Posts

Monday Morning: Calm, You Need It

/5 Comments/in , /by

Another manic Monday? Then you need some of Morcheeba’s Big Calm combining Skye Edward’s mellow voice with the Godfrey brothers’ mellifluous artistry.

Apple’s Friday-filed response to USDOJ: Nah, son
You can read here Apple’s response to the government’s brief filed after Judge James Orenstein’s order regarding drug dealer Jun Feng’s iPhone. In a nutshell, Apple tells the government they failed to exhaust all their available resources, good luck, have a nice life. A particularly choice excerpt from the preliminary statement:

As a preliminary matter, the government has utterly failed to satisfy its burden to demonstrate that Apple’s assistance in this case is necessary—a prerequisite to compelling third party assistance under the All Writs Act. See United States v. N.Y. Tel. Co. (“New York Telephone”), 434 U.S. 159, 175 (1977). The government has made no showing that it has exhausted alternative means for extracting data from the iPhone at issue here, either by making a serious attempt to obtain the passcode from the individual defendant who set it in the first place—nor to obtain passcode hints or other helpful information from the defendant—or by consulting other government agencies and third parties known to the government. Indeed, the government has gone so far as to claim that it has no obligation to do so, see DE 21 at 8, notwithstanding media reports that suggest that companies already offer commercial solutions capable of accessing data from phones running iOS 7, which is nearly three years old. See Ex. B [Kim Zetter, How the Feds Could Get into iPhones Without Apple’s Help, Wired (Mar. 2, 2016) (discussing technology that might be used to break into phones running iOS 7)]. Further undermining the government’s argument that Apple’s assistance is necessary in these proceedings is the fact that only two and a half weeks ago, in a case in which the government first insisted that it needed Apple to write new software to enable the government to bypass security features on an iPhone running iOS 9, the government ultimately abandoned its request after claiming that a third party could bypass those features without Apple’s assistance. See Ex. C [In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, Cal. License Plate #5KGD203 (“In the Matter of the Search of an Apple iPhone” or the “San Bernardino Matter”), No. 16-cm-10, DE 209 (C.D. Cal. Mar. 28, 2016)]. In response to those developments, the government filed a perfunctory letter in this case stating only that it would not modify its application. DE 39. The letter does not state that the government attempted the method that worked on the iPhone running iOS 9, consulted the third party that assisted with that phone, or consulted other third parties before baldly asserting that Apple’s assistance remains necessary in these proceedings. See id. The government’s failure to substantiate the need for Apple’s assistance, alone, provides more than sufficient grounds to deny the government’s application.

Mm-hmm. That.

Dieselgate: Volkswagen racing toward deadline

  • Thursday, April 21 is the extended deadline for VW to propose a technical solution for ~500,000 passenger diesel cars in the U.S. (Intl Business Times) — The initial deadline was 24-MAR, establishing a 30-day window of opportunity for VW to create a skunkworks team to develop a fix. But if a team couldn’t this inside 5-7 years since the cars were first sold in the U.S., another 30 days wouldn’t be enough. Will 60 days prove the magical number? Let’s see.
  • VW may have used copyrighted hybrid technology without paying licensing (Detroit News) — What the heck was going on in VW’s culture that this suit might be legitimate?
  • After last month’s drop-off in sales, VW steps up discounting (Reuters) — Trust in VW is blamed for lackluster sales; discounts aren’t likely to fix that.

Once around the kitchen

  • California’s winter rains not enough to offset long-term continued drought (Los Angeles Times) — Op-ed by Jay Famiglietti, senior water scientist at the NASA Jet Propulsion Laboratory–Pasadena and UC-Irvine’s professor of Earth system science. Famiglietti also wrote last year’s gangbuster warning about California’s drought and incompatible water usage.
  • Western scientists meet with North Korean scientists on joint study of Korean-Chinese volcano (Christian Science Monitor) — This seems quite odd, that NK would work in any way with the west on science. But there you have it, they are meeting over a once-dormant nearly-supervolcano at the Korea-china border.
  • BTW: Deadline today for bids on Yahoo.

There you are, your week off to a solid start. Catch you tomorrow morning!

Monday Morning: The Urge to Merge

/6 Comments/in , /by

In my eyes, indisposed
In disguises no one knows
Hides the face, lies the snake
The sun in my disgrace

— excerpt, Black Hole Sun by Soundgarden

Looks like this week is all about mergers. Enjoy this simulation on replay several times while listening to Soundgarden’s Black Hole Sun while we dig in.

Roll Call

  • Yahoo’s vulnerability brings all the nasty suitors to the yard (MarketWatch) — If Daily Mail wins, Yahoo will be one massive tabloid, and Tumblr will become a cesspool. Bidding’s open until next Monday; what other potential buyers may emerge this week?
  • Big names in hotels to join after shareholders approve Marriott offer for Starwood Hotels (UPI) — The vote came last Friday after Chinese insurance holding group Anbang withdrew from bidding.
  • Merger of beer producers SABMiller and A-B InBev still in holding pattern (Milwaukee Business Journal) — The deal is languishing for approval by South Africa’s Competition Commission. Part of SABMiller was once South African Brewing.
  • UK balks at Hutchins and Telefonica tie up (Reuters) — Cousins across the pond better watch out; this proposed merger, even if shot down by regulators, portends another telecom marriage ahead. With UK’s Competition and Markets Authority recommending a spin-off of either Three Mobile or O2 mobile network business in order to approve the deal, a divestment of one of these may happen anyhow.

The Yahoo and Hutchins-Telefonica deals bear scrutiny for their potential for mass surveillance depending on how the proposals play out. Yahoo could end up operating under UK laws, and some part(s) of either Hutchins or Telefonica could end up with a non-UK or non-EU partner.

