In a follow-up to its release on the DEA’s use of a license plate reader database the other day, ACLU reveals an email that shows ATF in Phoenix considered using the database to track people leaving gun shows in April 2009.
The April 2009 email states that “DEA Phoenix Division Office is working closely with ATF on attacking the guns going to [redacted] and the gun shows, to include programs/operation with LPRs at the gun shows.” The government redacted the rest of the email, but when we received this document we concluded that these agencies used license plate readers to collect information about law-abiding citizens attending gun shows. An automatic license plate reader cannot distinguish between people transporting illegal guns and those transporting legal guns, or no guns at all; it only documents the presence of any car driving to the event. Mere attendance at a gun show, it appeared, would have been enough to have one’s presence noted in a DEA database.
Responding to inquiries about the document, the DEA said that the monitoring of gun shows was merely a proposal and was never implemented.
Given the timing, location, and target — 2009, Arizona, and legal permanent residents, or Green Card holders — this consideration intersects interestingly with Fast and Furious.
But don’t worry, DEA says, this was just a consideration, tracking the movements of legal gun show attendees didn’t really happen.
All that said, I couldn’t help but remember that among the more obvious intelligence agencies the President’s Review Group into the NSA consulted in 2013 was ATF, which suggests that ATF is using at least some of the nifty toys NSA is using. As I noted at the time, that may be quite explicable, in that Section 215 has been used to track explosives precursors (and probably has been used to track acetone and hydrogen peroxide, which are TATP precursors, as well as fertilizer and maybe even pressure cookers).
But the fact that ATF is considering tapping into other agencies’ dragnets does raise further questions for me about why the PRG would need to consult with ATF.
Cover: This was released sometime (undated) in September 2012. Around that time, Pat Leahy was complaining they hadn’t received everything from Inspectors General they were due. That said, there was a counterpart NSA report that initially said there had been violations, but after its release changed its mind.
(ix) IG had to rely on “a former senior Justice Department official” for details on the 2007 fight.
(x) No mention of the extension in February for PAA, or the approval process.
(xii) Note the b7E (law enforcement method) in redaction on this page.
(xiii) During the period of IG’s review, only NSA could initiate targets.
(xiv) Note the PRISM reference, which is the second way FBI reviews selectors (presumably for certain kinds of investigations, likely CT ones).
(xvi, footnote 9) NSA got snippy at the suggestion that FBI didn’t have authority to override NSA, it appears.
(xvi) Note the discussion of some “factor” the NSA uses to determine foreignness. I find it particularly interesting that the FBI IG found this legit because FISC had already approved it outside the FAA context.
(xvii footnote 10) NSA’s targeting procedures remained the same throughout the review period. But we know NSA changed them in 2011.
(xxii) This section describes that FBI would start nominating selectors in 2012.
(xxii) Report says it was being finalized in April 2012, which suggests another long delay in agency review.
(xxii) Late 2007, ODNI Civil Liberties raised concerns about people who had traveled to the US. This is interesting given the discussion of the Yahoo case.
(xxv) FBI got a draft of this in February 2012. Also, FBI wasn’t doing its yearly reviews of what USP data it had gotten.
(xxv) FBI submitted its 2010 and 2011 annual reviews on May 22, 2012. They were received too late for DOJ IG to consider them here.
(xxvii) Claims the first time FBI dual routed data was October 14, 2009.
As with the last order (which added language ensuring the government do a First Amendment review even when obtaining emergency orders), this one made a subtle, but potentially very significant addition. In a long-running footnote noting that technical controls prevented analysts from chaining on a selector that was not RAS approved, this order added language noting that NSA could override those controls in case of imminent threat to human life.
I’m glad they specify “human life” here — because elsewhere NSA has defined “life” to include “property.” And if this is truly about overriding technical controls in case of threat to life, I’m fine with the change. And while the footnote isn’t terrifically clear, I assume this might be used (and since it shows up in the order, might have been used) in a case where NSA was sure a selector was Reasonably Associated with a terrorist affiliate, but had not gone through the formal approval process yet, and therefore had to override the software.
All that said, one thing I saw a remarkable amount of in the IOB reports was software controls (particularly purging functions, but also access controls) that weren’t working as intended.
Let’s hope this is just a way to turn off the safeguards in cases where really necessary and not another (as the IOB reports repeatedly call software failures) “glitch.”
