecting the content of phone calls.

John Miller: There is a perception out there that the NSA is widely collecting the content of the phone calls of Americans. Is that true?

Gen. Keith Alexander: No, that’s not true. NSA can only target the communications of a U.S. person with a probable cause finding under specific court order. Today, we have less than 60 authorizations on specific persons to do that.

John Miller: The NSA as we sit here right now is listening to a universe of 50 or 60 people that would be considered U.S. persons?

Gen. Keith Alexander: Less than 60 people globally who are considered U.S. persons.

As a threshold matter, note that Alexander didn’t answer the question Miller asked, which was whether the “NSA is widely collecting the content of the phone calls of Americans.” Instead, Alexander answered how many US persons the NSA is targeting (he’s been providing this non-responsive answer for months now, so it is a well-practiced ploy). His answer is further modified by referring to “specific person.” And he used the word “globally,” which I found to be particularly interesting, given that by law the government has to get orders to wiretap Americans overseas, too.

Note two other things Alexander doesn’t address: US person content generally, and how many FISC orders the FBI gets.

According to the report to Congress on FISA covering 2012, the FISC approved 1,788 orders for electronic surveillance last year, plus another 68 for physical searches alone (which increasingly means stored content in an email server).

During the calendar year 2012, the Government made 1,856 applications to the Foreign Surveillance Court (the “FISC”) for authority to conduct electronic surveillance and/or physical searches for foreign intelligence purposes. The 1,856 applications include applications made solely for electronic surveillance, applications made solely for physical search, and combined applications requesting authority for electronic surveillance and physical search. Of these, 1, 789 applications included requests for authority to conduct electronic surveillance.

Of the 1,789 applications, one was withdrawn by the Government.

This number does not count the same number Alexander used in his dodge. It includes FISA Amendments Act orders, though those are programmatic and therefore should be far less numerous (indeed, the number of orders did not go up that much when bulk orders were first approved in 2007, and they actually went down in 2008 and 2009 with the FISA Amendments Act passage). And these orders may be email-only orders.

Thus, there are a range of explanations for why Lying Keith claims only to have taps on 60 people but the FISA report shows 1,788 orders for electronic surveillance: FBI, not NSA, submitted the orders, they don’t request phone content, they’re bulk orders targeting non-US persons.

Still, the number of US persons who have been targeted via a specific FISC order are likely far higher than the 60 Lying Keith used on last night’s show. Plus, there may be US persons who had their email collected via specific order, but not their phone content. And of course, every one of the bulk orders targeting non-US persons would include incidentally collection US person data that can be searched with no Reasonable Articulable Suspicion. And we know NSA collects email content from around 56,000 US persons each year in its upstream collection — collection which John Bates considers intentional collection.

Thus, the number of Americans having their content collected is far, far higher than the 60 Alexander used on last night’s show.

Which is another good reason to require more transparency on these FISA numbers, because without it, Keith Alexander will lie again.

60 Minutes Betters Their Benghazi Debacle: Pirates Ahoy! and Chinese Global Suicide Bombers

/24 Comments/in , /by

I will have more to say about tonight’s 60 Minutes debacle.

But for now, let me make three points.

First, John Miller should never work in journalism again (he’s reportedly prepping to run NYPD’s intelligence shop, so he may not need to). There were numerous examples in tonight’s 60 Minutes piece where even a mildly curious journalist would have asked follow-up questions. But given that Miller, who has an ODNI and FBI background, knows this stuff, his failure to ask obvious follow-up questions is proof this was not at all about journalism.

Of particular note that everyone is getting snookered on: Lying Keith Alexander said that NSA only listens to the phone calls of 60 US persons. When Miller sort of asked a follow-up, Alexander seemed to reiterate that this is NSA.

Of course, FBI formally owns the wiretapping of US persons in the US. So that 60 number may only be Americans we wiretap overseas. One of those follow-up questions that might have been useful.

Then there was the NSA’s effort to show us what contact chaining looks like. As a threshold matter, they had subbed out all the real phone numbers with “555-1212” type numbers. Which means the computer was altered for TV.

Then, CBS showed an NSA analyst contact chaining off pirates.

