emptywheel | Page 2

James Clapper Throws a Concentrated Nugget of Orwellian Turd-Splat

By: emptywheel Monday June 17, 2013 9:03 am

Hooboy.

I was going to leave the whole CNET thing well enough alone after Jerry Nadler issued a statement retracting his sort-of suggestion that the NSA could wiretap Americans without a warrant (more on that below).

But I can’t remember seeing a more concentrated piece of Orwellian turd-splat than this statement addressing the issue from James Clapper.

The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress. Members have been briefed on the implementation of Section 702, that it targets foreigners located overseas for a valid foreign intelligence purpose, and that it cannot be used to target Americans anywhere in the world.

The claim that NSA doesn’t wittingly “collect” data on millions of Americans was just an opening act for James Clapper, it seems. I know it won’t work this way for those who trust this program, but Clapper’s statement should raise more questions whether the thrust of what Nadler said, rather than four words taken out of context, are in fact true.

Let’s take this slowly.

I’ve put my transcription of the exchange between Jerry Nadler and Robert Mueller below for your reference. But one thing to keep in mind as you read Clapper’s turd-splat is that Nadler first described “getting the contents of the [American] phone” identified using the metadata database and, in repeating the question he had earlier asked a briefer who actually knows about how these programs are used, “getting specific information from that telephone.” It is true that in response to Mueller, he spoke of “listening to the phone,” the four words taken out of context, and his walk-back describes “listening to the content.” But the range of Nadler’s language suggests the distinct possibility the briefer discussed a different kind of collection, and Nadler never once explicitly described setting a dedicated wiretap on the phone of an American identified from conversations with suspected terrorists (which is what CNET blew it up as).

With that in mind, I offer you turd-splat:

The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization and was not briefed to Congress.

Clapper has set up a straw man that differs in at least three key ways from what Nadler asked about. First, he is addressing only eavesdropping, monitoring a phone in real time going forward, not accessing historic collections (though one thing these two programs in conjunction do is collapse historic and ongoing communications). I’m especially amused by this move, because it replicates a mistake that many have made when discussing these programs (especially the metadata one) as wiretapping. Clapper is only addressing the most inflammatory language Nadler used, not the language he used first and last in this exchange.

Then Clapper introduces the idea of domestic communications. This has no source in Nadler’s comment whatsoever, at least so long as you believe the only way NSA uses the metadata database is to see which Americans are talking to suspected foreign terrorist phone numbers. Given the government’s improbable claim they’re only making 300 queries a year, we may well be talking about domestic communications, but that’s not what Nadler addressed, which was about the American participant in a call with a suspected foreign terrorist phone number.

Nadler asked about an analyst deciding, on the basis of metadata analysis, that a US phone number looks suspicious, to “get the content” from that number. He implies that he has been told an analyst has that authority. Clapper addresses only whether an analyst without proper legal authorization can get US person content. That is, in response to Nadler’s question whether an analyst does have the legal authority to get content based on suspicion, Clapper says an analyst can’t get content without the proper legal authority. Nadler’s entire (implied) question was whether an analyst would have the legal authority to do so. Clapper doesn’t answer it.

So in other words, Clapper alters Nadler’s comment in three fundamental ways, changing its entire meaning, and then asserts Clapper’s now only tangentially related distortion of Nadler’s comment was not briefed to Congress.

No. Of course not. And Nadler hadn’t said it was, either.

And then Clapper describes what (he claims) members were briefed. Splat!

Members have been briefed on the implementation of Section 702, that it targets foreigners located overseas for a valid foreign intelligence purpose, and that it cannot be used to target Americans anywhere in the world.

Whoa! Do you see what Clapper did there? Nadler asked a question about how an analyst would move from metadata analysis — the Section 215 program — and then use it to access content, via whatever means. Nadler mentioned Section 215 specifically. Yet Clapper claims this is all about the implementation of Section 702. (Note, I find this interesting in part because Mueller suggests Nadler might be talking about another program entirely, which remains a possibility.)

I have pointed out on several times how desperate the Administration is to have you believe that Section 215 metadata collection and Section 702 content collection are unrelated, even if surrogates can’t keep them straight themselves. Clapper’s ploy is more of the same.