On November 24, 2014, Oregon District Court Judge Michael Mosman issued a somewhat curious order explaining his decision, issued 3 days earlier, not to grant Reaz Qadir Khan notice of all the surveillance authorities used to investigate him.
While Mosman loves efficiency, he explained, the time was not yet ripe for the issues raised in Khan’s effort to learn how he had been linked to an associate who had conducted a suicide bombing in Pakistan in 2009. But — Mosman promised —
The day will come when the standing, collection, and other issues foreshadowed in this motion will be litigated in this case. Due to the constraints of CIPA, properly applied in this case, that day will come in the next round of motions, without the narrowing of issues that detailed disclosure would allow.
Ten days after signing that order, Mosman signed another one: the latest authorization for the dragnet. In doing so, he authorized the collection of the call records of Khan and of Khan’s lawyer Amy Baggio (as well as those of ACLU lawyers Jameel Jaffer and Pat Toomey, who joined this case in mid-December). Remember that Khan’s conversations with several lawyers were spied on by FBI over the course of its investigation of him.
But by signing the order, Mosman also signed something that has long been in the dragnet orders but — as far as I can tell — utterly ignored: that it envisions the use of the dragnet for exculpatory information.
Early in this case, Khan challenged Mosman’s ability to serve both as trial judge and as FISC judge, a challenge Mosman dismissed.
It will be interesting to see how he handles both roles going forward.
By his own admission, James Clapper had dinner with the North Korean General who (again, according to Clapper) ordered the hack on Sony just weeks before the hack happened. That puts him at most two degrees away from the actual hackers, according to the evidence presented by Clapper and Jim Comey. According to the Intelligence Community’s at times naive analytical game of Three Degrees of Osama bin Laden — one which has repeatedly targeted negotiators like Clapper was in November, rather than culprits — Clapper should be sanctioned along with all the others President Obama has targeted.
That is, of course, absurd. We know James Clapper. And while his word may have not much more credibility at this point than Kim Jong-Un’s, that doesn’t mean his effort to negotiate a hostage release (and whatever else he and North Korea believed was being discussed at the time) makes him a culprit in the hack.
But I think the thought experiment provides useful background to consideration of Comey’s further explanation — littered with infantilizing language about bad guys and the “very dark jobs” of FBI’s behavioral analysts who “profile bad actors” — of why he and the rest of the Intelligence Community are so certain North Korea, the country, did the Sony hack.
Comey says the data deletion used in the hack was used by “the North Koreans” in the past (his conflation of “North Koreans” and “North Korea” continues throughout).
You know the technical analysis of the data deletion malware from the attack shows clear links to other malware that we know the North Koreans previously developed. The tools in the Sony attack bore striking similarities to another cyber attack the North Koreans conducted against South Korean banks and media outlets. We’ve done a—I have, as you know from watching Silence of the Lambs—about people who sit at Quantico, very dark jobs. Their jobs are to try to understand the minds of bad actors. That’s our behavioral analysis unit. We put them to work studying the statement, the writings, the diction of the people involved claiming to be the so-called guardians of peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, “Easy. For us it’s the same actors.”
Comey then explained how the IC (but not outside skeptics) red teamed the IC’s own conclusions.
We brought in a red team from all across the intelligence community and said let’s hack at this. What else could be explaining this? What other explanations might there be? What might be missing? What competing hypotheses might there be? Evaluate possible alternatives—what might be missing? And we ended up in the same place.
Then, before Comey admitted that FBI still doesn’t know how “the North Koreans” hacked their way into Sony, Comey offered this detail to rebut the outside skeptics’ concerns.
Now I know because I’ve read in the newspaper—seen in the news—that some serious folks have suggested that we have it wrong. I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.
The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work. And in nearly every case they used proxy servers to disguise where they were coming from. And sending those e-mails and then sending and pasting and posting those statements.
And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans. It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They shut it off very quickly once they realized the mistake. But not before we knew where it was coming from.
That is, Comey’s new tell — which has, with apparent other leaking about a Facebook account from Mandiant, gotten headlines — is that the FBI identified the hackers using “IPs that were exclusively used by the North Koreans.” [my emphasis]
Let me interject here and remind you that NSA and the FBI refuse to count how many US persons get sucked up in Section 702 upstream and PRISM collection because IPs aren’t a reliable indicator of the location of a person. The USA Freedom Act, by law, excluded any consideration of IP (frankly, any consideration of Internet location at all) from its obligation to report on the location of people sucked up in the dragnet. According to the FBI, tracking location based off anything but a (US based) phone number is too onerous for the Bureau.