Yes, pirates!

Aside from opening up NSA to the claim that we’re now all 3 degrees of Captain Hook, the pirate operation of course means the claims of the analyst only apply to EO 12333 collection (cause pirates are almost never US persons).

That is, we should assume it is completely meaningless as a demonstration of what the US phone dragnet is about.

Then there’s the scary BIOS plot.

I’ll need to go back and review this, but the jist of the scary claim at the heart of the report is that the NSA caught China planning a BIOS plot to shut down the global economy.

To.

Shut.

Down.

The.

Global.

Economy.

Of course, if that happened, it’d mean a goodly percentage of China’s 1.3 billion people would go hungry, which would lead to unbelievable chaos in China, which would mean the collapse of the state in China, the one thing the Chinese elite want to prevent more than anything.

But the NSA wants us to believe that this was actually going to happen.

That China was effectively going to set off a global suicide bomb. Strap on the economy in a cyber-suicide vest and … KABOOOOOOOM!

And the NSA heroically thwarted that attack.

That’s what they want us to believe and some people who call themselves reporters are reporting as fact.

Did DOJ Prosecute Basaaly Moalin Just to Have a Section 215 “Success”?

/3 Comments/in , /by

At yesterday’s Senate Judiciary Committee hearing on the dragnet, the government’s numbers supporting the value of the dragnet got even worse. At one point, Pat Leahy asserted that the phone dragnet had only been useful in one case (in the last hearing, there had been a debate over whether it had been critical in one or two cases).

Leahy (after 1:09:40): We’ve already established that Section 215 was uniquely valuable in just one terrorism case, not the 54 that have been talked about before.

In a follow up some minutes later, Keith Alexander laid out numbers that explain how the Administration had presented that 1 case as 12 in previous claims.

Alexander (at 1:21:30): As you correctly stated, there was one unique case under 215 where the metadata helped. There were 7 others where it contributed. And 4 where it didn’t find anything of value, and we were able to tell the FBI that.

That is, to publicly claim that the phone dragnet has been useful in 12 cases, the Administration included 7 cases where — as with the Najibullah Zazi case — it proved to be a tool that provided non-critical information available by other means, and 4 cases where it was useful only because it didn’t show any results.

To fluff their numbers, the Administration has been counting cases where the phone dragnet didn’t show results as showing results of no results.

With sketchy numbers like that, it’s high time for a closer examination of the details — and the timing — of the Basaaly Moalin prosecution, the only case (Alexander now agrees) where the phone dragnet has been critical.

As a reminder, Moalin was first identified via the dragnet — probably on a second hop away from Somali warlord Aden Ayro — in October 2007.  They used that and probably whatever tip they used to investigate him in 2003 to get a FISA warrant by December 20, 2007. Only 2 months later, February 26, 2008, was al-Shabaab listed as a foreign terrorist organization. Ayro was killed on May 1, 2008, though the government kept the tap on Moalin through December 2008, during which period they collected evidence of Moalin donating money (maybe 3 times as much as he gave to al-Shabaab-related people) to a range of people who had nothing to do with al-Shabaab. A CIPA stipulation presented at the trial revealed that during this period after the inculpatory conversations, Moalin’s tribe and Shabaab split and Moalin’s collections supported other entities in Somalia.

1. Money collected for the Ayr sub-clan was given to individuals including Abukar Suyare (Abukar Mohamed) and Fare Yare, who were associated with the Ilays charity.

2. Money collected by the men in Guracewl on behalf of the Ayr sub-clan was given to a group that was not as-Shabaab. [sic]

3. There was a dispute between al-Shabaab, the Ayr clan and Ilays over the administration pf [sic] of Galgaduud regions.

4. Members of the Ilays charity and the Ayr sub-clan, including Abukar Suryare, were opposed to the al-Shabaab and were Ayrow’s enemies.

On April 8, 2009, FBI would search the hawala used to send money based entirely on Moalin’s case. Yet on April 23, 2009, according to a document referenced but not provided to Moalin’s defense, the FBI concluded that Moalin not only no longer expressed support for al-Shabaab, but that he had only ever supported it because of tribal loyalties, not support for terrorism.