As is his emphasis that Section 702 targets foreigners located overseas for a valid foreign intelligence purpose. Now, just to make clear, the government has always held that any collection of information on what foreigners are doing is a valid foreign intelligence purpose. While Clapper doesn’t engage in suggesting this as directly as he and others have in past weeks, for Section 702 there is clearly no limitation of this authority to terrorism or counterintelligence or proliferation or hacking (the Administration and surrogates have suggested there is a terrorism limit for the Section 215 dragnet, but if there is, it comes from court-ordered minimization, not the law). But the real cherry here is the word “target,” which has become almost as stripped of common meaning as “collect” in this context.

In the 702 context, “target” refers to the node of communication at which collection is focused, not to all communications associated with that collection. So a directive to Verizon might ask for all communications that the original suspected terrorist phone number engages in (including its surfing and texting and pictures and email). But at a minimum that would include everyone the suspected terrorist communicates via his Verizon service, and there’s very good reason to believe it includes at least one and probably more degrees of separation out, if Verizon has it.

So when Clapper says 702 cannot be used to target Americans anywhere in the world, he means Americans cannot be the communication node on which collection is focused unless you have a FISA warrant (which is the practice Marc Ambinder, who is far more impressed with Clapper’s turd-splat than I am, addresses in this piece).

But what has never been answered — except perhaps in an off-hand comment in a debate defeating language that would actually prevent what everyone says is already prevented — is whether the government can, um, “collect” the content of Americans who communicate with those who are, um, “targeted.”

I’m not saying I have the answer to that question — though it is a concern that has been raised for years by the very same people who have been vindicated in their warnings about Section 215. But let’s be very clear what Clapper did here. He completely redefined Nadler’s comment, then divorced that redefined comment from the context of Section 215, and then threw the Orwellian term “target” at it to make it go away.

He could have denied Nadler’s more general assertions. That, he did not do. Continue reading →

Seeing Through the Blizzard to Utah: How Much Space Does Metadata Need

By: Rayne Monday June 17, 2013 4:00 am

In the blizzard of half-truths, dissembling, and prevarications about the nature of the National Security Agency’s surveillance programs, it’s easy to lose sight of the obvious. In this case, the obvious is about one million square feet in size.

First, a few other large scale objects for comparison:

[photo: DeveloperTutorials.com]

Here’s Google’s data center in The Dalles, Oregon; note the size of cars in proportion to the size of the buildings on this campus. You’ll find cars are the best tool for estimating approximate physical scale of this and the following examples.

[photo: DataCenterKnowledge.com]

This is Apple’s data center in Maiden, North Carolina. Again, compare the automobiles against the building in the photo for scale.

[photo: DataCenterKnowledge.com]

Microsoft has a data center in Dublin, Ireland. It’s a little harder to estimate physical size in this photo. A key difference is the height of the facility, as if development was limited in footprint. Continue reading →

The CNET “Bombshell” and the Four Surveillance Programs

By: emptywheel Sunday June 16, 2013 12:14 pm

CNET is getting a lot of attention for its report that NSA, “has acknowledged in a new classified briefing that it does not need court authorization to listen to domestic phone calls.”

In general, I’m just going to outsource my analysis of what the exchange means to Julian Sanchez (I hope he doesn’t charge me as much as Mike McConnell’s Booz Allen Hamilton for outsourced analysis).

What seems more likely is that Nadler is saying analysts sifting through metadata have the discretion to determine (on the basis of what they’re seeing in the metadata) that a particular phone number or e-mail account satisfies the conditions of one of the broad authorizations for electronic surveillance under §702 of the FISA Amendments Act.

[snip]

The analyst must believe that one end of the communication is outside the United States, and flag that account or phone line for collection. Note that even if the real target is the domestic phone number, an analyst working from the metadatabase wouldn’t have a name, just a number. That means there’s no “particular, known US person,” which ensures that the §702 ban on “reverse targeting” is, pretty much by definition, not violated.

None of that would be too surprising in principle: That’s the whole point of §702!

