emptywheel


Maybe the Spooks Don’t Want FTC to Know NSA’s Tricks?

In awesome news, the Federal Trade Commission has hired Ashkan Soltani — the tech expert who helped Bart Gellman on many of his most important Snowden scoops — as its new Chief Technology Officer.

The news has elicited wails from NSA’s mail mouthpieces, Stewart Baker and Michael Hayden.

“I’m not trying to demonize this fella, but he’s been working through criminally exposed documents and making decisions about making those documents public,” said Michael Hayden, a former NSA director who also served as CIA director from 2006 to 2009. In a telephone interview with FedScoop, Hayden said he wasn’t surprised by the lack of concern about Soltani’s participation in the Post’s Snowden stories. “I have no good answer for that.”

[snip]

Stewart Baker, a former NSA general counsel, said, while he’s not familiar with the role Soltani would play at the FTC, there are still problems with his appointment. “I don’t think anyone who justified or exploited Snowden’s breach of confidentiality obligations should be trusted to serve in government,” Baker said.

I find Hayden’s wails especially disgusting, given the way — it is now clear — the government spent so much effort covering up how he extended the illegal wiretap program in March 2004. I mean, I’m not trying to demonize the fella, but he’s a criminal, and yet he’s complaining about the press reporting on abuses?

That said, I’m curious whether this isn’t the real reason there seems to be organized pushback against Soltani’s hire.

Soltani is scheduled to give a presentation Nov. 19 at the Strata+Hadoop World conference in Barcelona, Spain, on “how commercial tracking enables government surveillance.” According to the conference website, Soltani’s presentation will explore how “the dropping costs of bulk surveillance is aiding government eavesdropping, with a primary driver being how the NSA leverages data collected by commercial providers to collect information about innocent users worldwide.”

At FTC, Soltani will be in a role where he can directly influence the kind of regulatory pressure placed on data collectors to protect user privacy. He understands — probably far more than we know from the WaPo stories — how NSA is capitalizing on already collected data. Which means he may be able to influence how much remains available to the spooks.

So maybe all this wailing is an effort to sustain the big commercial data’s unwitting support for big spooky data?

Wyden Doesn’t Know What NSA Does with Its Dragnet Overseas

Kim Zetter has an interview with Ron Wyden that goes over a number of things I have already reported. She describes him hedging when asked when he first learned of the phone dragnet; as I have shown, the government did not brief the Internet dragnet to the Intelligence Committees, not even during the PATRIOT reauthorization in 2005. Wyden describes the months — “literally months” — during which he tried to get the Intelligence Community to correct what Keith Alexander had said to DefCon before he asked James Clapper the question he is now so famous for; I laid that out here and here. Wyden describes how — “incredible as it sounds” — the Bush Administration shut down NSA’s back door search authorities, which I noted here. Zetter and Wyden also discuss how to manage zero day exploits.

But the most important detail in the interview, in my opinion, comes where Wyden makes clear he doesn’t know enough about what the government does under EO 12333.

But no one, not even lawmakers on Capitol Hill, have a full grasp of how EO 12333 is being used.

Wyden says, “I’m not sure we’re at the bottom or close to it” when it comes to understanding how it’s being used. Wyden is suspicious that the White House and intelligence community have agreed to halt the phone records collection program, in the wake of intense criticism, only because the spy agency has other tricks to get the same data, possibly through EO 12333.

“The intelligence community is endorsing eliminating bulk-collection of phone records, and it makes me wonder what are the authorities under 12333 [through which they might do the same thing]?” he asks. “You can get a bill passed and everybody says, ‘Hey we banned bulk collection.’… [Then] we see the government go off in another direction. I will tell you that I don’t know today the full ramifications of 12333 on bulk collection. But I’m going to be spending a lot of time digging into it.”

I had pointed to Wyden’s concern about this issue when he raised it at the turn of the year and noted that the Administration made public its belief it can engage in the phone and Internet dragnet without any Congressional authorization just as the USA Freedom Act debate resumed.

But Wyden’s confirmation that he doesn’t know what the government does overseas raises questions about, first, whether he knows what the government did with the Internet dragnet when he and Udall convinced the government to end the domestic collection of it in 2011. But it also underscores just how empty are the promises that there is adequate oversight of the NSA’s work.

If someone on the Intelligence Committees (a critic, admittedly, but he is one of the legal overseers of the Agency) doesn’t know, and doesn’t think he’d necessarily know, if the government replaced a congressionally limited program with the same program overseas, that means there’s no way the Intel Committees could ensure that the government had stopped practices Congress told it to stop.

Of course, given that Wyden got legislation passed in 2004 defunding any data mining of Americans only to have the Bush-authorized dragnet continue, that must be a familiar position for the Senator.

Connecting the Dots on the CIA Torture Report

I want to pull several details of the HuffPo’s last two pieces on the CIA torture report together (kudos to HuffPo for stealing Ali Watkins from McClatchy).

Tuesday’s story presents conflicting claims about whether the CIA impersonated SSCI staffers to access the part of the server dedicated to their work.

One side — explicitly relying on the CIA Inspector General’s own report — says the CIA impersonated staffers, and possibly worse.