The San Diego FIG assesses that Moalin, who belongs to the Hawiye tribe/Habr Gedir clan/Ayr subclan, is the most significant al-Shabaab fundraiser in the San Diego Area of Operations (AOR). Although Moalin has previously expressed support for al-Shabaab, he is likely more attentive to Ayr subclan issues and is not ideologically driven to support al-Shabaab. The San Deigo FIG assesses that Moalin likely supported now deceased senior al-Shabaab leader Aden Hashi Ayrow due to Ayrow’s tribal affiliation with the Hawiye tribe/Habr Gedir clan/Ayr subclan rather than his position in al-Shabaab. Moalin has also worked diligently to support Ayr issues to promote his own status with Habr Gedir elders. The San Diego FIG assesses, based on reporting that Moalin has provided direction regarding financial accounts to be used when transferring funds overseas that he also serves as a controller for the US-based al-Shabaab fundraising network.

The intercepts on which the prosecution was based support this. They show that Moalin’s conversations with Ayro and others focused on fighting the (American-backed) Ethiopian invaders of his region, not anything outside of Somalia.

Read more

Sheldon Whitehouse: We Can’t Unilaterally Disarm, Even to Keep America Competitive

/5 Comments/in , , /by

I have to say, the Senate Judiciary Committee hearing on the dragnet was a bust.

Pat Leahy was fired up — and even blew off a Keith Alexander attempt to liken the Internet to a library with stories of the library card he got when he was 4. While generally favoring the dragnet, Chuck Grassley at least asked decent questions. But because of a conflict with a briefing on the Iran deal, Al Franken was the only other Senator to show up for the first panel. And the government witnesses — Keith Alexander, Robert Litt, and James Cole — focused on the phone dragnet disclosed over 6 months ago, rather than newer disclosures like back door searches and the Internet dragnet, which moved overseas. Litt even suggested — in response to a question from Leahy — that they might still be able to conduct the dragnet if they could bamboozle the FISA Court on relevance, again (see Spencer on that). As a result, no one discussed the systemic legal abuses of the Internet dragnet or NSA’s seeming attempt to evade oversight and data sharing limits by moving their dragnet overseas.

Things went downhill when Leahy left for the Iran briefing and Sheldon Whitehouse presided over the second panel, with the Computer & Communications Industry Association’s Edward Black, CATO’s Julian Sanchez, and Georgetown professor (and former DOJ official) Carrie Cordero. Sanchez hit some key points on the why Internet metadata is not actually like phone pen registers. Cordero acknowledged that metadata was very powerful but then asserted that the metadata of the phone-based relationships of every American was not.

And Black tried to make the case that the spying is killing America.

Or, more specifically, his industry’s little but significant corner of America, the Internet. While only some of this was in his opening statement, Black made the case that the Internet plays a critical role in America’s competitiveness.

While these are critical issues, it is important that the Committee also concern itself with the fact that the behavior of the NSA, combined with the global environment in which this summer’s revelations were released, may well pose an existential threat to the Internet as we know it today, and, consequently, to many vital U.S. interests, including the U.S. economy.

[snip]

The U.S. government has even taken notice. A recent comprehensive re- port from the U.S. International Trade Commission (ITC) noted, “digital trade continues to grow both in the U.S. economy and globally” and that a “further increase in digital trade is probable, with the U.S. in the lead.” In fact, the re- port also shows, U.S. digital exports have exceeded imports and that surplus has continually widened since 2007.

[snip]

As a result, the economic security risks posed by NSA surveillance, and the international political reaction to it, should not be subjugated to traditional national security arguments, as our global competitiveness is essential to long-term American security. It is no accident that the official National Security Strategy of the United States includes increasing exports as a major component of our national defense strategy.

Then he laid out all the ways that NSA’s spying has damaged that vital part of the American economy: by damaging trust, especially among non-American users not granted to the protections Americans purportedly get, and by raising suspicion of encryption.

Black then talked about the importance of the Internet to soft power. He spoke about this generally, but also focused on the way that NSA spying was threatening America’s dominant position in Internet governance, which (for better and worse, IMO) has made the Internet the medium of exchange it is.