All of these proposed mergers were in the works before the Panama Papers were released; none them appear to be motivated solely by tax reduction, but instead by economies of scale and weak market conditions. It’d be nice if executives of all companies raking in profits realized that failing to pay their hourly workers well has a direct impact on overall market demand. Their businesses could retain autonomy instead of spending time and money on M&A they could spend on employees’ wages.

Speaking of Panama Papers: revelations still shaping policy and politics

  • U.S. Treasury still working on tax rules to reduce tax avoidance and evasion by offshoring (Bloomberg) — Many large holding company structures use intra-group loans to move money out of the U.S. The new rules which may limit these moves may affect not only U.S. corporations but foreign corporations with subsidiaries in the U.S.
  • UK’s PM David Cameron facing heat about tax avoidance strategies used by his family (Scotsman) — Strategies included a tax-free gift of 200,000 pounds to Cameron from his mother. He is supposed to appear before Parliament for questioning.
  • Mossack Fonseca still getting hacked due to poor security response (The Register) — At what point do we ask if MossFon is really just a honeypot, given continued insufficient security?

Just for fun: Rockets!
If you didn’t watch SpaceX’s Falcon 9 launch on Friday, you really ought to make some time to do so for entertainment purposes. The first stage of the rocket returned successfully for reused, nailing a landing on a drone ship — a DRONE SHIP AT SEA. I missed the fact the landing pad was a drone vessel when I watched the first attempts. It’s a really narrow thing, landing on a speck of a pad in the ocean which is pushed around a bit by ocean currents in spite of the drone ship’s programming and/or remote control. (I would love to know who named the drone ship, ‘Of Course I Still Love You’ and why…)

What’s similarly remarkable is the SpaceX team — their excitement is off the map, rather like watching a K-12 FIRST LEGO robotics competition than an aeronautics business at work. Note in the video the team’s reaction just seconds (about 27:30) to the first stage return landing; it’s as if they KNEW they had it nailed before it happened. Wouldn’t you love to know just how they knew?

Also for grins: compare SpaceX’s landing on Friday (start at 23:48 into video) to competitor Blue Origin’s recent rocket return. Blue Origin is owned by Amazon’s Jeff Bezos; the return is so smooth and slick, but it’s in the west Texas desert where potential disruption of the landing has been minimized. Important to keep in mind that SpaceX actually delivered a payload after reaching orbit, where Blue Origin is still limited to sub-orbit elevation.

With that our week’s been launched — let’s go!

Friday Morning: Far Over Yonder

/41 Comments/in , /by

It was rough road this week, but we made it to Friday again for more jazz. Today’s genre is ska jazz, which will feel like an old friend to many of you.

The artist Tommy McCook was one of the earliest artists in this genre. Just listen to his work and you’ll understand why he has had such a deep and long-lasting influence on contemporary Jamaican music.

Let’s get cooking.

Apple pan dowdy

  • Need a hashtag for NotAlliPhones after FBI says hack only works on “narrow slice” (Reuters) — The method offered by a third party to open San Bernardino shooter’s iPhone 5c won’t work on later phones like the iPhone 5s in the Brooklyn case, according to FBI director Jim Comey. While it may be assumed newer technology is the barrier, this could be a simple line in the sand drawn by the FBI so as to limit potential risk.
  • Yet another pearl-clutching essay asking us if Apple went too far protecting privacy (MIT Technology Review) — This is the second such POS in this outlet in the last couple of months. Oh, by all means, let’s risk exposing hundreds of millions of iOS users to any surveillance because law enforcement needs access to the kind of information they didn’t have 20 years ago.
  • Apple has complied with government requests to crack iPhones 70 times, beginning in 2008 (Mac Rumors) — The first request, believed to have occurred while George Bush was still in office, arose from a child abuse and pornography case. In a case like this where children may have been endangered, one can understand the impetus for the request. But maybe, just maybe, Apple was so firm about the San Bernardino iPhone 5c is that Apple knows the government has gone too far after nearly eight years of compliance.
  • And for a change of pace, a recipe for Apple Pan Dowdy. Don’t fret over the pastry flour; just use all-purpose and not bread flour.

Leftovers

  • Yahoo up for bids, Verizon interested (Reuters) — The same telecom once in trouble for using persistent cookies is interested in a search engine-portal business which may offer them access to non-Verizon customers. Plan ahead for the next level of consumer tracking if Verizon’s bid wins. Bidding deadline has been extended from April 11 to the 18th.
  • Households at bottom income levels can’t afford food, housing (Vox) — Can’t understand why the rise of angry white man candidates? This is one big reason — things are getting much worse for those who can afford it least. And nobody working in Capitol Hill or the White House seems to give a rat’s whisker.
  • Banksters blame Hollywood for lack of interest in dodgy subprime automotive bonds (Indiewire) — Investment banking firm Morgan Stanley credits the film The Big Short, based on Michael Lewis’ book about the 2000s housing bubble and the subprime mortgage crisis, with spooking investors away from subprime automotive bonds. By all means, let’s not look in the mirror, banksters, or at the inability of working poor to make ends meet, increasing likely uptick in automotive loan defaults.
  • Venezuela makes every Friday a holiday (Bloomberg)

    — The deep El Nino cycle caused drought conditions, substantively lowering reservoir levels. President Maduro is asking large customers to make their electricity in addition to declaring every Friday for the next two months a work holiday to conserve energy. Clearly Venezuela needed investment in solar energy before this El Nino began.

  • Researchers found people do stupid stuff when they find a flash drive (Naked Security) — After sprinkling a campus with prepared USB flash drives, a study found nearly half the people who found them plugged them into a computer, ostensibly to find the owner. DON’T DO IT. If you find one, destroy it. If you lost one, consider it a lost cause — and before you lose one, make sure you’ve encrypted it just in case somebody is stupid enough to try and find the owner/look at the contents.