According to sources familiar with the CIA inspector general report that details the alleged abuses by agency officials, CIA agents impersonated Senate staffers in order to gain access to Senate communications and drafts of the Intelligence Committee investigation. These sources requested anonymity because the details of the agency’s inspector general report remain classified.

“If people knew the details of what they actually did to hack into the Senate computers to go search for the torture document, jaws would drop. It’s straight out of a movie,” said one Senate source familiar with the document.

The quote from the other side is a non-denial denial (though perhaps there was a more direct denial not quoted): CIA did not use Administrator access (which is not what the other source claimed).

A person familiar with the events surrounding the dispute between the CIA and Intelligence Committee said the suggestion that the agency posed as staff to access drafts of the study is untrue.

“CIA simply attempted to determine if its side of the firewall could have been accessed through the Google search tool. CIA did not use administrator access to examine [Intelligence Committee] work product,” the source said.

Now consider today’s story, which describes the inconclusive result of the Senate Sergeant-at-Arms report. Here, the dispute is portrayed as a disagreement over whether the CIA has the original access logs, or only copies of them.

Computer records may have provided evidence on how the CIA document made its way into the Intelligence Committee’s hands. Those records, Senate sources said, were erased by the CIA.

The claim is technically true. The computer audit logs that recorded activity on the CIA computers used for the committee’s report were overridden from the machines’ local drives at regular intervals throughout the five-year study, HuffPost has learned. The records, however, continued to be stored elsewhere, and were provided to the Sergeant-at-Arms office for its inquiry. The CIA said that the Senate office received the computer audit records earlier this year.

“CIA cooperated fully with the Senate Sergeant-at-Arms review and provided all the relevant information that the [Sergeant-at-Arms] requested,” said CIA spokesman Dean Boyd. “In fact, audit data was specifically provided to the [Sergeant-at-Arms] in July 2014. Furthermore, CIA continues to maintain copies of this audit data to this day. Claims alleging otherwise are patently false.”

[snip]

A source familiar with the Senate inquiry has since said that the CIA submitted copies of records to the Sergeant-at-Arms, rather than the records themselves, which the investigators considered unreliable.

The Sergeant-at-Arms “can’t verify any of what CIA is saying,” said the source, who was briefed on the investigation.

In other words, the Sergeant-at-Arms got records that they can’t actually use to verify what happened on the servers. They would have gotten those logs after this issue had already blown up.

I’m reminded of the White House emails, where the content of the emails appears to have been doctored right as Patrick Fitzgerald was subpoenaing specific accounts.

If the CIA had doctored the access logs they stored, they would have been able to eliminate any trace of CIA using SSCI credentials to access the server.

So where does the claim that CIA impersonated the SSCI staffers come from? And what was the inaccurate information based on which the CIA IG referred Senate staffers for investigation?

The CIA had asked the Department of Justice to pursue criminal charges against the Senate staff for removing the document, which the Justice Department declined in June to investigate. The CIA’s inspector general has since determined that the criminal referral was based on “inaccurate information.” The inspector general also publicly accused CIA staff of misleading the offices’ investigators during its inquiry.

That doesn’t necessarily mean that the Inspector General was working with dodgy access logs. CIA has any number of ways to lie — it’s what we pay them to do. By 2010, after all, the CIA had already altered or destroyed all this evidence of their torture:

Since there are so many incidences of destroyed or disappearing torture evidence, I thought it time to start cataloging them, to keep them all straight.

  • Before May 2003: 15 of 92 torture tapes erased or damaged
  • Early 2003: Gitmo commander Mike Dunlavey’s paper trail documenting the torture discussions surrounding Mohammed al-Qahtani “lost”
  • Before August 2004: John Yoo and Patrick Philbin’s torture memo emails deleted
  • June 2005: most copies of Philip Zelikow’s dissent to the May 2005 CAT memo destroyed
  • November 8-9, 2005: 92 torture tapes destroyed
  • July 2007 (probably): 10 documents from OLC SCIF disappear
  • December 19, 2007: Fire breaks out in Cheney’s office

(I put in the Cheney fire because it happened right after DOJ started investigating the torture tape destruction.)

Add to that the 920 documents (potentially pertaining to White House involvement) stolen back from the server after they had originally been made available.

After a series of meetings, I learned that on two occasions, CIA personnel electronically removed committee access to CIA documents after providing them to the committee. This included roughly 870 documents or pages of documents that were removed in February 2010, and secondly roughly another 50 were removed in mid-May 2010.

Again, we don’t know that the CIA altered the access logs.

But if they didn’t, it would almost constitute an exception to their rule of destroying evidence.

Update: As a reminder, here were the conclusions in the CIA IG Report summary that was publicly released.

Agency Access to Files on the SSCI RDINet: Five Agency employees, two attorneys and three information technology (IT) staff members, improperly accessed or caused access to the SSCI Majority staff shared drives on the RDINet.