The U.S. government position of supporting the multi-stakeholder model of Internet governance has been compromised. We have heard increased calls for the ITU or the United Nations in general to seize Internet governance functions from organizations that are perceived to be too closely associated with the U.S. government, such as the Internet Corporation for Assigned Names and Numbers (ICANN).

And he pointed to proposals to alter the architecture of the Internet to minimize the preferential access the US currently has.

Let’s be honest, Black is a lobbyist, and he’s pitching his industry best as he can. I get that. Yet even still, he’s not admitting that these governance and architecture issues really don’t provide neutrality — though US stewardship may be the least-worst option, it provides the US a big advantage.

What Black hinted at (but couldn’t say without freaking out foreign users even more) is that our stewardship of the Internet is not just one of the few bright spots in our economy, but also a keystone to our power internationally. And it gives us huge spying advantages (not everyone trying to erode our control of the Internet’s international governance is being cynical — Edward Snowden has made it clear we have abused our position).

Which is why Whitehouse’s response was so disingenuous. He badgered Black, interrupting him consistently. He asked him to compare our spying with that of totalitarian governments, which Black responded was an unfair comparison. And Whitehouse didn’t let Black point out that American advantages actually do mean we spy more than others, because we can.

Basically, Whitehouse suggested that, in the era of Big Data,  if we didn’t do as much spying as we could — and to hell with what it did to our preferential position on the Internet — it would amount to unilaterally disarming in the face of Chinese and Russian challenges.

If we were to pass law that prevented us from operating in Big Data, would be unilaterally disarming.

Whitehouse followed this hubris up with several questions that Sanchez might have gladly answered but Black might have had less leeway to answer, such as whether a court had ever found these programs to be unconstitutional. (The answer is yes, John Bates found upstream collection to be unconstitutional, he found the Internet dragnet as conducted for 5 years to be illegal wiretapping, and in the Yahoo litigation in 2007, Yahoo never learned what the minimization procedures were, and therefore never had the opportunity to make the case.) Black suggested, correctly, I think, that Whitehouse’s position meant we were just in an arms race to be the Biggest Brother.

I get it. Whitehouse is one of those who believelike Keith Alexander (whose firing Whitehouse has bizarrely not demanded, given his stated concerns about the failure to protect our data during Alexander’s tenure) that the Chinese are plundering the US like a colony.

Not only does this stance seem to evince no awareness of how America used data theft to build itself as a country (and how America’s hardline IP stance will kill people, making America more enemies). But it ignores the role of the Internet in jobs and competition and trade in ideas and goods.

Sheldon Whitehouse, from a state suffering economically almost as much as Michigan, seems anxious to piss away what competitive advantages non-defense America has to conduct spying that hasn’t really produced results (and has made our networks less secure as a result — precisely the problem Whitehouse claims to be so concerned about). That’s an ugly kind of American hubris that doesn’t serve this country, even if you adopt the most jingoistic nationalism imaginable.

He should know better than this. But in today’s hearing, he seemed intent on silencing the Internet industry so he didn’t learn better.

Update: Fixed the Black quotation.

Update: Jack Goldsmith pushes back against the American double standards on spying and stealing here.

In Naming Its Man of the Year, Time Proves It Doesn’t Even READ the News

/15 Comments/in , /by

I’m probably fairly lonely among my crowd to be satisfied that Time picked Pope Francis over Edward Snowden to be Person of the Year. Not only do I prefer that the focus remain on the reporting on NSA than revert back to caricatures like Time creates of Snowden as a “Dark Prophet” reading Dostoevsky. The Pope’s criticism of — above all — inequality may have as much or more impact on people around the globe as Snowden’s criticism of the surveillance state.

Would that both the Catholic Church and the United States live up to the idealist claims they purport to espouse.

But reading the profile Time did of Snowden, I can’t help but suspect they picked the Pope out of either fear or ignorance about what Snowden actually revealed. Consider this paragraph, which introduces a section on the lies NSA has told.