IP is unreliable when it comes to transparency on the FBI, but rock solid when it comes to claims of attribution.
Now, I admit that’s a very different thing than spending months and years tracking one IP and attributing it to one particular actor.
But as Jeffrey Carr notes, even there the FBI’s claims have problems. He points out that the claims Comey made yesterday are remarkably similar to those used to attribute the Dark Seoul attack in 2013.
This sounded remarkably similar to the mistake made by the alleged North Korean hackers in the Dark Seoul attack of March 2013:
“SEOUL – A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years…. The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”
The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector.
He then notes North Korea’s Internet isn’t as locked down as it was just a few years ago — and one possible point of entry is geographically close to the St. Regis Hotel increasingly pinpointed in such attacks.
However the easiest way to compromise a node on North Korea’s Internet is to go through its ISP – Star Joint Venture. Star JV is a joint venture between North Korea Post and Telecommunications Corporation and another joint venture - Loxley Pacific (Loxpac). Loxpac is a joint venture with Charring Thai Wire Beta, Loxley, Teltech (Finland), and Jarungthai (Taiwan).
I explored the Loxley connection as soon as this story broke, knowing that the FBI and the NSA were most likely relying on the myth of a “closed” North Korean Internet to base their attribution findings upon. Loxley is owned by one of Thailand’s most well-connected families and just 4 kilometers away is the five star St. Regis hotel where one of the hackers first dumped Sony’s files over the hotel’s WiFi. It would be a simple matter to gain access to Loxley’s or Loxpac’s network via an insider or through a spear phishing attack and then browse through NK’s intranet with trusted Loxpac credentials.
Once there, how hard would it be to compromise a server? According to HP’s North Korea Security Briefing (August 2014) it would be like stealing candy from a baby.
Now, none of that proves the FBI is wrong (just as none of it, without more proof, is enough to unquestioningly believe the FBI). I frankly am a lot more interested in what went on in Clapper’s meeting right now than I am in IP claims without more proof.
But if the FBI is going to claim that IP is a rock solid indicator of someone’s ID, then can it also tell us how many Americans it sucks up into the dragnet?
Back when the WaPo published a quarterly NSA compliance audit from 2012, I caught the largest math organization in the world failing basic arithmetic. I’ve been comparing that report with the Intelligence Oversight Board report covering the same period, and I’m finding the numbers might, once again, not add up (though it’s hard to tell given the redactions).
According to NSA’s internal numbers, the organization had 865 violations in the first quarter of calendar year 2012 (670 EO 12333 violations and 195 FISA violations). Yet NSA described just 163 violations in depth (75 EO 12333 violations and 88 FISA violations, though further violations are likely hidden behind redactions in bulk descriptions).
Here’s how the numbers compare, broken down by category (I used the categories used in the IOB Report heading, unless the violation was clearly a roamer or a US Person).
Whereas some numbers are very close — such as for the illegal targeting of a US Person — there were other things, such as sharing a US person’s data or some fairly troubling unauthorized access violations not explicitly mentioned in the internal audit. Nor are unauthorized targeting and access mentioned as such.
And then there are all the “roamer” incidences, which apparently don’t all get reported to IOB (though you can definitely see an increase in them over the years), and which often look a lot less accidental when explained in the IOB report.
Then there are the rather measured descriptions the NSA gives IOB (which we’ve seen in other areas, as with the Internet dragnet, and which might be worst with the upstream violations).
Here’s what the NSA reported internally:
As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.
Here’s what NSA told the IOB about this violation:
[redacted] NSA determined that a technical service contained BR call detail records older than the approved five years. Approximately [redacted] records comprising approximately [fairly big redaction] records were retained for more than five years. The records were found on an access-controlled server that is used exclusively by technical personnel and is not accessible to intelligence analysts. [2 lines redacted]
Here’s what PCLOB had to say about this violation:
In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit. The technical server in question was not available to intelligence analysts.
While it appears NSA managed to give IOB (completely redacted) numbers for the files involved, it appears PCLOB never got a clear count of how many were involved. It’s not clear that NSA ever admitted this data may have gotten mixed in with Stellar Wind data. No one seems to care that this was a double violation, because techs are supposed to destroy data when they’re done with it.