Agency Crimes Report on Alleged Misconduct by SSCI Staff: The Agency filed a crimes report with the DOJ, as required by Executive Order 12333 and the 1995 Crimes Reporting Memorandum between the DOJ and the Intelligence Community, reporting that SSCI staff members may have improperly accessed Agency information on the RDINet. However, the factual basis for the referral was not supported, as the author of the referral had been provided inaccurate information on which the letter was based. After review, the DOJ declined to open a criminal investigation of the matter alleged in the crimes report.

Office of Security Review of SSCI Staff Activity: Subsequent to directive by the D/CIA to halt the Agency review of SSCI staff access to the RDINet, and unaware of the D/CIA’s direction, the Office of Security conducted a limited investigation of SSCI activities on the RDINet. That effort included a keyword search of all and a review of some of the emails of SSCI Majority staff members on the RDINet system.

Lack of Candor: The three IT staff members demonstrated a lack of candor about their activities during interviews by the OIG.

Update: Katherine Hawkins reminds me that Manadel al-Jamadi’s blood-stained hood disappeared.

No, Obama Doesn’t Need Legislation to Fix the Dragnet–Unless the “Fix” Isn’t One

In an editorial calling on Congress to pass the USA Freedom Act, the USA Today makes this claim.

Obama’s proposal last January — to leave the data with phone companies, instead of with the government — can’t happen without a new law. And, as in so many other areas, the deeply divided Congress has failed to produce one.

I don’t know whether that is or is not the case.

I do know 3 Senate Intelligence Committee members say it is not the case.

Ron Wyden, Mark Udall, and Martin Heinrich wrote Obama a letter making just this point in June. They argued that Obama could accomplish most, if not all, of what he claimed he wanted without legislation, largely with a combination of Section 215 Orders to get hops and Pen Registers to get prospective collection.

[W]e believe that, in the meantime, the government already has sufficient authorities today to implement most, if not all, of the Section 215 reforms laid out in your proposal without delay in a way that does not harm our national security. More comprehensive congressional action is vital, but the executive branch need not wait for Congress to end the dragnet collection of millions of Americans’ phone records for a number of reasons.

First, we believe that the Foreign Intelligence Surveillance Court’s (FISC) expansive interpretation of the USA PATRIOT Act to allow the collection of millions of Americans’ phone records makes it likely that the FISC would also agree to a more narrowly-drawn interpretation of the law, without requiring further congressional action. Certainly, it seems likely that the FISC would permit the executive branch to use its current authorities to obtain phone records up to two “hops” from a suspicious phone number or to compel technical assistance by and compensation for recipients of court orders. Unless the FISC has already rejected such a request from the government, it does not seem necessary for the executive branch to wait for Congress before taking action.

Second, we believe that the FISC would likely approve the defined and limited prospective searches for records envisioned under your proposal pursuant to current USA PATRIOT Act Section 214 pen register authorities, given how broadly it has previously interpreted these authorities. Again, we believe it is vital for Congress to enact reforms, but we also believe that the government has sufficient authorities today under the USA PATRIOT Act to conduct these targeted prospective searches in the interim.

Finally, although we have seen no evidence that the government has needed the bulk phone records collection program to attain any time-sensitive objectives, we agree that new legislation should provide clear emergency authorities to allow the government to obtain court approval of individual queries after the fact under specific circumstances. The law currently allows prospective emergency acquisitions of call records under Section 403 of the Foreign Intelligence Surveillance Act (FISA), and the acquisition of past records without judicial review under national security letter authorities. While utilizing a patchwork of authorities is not ideal, it could be done on an interim basis, while Congress works to pass legislation.

Just weeks before they sent this, Deputy Attorney General James Cole had seemed to say they could get (if they were not already getting) hybrid orders, in that case mixing phone and location. So it seems like DOJ is confident they could use such hybrid orders, using Section 215 for the hops and Pen Registers for the prospective collection (though, given that they’re already using Section 215 for prospective collection, I’m not sure why they’d need to use hybrids to get anything but emergency orders).

And it makes sense. After all, the public claims about what the Call Detail Record provision would do, at least, describe it as a kind of Pen Register on steroids, 2-degrees of Pen Register. As the Senators suggest, FBI already gets two-degree information of historical records with mere NSLs, so it’d be surprising if they couldn’t get 2 degrees prospectively with a court order.

So at least according to three members of the Senate Intelligence Committee, USA Today is simply wrong.

Mind you, I’m not entirely convinced they’re right.

That’s because I suspect the new CDR provision is more than a Pen Register on steroids, and is instead something far more intrusive, one that gets far beyond mere call records. I suspect the government will ask the telecoms to chain on location, address books, and more — as they do overseas — which would require far more than a prospective Pen Register and likely would require super immunity, as the bill provides.

I suspect the Senators are wrong, but if they are, it’s because Obama (or his Intelligence Community) wants something that is far more invasive than they’ve made out.

Still, for USAF supporters, there seems no question. If all Obama wants to replace the phone dragnet is prospective 2-degree call (not connection) chaining on RAS targets, he almost certainly has that authority.

But if he needs more authority, then chances are very good he’s asking for something far more than he has let on.

Update: Note, USAT makes at least one other clear error in this piece, where it suggests “the program” — the phone dragnet — imposes costs on cloud companies like Microsoft and Google.