HIGHLY EDITORIAL COMMENT: Bill, STFU.
Just because a single African American author called you “The First Black President” doesn’t mean you are literally a black man (and the label wasn’t meant as a compliment). Your massive white/male/former-elected privilege is getting in the way of listening to people you helped marginalize. You cannot fake feeling their pain or triangulate this away. Just shut up and listen, if for no other reason than you’re hurting your wife yet again. (Sorry, I had to get that off my chest. This opinion may differ from those of other contributors at this site. YMMV.)

Phew. Hope you have a quiet, calm weekend planned. We could use one. See you Monday morning!

There’s More to the SPCMA Document

/2 Comments/in /by

Long time readers likely know I’ve been obsessed with the decision, which as far as we currently know started in 2007 after Alberto Gonzales and (since returned as FBI General Counsel) James Baker left DOJ, to let DOD chain through US person identifiers on metadata collected under EO 12333, what gets described as Special Procedures Governing Communications Metadata Analysis, or SPCMA. Here’s a post that describes it at more length.

We first learned about SPCMA in June 2013, when the Guardian published a 16-page document pertaining to the approval process that had been leaked by Edward Snowden. That document consisted of:

  • A ten page memo dated November 20, 2007, from Assistant Attorney General for National Security Ken Wainstein and Acting OLC Head Steve Bradbury, analyzing the legality of SPCMA and recommending approval of the change.
  • Appendix A, consisting of a cover sheet and a two-page approval memo signed by Robert Gates on October 19, 2007 and Michael Mukasey on January 3, 2008. As I noted in this post, the signature line had to be altered after the fact to indicate Mukasey was signing it, suggesting that then Acting Attorney General Peter Keisler had refused.
  • Appendix B, a September 28, 2006 memo written to Office of Intelligence and Policy head James Baker (this was the predecessor to the NSD at DOJ) by NSA’s General Counsel Vito Potenza requesting he approve what became SPCMA (Baker did not approve it).

Though it is not included in what Snowden leaked, the memo describes a third Appendix, Appendix C:

On July 20, 2004, the General Counsel of CIA wrote to the General Counsel of NSA and to the Counsel for Intelligence Policy asking that CIA receive from NSA United States communications metadata that NSA does not currently provide to CIA. The letter from CIA is attached at Tab C.

The government has not released an official version of the packet such as it got leaked by Snowden. However, it did release Appendix A, the approval memo, in Fall 2014 as part of the declassification of the Yahoo challenge to the Protect America Act. As I laid out in this post, the government not only got this document approved after the passage of PAA and while Yahoo was challenging orders received under it, but DOJ tried to hide it from FISC Judge Reggie Walton. They only handed it over — though without the context of the approval memo that made it clear it was about contact chaining including Americans — after he had scolded DOJ several times about not handing over all the documentation related to PAA.

DOJ did not submit the procedures to FISC in a February 20, 2008 collection of documents they submitted after being ordered to by Judge Walton after he caught them hiding other materials; they did not submit them until March 14, 2008.

So to sum up: We have 16 pages (the memo and two of three appendices) thanks to Edward Snowden, and we have an official copy of just the 2-page approval memo, released on the context of the Yahoo declassification.

I lay all this out because this entry, in the National Security Division Vaughn Index provided to ACLU last month, is undoubtedly this same memo.

Screen Shot 2016-03-06 at 3.36.12 PM

The date is the same, the description is almost the same. The only difference is that the withheld document has 20 pages, as compared to the 16 pages that Snowden gave us.

From that I conclude that the 2004 CIA memo is four pages long (three, plus a cover sheet). Note the date: squarely during the period when spooks were trying to put discontinued parts of Stellar Wind under some kind of legal authority.

Here’s how the NSA declared Exemptions 1 and 3 over this document.

56. NSD fully withheld Document 4 on its Vaughn index in part because the release of any portion of that document would disclose classified information about functions or activities of NSA. The document is a 20-page document dated 20 November 2007 and is described as NSD Legal Memo on Amending DoD Procedures and Accompanying Documentation.” This document. including its full title, was withheld in full under Exemption 1 and Exemption 3. I have reviewed the information withheld and determined that the information is currently and properly classified at the SECRET level in accordance with EO 13526 because the release of this information could reasonably be expected to cause serious damage to the national security. The information withheld pertains to intelligence activities, intelligence sources or methods, or cryptology. or the vulnerabilities or capabilities of systems or projects relating to the national security and therefore meets the criteria for classification set for in Sections 1.4(c) and 1.4(g) of EO 13526. The harm to national security of releasing any portion of this document and the reasons that no portion of this document can be released without disclosing classified information cannot be fully described on the public record. As a result my ex parte. in camera classified declaration more fully explains why this document was withheld in full.

57. The information withheld in N 0 Document 4 also relates to a “function of the National Security Agency” 50 U.S.C. § 3605. Indeed. this information relates to one of NSA’s primary functions, its SIGINT mission. Any disclosure of the withheld information would reveal NSA ·s capabilities and the tradecraft used to carry out this vital mission. Further. revealing these details would disclose “information with respect to lNSA ‘s] activities” in furtherance of its SIGINT mission. 50 U .. C. § 3605. Therefore. the information withheld is also protected from release by statute and is exempt from release based on FOIA Exemption 3. 5 U.S.C. § 552(b)(3).

The government asserted secrecy over the title of an already (and officially) released document in a recent EFF challenge, so this would not be the first time the government claimed the title of an already released document was secret to prevent nasty civil liberties groups from confirming that a FOIAed document was the same as a previously known one.