Though, if you ask me, you should wait to figure out why so many records were lying around a tech server before you destroy them all. But I’m kind of touchy that way.
One thing I realize is consistent between the internal audit and the IOB report. The NSA, probably the owner of the most powerful computing power in the world, consistently uses the term “glitch” to describe software that doesn’t do what it is designed to do to keep people out of data they’re not supposed to have access to.
The glitches are letting us down.
I’ve been meaning to return to coverage of the re-release of the DOJ IG Reports on Section 215 liberated by Charlie Savage just before Christmas. I’ve been seeing a lot of focus on posts like this which “report” that FBI used NSLs to get data the FISA Court would not approve under Section 215 for First Amendment reasons. Such a focus drives me batshit for 3 reasons:
As I noted (and as most outlets seem to have missed) these two reports are re-releases of old DOJ IG reports, part of a series of re-released reports in response to a Charlie Savage lawsuit. And while this release is not quite so bad as the previous release – in which FBI actually reclassified previously public words! – there’s still very little that’s new. In addition to the phone dragnet appendix we’ve all been waiting for (which I wrote about here), the most significant newly released material pertains to how FBI shares Section 215 information with foreign governments (including the declassification of descriptions of that use, as on pages 27 and 29). The most interesting new material may be a reference on page 20 that reveals OIPR only temporarily stopped using combination orders in 2006 after the passage of the PATRIOT Reauthorization. This suggests they may have resumed using them to get location data, as I laid out here (and as clearly admitted by James Cole here).
But that’s, for the most part, it. There are only words here or there that are newly released.
Not only was the NSL-replacing-a-215-request not new, but there were congressional hearings on it when the report initially got released.
Indeed if you compare this passage from the original 2008 release:
With the same passage from the re-release:
You can see that the revelation about the use of an NSL where the court had already rejected a Section 215 order has not changed (there are a few new words revealed elsewhere).
I’m still trudging through NSA’s reports to the Intelligence Oversight Board, which were document dumped just before Christmas. In this post, I want to examine why NSA is redacting one FISA authority, starting with this section of the Q1 2011 report.
During that period, the reports grew to have a bit more structure (this may have been Matt Olsen’s doing, who took over as NSA GC in 2010). Here’s what that Q1 2011 report looks like:
The key change, though, is that the FISA section breaks down by authority, like this, as seen in the Q1 2012 report, which is the most complete example of this.
After that Q1 2011 report, every single report has that redacted category in the same spot, and every single report redacts it (though I suppose it is possible that whatever is redacted there changes).
I wondered, briefly, if that meant NSA was using a secret authority, some new program that egregiously interpreted a law in a way no one could imagine, just like NSA redefined Section 215 and PRTT. But I don’t think that’s right.
Rather, I think NSA is making a rather pathetic effort to hide that it uses FISA’s physical search provision to obtain emails and other data “stored” in the cloud.
Remember that intercepts (50 USC 1806, which is subchapter I of FISA) and physical search (50 USC 1821, which is subchapter II) are different authorities under FISA, each requiring notice to defendants, though they are usually noticed in the same filing (as here to Reaz Qadir Khan). While it’s possible the redacted authority instead designates a different agency (remember that FBI is the front end on a lot of Internet collection), the analysts referred to in these sections are described as NSA analysts. So I suspect it distinguishes between the two types of individualized FISA orders. And it’d be hard to believe there were no IOB violations under 1821, so it must be there somewhere.
Further, I suspect NSA is hiding what appears in some of these reports as a redacted unclassified detail because the descriptions make it clear NSA is querying out of raw traffic databases.
I’ve been working through the NSA’s reports to the Intelligence Oversight Board. Given that we know so much about the phone and Internet dragnets, I have been particularly interested in how they got reported to the IOB.
By and large, though, they didn’t. Even though we know there were significant earlier violations (some of the phone dragnet violations appear in this timeline; there was an Internet violation under the first order and at least one more of unknown date), I believe neither gets any mention until the Q1 2009 report. These are on the government’s fiscal year calendar, which goes from October to September, so this report covers the last quarter of 2008. The Q1 2009 report explains a few (though not the most serious) 2008-related phone dragnet problems and then reveals the discovery of the alert list, which technically happened in Q2 2009.