Another Attorney-Client Conversation Spied On

Last month, I laid out the several attorney-client conversations to which Raez Qadir Khan was party that the government wiretapped. Among the 7 privileged conversations wiretapped by the government was a January 2010 conversation he had with his immigration attorney after being told by the FBI he could not travel to see his family.

One of the defendants in a key CO terrorism case just revealed in a filing that he, too, was wiretapped when conversing with his immigration attorney’s office.

Bakhtiyor Jumaev, who through co-defendant Jamshid Muhtorov was the first to get notice his prosecution stemmed from FISA Amendments Act collection, revealed in a filing that a conversation he had with his retained immigration counsel’s paralegal was recorded even after the FBI had first questioned him.

FBI agents interrogated Mr. Jumaev at his Philadelphia apartment on February 14, 2012; at that time, Mr. Jumaev had been charged with an immigration violation, had posted bond that included electronic monitoring, was represented by an immigration attorney, Francois Mazur, Esq., and for approximately two years, unbeknownst to him, had also been under investigation for activities related to this case.15 The next day, February 15, 2012, Mr. Jumaev called Mr. Mazur and spoke with the attorney’s paralegal, seeking legal advice relating to Mr. Jumaev’s having been questioned the day prior by the FBI. A copy of the recording of the call, labeled as S2675971321_20120215194017_416.WAV, has been provided in discovery.16

15 The criminal Complaint filed against Mr. Jumaev notes that the FBI had been investigating him in this matter since shortly after his arrest in February 2010 for immigration charges. See Doc. 1 at ¶ 13.

16 Based upon information and belief, to date, the government has not provided all of Mr. Jumaev’s intercepted communications. It is therefore currently unknown whether other communications between Mr. Jumaev and his immigration attorney were intercepted.

As the footnotes make clear, at this point the FBI had already been investigating him for years, but didn’t have the caution to avoid recording his conversations with his immigration attorney (something which, in the Khan case, the government admitted should have been treated as a privileged conversation).

Call me crazy, but this is beginning to look like a pattern — the FBI wiretapping the earliest privileged conversations after their targets get alerted to the FBI investigation into them.

Maybe NSA “Moonlighting” Is Another Name for “Public-Private Partnership”?

As you’ve likely read, NSA’s Chief Technology Officer has so little to keep him busy he’s also planning on working 20 hours a week for Keith Alexander’s new boondoggle.

Under the arrangement, which was confirmed by Alexander and current intelligence officials, NSA’s Chief Technical Officer, Patrick Dowd, is allowed to work up to 20 hours a week at IronNet Cybersecurity Inc, the private firm led by Alexander, a retired Army general and his former boss.

The arrangement was approved by top NSA managers, current and former officials said. It does not appear to break any laws and it could not be determined whether Dowd has actually begun working for Alexander, who retired from the NSA in March.

Dowd is the guy with whom Alexander filed 7 patents for work developed at NSA.

During his time at the NSA, Alexander said he filed seven patents, four of which are still pending, that relate to an “end-to-end cybersecurity solution.” Alexander said his co-inventor on the patents was Patrick Dowd, the chief technical officer and chief architect of the NSA. Alexander said the patented solution, which he wouldn’t describe in detail given the sensitive nature of the work, involved “a line of thought about how you’d systematically do cybersecurity in a network.”

That sounds hard to distinguish from Alexander’s new venture. But, he insisted, the behavior modeling and other key characteristics represent a fundamentally new approach that will “jump” ahead of the technology that’s now being used in government and in the private sector.

Presumably, bringing Dowd on board will both make Alexander look more technologically credible and let Dowd profit off all the new patents Alexander is filing for, which he claims don’t derive from work taxpayers paid for.

Capitalism, baby! Privatizing the profits paid for by the public!

All that said, I’m wondering whether this is about something else — and not just greed.

Yesterday, as part of a bankster cybersecurity shindig, one of Alexander’s big-name clients, SIFMA, rolled out its “Cybersecurity Regulatory Guidance.” It’s about what you’d expect from a bankster organization: demands that the government give what it needs, use a uniform light hand while regulating, show some flexibility in case that light hand becomes onerous, and never ever hold the financial industry accountable for its own shortcomings.

Bullet point 2 (Bullet point 1 basically says the US government has a big role to play here which may be true but also sounds like a demand for a handout) lays out the kind of public-private partnership SIFMA expects.

Principle 2: Recognize the Value of Public–Private Collaboration in the Development of Agency Guidance

Each party brings knowledge and influence that is required to be successful, and each has a role in making protections effective. Firms can assist regulators in making agency guidance better and more effective as it is in everyone’s best interests to protect the financial industry and the customers it serves.

The NIST Cybersecurity Framework is a useful model of public-private cooperation that should guide the development of agency guidance. NIST has done a tremendous job reaching out to stakeholders and strengthening collaboration with financial critical infrastructure. It is through such collaboration that voluntary standards for cybersecurity can be developed. NIST has raised awareness about the standards, encouraged its use, assisted the financial sector in refining its application to financial critical infrastructure components, and incorporated feedback from members of the financial sector.