In NSD’s declaration, Bradley Weigmann indicated that “the vast majority” of the document pertained to attorney-client privilege.

NSD Document 17, the vast majority of a certain memorandum in NSD Document 4, and an email message in NSD Document 31 are protected by the attorney-client privilege. These documents discuss legal issues pertaining to an NSA program, set forth legal advice prepared by NSD lawyers for other attorneys to assist those other attorneys in representing the Government, and were sought by a decision-maker for the Government to obtain legal advice on questions of law and indeed reflect such advice. As such, NSD Document 17, the vast majority of a certain memorandum in NSD Document 4, and an email message in NSD Document 31 are protected from disclosure under the attorney-client privilege.

More interestingly, by referring to “an NSA program” it seemed to tie this document with this 2003 OIPR memo.

Screen Shot 2016-03-06 at 3.54.01 PM

And this November 12, 2013 email (written during a period in the aftermath of the Snowden releases as the government was trying to decide how to respond to various FOIAs as well as Yahoo’s request to unseal its challenge, not to mention after ACLU submitted this FOIA, which was actually submitted before the first Snowden leaks).

Screen Shot 2016-03-06 at 3.55.25 PM

Note, NSD won’t tell us what date in 2003 someone at OIPR (already headed by James Baker, one of the few people briefed on Stellar Wind) wrote about “an NSA program” that appears to be tied the chaining on US person metadata.

I have long believed one of the known but still as yet undescribed modifications to Stellar Wind (there is still at least one, though I believe there are two) enacted after the hospital confrontation in 2004 has to have been either at CIA or DOD, because it doesn’t appear in the unredacted NSA IG Report Snowden gave us. Here, we see CIA unsuccessfully asking for US person metadata at the time everyone was re-establishing Stellar Wind under more legal cover. Assuming NSA document 4 is this memo, the only thing the government is withholding that we haven’t seen yet is the CIA memo. I have a lot more suspicions about this program, too, that I still need to write up.

But I suspect they’re hiding these documents from us — and just as importantly, from the FISA Court — to prevent us from putting the various details of how US person metadata has been used over time. Or rather, to prevent us from laying out how the point of these foreign-targeted surveillance programs is to spy on Americans.

ACLU has already told the government they’re challenging the withholding of these documents.

The Tech Industry Worries CISA Will Allow Other Companies to Damage Their Infrastructure

/9 Comments/in /by

Screen Shot 2015-10-16 at 10.01.41 AMThe Computer and Communications Industry Association — a trade organization that represents Internet, social media, and even some telecom companies — came out yesterday against the Cyber Intelligence Sharing Act, an information sharing bill that not only wouldn’t be very useful in protecting against hacking, but might have really dangerous unintended consequences, such as gutting regulatory authority over network security negligence (though the Chamber of Commerce, this bill’s biggest backer, may not consider it an unintended consequence).

Most coverage of this decision emphasizes CCIA’s concern about the bill’s danger to privacy.

CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.

But I’m far more interested in CCIA’s stated concern that the bill, in authorizing defensive measures, would permit actions that would damage the Internet’s infrastructure (to which a number of these companies contribute).

In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties.

[snip]

But such a system … must not enable activities that might actively destabilize the infrastructure the bill aims to protect.

At least some of these companies that make up our Internet ecosystem think that some other companies, in aggressively pursuing perceived intruders to their systems, will do real damage to Internet as a whole.

It seems like a worthy concern. And yet the Senate runs headlong towards passing this bill anyway.

Why Does Richard Burr Think It Will Take Four Times Longer To Set Up a Metadata Compliance System than a Content One?

/in /by

On November 8, 2007, Yahoo received its first order to comply with the Protect America Act, the original law authorizing PRISM. Yahoo immediately told DOJ it would challenge the order. On May 12, 2008 — even as Yahoo appealed FISC’s order to comply with those PAA orders — Yahoo started complying with its PAA orders.

It took 185 days for Yahoo to set up a content compliance system under PRISM and challenge the underlying orders. And along the way, FBI’s requests expanded, from just a few items to nine, which appear to span the four business units Yahoo had at the time. Yet even in spite of FBI’s moving target and its ongoing legal challenge, Yahoo was able to start complying in about 6 months.

And yet Richard Burr believes — rather, claims to believe — that providers who already have sophisticated compliance systems (either under upstream and daily call records production, in the case of the telecoms, or PRISM production, in the case of other providers, not to mention that AT&T already provides roughly what it will under the new program under a contract with the FBI) will not be able to implement a system that will allow them to turn over phone records within 180 days.

Now, perhaps Burr really believes it will be tougher for providers to set up a metadata compliance system than set up content compliance systems that involve a heavy metadata component.

If so, that ought to raise real questions about what he thinks these providers will be doing, because it won’t just be turning over metadata.

Alternately, he’s wielding his ridiculous concerns about compliance for the same hoped effect as his bill did. He claimed that bill would institute a 2-year transition period for this program, but what it did in fact was to immediately grant the Intelligence Community all the authorities it has wanted, vastly expanding the dragnet. Then, a year after giving the IC everything it wanted, it would conduct a 1-year review (before any transition happened) that would show that it would be cheaper for the government to remain in the dragnet business. Only after 2 years would any “transition” happen, and it would in fact happen, if it did, immediately, with no transition period (though it probably never would happen, given that the IC would have already gotten everything it wanted).

That is, Burr’s claim that providers that have been complying with significant government requests for 7 years would need 2 more years to learn how to do it are probably just a bid to prevent the move to providers in the first place, a bid to have one more chance to argue in 6 months or a year or 2 years that it’s okay for the government to hold onto all our phone and Internet metadata.

But if not — if the new system will require more from providers than it did when they started turning over records under PRISM — than that is itself news.

