With almost no explanation, PCLOB just released this table ODNI compiled showing the status of procedures Agencies follow to protect US person information when using data obtained under EO 12333. This is something PCLOB has been pushing for since August 2013, when it sent a letter to Attorney General Holder pointing out that some agencies weren’t in compliance with the EO.
As you know, Executive Order 12333 establishes the overall framework for the conduct of intelligence activities by U.S. intelligence agencies. Under section 2.3 of the Executive Order, intelligence agencies can only collect, retain, and disseminate information about U.S. persons if the information fits within one of the enumerated categories under the Order and if it is permitted under that agency’s implementing guidelines approved by the Attorney General after consultation with the Director of National Intelligence.
The Privacy and Civil Liberties Oversight Board has learned that key procedures that form the guidelines to protect “information concerning United States person” have not comprehensively been updated, in some cases in almost three decades, despite dramatic changes in information use and technology.
So I assume the release of this table is designed to pressure the agencies that have been stalling this process.
The immediate takeaway from this table is that, 34 years after Ronald Reagan ordered agencies to have such procedures in Executive Order 12333 and 18 months after PCLOB pushed for agencies to follow the EO, several intelligence agencies still don’t have Attorney General approved procedures. Those agencies and the interim procedures they’re using are:
The Department of Homeland Security’s notoriously shoddy Office of Intelligence and Analysis: Pending issuance of final procedures, I&A is operating pursuant to Interim Intelligence Oversight Procedures, issued jointly by the Under Secretary for Intelligence and Analysis and the Associate General Counsel for Intelligence (April 3, 2008).
United States Coast Guard (USCG)- Intelligence and counterintelligence elements: Pending issuance of final procedures, operating pursuant to Commandant Instruction – COMDINST 3820.12, Coast Guard Intelligence Activities (August 28, 2003).
Department of Treasury Office of Intelligence and Analysis (OIA): Pending issuance of final procedures. While draft guidelines are being reviewed in the interagency approval process, the Office of Intelligence and Analysis conducts intelligence operations pursuant to EO 12333 and statutory responsibilities of the IC element, as advised by supporting legal counsel.
Drug Enforcement Administration, Office of National Security Intelligence (ONSI): Pending issuance of final procedures, operates pursuant to guidance of the Office of Chief Counsel, other guidance, and: Attorney General approved “Guidelines for Disclosure of Grand Jury and Electronic, Wire, and Oral Interception Information Identifying United States Persons” (September 23, 2002); Attorney General approved “Guidelines Regarding Disclosure to the Director of Central Intelligence and Homeland Security Officials of Foreign Intelligence Acquired in the Course of a Criminal Investigation” (September 23, 2002).
I’m not surprised about DHS I&A because — as I noted — most people who track it know that it has never managed to do what it claims it should be doing. And I’m not all that worried about the Coast Guard; how much US person spying are they really doing, after all?
One should always worry about the DEA, and the fact that DEA has only had procedures affecting some of its use of EO 12333 intelligence is par for the course. I mean, limits on what it can share with CIA, but no guidelines on what it can share with FBI? And no guidelines on what it has dragnet collected overseas, where it is very active?
But I’m most troubled by Treasury OIA. In part, that’s because it doesn’t have anything in place — it has just been operating on EO 12333, apparently, in spite of EO 12333’s clear requirement that agencies have more detailed procedures in place. But Treasury’s failure to develop and follow procedures to protect US persons is especially troubling given the more central role OIA has — which expanded in 2004 — in researching and designating terrorists, weapons proliferators, and drug kingpins.
OIA makes intelligence actionable by supporting designations of terrorists, weapons proliferators, and drug traffickers and by providing information to support Treasury’s outreach to foreign partners. OIA also serves as a unique and valuable source of information to the Intelligence Community (IC), providing economic analysis, intelligence analysis, and Treasury intelligence information reports to support the IC’s needs.
As it is, such designations and the criminalization of US person actions that might violate sanctions imposed pursuant to such designations are a black box largely devoid of due process (unless you’re a rich Saudi business man). But Treasury’s failure to establish procedures to protect US persons is especially troubling given how central these three topics — terrorists, weapons proliferation, and drugs — are in the intelligence community’s overseas collection. This is where bulk collection happens. And yet any US persons sucked up in the process and shared with Treasury have only ill-defined protections?