The NSA, for its part, has always prided itself on being different from the intelligence services of authoritarian regimes, and it has long collected far less information on Americans than it could. The programs Snowden revealed in U.S. ­surveillance agencies, at least since the 1970s, are subject to a strict, regularly audited system of checks and balances and a complex set of rules that restrict the circumstances under which the data gathered on Americans can be reviewed. As a general rule, a court order is still expected to review the content of American phone calls and e-mail ­messages. Unclassified talking points sent home with NSA employees for Thanksgiving put it this way: “The NSA performs its mission the right way—­lawful, compliant and in a way that protects civil liberties and privacy.” Indeed, none of the Snowden disclosures published to date have revealed any ongoing programs that clearly violate current law, at least in a way that any court has so far identified. Parts of all three branches of government had been briefed and had given their approval.

It’s full of bullshit. There’s the claim that NSA collects far less on Americans than it could. Does that account for the fact that, in the Internet dragnet and upstream collection programs, it collected far more than it was authorized to? Those same programs prove that surveillance can go on for (in the case of the Internet dragnet) 5 years before anyone realizes it has been violating the law — not exactly the definition of a regularly audited system. And, with its claim that “all three branches of government have been briefed,” Time must have missed Dianne Feinstein’s admission that the stunning sweep of the programs conducted under EO 12333 (which also collect US person data) don’t get close scrutiny from her committee (and none from the FISA Court).

But this claim most pisses me off:

As a general rule, a court order is still expected to review the content of American phone calls and e-mail ­messages.

Journalistic outlet Time must have missed where NSA’s General Counsel Raj De, in a public hearing, testified that NSA doesn’t even need Reasonable Articulable Suspicion — much less a court order — to read the content of Americans’ data collected incidentally under the FISA Amendment Act’s broad sweep, to say nothing of the even greater collection of data swept up under 12333. To support this demonstrably false claim, Time then points to the similarly false talking points the NSA sent home at Thanksgiving. It points to the NSA’s talking points just two paragraphs before Time lays out how often NSA has lied, both describing the government as actively misleading…

At the time Snowden went public, the American people had not just been kept in the dark; they had actively been misled about the actions of their government.

And then describing the specific lies of Keith Alexander and James Clapper.

The NSA lies, and lies often. But Time points to the NSA’s own lies to support its bad reporting.

At the same time, Time dances around the many things the US does that make us less secure. For example, it gives credence to the nonsense claim that Snowden singlehandedly prevented us from pressuring China into stopping hacking of us.

While in Hong Kong, Snowden gave an interview and documents to the South China Morning Post describing NSA spying on Chinese universities, a disclosure that frustrated American attempts to embarrass China into reducing its industrial-espionage efforts against U.S. firms.

This repeats the anachronistic claims and silence about US cyberwar that Kurt Eichenwald made in Newsweek.

And Time says Bullrun — a program that involves inserting vulnerabilities into code — “decodes encrypted messages to defeat network security,” which also minimizes the dangerous implications of NSA’s hacking.

If Time had actually read the news, rather than wax romantic about Russian literature, it might report that NSA in fact does collect vast amounts of and can the read incidentally collected content of most Americans. It might describe the several times NSA has been found to be violating the law, for years at a time. It might explain that many of these programs, because they operate solely under the President’s authority, might never get court review without Snowden’s leaks. And Time might bother to tell readers that, in some ways at least, the NSA makes us less safe because it prioritizes offensive cyberattacks (and not just on China) over keeping American networks safe.

As I said, I could have been happy about either a Pope Francis or an Edward Snowden selection. But as it is, Time might better call their scheme “Caricature of the Year,” because at least in their Snowden profile, they’re not actually presenting the news.

Former Top NSA Officials Insist Employees Are Leaving Because Obama Is Mean, Not Because They Object To NSA’s Current Activities

/29 Comments/in /by

Ellen Nakashima has a story that purports to show 1) significant morale problems at the NSA and 2) proof that the morale stems from Obama’s failure to more aggressively support the NSA in the wake of the Edward Snowden revelations.

The story relies in significant part on former NSA IG Joel Brenner and two other former officials who insisted on remaining anonymous because “they still have dealings” with the NSA.