The Government Changed Its Mind about How Many Databases It Searched in the Hassanshahi Case after It Shut Down the DEA Dragnet

/in , , /by

As I noted in this post, the government insists that it did not engage in parallel construction in the case of Shantia Hassanshahi, the Iranian-American busted for sanctions violations using evidence derivative of a search of what the government now claims was a DEA dragnet. “While it would not be improper for a law enforcement agency to take steps to protect the confidentiality of a law enforcement sensitive investigative technique, this case raises no such issue.”

The claim is almost certainly bullshit, true in only the narrowest sense.

Indeed, the changing story the government has offered about how they IDed Hassanshahi based off a single call he had with a phone belonging to a person of interest, “Sheikhi,” in Iran, is instructive not just against the background of the slow reveal of multiple dragnets over the same period. But also for the technological capabilities included in those claims. Basically, the government appears to be claiming they got a VOIP call from a telephony database.

As I lay out below, the story told by the government in various affidavits and declarations (curiously, the version of the first one that appears in the docket is not signed) changed in multiple ways. While there were other changes, the changes I’m most interested in pertain to:

  • Whether Homeland Security Investigator Joshua Akronowitz searched just one database — the DEA toll record database — or multiple databases
  • How Akronowitz identified Google as the provider for Hassanshahi’s phone record
  • When and how Akronowitz became interested in a call to Hassanshahi from another Iranian number
  • How many calls of interest there were

As you can see from the excerpts below, Akronowitz at first claimed to have searched “HSI-accessible law enforcement databases,” plural, and suggested he searched them himself.  In July 2014, in response to a motion to suppress (and after Edward Snowden had disclosed the NSA’s phone dragnet), Akronowitz changed that story and said he sent a research request to a single database, implying someone else did a search of just one database. Akronowitz told the same story in yet another revised affidavit submitted last October. In the declaration submitted in December but unsealed in January, DEA Assistant Special Agent Robert Patterson stuck with the single database story and used the passive voice to hide who did the database query.

While Akronowitz’ story didn’t change regarding how he discovered that Hassanshahi’s phone was a Google number, it did get more detailed in the July 2014 affidavit, which explained that he had first checked with another VOIP provider before being referred to Google.

Perhaps most interestingly, the government’s story changed regarding how many calls of interest there were, and between what numbers. In January 2013, Akronowitz said “a number of telephone calls between ‘Sheikhi’s’ known business telephone number and telephone number 818-971-9512 had occurred within a relatively narrow time frame” (though he doesn’t tell us what that time frame was). He also says that his Google subpoena showed “numerous calls to the same Iranian-based telephone number during a relatively finite period of time.” He neither explained that this number was not Sheikhi’s number — it was a different Iranian number — nor what he means by “a relatively finite period of time.”  His July and October affidavits said his research showed a contact, “on one occasion, that is, on July 4, 2011,” with Sheikhi’s number. The July affidavit maintained the claim that there were multiple calls between Hassanshahi’s number and an Iranian one: “numerous phone calls between Hassanshahi’s ‘818’ number and one Iranian phone number.” But by October, Akronowitz conceded that the Google records showed only “that Hassanshahi’s ‘818’ number made contact with an Iranian phone number (982144406457) only once, on October 5, 2011” (as well as a “22932293” number that he bizarrely claimed was a call to Iran).  Note, Akronowitz’ currently operative story would mean the government never checked whether there were any calls between Hassanshahi and Sheikhi between August 24 and September 6 (or after October 6), which would be rather remarkable. Patterson’s December affidavit provided no details about the date of the single call discovered using what he identified as DEA’s database, but did specify that the call was made by Hassanshahi’s phone, outbound to Iran. (Patterson didn’t address the later Google production, as that was pursuant to a subpoena.)

To sum up, before Edward Snowden’s leaks alerted us to the scope of NSA’s domestic and international dragnet, Akronowitz claimed he personally had searched multiple databases and found evidence of multiple calls between Hassanshahi’s phone number and Sheikhi’s number, as well as (after getting a month of call records from Google) multiple calls to another Iranian number over unspecified periods of time. After Snowden’s leaks alerted us to the dragnet, after Dianne Feinstein made it clear the NSA can search on Iranian targets in the Section 215 database, which somehow counts as a terrorist purpose, and after Eric Holder decided to shut down just the DEA dragnet, Akronowitz changed his story to claim he had found just one call between Hassanshahi and Shiekhi, and — after a few more months — just one call from another Iranian number to Hassanshahi. Then, two months later, the government claimed that the only database that ever got searched was the DEA one (the one that had already been shut down) which — Patterson told us — was based on records obtained from “United States telecommunications service providers” via a subpoena.

Before I go on, consider that the government currently claims it used just a single phone call of interest — and the absence of any additional calls in a later months’s worth of call records collected that fall — to conduct a warrantless search of a laptop in a state (CA) where such searches require warrants, after having previously claimed there was a potentially more interesting set of call records to base that search on.

Aside from the government’s currently operative claim that it would conduct border searches based on the metadata tied to a single phone call, I find all this interesting for two reasons.

First, the government’s story about how many databases got searched and how many calls got found changed in such a way that the only admission of an unconstitutional search to the judge, in December 2014, involved a database that had allegedly been shut down 15 months earlier.

Maybe they’re telling the truth. Or maybe Akronowitz searched or had searched multiple databases — as he first claimed — and found the multiple calls he originally claimed, but then revised his story to match what could have been found in the DEA database. We don’t know, for example, if the DEA database permits “hops,” but he might have found a more interesting call pattern had he been able to examine hops (for example, it might explain his interest in the other phone number in Iran, which otherwise would reflect no more than an immigrant receiving a call from his home country).