That is, what Nadler may have learned that the same analysts who have access to the phone metadata may also have authority to issue directives to companies for phone content collection. If so, it would be entirely feasible for the same analyst to learn, via the metadata database, that a suspect phone number is in contact with the US and for her to submit a request for actual content to the providers, without having to first get a FISA order covering the US person callers directly. Since she was still “targeting” the original overseas phone number, she would be able to get the US person content without a specific order.

I just want to point to a part of this exchange that everyone is ignoring (but that I pointed out while live tweeting this).

Mueller: I’m not certain it’s the same–I’m not certain it’s an answer to the same question.

Mueller didn’t deny the NSA can get access to US person phone content without a warrant. He just suggested that Nadler might be conflating two different programs or questions.

And that’s one of the things to remember about this discussion. Among many other methods of shielding parts of the programs, the government is thus far discussing primarily the two programs identified by the Guardian: the phone metadata collection (which the WaPo reports is called MAINWAY) and the Internet content access (PRISM).

Continue reading →

Shell Games: How to Keep Doing Internet Data Mining and Avoid the Courts

By: emptywheel Sunday June 16, 2013 9:58 am

As I noted, the WaPo makes it clear one of the most sensitive parts of the government’s surveillance programs is the collection of Internet metadata.

But the thing is, it doesn’t come out and explain whether and if so how it continues to go on.

This passage, written in the present tense, sure seems to suggest it continues.

MARINA and the collection tools that feed it are probably the least known of the NSA’s domestic operations, even among experts who follow the subject closely. Yet they probably capture information about more American citizens than any other, because the volume of e-mail, chats and other Internet communications far exceeds the volume of standard telephone calls.

The NSA calls Internet metadata “digital network information.” Sophisticated analysis of those records can reveal unknown associates of known terrorism suspects. Depending on the methods applied, it can also expose medical conditions, political or religious affiliations, confidential business negotiations and extramarital affairs.

What permits the former and prevents the latter is a complex set of policies that the public is not permitted to see. “You could do analyses that give you more information, but the law and procedures don’t allow that,” a senior U.S. intelligence lawyer said.

Yet buried in the last paragraphs of the story, WaPo’s sources suggest “the NSA is no longer doing it.” Or — as elaborated — doing “it” under the guise of and with the oversight of the FISA court.

As for bulk collection of Internet metadata, the question that triggered the crisis of 2004, another official said the NSA is no longer doing it. When pressed on that question, he said he was speaking only of collections under authority of the surveillance court.

“I’m not going to say we’re not collecting any Internet metadata,” he added. “We’re not using this program and these kinds of accesses to collect Internet metadata in bulk.”

I keep saying this: sources on this story are trying hard to get us to focus on a few programs managed by FBI and NSA under two particular provisions of law that happen to have (secret, limited) court oversight, Section 215 of the PATRIOT Act and the FISA Amendments Act. But that leaves out several other likely candidates to conduct such intelligence analysis, notably the NCTC. And it leaves out other potential sources of collection, such as cybersecurity in the name of self-defense.

Telecoms Versus the Toobz: The Source of the Legal Troubles

By: emptywheel Sunday June 16, 2013 9:41 am

In this important piece on overbroad surveillance programs under Presidents Bush and Obama, the WaPo reveals that the program James Comey almost resigned over in 2004 involved sucking Internet metadata off telecom switches owned by the telecoms.

Telephone metadata was not the issue that sparked a rebellion at the Justice Department, first by Jack Goldsmith of the Office of Legal Counsel and then by Comey, who was acting attorney general because John D. Ashcroft was in intensive care with acute gallstone pancreatitis. It was Internet metadata.

At Bush’s direction, in orders prepared by David Addington, the counsel to Vice President Richard B. Cheney, the NSA had been siphoning e-mail metadata and technical records of Skype calls from data links owned by AT&T, Sprint and MCI, which later merged with Verizon.

For reasons unspecified in the report, Goldsmith and Comey became convinced that Bush had no lawful authority to do that.

This leads me to wonder whether legal leverage from the Internet providers — rather than any squeamishness about the law itself — caused the conflict.

Remember, in the fight over retroactive immunity in 2008, the industry group for the Internet providers — including Microsoft, Yahoo, and Google — argued against retroactive immunity.