“The agency, from top to bottom, leadership to rank and file, feels that it is had no support from the White House even though it’s been carrying out publicly approved intelligence missions,” said Joel Brenner, NSA inspector general from 2002 to 2006. “They feel they’ve been hung out to dry, and they’re right.”

A former U.S. official — who like several other former officials interviewed for this story requested anonymity because he still has dealings with the agency — said: “The president has multiple constituencies — I get it. But he must agree that the signals intelligence NSA is providing is one of the most important sources of intelligence today.

“So if that’s the case, why isn’t the president taking care of one of the most important elements of the national security apparatus?”

[snip]

A second former official said NSA workers are polishing up their résumés and asking that they be cleared — removing any material linked to classified programs — so they can be sent out to potential employers. He noted that one employee who processes the résumés said, “I’ve never seen so many résumés that people want to have cleared in my life.”

Morale is “bad overall,” a third former official said. “The news — the Snowden disclosures — it questions the integrity of the NSA workforce,” he said. “It’s become very public and very personal. Literally, neighbors are asking people, ‘Why are you spying on Grandma?’ And we aren’t. People are feeling bad, beaten down.”

Does “still have dealings with the agency” mean these people still contract to it, indirectly or directly? If it does, how much of this contracting works through The Chertoff Group, where a slew of former officials seem to have had remarkably consistent interests in spreading this line for months? Nakashima might want to provide more details about this in any future of these stories, as it may tell us far more about how much these men are profiting for espousing such views.

After all, while they do provide evidence that NSA employees are leaving, they provide only second-hand evidence — evidence that is probably impossible for any of these figures to gain in depth personally — that the issue pertains to Obama’s response.

And there are at least hints that NSA employees might be leaving for another reason: they don’t want to be a part of programs they’re only now — thanks to compartmentalization — learning about

We can look to the two letters the NSA has sent to “families” of workers for such hints.

The first, sent in September (page one, page two, h/t Kevin Gosztola), got sent just 3 days after the release of documents showing NSA had been violating just about every rule imposed on the phone dragnet for the first three years it operated (partly, it should be said, because of Joel Brenner’s inadequate oversight at its inception). In the guise of providing more context to NSA employee family members about that and recent disclosures, Keith Alexander and John Inglis wrote,

We want to put the information you are reading and hearing about in the press into context and reassure you that this Agency and its workforce are deserving and appreciative of your support. Read more

Why NSA Can’t Count How Many Americans’ Cell Location They Collect

/12 Comments/in /by

As bmaz noted, WaPo reported today that NSA has been collecting billions of phone records a day, including cell location information. Once again, when the NSA says it has stopped or doesn’t conduct a practice, it means only it has stopped the practice in the US, even though it still collects US person data overseas.

But the NSA refuses to reveal how many Americans’ data are being swept up.

The number of Americans whose locations are tracked as part of the NSA’s collection of data overseas is impossible to determine from the Snowden documents alone, and senior intelligence officials declined to offer an estimate.

“It’s awkward for us to try to provide any specific numbers,” one intelligence official said in a telephone interview. An NSA spokeswoman who took part in the call cut in to say the agency has no way to calculate such a figure.

An intelligence lawyer, speaking with his agency’s permission, said location data are obtained by methods “tuned to be looking outside the United States,” a formulation he repeated three times. When U.S. cellphone data are collected, he said, the data are not covered by the Fourth Amendment, which protects Americans against unreasonable searches and seizures.

A number of tech people are wondering if there’s some secret technical reason why NSA can’t or won’t estimate the number.

But the reason is almost certainly far more cynical.

In 2010 (sometime between July and October), John Bates told the NSA if they knew they were collecting content of US persons, they were illegally wiretapping them. But if they didn’t know, then they weren’t in violation.

When it is not known, and there is no reason to know, that a piece of information was acquired through electronic surveillance that was not authorized by the Court’s prior orders, the information is not subject to the criminal prohibition in Section 1809(a)(2). Of course, government officials may not avoid the strictures of Section 1809(a)(2) by cultivating a state of deliberate ignorance when reasonable inquiry would likely establish that information was indeed obtained through unauthorized electronic surveillance.