All of this is made more interesting because of my second point: the US side of the call in question was an Internet call, a Google call, not a telephony call. Indeed, at least according to Patterson’s declaration (records of this call weren’t turned over in discovery, as far as I can tell), Hassanshahi placed the call, not Sheikhi.

I have no idea how Google calls get routed, but given that Hassanshahi placed the call, there’s a high likelihood that it didn’t cross a telecom provider’s backbone in this country (and god only knows how DEA or NSA would collect Iranian telephony provider records), which is who Patterson suggests the calls came from (though there’s some room for ambiguity in his use of the term “telecommunications service providers”).

USAT’s story on this dragnet suggests the data all comes from telephone companies.

It allowed agents to link the call records its agents gathered domestically with calling data the DEA and intelligence agencies had acquired outside the USA. (In some cases, officials said the DEA paid employees of foreign telecom firms for copies of call logs and subscriber lists.)

[snip]

Instead of simply asking phone companies for records about calls made by people suspected of drug crimes, the Justice Department began ordering telephone companies to turn over lists of all phone calls from the USA to countries where the government determined drug traffickers operated, current and former officials said.

[snip]

Former officials said the operation included records from AT&T and other telecom companies.

But if this call really was placed from a Google number, it’s not clear it would come up under such production, even under production of calls that pass through telephone companies’ backbones. That may reflect — if the claims in this case are remotely honest — that the DEA dragnet, at least, gathered call records not just from telecom companies, but also from Internet companies (remember, too, that DOJ’s Inspector General has suggested DEA had or has more than one dragnet, so it may also have been collecting Internet toll records).

And that — coupled with the government’s evolving claims about how many databases got checked and how many calls that research reflected — may suggest something else. Given that the redactions on the providers obliged under the Section 215 phone dragnet orders haven’t changed going back to 2009, when it was fairly clear there were just 3 providers (AT&T, Sprint, and Verizon), it may be safe to assume that’s still all NSA collects from. A never-ending series of leaks have pointed out that the 215 phone dragnet increasingly has gaps in coverage. And this Google call would be precisely the kind of call we would expect it to miss (indeed, that’s consistent with what Verizon Associate General Counsel — and former DOJ National Security Division and FBI Counsel — Michael Woods testified to before the SSCI last year, strongly suggesting the 215 dragnet missed VOIP). So while FISC has approved use of the “terrorist” Section 215 database for the terrorist group, “Iran,” (meaning NSA might actually have been able to query on Sheikhi), we should expect that this call would not be in that database. Mind you, we should also expect NSA’s EO 12333 dragnet — which permits contact chaining on US persons under SPCMA — to include VOIP calls, even with Iran. But depending on what databases someone consulted, we would expect gaps in precisely the places where the government’s story has changed since it decided it had searched only the now-defunct DEA database.

Finally, note that if the government was sufficiently interested in Sheikhi, it could easily have targeted him under PRISM (he did have a GMail account), which would have made any metadata tied to any of his Google identities broadly shareable within the government (though DHS Inspectors would likely have to go through another agency, quite possibly the CIA). PRISM production should return any Internet phone calls (though there’s nothing in the public record to indicate Sheikhi had an Internet phone number). Indeed, the way the NSA’s larger dragnets work, a search on Sheikhi would chain on all his correlated identifiers, including any communications via another number or Internet identifier, and so would chain on whatever collection they had from his GMail address and any other Google services he used (and the USAT described the DEA dragnet as using similarly automated techniques).  In other words, when Akronowitz originally said there had been multiple “telephone calls,” he may have instead meant that Sheikhi and Hassanshahi had communicated, via a variety of different identifiers, multiple times as reflected in his search (and given what we know about DEA’s phone dragnet and my suspicion they also had an Internet dragnet, that might have come up just on the DEA dragnets alone).

The point is that each of these dragnets will have slightly different strengths and weaknesses. Given Akronowitz’ original claims, it sounds like he may have consulted dragnets with slightly better coverage than just the DEA phone dragnet — either including a correlated DEA Internet dragnet or a more extensive NSA one — but the government now claims that it only consulted the DEA dragnet and consequently claims it only found one call, a call it should have almost no reason to have an interest in.

Read more

Choking the Security State with Its Own Bottleneck

/10 Comments/in /by

One former and one current high-ranking intelligence official (is that you Keith?) have gone to CNBC to complain that tech firms are showing reluctance to get more of their people security clearances.

U.S. government officials say privately they are frustrated that Silicon Valley technology firms are not obtaining U.S. security clearances for enough of their top executives, according to interviews with officials and executives in Washington and California. Those clearances would allow the government to talk freely with executives in a timely manner about intelligence they receive, hopefully helping to thwart the spread of a hack, or other security issues.

The lack of cooperation from Silicon Valley, Washington officials complain, injects friction into a process that everyone agrees is central to the fight to protect critical U.S. cyberinfrastructure: Real-time threat information sharing between government and the private sector.

[snip]

The former intelligence official said dealing with Silicon Valley firms is much different than his experience in other industries—or with all American companies a generation ago. “It used to be, during World War II or the Cold War, that getting cooperation from boards of directors was pretty straightforward. That’s not true today, particularly at these huge start-ups that went from nothing to billions.”

It’s interesting that this complainer went to CNBC’s Eamon Javers, who covers the overlap between corporations and intelligence, rather than someone like Kim Zetter or Shane Harris, who just finished interesting books on cybersecurity. Because the only challenge to those DC insiders’ claims about the importance of information sharing comes from this anonymous executive’s suggestion that the intelligence they’d get from the government isn’t all that useful.

In Silicon Valley, however, cybersecurity executives have a different perspective on the tension. “I believe that this is more about the overclassification of information and the relatively low value that government cyberintel has for tech firms,” said one Silicon Valley executive. “Clearances are a pain to get, despite what government people think. Filling out the paper work … is a nightmare, and the investigation takes a ridiculous amount of time.”