Treasury’s role in spying on Americans may be little understood. But it is significant. And apparently they’ve been doing that spying without the required internal controls.
As part of her Questions for the Record, Attorney General nominee Loretta Lynch was asked about her role in the HSBC handslap in 2012. (See Q 38, h/t Katherine Hawkins)
38. As United States Attorney for the Eastern District of New York, you helped secure nearly $2 billion from HSBC over its failure to establish proper procedures to prevent money laundering by drug cartels and terrorists. You were quoted in a DOJ press release saying, “HSBC’s blatant failure to implement proper anti-money laundering controls facilitated the laundering of at least $881 million in drug proceeds through the U.S. financial system.”
You stated that the bank’s “willful flouting of U.S. sanctions laws and regulations resulted in the processing of hundreds of millions of dollars in [Office of Foreign Assets Control]-prohibited transactions.” Still, no criminal penalties have been assessed for any executive who may have been involved.
a. Did you make any decision or recommendation on charging any individual with a crime?
i. If so, please describe any and all decisions or recommendations you made.
ii. Please explain why such decisions or recommendations were made.
b. If you did not make any decision or recommendation on charging any individual with a crime, who made the decision not to prosecute?
RESPONSE: On December 11, 2012, the Department filed an information charging HSBC Bank USA with violations of the Bank Secrecy Act and HSBC Holdings with violating U.S. economic sanctions (the two entities are collectively referred to as “HSBC”). Pursuant to a deferred prosecution agreement (“DPA”), HSBC admitted its wrongdoing, agreed to forfeit $1.256 billion, and agreed to implement significant remedial measures, including, among other things, to follow the highest global anti-money laundering standards in all jurisdictions in which it operates. As the United States District Judge who approved the deferred prosecution found, “the DPA imposes upon HSBC significant, and in some respect extraordinary, measures” and the “decision to approve the DPA is easy, for it accomplishes a great deal.” Although grand jury secrecy rules prevent me from discussing the facts involving any individual or entity against whom we decided not to bring criminal charges, as I do in all cases in which I am involved, I and the dedicated career prosecutors handling the investigation carefully considered whether there was sufficient admissible evidence to prosecute an individual and whether such a prosecution otherwise would have been consistent with the principles of federal prosecution contained in the United States Attorney’s Manual.
I want to reiterate, particularly in the context of recent media reports regarding the release of HSBC files pertaining to its tax clients, that the Deferred Prosecution Agreement reached with HSBC addresses only the charges filed in the criminal information, which are limited to violations of the Bank Secrecy Act for failures to maintain an adequate anti-money laundering program and for sanctions violations. The DPA explicitly does not provide any protection against prosecution for conduct beyond what was described in the Statement of Facts. Furthermore, I should note the DPA explicitly mentions that the agreement does not bind the Department’s Tax Division, nor the Fraud Section of the Criminal Division. [my emphasis]
Lynch seems to want to have her cake and eat it too.
Sure, she and her prosecutors were unable to find the evidence in Carl Levin’s gift-wrapped case. But trust her, she seems to be saying, she might one day see fit to charge some warm bodies with fraud if she’s confirmed.
And note she makes no mention of material support for terrorism????
Because if you’re a bank, such things are legal, apparently.
A fresh spin on insider trading also made news this week, when the SEC filed a lawsuit against two Capital One fraud investigators who made 1800 percent on their investment over three years, based on their use of a Capital One credit card user database.
The two investigators, Bonan Huang and Nan Huang, grew an investment of $147,300 to $2.8 million based on thousands of searches across a database comprised of credit card customer transactions. Noting the volume of use of credit cards at a particular fast food company, they bought and traded the company’s stock based on this data.
Over time they made similar stock trades based on transactional volume and other publicly available news about three different companies.
Had the database been one for sale by a company rather than their employer’s proprietary database, the Huangs would have been lauded as investment rock stars. But because the method they used “misappropriates confidential information for securities trading purposes, in breach of a duty owed to the source of the information,” the two men are being sued for insider trading.
The Huangs’ trading experience gives pause when one considers the value of metadata, and of the data breach at JP Morgan Chase this past year.