In this vein, we suggest that an agency working group be established that can facilitate coordination across the agencies, including independent agencies and SROs, and receive industry feedback on suggested approaches to cybersecurity. SIFMA views the improvement of cybersecurity regulatory guidance and industry improvement efforts as an ongoing process.

Effective collaboration between the private and public sectors is critical today and in the future as the threat and the sector’s capabilities continue to evolve.

Again, this public-private partnership may be necessary in the case of cybersecurity for critical infrastructure, but banks have a history of treating such partnership as lucrative handouts (and the principle document’s concern about privacy has more to do with hiding their own deeds, and only secondarily discusses the trust of their customers). Moreover, experience suggests that when “firms assist regulators in making agency guidance better,” it usually has to do with socializing risk.

In any case, given that the banks are, once again, demanding socialism to protect themselves, is it any wonder NSA’s top technology officer is spending half his days at a boondoggle serving these banks?

And given the last decade of impunity the banks have enjoyed, what better place to roll out an exotic counter-attacking cybersecurity approach (except for the risk that it’ll bring down the fragile house of finance cards by mistake)?

Alexander said that his new approach is different than anything that’s been done before because it uses “behavioral models” to help predict what a hacker is likely to do. Rather than relying on analysis of malicious software to try to catch a hacker in the act, Alexander aims to spot them early on in their plots.

One of the most recent stories on the JP Morgan hack (which actually appears to be the kind of Treasuremapping NSA does of other countries’ critical infrastructure all the time) made it clear the banksters are already doing the kind of data sharing that Keith Alexander wailed he needed immunity to encourage.

The F.B.I., after being contacted by JPMorgan, took the I.P. addresses the hackers were believed to have used to breach JPMorgan’s system to other financial institutions, including Deutsche Bank and Bank of America, these people said. The purpose: to see whether the same intruders had tried to hack into their systems as well. The banks are also sharing information among themselves.

So clearly SIFMA’s call for sharing represents something more, probably akin to the kind of socialism it benefits from in its members’ core business models.

In the intelligence world, they use the term “sheep dip” to describe how they stick people subject to one authority — such as the SEALs who killed Osama bin Laden — under a more convenient authority — such as CIA’s covert status. Maybe that’s what’s really going on here: sheep dipping NSA’s top tech person into the private sector where his work will evade even the scant oversight given to NSA.

If SIFMA’s looking for the kind of socialistic sharing akin to free money, then why should we be surprised the boondoggle at the center of it plans to share actual tech personnel?

Update: Reuters reports the deal’s off. Apparently even Congress (beyond Alan Grayson, who has long had questions about Alexander’s boondoggle) had a problem with this.

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

If the documents relating to Yahoo’s challenge of Protect America Act released last month are accurate reflections of the documents actually submitted to the FISC and FISCR, then the government submitted a misleading document on June 5, 2008 that was central to FISCR’s ultimate ruling.

As I laid out here in 2009, FISCR relied on the requirement in EO 12333 that the Attorney General determine there is probable cause a wiretapping technique used in the US is directed against a foreign power to judge the Protect America Act met probable cause requirements.

The procedures incorporated through section 2.5 of Executive Order 12333, made applicable to the surveillances through the certifications and directives, serve to allay the probable cause concern.

The Attorney General hereby is delegated the power to approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes, provided that such techniques shall not be undertaken unless the Attorney General has determined in each case that there is probable cause to believe that the technique is directed against a foreign power or an agent of a foreign power.

44 Fed. Reg. at 59,951 (emphasis supplied). Thus, in order for the government to act upon the certifications, the AG first had to make a determination that probable cause existed to believe that the targeted person is a foreign power or an agent of a foreign power. Moreover, this determination was not made in a vacuum. The AG’s decision was informed by the contents of an application made pursuant to Department of Defense (DOD) regulations. See DOD, Procedures Governing the Activities of DOD Intelligence Components that Affect United States Persons, DOD 5240.1-R, Proc. 5, Pt. 2.C. (Dec. 1982).

Yahoo didn’t buy this argument. It had a number of problems with it, notably that nothing prevented the government from changing Executive Orders.

While Executive Order 12333 (if not repealed), provides some additional protections, it is still not enough.

[snip]

Thus, to the extent that it is even appropriate to examine the protections in the Executive Order that are not statutorily required, the scales of the reasonableness determination sway but do not tip towards reasonableness.

Yahoo made that argument on May 29, 2008.

Sadly, Yahoo appears not to have noticed the best argument that Courts shouldn’t rely on EO 12333 because the President could always change it: Sheldon Whitehouse’s revelation on December 7, 2007 (right in the middle of this litigation) that OLC had ruled the President could change it in secret and not note the change publicly. Whitehouse strongly suggested that the Executive in fact had changed EO 12333 without notice to accommodate its illegal wiretap program.

But the government appears to have intentionally withheld further evidence about how easily it could change EO 12333 — and in fact had, right in the middle of the litigation.