Then in 2011, Bates made them count some of their collection of US person content (he deemed it intentional collection, though they and their Congressional overseers still like to claim, legal opinion notwithstanding, it was not; the use of “tuned to be looking outside the US” is probably more of the same). And using the threat of labeling that US person content, he forced them to purge the information. But they somehow refused to count the larger amount of US person data collected intentionally, and NSA was permitted to keep that.

Presumably, the laws would be different on overseas collection, which would not count as “electronic surveillance.” Except that with Section 703 of FISA — which requires an order for collection on US person content overseas — there may be similar levels of protection, just via different statutes.

One thing the NSA has learned through experience with John Bates and FISC is that if you claim you don’t know you’ve collected US person data, a judge will not declare it legal. But if you admit you’ve collected US person data, then that same judge may threaten you with sanctions or force you to purge your data.

So there’s a very good reason why it’s “awkward” for NSA “to try to provide any specific numbers.” Doing so would probably make the collection illegal.

NSA: We Steal Industry Secrets, But Not for Competitive Advantage

/6 Comments/in /by

Kudos to Kevin Gosztola, who liberated the propaganda the NSA sent workers home with for Thanksgiving to use with family and friends.

I find 3 of the bullet points particularly interesting (all of which Gosztola also touches on).

NSA: we steal secrets, we just use them differently

NSA does not and will not steal industry secrets in order to give U.S. companies a competitive advantage.

The NSA has uttered various versions of this claim since the Snowden leaks started. But I find this formulation particularly telling. NSA is not denying they steal industry secrets (nor could they, since we know they’ve stolen data from corporations like Petrobras and have stolen secrets from a range of hacking targets).

They’re just denying they steal secrets in order to give US companies a competitive advantage.

Of course, they’re not calculating the advantage that having the world’s most voracious COMINT spy might have for owners of IP. They’re not talking about how intelligence on opposition to US products (like GMO or untested chemicals) translates into industrial advantage. They’re not talking about how spying influences the work of Defense Contractors (who do, of course, also sell on the international market). They’re not talking about how larger financial spying ultimately gives American companies an advantage.

But so long as NSA’s workers can tell their mother-in-law they’re not facilitating US cheating (which they are), it’s all good, I guess.

We don’t demand, we ask nicely

NSA does not and will not demand changes by any vendor to any product, nor does it have any authority to demand such changes.

Again, watch the language carefully. NSA denies it demands changes (presumably meaning to the security of software and hardware producers). It doesn’t deny it sometimes asks for changes. It doesn’t deny it sometimes negotiates unfairly to get those changes. It doesn’t deny it steals data on those changes.

It just doesn’t demand those changes.

We perform exceptionally well if you ignore cybersecurity

NSA performs its mission exceptionally well. We strive to be the best that we can be, because that’s what America requires as part of its defense in a dangerous world.

Signals intelligence improves our knowledge and understanding of terrorist plans and intentions. It is one of the most powerful tools we have to protect our citizens, soldiers, and allies.

Fundamentally, NSA and partner foreign intelligence agencies work together to protect the world’s citizens from a range of threats like terrorism, weapons proliferation, and cyber attacks. Terrorists and weapons proliferators use the same technology many of us do, such as e-mail. That is why the U.S. Government compels providers to provide webmail for these carefully identified threats.

In the original, the first of these two bullets is bolded, on top of the emphasis to exceptionally well.

But note how carefully the document dances around NSA’s failures in cybersecurity? Elsewhere, the document admits its helps DOD with cybersecurity, but says nothing about targeting cyber attackers more generally.

It then pretends it only uses Section 702 for collection directly from Internet providers, ignoring the upstream collection and its focus on cybersecurity targets. It also pretends it only uses Section 702 for counterproliferation and terrorist targets, though ODNI has admitted to targeting cyberattackers under Section 702 before.

No lesser expert than Keith Alexander has equated the cybertheft of American companies to colonial plunder. It is his job to combat those cyberthieves who’ve plundered the country. And yet, he says he has done his job exceptionally well.

I guess that’s why he only wanted to talk about terrorism?