More generally (including in each of their books), I think people are raising more questions about the value of information sharing. At a recent panel on cybersecurity (starting at 12:20) for example, a bunch of security experts seemed to agree that information sharing shouldn’t be the priority it is. Yahoo CISO Alex Stamos (who at the same conference had this awesome exchange with NSA Director Mike Rogers) argued that the government emphasizes information sharing because it’s easy — he’d rather see the government cancel just one F-35 and put the money into bug bounties for open source software.

Nevertheless, these sources have been granted anonymity to suggest tech companies are un-American because they’re not rushing to share more data with the federal government.

Not to mention, not rushing to sign up to have their lives regulated by the McCarthyite system of security clearances.

Because it’s not just that the security clearance application that is unwieldy. It’s that clearance comes with a gag order about certain issues, backed by the threat of prison (I forget whether it was Harris’ or Zetter’s book, but one describes a tech expert talking about that aspect of clearance).

Why would anyone sign up for that if the tech companies have more that the government wants than the government has that the tech companies need?

So it will be interesting to see how the security establishment respond to this. It would be a wonderful way to force the government fix some of the problems with overclassification to be able to obtain the cooperation of what are supposed to be private corporations.

A Radical Proposal of Following the Law

/6 Comments/in , , /by

Mieke Eoyang, the Director of Third Way’s National Security Program, has what Ben Wittes bills as a “disruptive” idea: to make US law the exclusive means to conduct all surveillance involving US companies.

But reforming these programs doesn’t address another range of problems—those that relate to allegations of overseas collection from US companies without their cooperation.

Beyond 215 and FAA, media reports have suggested that there have been collection programs that occur outside of the companies’ knowledge. American technology companies have been outraged about media stories of US government intrusions onto their networks overseas, and the spoofing of their web pages or products, all unbeknownst to the companies. These stories suggest that the government is creating and sneaking through a back door to take the data. As one tech employee said to me, “the back door makes a mockery of the front door.”

As a result of these allegations, companies are moving to encrypt their data against their own government; they are limiting their cooperation with NSA; and they are pushing for reform.  Negative international reactions to media reports of certain kinds of intelligence collection abroad have resulted in a backlash against American technology companies, spurring data localization requirements, rejection or cancellation of American contracts, and raising the specter of major losses in the cloud computing industry. These allegations could dim one of the few bright spots in the American economic recovery: tech.

[snip]

How about making the FAA the exclusive means for conducting electronic surveillance when the information being collected is in the custody of an American company? This could clarify that the executive branch could not play authority shell-games and claim that Executive Order 12333 allows it to obtain information on overseas non-US person targets that is in the custody of American companies, unbeknownst to those companies.

As a policy matter, it seems to me that if the information to be acquired is in the custody of an American company, the intelligence community should ask for it, rather than take it without asking. American companies should be entitled to a higher degree of forthrightness from their government than foreign companies, even when they are acting overseas.

Now, I have nothing against this proposal. It seems necessary but wholly inadequate to restoring trust between the government and (some) Internet companies. Indeed, it represents what should have been the practice in any case.

Let me first take a detour and mention a few difficulties with this. First, while I suspect this might be workable for content collection, remember that the government was not just collecting content from Google and Yahoo overseas — they were also using their software to hack people. NSA is going to still want the authority to hack people using weaknesses in such software, such as it exists (and other software companies probably still are amenable to sharing those weaknesses).  That points to the necessity to start talking about a legal regime for hacking as much as anything else — one that parallels what is going on with the FBI domestically.

Also, this idea would not cover the metadata collection from telecoms which are domestically covered by Section 215, which will surely increasingly involve cloud data that more closely parallels the data provided by FAA providers but that would be treated as EO 12333 overseas (because thus far metadata is still treated under the Third Party doctrine here). This extends to the Google and Yahoo metadata taken off switches overseas. So, such a solution would be either limited or (if and when courts domestically embrace a mosaic theory approach to data, including for national security applications) temporary, because some of the most revealing data is being handed over willingly by telecoms overseas.

Read more

Yes, the Government Does Spy Under Grandfathered Approvals

/in /by

Charlie Savage is catching no end of shit today because he reported on a provision in the PATRIOT Act (one I just noticed Tuesday, actually, when finding the sunset language for something else) that specifies ongoing investigations may continue even after a sunset.

The law says that Section 215, along with another section of the Patriot Act, expires on “June 1, 2015, except that former provisions continue in effect with respect to any particular foreign intelligence investigation that began before June 1, 2015, or with respect to any particular offense or potential offense that began or occurred before June 1, 2015.”

Michael Davidson, who until his retirement in 2011 was the Senate Intelligence Committee’s top staff lawyer, said this meant that as long as there was an older counterterrorism investigation still open, the court could keep issuing Section 215 orders to phone companies indefinitely for that investigation.

“It was always understood that no investigation should be different the day after the sunset than it was the day before,” Mr. Davidson said, adding: “There are important reasons for Congress to legislate on what, if any, program is now warranted. But considering the actual language of the sunset provision, no one should believe the present program will disappear solely because of the sunset.”

Mr. Davidson said the widespread assumption by lawmakers and executive branch officials, as well as in news articles in The New York Times and elsewhere, that the program must lapse next summer without new legislation was incorrect.

The exception is obscure because it was recorded as a note accompanying Section 215; while still law, it does not receive its own listing in the United States Code. It was created by the original Patriot Act and was explicitly restated in a 2006 reauthorization bill, and then quietly carried forward in 2010 and in 2011.

Now, I’m happy to give Savage shit when I think he deserves it. But I’m confident those attacking him now are wrong.