This is the copy of the Classified Annex to EO 12333 that (at least according to the ODNI release) the government submitted to FISCR in a classified appendix on June 5, 2008 (that is, after Yahoo had already argued that an EO, and the protections it affords, might change). It is a copy of the original Classified Appendix signed by Ed Meese in 1988.

As I have shown, Michael Hayden modified NSA/CSS Policy 1-23 on March 11, 2004, which includes and incorporates EO 12333, the day after the hospital confrontation. The content of the Classified Annex released in 2013 appears to be identical, in its unredacted bits, to the original as released in 1988 (see below for a list of the different things redacted in each version). So the actual content of what the government presented may (or may not) be a faithful representation of the Classified Appendix as it currently existed.

But the version of NSA/CSS Policy 1-23 released last year (starting at page 110) provides this modification history:

This Policy 1-23 supersedes Directive 10-30, dated 20 September 1990, and Change One thereto, dated June 1998. The Associate Director for Policy endorsed an administrative update, effective 27 December 2007 to make minor adjustments to this policy. This 29 May 2009 administrative update includes changes due to the FISA Amendments Act of 2008 and in core training requirements.

That is, Michael Hayden’s March 11, 2004 modification of the Policy changed it to the Directive as it existed before 2 changes made under Clinton.

Just as importantly, the modification history reflects “an administrative update” making “minor adjustments to this policy” effective December 27, 2007 — a month and a half after this challenge started.

By presenting the original Classified Appendix — to which Hayden had apparently reverted in 2004 — rather than the up-to-date Policy, the government was presenting what they were currently using. But they hid the fact that they had made changes to it right in the middle of this litigation. A fact that would have made it clear that Courts can’t rely on Executive Orders to protect the rights of Americans, especially when they include Classified Annexes hidden within Procedures.

In its language relying on EO 12333, FISCR specifically pointed to DOD 5240.1-R. The Classified Annex to EO 12333 is required under compliance with part of that that complies with the August 27, 2007 PAA compliance.

That is, this Classified Annex is a part of the Russian dolls of interlocking directives and orders that implement EO 12333.

And they were changing, even as this litigation was moving forward.

Only, the government appears to have hidden that information from the FISCR.

Update: Clarified that NSA/CSS Policy 1-23 is what got changed.

Update: Hahaha. The copy of DOD 5240.1 R which the government submitted on December 11, 2007, still bears the cover sheet labeling it as an Annex to NSA/CSS Directive 10-30. Which of course had been superseded in 2004.

Note how they cut off the date to hide that it was 1990?

The Obama Administration Debate on the Convention Against Torture and Anas al-Libi

For some reason, the NYT decided to bury this article from Charlie Savage on page A21. It explains that the Obama Administration is debating internally whether to overturn Obama’s ban against cruelty (which is also mandated by the Detainee Treatment Act). Some intelligence lawyers, apparently, believe Obama’s torture ban and the DTA are too limiting.

It is considering reaffirming the Bush administration’s position that the treaty imposes no legal obligation on the United States to bar cruelty outside its borders, according to officials who discussed the deliberations on the condition of anonymity.

[snip]

State Department lawyers are said to be pushing to officially abandon the Bush-era interpretation. Doing so would require no policy changes, since Mr. Obama issued an executive order in 2009 that forbade cruel interrogations anywhere and made it harder for a future administration to return to torture.

But military and intelligence lawyers are said to oppose accepting that the treaty imposes legal obligations on the United States’ actions abroad. They say they need more time to study whether it would have operational impacts. They have also raised concerns that current or future wartime detainees abroad might invoke the treaty to sue American officials with claims of torture, although courts have repeatedly thrown out lawsuits brought by detainees held as terrorism suspects.

There were remarkable amounts of denial in response to this, from people who seem totally unaware of the kind of practices — that appear to include isolation, sleep deprivation, food manipulation, and other forms of coercion — currently used by High Value Interrogation Group (HIG), the inter-Agency group used to interrogate terrorist suspects. And this post from David Luban, which lays out some of the loopholes the government might be using to engage in abuse, misses a few.

We know, for example, that there are 2 OLC opinions that say Presidents don’t have to change the text of Executive Orders they choose to ignore, meaning Obama could ignore his torture ban “legally.” There’s also the Appendix M OLC opinion that has approved whatever DOD wants to sneak into the sometimes classified appendix in advance.

All of these issues have been invoked in the case of Anas al-Libi, who recently testified in his challenge to the use of the statements he made to FBI’s Clean Team in his trial, invoking the anxiety produced by the “CIA” interrogation al-Libi experienced on the USS San Antonio. (The interrogation was conducted by the HIG; note that while al-Libi has retained counsel, Bernard Kleinman, I believe he also still has public defenders, including Sabrina Shroff, who has represented HIG-interrogated defendants before, so she can attest to the continuity of the methods involved.)

Al-Libi, a 50-year-old Libyan whose legal name is Nazi Abdul al-Ruqai, testified before U.S. District Judge Lewis Kaplan in an evidentiary hearing tightly focused on the moments following al-Libi’s transfer on October 12, 2013, from military to civilian custody.