Metadata can offer a volume of transactional activity, though it will not disclose the value of a transaction. Imagine smartphones indicating they are being used at particular devices – point-of-sale devices – at any retailer, from fast food to hard lines. An uptick in overall activity at a specific retailer indicates greater volume of business, the data fresher than that reported in a 10-Q report filed publicly with the SEC. What could an investor do with this kind of data? One could imagine success not much different than the Huangs experienced, provided they also understood other publicly available information about the retailers under observation.
Bob Litt is giving a speech. In it he described what “serious crimes” FBI can use 702-derived information to investigate and prosecute. They include:
Can use for 702: Crimes involving death, kidnapping, bodily harm, v minor, infrastructure, cybersecurity, transnational crimes.
Both cybersecurity and infrastructure are big, and potentially egregiously interpreted. They surely can include a whole slew of innocent protestors who are deemed a threat to things like fracking or city infrastructure.
But also, if FBI can use 702 to investigate “transnational crime” then why isn’t Jamie Dimon in prison?
NYT has a story based off a CREW FOIA for details of FBI’s investigations into John Ensign’s efforts to buy off his mistress’ husband. While the details show Ensign was even more sleazy than we knew, I’m at least as interested in this passage:
The Justice Department’s decision not to charge Mr. Ensign was widely seen as a sign of its skittishness about prosecuting and potentially losing public corruption cases in the wake of stinging courtroom defeats against former Senators Ted Stevens of Alaska and John Edwards of North Carolina. The documents confirm that speculation: In an internal email in 2011 assessing the chances of prosecuting Mr. Ensign, a top prosecutor wrote that “the legal theory is possible with the right facts” but that the “mere response” of helping a former Senate employee to find work “is not enough.” Another prosecutor wrote that “this is a really tough case to win.”
The documents show that the investigation was also complicated by a legal conflict; Lanny A. Breuer, head of the Justice Department’s criminal division at the time, had worked with a defense lawyer in the Ensign camp at Mr. Breuer’s prior law firm, Covington & Burling. Mr. Breuer was temporarily recused from the Ensign investigation as a result of the conflict, the records show, but later got a waiver that allowed him to oversee it with certain restrictions, officials said.
In 2012, Mr. Breuer and the Justice Department decided not to bring criminal charges against Mr. Ensign.
Even the Senate (!) was willing to discipline Ensign. But DOJ chose not to. And at the center of that decision was Lanny Breuer, whose once and future firm, Covington & Burling, represented Ensign. And yet Breuer found a way to un-recuse himself from the case.
It is not at all a surprise that Breuer didn’t manage his conflicts well. I argued that he didn’t back in 2009, when he made the decision to bury Dick Cheney’s CIA leak investigation interview (and make no mention of his quasi-grand jury appearance), even though he had represented John Kiriakou in the CIA leak case (and in helping him avoid grand jury testimony, hide that Cheney and Libby knew Plame was CIA earlier than they said they did).
Ironically, that was also for a CREW FOIA.
Maybe CREW should just skip the interim step and FOIA all the times Breuer ignored the conflicts he had on issues he presided over?
The NYT brought in Will Arkin (partnering with Eric Lichtblau) to talk about the proliferation of the use of undercover officials in government agencies. The Supreme Court, IRS, the Smithsonian, and DOD are all playing dress up to spy on Americans (and the IRS permits agents to pretend to be lawyers, doctors, clergy, and journalists).
The article makes it clear that — as might be imagined — the drug war is the most common focus of these undercover officers.
More than half of all the work they described is in pursuit of the illicit drug trade. Money laundering, gangs and organized crime investigations make up the second-largest group of operations.
But it doesn’t really step back and look at who else is getting targeted, which I’ve tried to lay out in this table.
There are several concerning aspects of this list. I’m hoping the Smithsonian is using undercover officers solely to police the Holocaust and similar museums; the Holocaust museum, after all, has been targeted by a right wing terrorist recently. I might see the point on the Washington Memorial. But I do hope they’re not patrolling the Air and Space Museum because they might catch people who, like I did when I was in fifth grade, use the museum as a playground for stupid pre-teen drama while on a field trip.
DOD’s expanded use of undercover officers to target Americans is very troubling. The 9th Circuit recently threw out a conviction because the Navy had initiated the case searching data in the guise of protecting Spokane’s bases. I suspect, in response, the government will just get more assiduous at laundering such investigations. And it would be highly improper for them to do so clandestinely.
That said, this table is just as telling for what it doesn’t include as what it does.
If USDA is going undercover, why not send undercover inspectors to work in food processing plants, as a great way to not only show the food safety violations, but also the labor violations? Why not go undercover to investigate CAFOs?
The big silence, however, is about bank crime. While I’m sure SEC uses some undercover officers to investigate financial crime, you don’t hear of it anymore, since the failed Goldman prosecution. And we know FBI gave up efforts to use undercover officers to investigate (penny ante) mortgage fraud crime because, well, it just forgot.
But when DOJ’s Inspector General investigated what FBI did when it was given $196 million between 2009 and 2011 to investigate (penny ante) mortgage fraud, FBI’s focus on the issue actually decreased (and DOJ lied about its results). When FBI decided to try to investigate mortgage fraud proactively by using undercover operations, like it does terrorism and drugs, its agents just couldn’t figure out how to do so (in many cases Agents were never told of the effort), so the effort was dropped.
So it’s not just that Agencies are using undercover officers to investigate every little thing, including legitimate dissent, with too little oversight.
It’s also that the government, as a whole, is using this increasingly to investigate those penny ante crimes, but not the biggest criminals, like the banksters. So long as the choice of these undercover operations reflects inherent bias (and it always has, especially in the war on drugs), then the underlying structure is illegitimate.
I’ve long tracked developments in SWIFT, the system that tracks international bank transfers. The NSA got SWIFT to turn over data willingly after 9/11. But then the consortium moved its servers to Europe, making the data legally safer — though surely not technically safer – from NSA hands. And in spite of the fact that the US negotiated, and then violated the spirit of, a permissive deal to access this information, documents leaked by Edward Snowden still show the NSA double dipping, obtaining SWIFT information via the legal front door and the technical back door.
Nevertheless, the evidence that the US had preferential access to the records of international bank transfers is not what led someone to create a competitor. The threat of sanctions did.
Russia has just announced a plan to have some alternative to SWIFT in place by May.
Russia intends to have its own international inter-bank system up and running by May 2015. The Central Bank of Russia says it needs to speed up preparations for its version of SWIFT in case of possible “challenges” from the West.
“Given the challenges, Bank of Russia is creating its own system for transmitting financial messaging… It’s time to hurry up, so in the next few months we will have certain work done. The entire project for transmitting financial messages will be completed in May 2015,” said Ramilya Kanafina, deputy head of the national payment system department at the Central Bank of Russia (CBR).
Calls not to use the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system in Russian banks began to grow as relations between Russia and the West deteriorated over sanctions. So far, SWIFT says despite pressure from some Western countries to join the anti-Russian sanctions, it has no intention of doing so.
I’ve long wondered when US reliance on sanctions — which is effectively an assertion of the authority to be able to dictate which economic players are acceptable and not — would begin to undermine the US system. And this does not seem to be primarily motivated by an effort to undercut US hegemony, except to the degree that Russia refuses to comply with US demands it be permitted to rearrange Russia’s immediate neighborhood. Rather, this is a reaction to US actions.
Nevertheless, it may establish the infrastructure that undermines US hegemony.
This is going to sound very tinfoily. But here goes.
Prominent Baltimore banker Ed Hale has come forward to reveal he was a CIA NOC while Chair of the Bank of Baltimore from sometime around 1991 until 2001.
In a life that reads like a spy thriller, Hale says he was recruited into the CIA by former Alex Brown chairman Buzzy Krongard, who was with the agency.
“He came to my office one day and said ‘Let’s go for a walk,’” Hale said.
Blue collar beginnings in Eastern Baltimore County to the world of espionage, Hale details this secret life in the CIA in a new biography called “Hale Storm.”
“I was called a NOC,” Hale said, “N.O.C.”
That stands for “non-official cover.”
During his time with the CIA, from 1991 to 2001, Hale never told anyone.
That’s all very nice. But it suggests that Buzzy Krongard was at the CIA, recruiting other banksters, years before he was known to be (he is known to have started in 1998).