The Computer & Communications Industry Association (CCIA) strongly opposes S. 2248, the “FISA Amendments Act of 2007,” as passed by the Senate on February 12, 2008. CCIA believes that this bill should not provide retroactive immunity to corporations that may have participated in violations of federal law. CCIA represents an industry that is called upon for cooperation and assistance in law enforcement. To act with speed in times of crisis, our industry needs clear rules, not vague promises that the U.S. Government can be relied upon to paper over Constitutional transgressions after the fact.

Given the WaPo’s report, this amounts to a demand that Congress allow the Internet companies to hold the telecoms accountable for helping the government seize their data.

As well they should have been able to. To a degree, these companies compete, and in the name of helping the government, the telecoms were helping themselves to Internet suppliers crown jewels.

Microsoft and Google versus AT&T and Verizon. Now that would have been an amusing lawsuit to watch. And probably a lot bigger worry for the people who use all of them to spy on us peons than we peons actually are.

NSA Spying: The Oversight of the Passive Voice

By: emptywheel Sunday June 16, 2013 7:48 am

In a white paper claiming “the American people deserve to know what we are doing to protect both” privacy and liberty, and security, the government (Ellen Nakashima, at least, doesn’t specify which agency generated this) also includes this assertion:

The [dragnet metadata] program is subject to strict controls and oversight: the metadata is segregated and queries against the metadata are documented and audited.

The detail is one that NSA Director Keith Alexander had already claimed in his testimony before the Senate Appropriations Committee last week. He claimed,

Every time we query that database, it’s auditible by the committees, by DOJ, by the court, by the Administration.

In a telling comment to the press the other day, though, Dianne Feinstein, whose staffers on the Intelligence Committee would be the ones auditing the queries, said this:

Asked to confirm that intelligence officials do not need a court order for the query of the number itself, Feinstein said, “that’s my understanding.”

I found it really strange that a person who should be solidly in the thick of the audits Alexander was boasting about didn’t even seem sure about how someone accessed the database.

But then, Alexander said they were “auditable,” not that they were audited by all these people.

One of just a few explanations about oversight in a document trying to prove the government protects our privacy and liberty might be more persuasive if they weren’t presented in the passive voice. It doesn’t sound like DiFi knows Congress could audit the document; I wonder if the FISA Court, which Alexander claims also can audit the data, knows it can (I’d also like to see someone audit the claim it is segregated; is it ever copied?).

The white paper’s statements about the 702/PRISM program are equally unsatisfying.

Congress requires the Government to develop and obtain judicial approval for “minimization” procedures to ensure appropriate protection of any information about U.S. persons that may be incidentally acquired. The Government did that, and its procedures were approved by the Foreign Intelligence Surveillance Court.

As I’ve noted repeatedly, the FISC doesn’t get to review compliance with these procedures, only the adequacy of them if applied as promised. And since this white paper makes no claims that the government can’t access this US person data — which, after all, includes content and metadata — it suggests the most sensitive collection for Americans has only internal (DOJ and ODNI review) safeguards for Americans’ Internet communications.

Effectively, in addition to providing further evidence for Mark Udall’s assertions that the government could accomplish what it says it is doing via other, far less sensitive means, this document only serves to show how inadequate the oversight of these programs is.

To Justify Dragnet, FBI Implies It Can’t File 300 More NSLs in a Year

By: emptywheel Saturday June 15, 2013 10:40 pm

So Mark Hosenball just reported this, uncritically.

The U.S. government only searched for detailed information on calls involving fewer than 300 specific phone numbers among the millions of raw phone records collected by the National Security Agency in 2012, according to a government paper obtained by Reuters on Saturday.

As Jim Sensenbrenner noted the other day, if the government is doing only what it says it is with the database — finding US persons who are in contact with suspected terrorists — the FBI could use a grand jury subpoena or a National Security Letter to do so. Collecting all the phone records of Americans would only be required if the FBI were doing so many checks such a process became onerous.

Except that the FBI routinely gets upwards of 10,000 NSLs a year. Adding these 300 would be a drop in the bucket.

So the difficulty of getting NSLs can’t be the problem.

Which suggests the 300 claim is implicit acknowledgment they’re doing something more with this data than they’re letting on.