Given the situation, “I couldn’t concentrate on anything,” al-Libi told the court through an Arabic translator. When asked by his attorney, Bernard Kleinman, why he signed the papers waiving his Miranda rights and paving the way for an FBI interview, al-Libi said, “You have no choice but to sign it.”

And in a filing calling on the government to preserve videotapes and any other records of his shipboard interrogation, al-Libi’s Libyan-retained lawyer invoked precisely the law and Executive Order in question.

18. Upon information and belief he was subjected to daily interrogation by professional interrogator[s] of the CIA in an unrelenting, hostile, and extraordinary manner.

19. Upon information and belief this interrogation was conducted in a manner in violation of the Defendant’s rights under the Fifth and Sixth Amendments to the federal Constitution, and under applicable treaties and conventions to which the United States is a signatory.2

20. Furthermore, this interrogation was conducted in a manner of inhumane treatment. Notwithstanding the changes effected by both Congress3 and the President4 after the revelations of physical abuse and torture as conducted by the CIA in the name of national security, such measures (even if actually observed by the participants and interrogators) could easily lead to harsh, improper and inhumane treatment that would taint any and all subsequent interrogations, even if preceded by a Miranda warning and waiver execution, and conducted by the FBI or some other federal law enforcement agents.

21. Upon information and belief, these interrogations were videotaped, and otherwise recorded by the CIA, among other U.S. Government agencies.

22. It is, furthermore, reasonable and logical to presume that the interrogator[s] produced hard copy notes of their actions, and provided reports to other representatives of the United States Government (both in the Executive and Legislative branches).

3 In 2005 Congress passed the Detainee Treatment Act, Pub. L. No. 109-148, codified at U.S.C. §§ 2000dd, 2000dd-0, and 2000dd-J, which applied the U.S. Army Field Manual to all military interrogations. It should be noted that the Act specifically provides that

No individual in the custody or under the physical control of the United States Government, regardless of nationality or physical location, shall be subject to cruel, inhuman, or degrading treatment or punishment.

The degree and extent to which the United States Government violated this statute in the kidnapping, abduction, and interrogation of the Defendant are issues to be raised similarly in any subsequent motions made pursuant to Rule 12(b).

4 On January 22, 2009, President Obama issued Executive Order 13491, which directed the CIA to adopt the methods of interrogation as set forth in the U.S. Army Field Manual. See E.O. 13491, 74 Fed. Reg. 4893 (Jan. 22, 2009).

5 Both the Detainee Treatment Act and E.O. 13491 refer to the U.S. ARMY FIELD MANUAL, HUMAN INTELLIGENCE COLLECTOR OPERATIONS, referenced as FM 2.22.3 (Sept. 2006 ed.).

I think there are probably a number of HIG-interrogated individuals — including some who were interrogated entirely within the US — who could claim they were subject to degrading treatment. But in this case, the person in question has a privately-retained lawyer, which may present significant concerns for the interrogators in question.

Meanwhile, the government is not providing al-Libi the cancer treatment that doctors at Duke said during the summer he needs to address liver cancer. Maybe the government is just hoping al-Libi will succumb to cancer before he can press these issues?

Whatever the plan, the government is at least entertaining widening the loopholes that they used in the past to protect torturers.

Why Isn’t FBI Investigating the Hackers Who Broke into Google’s Cables?

At his Brookings event yesterday, Jim Comey claimed that there is a misperception, in the wake of the Snowden releases, about how much data the government obtains.

In the wake of the Snowden disclosures, the prevailing view is that the government is sweeping up all of our communications. That is not true. And unfortunately, the idea that the government has access to all communications at all times has extended—unfairly—to the investigations of law enforcement agencies that obtain individual warrants, approved by judges, to intercept the communications of suspected criminals.

[snip]

It frustrates me, because I want people to understand that law enforcement needs to be able to access communications and information to bring people to justice. We do so pursuant to the rule of law, with clear guidance and strict oversight. 

He goes on to pretend that Apple and Google are default encrypting their phones solely as a marketing gimmick, some arbitrary thing crazy users want.

Both companies are run by good people, responding to what they perceive is a market demand. But the place they are leading us is one we shouldn’t go to without careful thought and debate as a country.

[snip]

Encryption isn’t just a technical feature; it’s a marketing pitch. But it will have very serious consequences for law enforcement and national security agencies at all levels. Sophisticated criminals will come to count on these means of evading detection. It’s the equivalent of a closet that can’t be opened. A safe that can’t be cracked. And my question is, at what cost?

He ends with a plea that “our private sector partners … consider changing course.”

But we have to find a way to help these companies understand what we need, why we need it, and how they can help, while still protecting privacy rights and providing network security and innovation. We need our private sector partners to take a step back, to pause, and to consider changing course.

There’s something missing from Comey’s tale.

An explanation of why the FBI has not pursued the sophisticated criminals who stole Google’s data overseas.

At a recent event with Ron Wyden, the Senator asked Schmidt to weigh in on the phone encryption “kerfuffle.” And Schmidt was quite clear: the reason Google and Apple are doing this is because the NSA’s partners in the UK stole their data, even while they had access to it via PRISM.