There are other versions of this, with slightly different dates and a different relationship with the CIA for Buzzy, which may be key. Still, they all show Buzzy recruiting a top banker to join the CIA in the early 1990s.
Which would mean that when Alex Brown was shorting United and American stocks in the days before 9/11, it didn’t just have a former employee at the CIA. It had served as a cover for that former employer while he was working for the CIA.
A single U.S.-based institutional investor with no conceivable ties to al Qaeda purchased 95 percent of the UAL puts on September 6 (2001) as part of a strategy that also included buying 115,000 shares of American on September 10. Similarly, much of the seemingly suspicious trading on September 10 was traced to a specific U.S.-based options trading newsletter faxed to its subscribers, which recommended these trades.
The 9/11 Report goes on to report the SEC found these trades to be “innocuous.”
It doesn’t sound all that innocuous.
As you’ve likely read, NSA’s Chief Technology Officer has so little to keep him busy he’s also planning on working 20 hours a week for Keith Alexander’s new boondoggle.
Under the arrangement, which was confirmed by Alexander and current intelligence officials, NSA’s Chief Technical Officer, Patrick Dowd, is allowed to work up to 20 hours a week at IronNet Cybersecurity Inc, the private firm led by Alexander, a retired Army general and his former boss.
The arrangement was approved by top NSA managers, current and former officials said. It does not appear to break any laws and it could not be determined whether Dowd has actually begun working for Alexander, who retired from the NSA in March.
Dowd is the guy with whom Alexander filed 7 patents for work developed at NSA.
During his time at the NSA, Alexander said he filed seven patents, four of which are still pending, that relate to an “end-to-end cybersecurity solution.” Alexander said his co-inventor on the patents was Patrick Dowd, the chief technical officer and chief architect of the NSA. Alexander said the patented solution, which he wouldn’t describe in detail given the sensitive nature of the work, involved “a line of thought about how you’d systematically do cybersecurity in a network.”
That sounds hard to distinguish from Alexander’s new venture. But, he insisted, the behavior modeling and other key characteristics represent a fundamentally new approach that will “jump” ahead of the technology that’s now being used in government and in the private sector.
Presumably, bringing Dowd on board will both make Alexander look more technologically credible and let Dowd profit off all the new patents Alexander is filing for, which he claims don’t derive from work taxpayers paid for.
Capitalism, baby! Privatizing the profits paid for by the public!
All that said, I’m wondering whether this is about something else — and not just greed.
Yesterday, as part of a bankster cybersecurity shindig, one of Alexander’s big named clients, SIFMA, rolled out its “Cybersecurity Regulatory Guidance.” It’s about what you’d expect from a bankster organization: demands that the government give what it needs, use a uniform light hand while regulating, show some flexibility in case that light hand becomes onerous, and never ever hold the financial industry accountable for its own shortcomings.
Bullet point 2 (Bullet point 1 basically says the US government has a big role to play here which may be true but also sounds like a demand for a handout) lays out the kind of public-private partnership SIFMA expects.
Principle 2: Recognize the Value of Public–Private Collaboration in the Development of Agency Guidance
Each party brings knowledge and influence that is required to be successful, and each has a role in making protections effective. Firms can assist regulators in making agency guidance better and more effective as it is in everyone’s best interests to protect the financial industry and the customers it serves.
The NIST Cybersecurity Framework is a useful model of public-private cooperation that should guide the development of agency guidance. NIST has done a tremendous job reaching out to stakeholders and strengthening collaboration with financial critical infrastructure. It is through such collaboration that voluntary standards for cybersecurity can be developed. NIST has raised awareness about the standards, encouraged its use, assisted the financial sector in refining its application to financial critical infrastructure components, and incorporated feedback from members of the financial sector.
In this vein, we suggest that an agency working group be established that can facilitate coordination across the agencies, including independent agencies and SROs, and receive industry feedback on suggested approaches to cybersecurity. SIFMA views the improvement of cybersecurity regulatory guidance and industry improvement efforts as an ongoing process.
Effective collaboration between the private and public sectors is critical today and in the future as the threat and the sector’s capabilities continue to evolve.
Again, this public-private partnership may be necessary in the case of cybersecurity for critical infrastructure, but banks have a history of treating such partnership as lucrative handouts (and the principle document’s concern about privacy has more to do with hiding their own deeds, and only secondarily discusses the trust of their customers). Moreover, experience suggests that when “firms assist regulators in making agency guidance better,” it usually has to do with socializing risk.
In any case, given that the banks are, once again, demanding socialism to protect themselves, is it any wonder NSA’s top technology officer is spending half his days at a boondoggle serving these banks?
And given the last decade of impunity the banks have enjoyed, what better place to roll out an exotic counter-attacking cybersecurity approach (except for the risk that it’ll bring down the fragile house of finance cards by mistake)?
Alexander said that his new approach is different than anything that’s been done before because it uses “behavioral models” to help predict what a hacker is likely to do. Rather than relying on analysis of malicious software to try to catch a hacker in the act, Alexander aims to spot them early on in their plots.
One of the most recent stories on the JP Morgan hack (which actually appears to be the kind of Treasuremapping NSA does of other countries’ critical infrastructure all the time) made it clear the banksters are already doing the kind of data sharing that Keith Alexander wailed he needed immunity to encourage.
The F.B.I., after being contacted by JPMorgan, took the I.P. addresses the hackers were believed to have used to breach JPMorgan’s system to other financial institutions, including Deutsche Bank and Bank of America, these people said. The purpose: to see whether the same intruders had tried to hack into their systems as well. The banks are also sharing information among themselves.
So clearly SIFMA’s call for sharing represents something more, probably akin to the kind of socialism it benefits from in its members’ core business models.
In the intelligence world, they use the term “sheep dip” to describe how they stick people subject to one authority — such as the SEALs who killed Osama bin Laden — under a more convenient authority — such as CIA’s covert status. Maybe that’s what’s really going on here: sheep dipping NSA’s top tech person into the private sector where his work will evade even the scant oversight given to NSA.
If SIFMA’s looking for the kind of socialistic sharing akin to free money, then why should we be surprised the boondoggle at the center of it plans to share actual tech personnel?
Update: Reuters reports the deal’s off. Apparently even Congress (beyond Alan Grayson, who has long had questions about Alexander’s boondoggle) had a problem with this.
Zacarias Moussaoui sent a letter to the judge presiding over a lawsuit against Jordanian Arab Bank, offering to testify against that bank and several Saudi banks that he says supported 9/11.
I want to testify against financial institutions such as Arab Bank, Saudi American Bank, the National Commercial Bank of Saudi Arabia for their support and financing of Usama bin Laden and Al Qaeda from the time of the Eastern Africa embassy bombing, U.S.S. Cole bombing and 9/11.
As Alison Frankel — who broke this story — noted, Moussaoui’s testimony would be inappropriate in the case in question, which found that Arab Bank funded Hamas.
But that’s not the most interesting part of her report (and Moussaoui’s letter). He claims the lawyers for the 9/11 victims have tried to meet with him in the SuperMax at Florence, CO, and also claims he sent a letter to the judge presiding over that case, where his testimony would be on point.
Moussaoui said that plaintiffs’ lawyers representing victims of the Sept. 11 attacks have requested permission to meet with him but that prison officials have denied the request. Moussaoui also claimed that he has previously offered to testify about al Qaeda financing in letters to the judge overseeing the Sept. 11 victims’ consolidated litigation, U.S. District Judge George Daniels of Manhattan, but that he does not know if the prison has mailed them. The docket in that case does not show any communications from Moussaoui, who was once named as a defendant by Sept. 11 victims.
The implication is that the Special Administrative Measures to which Moussaoui is subject may be preventing his letters from getting out or plaintiffs’ lawyers from being able to meet with him.
I’m not convinced Moussaoui would really have known about the financing of the 9/11 attack; from reports, al Qaeda kept the operation much better compartmented than that, and Khalid Sheikh Mohammed reportedly had real questions about the competence of Moussaoui (which is why he got others for the mission). Plus, Moussaoui’s been in solitary so long, it’s unclear how cogent he can be (though his letter sounds more cogent than some of what he sent during his own trial).
Still, I am curious whether the government has been using the SAMs imposed on Moussaoui as yet another way to bury larger Saudi complicity in the attacks.