PRISM: The Difference between Orders and Directives

By: emptywheel Saturday June 15, 2013 2:01 pm

The AP has a story that lays out the architecture of how PRISM fits in with the rest of the government surveillance programs. The short version is, as much prior reporting supports, it uses PRISM to target communications it has collected, as packets, from the telecom backbone. Like the Section 215 dragnet (and consistent with James Clapper’s metaphor that the dragnet serves as the Dewey Decimal system to direct the government were to find the conversations it wants) it seems to serve to tell the government where to look to get more content.

The story is most valuable, in my opinion, for the distinction it describes between orders — which courts approve — and directives — which courts don’t.

Every year, the attorney general and the director of national intelligence spell out in a classified document how the government plans to gather intelligence on foreigners overseas.

By law, the certification can be broad. The government isn’t required to identify specific targets or places.

A federal judge, in a secret order, approves the plan.

With that, the government can issue “directives” to Internet companies to turn over information.

While the court provides the government with broad authority to seize records, the directives themselves typically are specific, said one former associate general counsel at a major Internet company. They identify a specific target or groups of targets. Other company officials recall similar experiences.

I’ve seen some apologist reporting that conflates these two, suggesting that the courts approve individual targets.

The entire point of FISA Amendments Act is to have the courts approve broader targeting.

As Russ Feingold warned four years ago, there is less oversight of how you get from orders to the procedures that make them compliant with the Constitution.

AP goes on to explain the danger to this scheme, though: there’s far less oversight over individual targets. Which can — and in 2009, at least — led the NSA to take US person data.

A few months after Obama took office in 2009, the surveillance debate reignited in Congress because the NSA had crossed the line. Eavesdroppers, it turned out, had been using their warrantless wiretap authority to intercept far more emails and phone calls of Americans than they were supposed to.

Remember, this overcollection was self-reported by the Obama Administration at the time, not discovered by the FISA Court. Good for the Obama Administration, though we’re trusting them at their word that the overcollection was unintentional.

As part of a periodic review of the agency’s activities, the department “detected issues that raised concerns,” it said. [snip]

The overcollection problems appear to have been uncovered as part of a twice-annual certification that the Justice Department and the director of national intelligence are required to give to the Foreign Intelligence Surveillance Court on the protocols that the N.S.A. is using in wiretapping. That review, officials said, began in the waning days of the Bush administration and was continued by the Obama administration. It led intelligence officials to realize that the N.S.A. was improperly capturing information involving significant amounts of American traffic.

But that raises one of the problems with the program. The court oversight is removed from the specificity of the collection, and the law, by design, prevents the court from double-checking whether the government does at the directive level what it says it will do at the order level.

Trust us.

Continue reading →

The Inefficacy of Big Brother: Associations and the Terror Factory

By: emptywheel Saturday June 15, 2013 9:01 am

The WSJ has a fascinating story, responding to (but not linking) this post, trying to address the question of whether the NSA programs we’ve learned about are efficient.

But some statisticians and security experts have raised another objection: As a terror-fighting tool, it is highly inefficient and has some serious downsides.

Their reasoning: Any automated approach to spotting something rare necessarily produces false positives. That means for every correctly identified target, many more alarms that go off will prove to be incorrect. So if there are vastly more innocent people than would-be terrorists whose communications are monitored, even an extremely accurate test would ensnare many non-terrorists.

[snip]

Even if the NSA’s algorithm “is terribly clever and has a very high sensitivity and specificity, it cannot avoid having an immense false-positive rate,” said Peter F. Thall, a biostatistician at the University of Texas’ M.D. Anderson Cancer Center. In his arena, false positives mean patients may get tests or treatment they don’t need. For the NSA, false positives could mean innocent people are monitored, detained, find themselves on no-fly lists or are otherwise inconvenienced, and that the agency spends resources inefficiently.

Others, though, noted a key difference between terrorism and, say, a needle in a haystack: Terrorists tend to talk to each other in a way that needles don’t. So by analyzing a network of communications, the NSA could be ferreting out clues from more than just the messages’ particulars.