The people who are criticizing this should have expected this. After Google was attacked by the British version of the NSA, we were annoyed and so we put end-to-end encryption at rest, as well as through our systems, making it essentially impossible for interlopers — of any kind — to get that information.

Schmidt describes the default encryption on the iPhone, notes that it has been available for the last 3 years on Android phones, and will soon be standard, just like it is on iPhone.

Law enforcement has many many ways of getting information that they need to provide this without having to do it without court orders and with the possible snooping conversation. The problem when they do it randomly as opposed to through a judicial process is it erodes user trust.

If everything Comey said were true, if this were only about law enforcement getting data with warrants, Apple – and Google especially – might not have offered their customers the privacy they deserved. But it turns out Comey’s fellow intelligence agency decided to just go take what they wanted.

And FBI did nothing to solve that terrific hack and theft of data.

I guess FBI isn’t as interested in rule of law as Comey says.

I Con the Record’s International Privacy Guidelines Swallowed Up by Exceptions

Sometimes I Con the Record outdoes itself.

On Tuesday, the Guardian noted a scathing report UN Counterterrorism special rapporteur Ben Emmerson issued last month attacking British and US collection of bulk communications.

“Merely to assert – without particularization – that mass surveillance technology can contribute to the suppression and prosecution of acts of terrorism does not provide an adequate human rights law justification for its use. The fact that something is technically feasible, and that it may sometimes yield useful intelligence, does not by itself mean that it is either reasonable or lawful.”

[snip]

“It is incompatible with existing concepts of privacy for states to collect all communications or metadata all the time indiscriminately. The very essence of the right to the privacy of communication is that infringements must be exceptional, and justified on a case-by-case basis.”

Today, I Con the Record released a “Status Report” on an initiative President Obama ordered in his PPD-28 back in January to extend privacy protections to foreigners.

As we work to meet the January 2015 deadline, PPD-28 called on the Director of National Intelligence to prepare an interim report on the status of our efforts and to evaluate, in coordination with the Department of Justice and the rest of the Intelligence Community, additional retention and dissemination safeguards.

The DNI’s interim report is now being made available to the public in line with our pledge to share as much information about sensitive intelligence activities as is possible, consistent with our national security.

One thing this interim report requires is that “elements shall publicly release their PPD-28 implementation policies and procedures to the maximum extent possible.” Which requirement, you might assume, this release fulfills.

Which is why it’s so curious I Con the Record chose not to release an unclassified report mandated and mandating transparency — dated July 2014 — until October 2014.

Lest I be called a cynic, let me acknowledge that there are key parts of this that may represent improvements (or may not). The report asserts:

  • Foreigners will be treated with procedures akin to — though not identical to — those imposed by Section 2.3 of EO 12333
  • Just because someone is a foreigner doesn’t mean their information is foreign intelligence; the IC should “permanently retain or disseminate such personal information only if the personal information relates to an authorized intelligence requirement, is reasonably believed to be evidence of a crime, or meets one of the other standards for retention or dissemination identified in section 2.3” of EO 12333
  • The IC should consider adopting (though is not required to) retention periods used with US person data for foreign personal information (which is 5 years); the IC may get extensions, but only in 5-year chunks of time
  • When disseminating “unevaluated personal information,” the IC should make that clear so the recipient can protect it as such

Those are good things! Yeah us!

There are, however, a series of exceptions to these rules.

First, the guidelines in this report restate PPD-28’s unbelievably broad approval of the use of bulk data, in full. The report does include this language:

[T]he procedures must also reflect the limitations on the use of SIGINT collected in bulk. Moreover, Intelligence Community element procedures should include safeguards to satisfy the requirements of this section. In developing procedures to comply with this requirement, the Intelligence Community must be mindful that to make full use of intelligence information, an Intelligence Community element may need to use SIGINT collected in bulk together with other lawfully collected information. In such situations, Intelligence Community elements should take care to comply with the limitations applicable to the use of bulk SIGINT collection.

Unless I’m missing something, the only “limits” in this section are those limiting the use of bulk collection to almost all of NSA’s targets, including counterterrorism, cybersecurity, and crime, among other things. Thus, the passage not only reaffirms what amounts to a broad permission to use bulk, but then attaches those weaker handling rules to anything used in conjunction with bulk.

Then there are the other exceptions. The privacy rules in this document don’t apply to:

  • Evaluated intelligence (exempting foreigners’ data from the most important treatment US person data gets, minimization in finished intelligence reports; see footnote 3)
  • Personal information collected via other means than SIGINT (excluding most of what the CIA and FBI do, for example; see page 1)
  • Information collected via SIGINT not collecting communications or information about communications (seemingly excluding things like financial dragnets and pictures and potentially even geolocation, among a great many other things; see footnote 2)

And, if these procedures aren’t loosey goosey enough for you, the report includes this language:

It is important that elements have the ability to deviate from their procedures when national security requires doing so, but only with approval at a senior level within the Intelligence Community element and notice to the DNI and the Attorney General.

OK then.

Congratulations world! We’re going to treat you like Americans. Except in the majority of situations when we’ve decided not to grant you that treatment. Rest easy, though, knowing your data is sitting in a database for only 5 years, if we feel like following that rule.
