Cybersecurity

How to Avoid Rubber-Stamping another Drone Execution: Leave

NPR’s Carrie Johnson reports that OLC head Virginia Seitz quietly left OLC before Christmas.

Virginia Seitz, who won Senate confirmation after an earlier candidate under President Obama foundered, resigned from federal service after two-and-a-half years on the job. The timing is unusual because her unit plays a critical role in drawing the legal boundaries of executive branch action — at a time when President Obama says he will do more to bypass a divided Congress and do more governing by way of executive order.

And while DOJ’s official line is that Seitz left entirely for personal reasons, two sources told Johnson the ongoing discussions about whether to drone kill another American were another factor.

Two other sources suggested that aside from the tough work, another issue weighed heavily on her mind over the last several months: the question of whether and when the US can target its own citizens overseas with a weaponized drone or missile attack. American officials are considering such a strike against at least one citizen linked to al Qaeda, the sources said.

Meanwhile, a “law enforcement” source (but wait! the entire point of drone assassinations is that they replace law enforcement with intelligence entirely!) suggests the decision has not yet been made.

A law enforcement source told NPR the controversy over the use of drones against Americans in foreign lands did not play a major role in Seitz’s decision to leave government, since the OLC is continuing to do legal analysis on the issue and there was no firm conclusion to which she may have objected or disagreed.

Which is sort of funny, because Kimberly Dozier’s report on the American in question says DOD, at least, has made its decision.

But one U.S. official said the Defense Department was divided over whether the man is dangerous enough to merit the potential domestic fallout of killing an American without charging him with a crime or trying him, and the potential international fallout of such an operation in a country that has been resistant to U.S. action.

Another of the U.S. officials said the Pentagon did ultimately decide to recommend lethal action.

And remember, as I’ve pointed out, this potential drone execution target is differently situated from Anwar al-Awlaki, in that there appears to be no claim this one is targeting civilians in the US.

But let’s take a step back and consider some other interesting details of timing.

First, on November 29 of last year, Ron Wyden, Mark Udall, and Martin Heinrich released a letter they sent to Eric Holder asking for more clarity on when the President could kill an American.

[W]e have concluded that the limits and boundaries of the President’s power to authorize the deliberate killing of Americans need to be laid out with much greater specificity. It is extremely important for both Congress and the public to have a full understanding of what the executive branch thinks the President’s authorities are, so that lawmakers and the American people can decide whether these authorities are subject to adequate limits and safeguards.

Retrospectively, it seems this letter may have pertained to this new execution target, particularly given the different circumstances regarding his alleged attacks against the US. I might even imagine this serving as a public demand that DOJ not simply rely on the existing Awlaki drone assassination memo, creating the need to do a new one.

Now consider how (currently acting OLC head) Caroline Krass’ confirmation hearing plays in. On December 17, Wyden asked her who had the authority to withdraw an OLC opinion (the opinion in question pertains to common commercial services in some way related to cybersecurity, but I find it interesting in retrospect).

Wyden: But I want to make sure nobody else ever relies on that particular opinion and I’m concerned that a different attorney could take a different view and argue that the opinion is still legally valid because it’s not been withdrawn. Now, we have tried to get Attorney General Holder to withdraw it, and I’m trying to figure out — he has not answered our letters — who at the Justice Department has the authority to withdraw the opinion. Do you currently have the authority to withdraw the opinion?

Krass: No I do not currently have that authority.

Wyden: Okay. Who does, at the Justice Department?

Krass: Well, for an OLC opinion to be withdrawn, on OLC’s own initiative or on the initiative of the Attorney General would be extremely unusual.

She said she did not “currently have that authority.” Was she about to get that authority in days or hours?

Then finally there are the implications for Krass’ confirmation. The leaks about this current drone execution target almost certainly came from Mike Rogers’ immediate vicinity. He’s torqued because Obama’s efforts to impose some limits on the drone war have allegedly made it more difficult to execute this American with no due process.

And while Rogers doesn’t get a vote over Krass’ confirmation to be CIA General Counsel, Dianne Feinstein and Saxby Chambliss do. And their efforts to keep CIA in the drone business may well have an impact on — and may have been motivated by — our ability to assassinate Americans.

I don’t recall Krass getting questions that directly addressed drone killing, though she did get some that hinted at the edges of such questions, such as this one:

Are there circumstances in which a use of force, or other action, by the U.S. government that would be unlawful if carried out overtly is lawful when carried out covertly? Please explain.

ANSWER: As a matter of domestic law, I cannot think of any circumstances in which a use of force or other action by the U.S. government that would be unlawful if carried out overtly would be lawful when carried out covertly, but I have not studied this question.

This seems to be a question she would have had to consider if she had any involvement in OLC’s consideration of a new drone execution memo.

All that said, she hasn’t yet gotten her vote (though any delay may arise from holds relating to the Senate Torture Report).

It just seems likely that — as we did in May 2005 when Steven Bradbury reapproved torture in anticipation of a promotion to head OLC — we’re faced yet again with a lawyer waiting for a promotion being asked to give legal sanction to legally suspect activity. My impression is that Krass has far more integrity than Bradbury (remember, she’s the one who originally imposed limits on the Libya campaign), so I’m only raising this because of the circumstances, not any reason to doubt her character.

It just seems like if you need lawyers to rubber stamp legally suspect activities, there ought to be more transparency about what promotions and resignations are going on.

Apple’s Go to Fail Response

If you haven’t already heard, on Friday Apple admitted to what has since been discovered to be a serious security flaw.

Essentially, in some of the more careful kinds of security (encrypted connections), the flaw would allow an attacker to conduct a Man-in-the-Middle attack while you were sending or receiving data via an Apple operating system. Apple’s announcement Friday pertained only to iOS. But security researchers quickly discovered that the bug affects recent releases of OSX as well. And even if you’re using Chrome or Firefox, the bug may affect underlying applications.

This post, from Google engineer Adam Langley, is one of the best posts on the bug itself. Here’s Wired’s take. Here’s a really accessible take from Gizmodo.

In the wake of the Snowden revelations, the discovery of the bug raises questions about how it got there. Langley thinks it was a mistake. Steve Bellovin does too, though he does note that Perfect Forward Secrecy is precisely what a determined hacker, including a nation-state’s SIGINT agency, would need to compromise. Others are raising more questions.
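For readers who want to see what kind of mistake is at issue: the defect in Apple’s SSL/TLS code was a duplicated, unconditional `goto fail;` in the signature check for the server’s key exchange, which jumped past the verification step while the error variable still held zero (“success”). The constructed C model below is an added example, not Apple’s code or Langley’s; it reproduces that control-flow shape with a toy checksum standing in for the real signature, beside a version that fails closed. The function names, the toy checksum and the sample inputs are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for a signature: FNV-1a over the message (not cryptographic,
 * used only so the example runs offline). Assumed helper, not Apple's code. */
uint32_t toy_sig(const uint8_t *msg, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= msg[i];
        h *= 16777619u;
    }
    return h;
}

/* Returns 0 when the supplied signature matches the message, -1 otherwise. */
static int toy_check(const uint8_t *msg, size_t len, uint32_t sig) {
    return (toy_sig(msg, len) == sig) ? 0 : -1;
}

/* Stands in for the hash-update steps that precede the real check. */
static int update_ok(void) { return 0; }

/* Vulnerable shape (constructed): the indented second "goto fail;" is not
 * governed by the if above it, so it always executes. The signature check
 * that follows is dead code, and err is still 0 when we reach fail:, so a
 * forged signature is reported as valid. */
int verify_vulnerable(const uint8_t *msg, size_t len, uint32_t sig) {
    int err = 0;
    if ((err = update_ok()) != 0)
        goto fail;
    if ((err = update_ok()) != 0)
        goto fail;
        goto fail;                                  /* the duplicated line */
    if ((err = toy_check(msg, len, sig)) != 0)      /* never reached */
        goto fail;
fail:
    return err;                                     /* 0 means "valid" */
}

/* Hardened shape: braces on every conditional so a stray line cannot silently
 * change control flow, and the verdict requires the check to have actually
 * run (fail closed) instead of trusting that err was never set. */
int verify_fixed(const uint8_t *msg, size_t len, uint32_t sig) {
    int err = -1;
    int checked = 0;
    if ((err = update_ok()) != 0) { goto fail; }
    if ((err = update_ok()) != 0) { goto fail; }
    if ((err = toy_check(msg, len, sig)) != 0) { goto fail; }
    checked = 1;
fail:
    return (checked && err == 0) ? 0 : -1;
}

int main(void) {
    const uint8_t msg[] = "hello";                  /* constructed sample message */
    size_t len = sizeof(msg) - 1;
    uint32_t forged = 0xdeadbeefu;                  /* constructed wrong signature */
    printf("vulnerable accepts forged sig: %s\n",
           verify_vulnerable(msg, len, forged) == 0 ? "yes" : "no");
    printf("fixed accepts forged sig:      %s\n",
           verify_fixed(msg, len, forged) == 0 ? "yes" : "no");
    printf("fixed accepts correct sig:     %s\n",
           verify_fixed(msg, len, toy_sig(msg, len)) == 0 ? "yes" : "no");
    return 0;
}
```

The vulnerable function accepts any signature at all, which is exactly what lets a Man-in-the-Middle present a bogus key exchange. Two cheap defences catch this class of bug before it ships: building with GCC’s `-Wmisleading-indentation` or Clang’s `-Wunreachable-code`, which flag the orphaned `goto` and the dead check, and a negative test that feeds a deliberately wrong signature and asserts rejection, which the original code base evidently lacked.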

But whether or not this is an intentional backdoor into the security protecting users of most of Apple’s most recent devices, I’m just as interested in Apple’s response … both to the public report, almost 6 months ago, that,

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

And to its discovery — reportedly perhaps as long as a few weeks ago — that it had this serious bug.

Now, if I were a leading device/consumer products company with an incentive to get consumers deeper into the cloud and living further and further online, particularly if I were a leading device/consumer products company sitting on mountains and mountains of cash, upon reading the report last September, I would throw bodies at my code to make sure I really was providing the security my customers needed to sustain trust. And given that this is a key part of the security on which that trust relies, I would think the mountains of cash device/consumer products company might have found this bug.

According to rumors, at least, this bug was not found by Apple with all its mountains and mountains of cash; it was found by a researcher.

Then there’s the radio silence Apple has maintained since issuing its alert about iOS on Friday. It told Reuters over the weekend that it would have a fix for the OSX bug “soon,” so it has, effectively, acknowledged that the bug is there. But it has not issued an official statement.

It just seems to me there is little that can explain issuing Friday’s security alert — alerting everyone, including potential hackers, that the problem is there, which quickly led to the independent identification of the OSX problem — without at the same time rolling out an OSX announcement and alert. Admitting to the iOS error effectively led to OSX users being exposed to people responding to the announcement. Millions of Apple customers are even further exposed, until such time as Apple rolls out a fix (though you might consider doing your banking on a browser other than Safari to give yourself a tiny bit of protection until that point).

The only thing I can think of that would explain Apple’s actions is if the security researcher who found this bug gave them limited warning before he or she would have published it.

Otherwise, though, I’m as interested in the explanation for Apple’s two-step rollout of this bug fix as I am in how it got there in the first place.

In Cut and Paste Tumblr Post, James Clapper Describes Who We Can Spy on without Discriminants

As part of his Presidential Policy Directive on Signals Intelligence, Obama said this about bulk collection:

In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section. In no event may signals intelligence collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S. business sectors commercially; or achieving any purpose other than those identified in this section.

The Assistant to the President and National Security Advisor (APNSA), in consultation with the Director of National Intelligence (DNI), shall coordinate, on at least an annual basis, a review of the permissible uses of signals intelligence collected in bulk through the National Security Council Principals and Deputies Committee system identified in PPD-1 or any successor document. At the end of this review, I will be presented with recommended additions to or removals from the list of the permissible uses of signals intelligence collected in bulk.

The DNI shall maintain a list of the permissible uses of signals intelligence collected in bulk. This list shall be updated as necessary and made publicly available to the maximum extent feasible, consistent with the national security.

To fulfill that bolded “shall” language, James Clapper just released this on his IContheRecord Tumblr page:

Presidential Policy Directive/PPD-28 – Signals Intelligence Activities establishes a process for determining the permissible uses of nonpublicly available signals intelligence that the United States collects in bulk. It also directs the Director of National Intelligence to “maintain a list of permissible uses of signals intelligence collected in bulk” and make the list “publicly available to the maximum extent feasible, consistent with the national security.”

Consistent with that directive, I am hereby releasing the current list of permissible uses of nonpublicly available signals intelligence that the United States collects in bulk.

Signals intelligence collected in “bulk” is defined as “the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).” As of Jan. 17, 2014, nonpublicly available signals intelligence collected by the United States in bulk may be used by the United States “only for the purposes of detecting and countering:

  1. Espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;
  2. Threats to the United States and its interests from terrorism;
  3. Threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;
  4. Cybersecurity threats;
  5. Threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and
  6. Transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named above.”

Further, as prescribed in PPD-28, “in no event may signals intelligence collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S. business sectors commercially;” or achieving any purpose other than those identified above.

Effectively, Clapper fulfilled an obligation mandated by the PPD by simply cutting and pasting the list of 6 permissible uses of bulk collection in the PPD.

Given that this list is expected to be assessed annually, does that mean the PPD itself should be considered valid for no more than a year?

GCHQ DDoS Hackers Hang Out with NSA’s Audit-Free Techies

Yesterday, I noted NBC’s report that GCHQ conducted a DDoS attack against Anonymous IRC chat.

There’s a subtle point that deserves more attention: GCHQ presented the underlying Powerpoint to NSA’s SIGDEV conference.

The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack — which it dubbed Rolling Thunder — and other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.

[snip]

In the presentation on hacktivism that was prepared for the 2012 SIGDEV conference, one official working for JTRIG described the techniques the unit used to disrupt the communications of Anonymous and identify individual hacktivists, including some involved in Operation Payback. Called “Pushing the Boundaries and Action Against Hacktivism,” the presentation lists Anonymous, Lulzsec and the Syrian Cyber Army among “Hacktivist Groups,” says the hacktivists’ targets include corporations and governments, and says their techniques include DDOS and data theft.

SIGDEV is NSA’s term for the agency’s efforts to develop new signals intelligence techniques and sources. Thus, GCHQ presented the attack as the cutting edge of what NSA does.

Goodie.

But remember: NSA’s SIGDEV analysts have access to raw data outside of normal channels. This shows up repeatedly in the primary orders for the dragnet. And, as Bart Gellman noted (and I elaborated on here), Obama specifically exempted these folks from his Presidential Policy Directive limiting our spying (though his PPD did say foreigners could be spied on for cybersecurity reasons).

In other words, the people GCHQ boasted of their attack on Anonymous to are the people who have some of the least oversight within NSA.

The “McCain Committee” Would Be Full of NSA Defenders

Imagine a McCain Committee as the inheritor of the tradition of Frank Church and Otis Pike.

(Yes, I did that to make bmaz’ head explode.)

That seems to be what John McCain intends with his resolution calling for a Committee to Investigate the Dragnet. (h/t Steven Aftergood)

Only, McCain proposes to investigate not just whether NSA has engaged in things it was not authorized to do, but also Snowden’s leaks themselves and the potential role of contractors in making leaks more likely.

All that said, I might be excited about McCain’s proposal to review the dragnet, as described:

(3) The nature and scope of National Security Agency intelligence-collection programs, operations, and activities, including intelligence-collection programs affecting Americans, that were the subject matter of the unauthorized disclosure, including–

(A) the extent of domestic surveillance authorized by law;

(B) the legal authority that served as the basis for the National Security Agency intelligence-collection programs, operations, and activities that are the subject matter of those disclosures;

(C) the extent to which such programs, operations, and activities that were the subject matter of such unauthorized disclosures may have gone beyond what was authorized by law or permitted under the Constitution of the United States;

(D) the extent and sufficiency of oversight of such programs, operations, and activities by Congress and the Executive Branch; and

(E) the need for greater transparency and more effective congressional oversight of intelligence community activities.

There’s just one problem with McCain’s proposal.

Here’s the list of the people who would be on the Committee (he provides titles, I’m providing names):

  • Diane Feinstein
  • Saxby Chambliss
  • Carl Levin
  • Jim Inhofe
  • Tom Carper
  • Tom Coburn
  • Robert Menendez
  • Bob Corker
  • Pat Leahy
  • Chuck Grassley
  • Jello Jay Rockefeller
  • John Thune
  • A Harry Reid pick
  • A Mitch McConnell pick

There are a number of very big NSA defenders on this list — in addition to DiFi and Saxby, both Jello Jay and Coburn are Intel Committee members who have never questioned the dragnet (indeed, Coburn has called for getting rid of the controls on the phone dragnet!). Chuck Grassley, too, has generally been supportive of the dragnet in SJC hearings on the subject. Most of the rest are simply not the caliber of people who might critically assess the dragnet much less show real interest in Americans’ privacy. Only Carl Levin and Pat Leahy, alone among the 12 named members, have been explicitly skeptical of the dragnet at all.

McCain proposes a Select Committee to investigate the dragnet. And he proposes to fill it with people who are really happy with the dragnet as it currently exists.

Update: Just to give a sense of how terrible this make-up for a Select Committee is, compare it with the bipartisan list of 26 Senators who asked James Clapper for more information on other uses of Section 215 last June. Just one Senator from that list — Pat Leahy — would be on McCain’s committee.

Update: Haha! Via Matt Sledge, DiFi shot McCain’s idea down pretty quickly.

Density within Legal Density

Ben Wittes has a long post trying to explain the NSA’s job in such a way as to “tell a young student what intelligence collection under the rule of law looks like” without inducing “a sense of betrayal.”

I have no problem with Wittes’ attempt to develop such an explanation, nor any great gripe with his effort. I’m not going to accuse Wittes of being naked this time.

But I want to raise three details that show the problem behind the effort.

First, Wittes’ entire statement reads,

NSA does not, except in emergencies, intentionally target for collection the communications of specific Americans without seeking a court order first, and it does not intentionally target for collection the communications of individuals known to be in the United States. It does, however, routinely acquire and store the communications of US persons and some domestic communications as a necessary incident to its broad collection directed at targets overseas—and it then has rules restricting the retention and use of this material to the extent it does not have foreign intelligence value. What’s more, NSA routinely acquires in bulk the records, but not the contents, of domestic telephone communications, which it uses for narrow counterterrorism purposes.

With the caveat that most people’s definition of “target” is not as specific as NSA’s is, I don’t have a big issue with this statement.

Except that it is false to say the phone dragnet is only used “for narrow counterterrorism purposes.” As Dianne Feinstein stated and Keith Alexander confirmed back in June, the dragnet is used with al Qaeda related groups and with Iran.

It can only look at that data after a showing that there is a reasonable, articulable that a specific individual is involved in terrorism, actually related to al Qaeda or Iran.

Now, perhaps in reality the dragnet is used against Hizballah, which the US, at least, treats as a terrorist organization. But to the extent that the dragnet is used against specific individuals from Iran “involved in terrorism,” then the entire notion of “narrow counterterrorism purposes” goes out the window, because accusing Iran of engaging in terrorism, even in the context of Iraq (where I suspect such usage derives from) is problematic. That’s true not just because Iran has been the target of what might count as terrorist acts, including assassinations of civilians, but also because those whom we’ve listed as terrorists (including members of the Republican Guard and its bank) are engaged in what ought to be considered legitimate defense of a sovereign nation.

So even if you agree with the approach the US has adopted with Iran, including it among the terrorists you can use the phone dragnet against moves beyond “narrow” counterterrorism into counterterrorism as a tactical tool wielded against a state adversary. And that such definitions can happen in secret (Iran’s listings on Treasury’s terrorism list are not secret, but the choice to include it among the two general targets of the dragnet was secret until June) means there’s no reason to trust that the phone dragnet will remain narrowly targeted.

Then there’s the notion our targets are all overseas. They’re not. Hacking targets are in the US, and there’s good reason to believe the upstream collection is used against them (we do know there’s a cybersecurity certification for Section 702). NSA presumably manages to conduct this domestic spying in the guise of foreign intelligence by noting how difficult it is to attribute hacks (that’s also presumably how it justifies holding all encrypted communications indefinitely). In other words, what we’re seeing is a redefinition of “foreign” to incorporate more and more that is domestic, which in part amounts to using intelligence rather than law enforcement tools against criminal activity because some but not all of that criminal activity is propagated by states. (Note, in yesterday’s hearing Peter Swire suggested NSA’s info assurance function is where it serves as a domestic security agency.)

Then there’s this statement from Wittes:

We want a robust foreign intelligence capability. We don’t want our domestic relations between citizens and government conditioned by an intelligence agency—which necessarily uses secrecy, deceit and trade-craft that has no part in domestic governance.

This is why I harp constantly about the use of the dragnet to identify potential informants. Because it is precisely through that application of the dragnet that NSA’s activities lead directly to the interjection of secrecy, deceit, and trade-craft in domestic governance. Sure, FBI (that hybrid intelligence/law enforcement agency) carries out that secrecy, deceit, and trade-craft, not NSA. But the power of the dragnet makes all that deceit potentially far worse (because it provides a way to exploit the secrets of innocent citizens to coerce them to become informants). That NSA is one step removed from this troubling approach does not mean it is not party to it.

Again, these are details, details which don’t necessarily invalidate Wittes’ larger point, but show that even within the larger framework, NSA has secretly violated those principles Wittes would like to believe.

US Official Position Says Hacking Is Permissible?

According to LAT’s Ken Dilanian, it is the “official position” of the US government that some kinds of hacking are “permissible.”

The official U.S. position — that governments hacking governments for military and other official secrets is permissible, but governments hacking businesses for trade secrets is not — is a tougher sell these days.

He makes the claim in an article that originally claimed Edward Snowden’s leaks have set back cybersecurity efforts, but then had to issue a correction acknowledging CISPA probably wasn’t going to happen anyway.

An article in the Feb. 2 Section A on the effects of Edward Snowden’s leaks of National Security Agency secrets said the White House backed the Cyber Intelligence Sharing and Protection Act, a cybersecurity measure. The White House threatened to veto the proposed bill in April.

I take from this correction that Dilanian was fairly uncritically repeating the claims of NSA boosters — as other reporters have credulously repeated claims about the way Snowden’s leaks will affect cybersecurity initiatives.

Which is why I find his description of this “official position” so interesting.

I’m not aware of the US endorsing any official (public) policy on the kinds of hacks NSA (and CyberCommand) are permitted. Congress has tried to put some limits on it — or at least get briefing on it. And Keith Alexander successfully fought for a lot more autonomy over the hacks he could do.

The Executive does, however, have an official policy on SIGINT: President Obama’s recent Presidential Policy Directive. But a SIGINT official position and a hacking policy are not necessarily the same thing. While hacking is one way we collect SIGINT (though I don’t think NSA has admitted to that), we also conduct hacking for offensive purposes.

Even assuming they were the same thing, Dilanian’s characterization would be a misstatement of the policy in any case.

The actual policy permits the collection of SIGINT for broadly defined foreign intelligence purposes.

Thus, “foreign intelligence” means “information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations, foreign persons, or international terrorists,

Of course, corporations are, under US law, both “organizations” and “persons,” so this definition permits spying on foreign corporations (other intelligence documents lay this out explicitly).

And the PPD does permit the collection of foreign private commercial information to protect US and allies’ national security.

The collection of foreign private commercial information or trade secrets is authorized only to protect the national security of the United States or its partners and allies. It is not an authorized foreign intelligence or counterintelligence purpose to collect such information to afford a competitive advantage to U.S. companies and U.S. business sectors commercially.

This is, frankly, where our hypocrisy on hacking (and SIGINT) begins to fall apart, given that China would maintain that stealing our military (and energy and tech) secrets are a matter of national security, and the fact that our government maintains more nominal separation from the companies that develop such things than China does should not shield those companies from spying.

And then, finally, the limits on data collection don’t apply when the NSA is working to develop SIGINT capabilities.

it shall not apply to signals intelligence activities undertaken to test or develop signals intelligence capabilities.

Given that some of our alleged hacking seems to support efforts to develop new hacking capabilities, this exception could prove infinitely recursive, especially given the rules on information collection in the name of cyberdefense and attacks. And of course, when we exploited Siemens’ SCADA industrial control systems to attack Iran, we used a corporate competitor’s trade secrets in the name of national security.

That is, even ignoring how America’s self-interested standard simply defines our national security in terms that legitimize our own hacking, once you get into the interaction between intelligence used to hack and hacking used to collect intelligence, the rules on SIGINT basically fall apart.

But hey. If the US says hacking of official government secrets is “permissible,” then maybe DOJ will withdraw the charges against Edward Snowden?

Mirror, Mirror, on the Wall, Who’s the Hackiest of Them All?

Here are some excerpts from the Global Threats report pertaining to the cyber threat.

We assess that computer network exploitation and disruption activities such as denial-of-service attacks will continue.

[snip]

… many countries are creating cyber defense institutions within their national security establishments. We estimate that several of these will likely be responsible for offensive cyber operations as well.

[snip]

Critical infrastructure, particularly the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used in water management, oil and gas pipelines, electrical power distribution, and mass transit, provides an enticing target to malicious actors. Although newer architectures provide flexibility, functionality, and resilience, large segments of legacy architecture remain vulnerable to attack, which might cause significant economic or human impact.

It’s as if the intelligence community called up NSA and CyberCommand, asked what they had been working on, and then “assessed” that those targets presented threats going forward.

And while I expect that China commits what would be judged the largest number of hacks (in part because much of the information we take directly from the communications backbone, they would have to hack to get), the inclusion of SCADA in the list of vulnerabilities is particularly rich, considering we are believed to have pioneered that kind of attack with Stuxnet.

Again, I’m not denying these other entities hack (the unclassified version of the report left off Israel and France, as unclassified versions tend to do). Just that we continue to exhibit no awareness that some part of this threat amounts to our genie blowing back in our face.

Is CIA Spying Domestically by Hacking Americans’ Computers?

In addition to further details about CIA’s quashed review showing torture didn’t work and a commitment from James Clapper that he would tell the American people if any of them had been back door searched, Ron Wyden and Mark Udall (along with Martin Heinrich) got one more curious set of details into the record at today’s Threat Hearing.

First, Wyden asked (43:04) John Brennan whether the federal Computer Fraud and Abuse Act applied to the CIA.

Wyden: Does the federal Computer Fraud and Abuse Act apply to the CIA?

Brennan: I would have to look into what that act actually calls for and its applicability to CIA’s authorities. I’ll be happy to get back to you, Senator, on that.

Wyden: How long would that take?

Brennan: I’ll be happy to get back to you as soon as possible but certainly no longer than–

Wyden: A week?

Brennan: I think that I could get that back to you, yes.

Minutes later, Mark Udall raised EO 12333’s limits on CIA’s spying domestically (48:30).

Udall: I want to be able to reassure the American people that the CIA and the Director understand the limits of its authorities. We are all aware of Executive Order 12333. That order prohibits the CIA from engaging in domestic spying and searches of US citizens within our borders. Can you assure the Committee that the CIA does not conduct such domestic spying and searches?

Brennan: I can assure the Committee that the CIA follows the letter and spirit of the law in terms of what CIA’s authorities are, in terms of its responsibilities to collect intelligence that will keep this country safe. Yes Senator, I do.

Now, it’s not certain these two questions are linked. Though obviously, hacking computers is an easy way to spy on people (as the NSA knows well).

Of course, the logic of the memo authorizing the Anwar al-Awlaki killing says that, so long as CIA has a presidential finding, even laws protecting American citizens cannot limit the CIA. And we learned 6 years ago that the Executive had secretly altered the text of EO 12333 without actually changing it, a practice John Yoo rubber-stamped.

So, particularly given Brennan’s snitty answer about protecting this country, I’d assume it’s a safe bet that the CIA is spying domestically, and I’d posit that they may be hacking computers to do so.

Oh good. NSA was getting bored being the only Agency exposed for hacking.

Verizon’s Storefront

As I noted yesterday, Verizon conveniently released its own transparency report 5 days before the government approved new transparency guidelines (according to one report, the deal was substantially completed earlier in the month, but had to wait on some tweaks to follow Obama’s speech).

Had Verizon released a transparency report yesterday, it would have added at least the following two details:

Non-Content FISA orders:

4 orders affecting 107,700,000 customers

Content FISA orders:

? orders affecting ? selectors (probably measuring the number of search terms — maybe something like “250” — Verizon searches for off its upstream collection affecting millions of people)

It would have painted a very different picture.

It turns out they did have time scheduled to write transparency claims yesterday. They released this statement attempting to reassure customers that Verizon doesn’t comply with any US government orders for data stored overseas. (h/t Chris Soghoian) Here’s an excerpt:

Over the past year there has been extensive discussion around the world about government demands for data. Last week, Verizon released a Transparency Report outlining the number of law enforcement requests for customer information that we received in 2013. In the report we noted that in 2013 we did not receive any demands from the United States government for data stored in other countries.

Although we would not expect to receive any such demands, there are persistent myths and questions about the U.S. government’s ability to access customer data stored in cloud servers outside the U.S. Now is a good time to dispel these inaccuracies and address the questions, which have been exacerbated by the stream of news reports since last June about national intelligence activities in the U.S. and elsewhere.

Our view on the matter is simple: the U.S. government cannot compel us to produce our customers’ data stored in data centers outside the U.S., and if it attempts to do so, we would challenge that attempt in court.

Here’s why.

The section of the national security laws often cited as granting the U.S. government authority to access data stored abroad is Section 215 of the Patriot Act.

While Section 215 allows a court to issue an order requiring a company operating in the U.S. to produce certain business records, it does not give the U.S. government the power to act outside the U.S. More importantly, Section 215 does not grant the U.S. government access to customer data stored in the cloud; it only applies to business records of the cloud provider itself. So the U.S. government cannot use Section 215 to compel a company to produce customer data stored in data centers outside the U.S.

[snip]

Finally, Section 702 of the Patriot Act also is not an option for the U.S. government to compel a U.S. company to turn over customer data stored in a data center outside the U.S. because the U.S. company does not have possession, custody or control of that data.

[snip]

customer data stored in data centers outside the U.S.

[snip]

data stored outside the U.S.

[snip]

data stored in the cloud outside the U.S.

[snip]

there should be no concern about the U.S. government compelling Verizon to disclose data our customers store in Verizon data centers outside the U.S. [my emphasis]

So having dodged by 5 days the obligation to report on all the data stored in the US it hands over to the government, it now wants to make claims about Verizon customer data stored overseas.

Stored, stored, stored, stored, stored, stored, stored, stored, stored, stored, store.

It chose not to say anything about data in transit, either here or in the US. In the US it is now permitted to talk about the data it collects in transit off its cables for the government in response to FISA Section 702 orders (though the deal only permits reports every 6 months; I guess it’s hoping we’ll forget about this soon).

To say nothing of the data it provides the government it collects as it transits overseas, perhaps in response to a polite request?

I’m actually most interested in Verizon’s claim it could not be required to turn over data stored overseas under Section 702.

Wouldn’t it primarily be served such a request under Section 703, which requires a warrant for electronic surveillance or access to stored communications of Americans overseas? Actually, I don’t know the answer to that — no one seems to, and I’ve been asking a lot of lawyer types.

But if Verizon says it can’t be served with an order for data stored overseas (in truth, many 703 orders must relate to searches conducted here on people who are physically overseas, but still), then the government isn’t using 703 in all the cases it is required to.

Whatever: the message to all you Europeans seems clear. Verizon would never let the government touch data it had in its own servers. Nosirree!

As far as data transiting its cables? All bets are off.