This question is, obviously, one of the reasons I posted on the 3 apparent false positives presented as implicitly terrorist associates of Najibullah Zazi in 2009. Because — assuming I’m right that they were false positives — it provides a glimpse into precisely how the government understood a lot of these terms in 2009 (I assume, though could be wrong, that their approach continues to be fine-tuned). As a reminder, here’s what we know about these 3 people:

Evidence that “individuals associated with Zazi purchased unusual quantities of hydrogen and acetone products in July, August, and September 2009 from three different beauty supply stores in and around Aurora;” these purchases include:

Person one: a one-gallon container of a product containing 20% hydrogen peroxide and an 8-oz bottle of acetone

Person two: an acetone product

Person three: 32-oz bottles of Ion Sensitive Scalp Developer three different times

For a variety of reasons, I believe the 3 false positives consist of one person (probably person two) with a genuine relationship with Zazi who purchase relatively little acetone, and 2 people with false relationships with Zazi who bought an unusual amount of beauty supplies.

That says the FBI made two mistakes, IMO. Assuming any purchase of a common product, acetone, was criminal on behalf of someone with a real tie to Zazi.

And assuming the relationships between the other two — the ones buying more beauty supplies — were meaningful. This could be, and I suspect it is, an assumption that anyone who belongs to the same mosque (and unlike the radical one he attended in NY, Zazi was reportedly not close to people at his mosque in CO).

Also note. This program (unlike ones I believe to exist at the National Counterterrorism Center) may not be algorithms per se at all. Rather, it could just be associations: If tie to Zazi and if beauty supply purchaser = “positive.” In other words, for better and worse the FBI may not be asking the computers to “think” for it at all.

Nevertheless, the assumptions — that membership in the same mosque (or, for that matter, a single communication with a suspected terrorist) necessarily equates to a meaningful relationship — probably doom the approach in any case.

Which brings me to my other point. The WSJ suggests the costs of false positives include wasted investigative resources and unfair persecution for false positives.

But it doesn’t consider the other possible uses of what may or may not be considered false positives.

First, there’s the possibility an FBI investigation into a true false positive — someone totally innocent of terrorism — may discover some other criminal exposure, which the FBI could and has been known to use to turn the false positive into an informant.

Then there’s the likelihood, especially if a potentially false positive is a young Muslim male, that the FBI will keep that person under heavy surveillance and recruitment for years and ultimately turn him into a terrorism statistic. The FBI started surveilling Mohamed Osman Mohamud 3 years, starting before he turned 18, before they got him to attempt to bomb a public event. His parents even alerted the authorities to his increasing radicalism, but instead of intervening to reverse it, the FBI exacerbated it with several informants.

Would Mohamud have ever turned to terrorism without all that help from the FBI? Would he have developed the competence and acquired the resources to do harm? We can’t actually know, and I’m actually not aware that anyone has asked this question.

What we also can’t know is whether, had the FBI dedicated its efforts to something else, it could have prevented a crime developing without FBI’s help.

That is, there are a whole slew of questions that have to be asked as we assess this program. Which is why we need real transparency.

Al Gore: Get Your Hands Off of My (Our?) Internet

By: emptywheel Friday June 14, 2013 4:21 pm

Working on posts and then will have my sis-in-law in to watch the Grand Rapids Griffins defeat her Syracuse Crush tonight in hockey. (Really!)

But I did like this Al Gore interview:

Gore said he was not persuaded by the argument that the NSA surveillance had operated within the boundaries of the law.

“This in my view violates the constitution. The fourth amendment and the first amendment – and the fourth amendment language is crystal clear,” he said. “It is not acceptable to have a secret interpretation of a law that goes far beyond any reasonable reading of either the law or the constitution and then classify as top secret what the actual law is.”

Gore added: “This is not right.”

Gore even recognized the problem of the Director of National Intelligence lying under oath.

Gore did say, however, that he had serious concerns about some aspects of the testimony offered by national intelligence director James Clapper during testimony to the Senate intelligence committee last March.

Clapper, in response to pointed questions from Democratic senator Ron Wyden, had said during that appearance that the NSA did not collect data on Americans.

“I was troubled by his direct response to Senator Wyden’s very pointed question,” Gore said. “I was troubled by that.”

Yeah! Me too!