Before I get into why, let me first say that to some degree it is moot. The Administration believes that, legally, it needs no Congressional authorization to carry out the phone dragnet. None. What limits its ability to engage in the phone dragnet is not the law (at least not until some courts start striking the Administration’s interpretation down). It’s the willingness of the telecoms to cooperate. Right now, the government appears to have a significant problem forcing Verizon to fully cooperate. Without Verizon, you don’t have an effective dragnet, which is significantly what USA Freedom and other “reform” efforts are about, to coerce or entice Verizon’s full cooperation without at the same time creating a legal basis to kill the entire program.

That said, not only is Davidson likely absolutely correct, but there’s precedent at the FISA Court for broadly approving grandfathering claims that make dubious sense.

As Davidson noted elsewhere in Savage’s story, the FBI has ongoing enterprise investigations that don’t lapse — and almost certainly have not lapsed since 9/11. Indeed, that’s the investigation(s) the government appears, from declassified documents, to have argued the dragnet is “relevant” to. So while some claim this perverts the definition of “particular,” that’s not the word that’s really at issue here, it’s the “relevant to” interpretation that USAF leaves intact, effectively ratifying (this time with uncontested full knowledge of Congress) the 2004 redefinition of it that everyone agrees was batshit insane. If you want to prevent this from happening, you need to affirmatively correct that FISA opinion, not to mention not ratify the definition again, which USAF would do (as would a straight reauthorization of PATRIOT next year).

And as I said, there is precedent for this kind of grandfathering at FISA, all now in the public record thanks to the declassification of the Yahoo challenge documents (and all probably known to Davidson, given that he was a lead negotiator on FISA Amendments Act which included significant discussion about sunset procedures, which they lifted from PAA.

For starters, on January 15, 2008, in an opinion approving the certifications for Protect America Act submitted in August and September 2007, Colleen Kollar-Kotelly approved the grand-fathering of the earlier 2007 large content dockets based on the government’s argument that they had generally considered the same factors they promised to follow under the PAA certifications and would subject the data obtained to the post-collection procedures in the certifications. (See page 15ff)

Effectively then, this permitted them to continue collection under the older, weaker protections, under near year-long PAA certifications.

In the weeks immediately following Kollar-Kotelly’s approval of the underlying certifications (though there’s evidence they had planned the move as far back as October, before they served Directives on Yahoo), the government significantly reorganized their FAA program, bringing FBI into a central role in the process and almost certainly setting up the back door searches that have become so controversial. They submitted new certifications on January 31, 2008, on what was supposed to be the original expiration date of the PAA. As Kollar-Kotelly described in an June 18, 2008 opinion (starting at 30), that came to her in the form of new procedures received on February 12, 2008, 4 days before the final expiration date of PAA.

On February 12, 2008, the government filed in each of the 07 Dockets additional sets of procedures used by the Federal Bureau of Investigation(FBI) when that agency acquires foreign intelligence information under PAA authorities. These procedures were adopted pursuant to amendments made by the Attorney General and the Director of National Intelligence (DNI) on January 31, 2008 to the certifications in the 07 Dockets.

Then, several weeks later — and therefore several weeks after PAA expired on February 16, 2008 — the government submitted still new procedures.

On March 3, 2008, the government submitted NSA and FBI procedures in a new matter [redacted]

[snip]

Because the FBI and NSA procedures submitted in Docket No. [redacted] are quite similar to the procedures submitted in the 07 Dockets, the Court has consolidated these matters for purposes of its review under 50 U.S.C. § 1805c.

For the reasons explained below, the Court concludes that it retains jurisdiction to review the above-described procedures under §1805c. On the merits, the Court finds that the FBI procedures submitted in each of the 07 Dockets, and the NSA and FBI procedures submitted in Docket No. [redacted] satisfy the applicable review for clear error under 50 U.S.C. § 1805c(b).

She regarded these new procedures, submitted well after the law had expired, a modification of existing certifications.

In all [redacted] of the above-captioned dockets, the DNI and the Attorney General authorized acquisitions of foreign intelligence information by making or amending certifications prior to February 16, 2009, pursuant to provisions of the PAA codified at 50 U.S.C. § 1805b.

She did this in part by relying on Reggie Walton’s interim April 25, 2008 opinion in the Yahoo case that the revisions affecting Yahoo were still kosher, without, apparently, considering the very different status of procedures changed after the law had expired.

The government even considered itself to be spying with Yahoo under a September 2007 certification (that is, the latter of at least two certifications affecting Yahoo) past the July 10, 2008 passage of FISA Amendments Act, which imposed additional protections for US persons.

These are, admittedly, a slightly different case. In two cases, they amount to retaining older, less protective laws even after their replacement gets passed by Congress. In the third, it amounts to modifying procedures under a law that has already expired but remains active because of the later expiration date of the underlying certificate.

Still, this is all stuff the FISC has already approved.

The FISC also maintains — incorrectly in my opinion, but I’m not a FISC judge so they don’t much give a damn — that the 2010 and 2011 PATRIOT reauthorizations ratified everything the court had already approved, even the dragnets not explicitly laid out in the law. This sunset language was public, and there’s nothing exotic about what they say. To argue the FISC wouldn’t consider these valid clauses grand-fathering the dragnet, you’d have to argue they don’t believe the 2010 and 2011 reauthorizations ratified even the secret things already in place. That’s highly unlikely to happen, as it would bring the validity of their 40ish reauthorizations under question, which they’re not going to do.

Again, I think it’s moot. The “reform” process before us is about getting Verizon to engage in a dragnet that is not actually authorized by the law as written. They’re not doing what the government would like them to do now, so there’s no reason to believe this grandfathered language would lead them to suddenly do so.