Now, it may be that the IOB received other notice of the earlier violations. Or it may be that the NSA still treated them under the “reported to the President” loophole created for Stellar Wind. (That loophole was still in the reports in 2013, so they could still be using it today!)
In any case, with the notice of the phone dragnet orders in Q1 2009, NSA also listed the Internet dragnet, but said it had nothing to report.
Before its discussion of the known systemic phone dragnet problems, the Q2 2009 report includes this violation which doesn’t appear in this form (it may well be described in different fashion) in the other phone dragnet discussions.
On 7 January 2009, while searching collection [redacted] NSA analysts found BR FISA data included in the query results. Of the [redacted] selectors used in queries, only [redacted] had been approved under the reasonable articulable suspicion (RAS) standard. Although the numbers were associated with a foreign target, the selectors had not been approved for call chaining in the BR FISA data. The analyst did not know that approval must be sought for BR FISA[redacted--note, not space] call chaining. No data was retained, and no reports were issued.
I find it interesting because that’s precisely where the problem with the phone dragnet stemmed from: BR FISA data had gotten thrown into the EO 12333 data without any technical controls or markings. Indeed, it’s possible this is how the phone dragnet problems were first discovered.
It then has a 3 paragraph description of the phone dragnet problems.
The NSA got a lot of criticism for releasing its IOB reports on December 23, just as everyone was preparing for vacation. But there were three reports that — at least when I accessed the interface — weren’t originally posted: Q3 and Q4 2009 and Q3 2010 — all conveniently important dates for the Internet dragnet (I’ll have more on what they didn’t disclose soon).
Apparently those reports were added on New Year’s Eve Eve Eve, an even bigger wasteland for document dumps than Christmas Eve.
In addition to details about what NSA did and didn’t reveal about the Internet and (to a lesser degree) phone dragnet, the Q3 report also claimed to rebut this June 16, 2009 Risen and Lichtblau article.
The article pretty clearly reveals the outlines of what we’ve since learned to be big privacy problems behind NSA’s programs — definitely back door searches, and probably upstream collection.
Since April, when it was disclosed that the intercepts of some private communications of Americans went beyond legal limits in late 2008 and early 2009, several Congressional committees have been investigating. Those inquiries have led to concerns in Congress about the agency’s ability to collect and read domestic e-mail messages of Americans on a widespread basis, officials said. Supporting that conclusion is the account of a former N.S.A. analyst who, in a series of interviews, described being trained in 2005 for a program in which the agency routinely examined large volumes of Americans’ e-mail messages without court warrants. Two intelligence officials confirmed that the program was still in operation.
A new law enacted by Congress last year gave the N.S.A. greater legal leeway to collect the private communications of Americans so long as it was done only as the incidental byproduct of investigating individuals “reasonably believed” to be overseas.
But after closed-door hearings by three Congressional panels, some lawmakers are asking what the tolerable limits are for such incidental collection and whether the privacy of Americans is being adequately protected.
“For the Hill, the issue is a sense of scale, about how much domestic e-mail collection is acceptable,” a former intelligence official said, speaking on condition of anonymity because N.S.A. operations are classified. “It’s a question of how many mistakes they can allow.”
The N.S.A. is believed to have gone beyond legal boundaries designed to protect Americans in about 8 to 10 separate court orders issued by the Foreign Intelligence Surveillance Court, according to three intelligence officials who spoke anonymously because disclosing such information is illegal. Because each court order could single out hundreds or even thousands of phone numbers or e-mail addresses, the number of individual communications that were improperly collected could number in the millions, officials said.
But even before that, the agency appears to have tolerated significant collection and examination of domestic e-mail messages without warrants, according to the former analyst, who spoke only on condition of anonymity.
He said he and other analysts were trained to use a secret database, code-named Pinwale, in 2005 that archived foreign and domestic e-mail messages. He said Pinwale allowed N.S.A. analysts to read large volumes of e-mail messages to and from Americans as long as they fell within certain limits — no more than 30 percent of any database search, he recalled being told — and Americans were not explicitly singled out in the searches.
Over and over, this report clearly describes the accessing of US person data, without warrants, that has been incidentally collected. Rush Holt — then leading an oversight investigation into the NSA — even goes on the record in the article.
The report helpfully includes the rebuttal NSA sent to Congress (starting at PDF 18). The rebuttal goes like this: