Posts

The Sekulow Questions, Part Five: Attempting a Cover-Up by Firing Comey

/11 Comments/in , , /by

In this series, I have been showing a framework for the investigation that the Mueller questions, as imagined by Jay Sekulow, maps out. Thus far I have shown:

  • Russians, led by the Aras Agalarov and his son, cultivated Trump for years by dangling two things: real estate deals and close ties with Vladimir Putin.
  • During the election, the Russians and Trump appear to have danced towards a quid pro quo agreement, with the Russians offering dirt on Hillary Clinton in exchange for a commitment to sanctions relief, with some policy considerations thrown in.
  • During the transition period, Trump’s team took a series of actions that moved towards consummating the deal they had made with Russia, both in terms of policy concessions, particularly sanctions relief, and funding from Russian sources that could only be tapped if sanctions were lifted. The Trump team took measures to keep those actions secret.
  • Starting in January 2017, Trump came to learn that FBI was investigating Mike Flynn. His real reasons for firing Flynn remain unreported, but it appears he had some concerns that the investigation into Flynn would expose him.

This post lays out the questions on obstruction that lead up to Comey’s firing on May 9, 2017.

February 14, 2017: What was the purpose of your Feb. 14, 2017, meeting with Mr. Comey, and what was said?

On February 13, Trump fired Mike Flynn. The explanation he gave was one of the concerns Sally Yates had given to Don McGahn when she told him about the interview, that Flynn had lied to Mike Pence about having discussed sanctions relief with Sergey Kislyak on December 29, 2016. Except, coming from Trump, that excuse makes no sense, both because he had already shown he didn’t care about the counterintelligence implications of that lie by including Flynn in the January 28 phone call with Putin and other sensitive meetings. But also because at least seven people in the White House knew what occurred in Flynn’s calls, and Pence probably did too.

Against that backdrop, the next day, Trump had Jim Comey stay late after an oval office meeting so he could ask him to drop the investigation into Flynn. Leading up to this meeting, Trump had already:

  • Asked Comey to investigate the pee tape allegations so he could exonerate the President
  • Asked if FBI leaks
  • Asked if Comey was loyal shortly after asking him, for the third time, if he wanted to keep his job
  • Claimed he distrusted Flynn’s judgment because he had delayed telling Trump about a congratulatory call from Putin

After Trump asked everyone in the meeting to leave him and Comey alone, both Jeff Sessions and Jared Kushner lingered.

While the description of this meeting usually focuses on the Flynn discussion, according to Comey’s discussion, it also focused closely on leaks, which shows how Trump linked the two in his mind.

Here’s what Comey claims Trump said about Flynn:

He began by saying he wanted to “talk about Mike Flynn.” He then said that, although Flynn “hadn’t done anything wrong” in his call with the Russians (a point he made at least two more times in the conversation), he had to let him go because he misled the Vice President, whom he described as “a good guy.” He explained that he just couldn’t have Flynn misleading the vice President and, in any event, he had other concerns about Flynn, and had a great guy coming in, so he had to let Flynn go.

[a discussion of Sean Spicer’s presser explaining the firing and another about the leaks of his calls to Mexican and Australian leaders]

He then referred at length to the leaks relating to Mike Flynn’s call with the Russians, which he stressed was not wrong in any way (“he made lots of calls”), but that the leaks were terrible.

[Comey’s agreement with Trump about the problem with leaks, but also his explanation that the leaks may not have been FBI; Reince Priebus tries to interrupt but Trump sends him away for a minute or two]

He then returned to the topic of Mike Flynn, saying that Flynn is a good guy, and has been through a lot. He misled the Vice President but he didn’t do anything wrong on the call. He said, “I hope you can see your way clear to letting this go, to letting Flynn go. He is a good guy. I hope you can let this go.” I replied by saying, “I agree he is a good guy,” but said no more.

In addition to providing Trump an opportunity to rebut Comey, asking this question might aim to understand the real reason Trump fired Flynn.

March 2, 2017: What did you think and do regarding the recusal of Mr. Sessions?  What efforts did you make to try to get him to change his mind? Did you discuss whether Mr. Sessions would protect you, and reference past attorneys general?

On March 2, citing consultations with senior department officials, Sessions recused himself “from any existing or future investigations of any matters related in any way to the campaigns for President of the United States,” while noting that, “This announcement should not be interpreted as confirmation of the existence of any investigation or suggestive of the scope of any such investigation.” At that point, Dana Boente became Acting Attorney General for the investigation.

Note that this question isn’t just about Trump’s response to Sessions’ recusal — it’s also about what he did in advance of it. That’s likely because even before Sessions recused, Trump got Don McGahn to try to pressure the Attorney General not to do so. He also called Comey the night before and “talked about Sessions a bit.” When Sessions ultimately did recuse, Trump had a blow-up in which he expressed a belief that Attorneys General should protect their president.

[T]he president erupted in anger in front of numerous White House officials, saying he needed his attorney general to protect him. Mr. Trump said he had expected his top law enforcement official to safeguard him the way he believed Robert F. Kennedy, as attorney general, had done for his brother John F. Kennedy and Eric H. Holder Jr. had for Barack Obama.

Mr. Trump then asked, “Where’s my Roy Cohn?”

In the days after the Sessions recusal, Trump also kicked off the year-long panic about being wiretapped.

On Thursday, Jeff Sessions recused from the election-related parts of this investigation. In response, Trump went on a rant (inside the White House) reported to be as angry as any since he became President. The next morning, Trump responded to a Breitbart article alleging a coup by making accusations that suggest any wiretaps involved in this investigation would be improper. Having reframed wiretaps that would be targeted at Russian spies as illegitimate, Trump then invited Nunes to explore any surveillance of campaign officials, even that not directly tied to Trump himself.

And Nunes obliged.

Don McGahn and Jeff Sessions, among others, have already provided their side of this story to Mueller’s team.

March 2 to March 20, 2017: What did you know about the F.B.I.’s investigation into Mr. Flynn and Russia in the days leading up to Mr. Comey’s testimony on March 20, 2017?

As Sekulow has recorded Mueller’s question, the special counsel wants to know what Trump already knew of the investigation into Mike Flynn before Comey publicly confirmed it in Congressional testimony. This may be a baseline question, to measure how much of Trump’s response was a reaction to the investigation becoming public.

But there are other things that went down in the weeks leading up to Comey’s testimony. Devin Nunes had already made considerable efforts to undermine the investigation; he would have been briefed on the investigation on March 2 (see footnote 75), the same day as Sessions recused.Trump went into a panic on March 4, just days after Sessions recusal, about being wiretapped; I’m wondering if there’s any evidence that Trump or Steven Bannon seeded the Breitbart story that kicked off the claim of a coup against Trump. Also of note is Don McGahn’s delay in conveying the records retention request about the investigation to the White House, even as Sean Spicer conducted a device search to learn who was using encrypted messengers.

March 20, 2017: What did you do in reaction to the March 20 testimony? Describe your contacts with intelligence officials.

On March 20, in testimony to the House Intelligence Committee, Comey publicly confirmed the counterintelligence investigation into Trump’s campaign.

I have been authorized by the Department of Justice to confirm that the FBI, as part of our counterintelligence mission, is investigating the Russian government’s efforts to interfere in the 2016 presidential election and that includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government and whether there was any coordination between the campaign and Russia’s efforts. As with any counterintelligence investigation, this will also include an assessment of whether any crimes were committed.

In addition to questions about the investigation (including the revelation that FBI had not briefed the Gang of Eight on it until recently; we now know the briefing took place the day Jeff Sessions recused which suggests FBI avoided letting both Flynn and Sessions know details of it), Republicans used the hearing to delegitimize unmasking and the IC conclusion that Putin had affirmatively supported Trump.

Sekulow’s questions (or NYT’s rendition of them) lump the hearing, at which Admiral Mike Rogers also testified, in with Trump’s pressure on his spooks to issue a statement that he wasn’t under investigation. Two days after the hearing, Trump pressured Mike Pompeo and Dan Coats to intervene with Comey to stop the investigation.

It’s possible that the term “intelligence officials” includes HPSCI Chair Devin Nunes. On March 21, Nunes made his nighttime trip to the White House to accelerate the unmasking panic. Significantly, the panic didn’t just pertain to Flynn’s conversations with Sergey Kislyak; it also focused on the revelation of Mohammed bin Zayed al Nahyan’s secret trip to New York and probably other conversations with the Middle Eastern partners that have become part of this scandal.

The day after Nunes’ nighttime trip, Trump called Coats and Rogers (and probably Pompeo) and asked them to publicly deny any evidence of a conspiracy between Trump’s campaign and Russia; NSA documented the call to Rogers.

It’s now clear that the calls Nunes complained about being unmasked actually are evidence of a conspiracy (and as such, they probably provided an easy roadmap for Mueller to find the non-Russian conversations).

March 30, 2017: What was the purpose of your call to Mr. Comey on March 30?

On March 30, Trump called Comey on official phone lines and asked him to exonerate him on the Russia investigation. According to Comey, the conversation included the following:

He then said he was trying to run the country and the cloud of this Russia business was making that difficult. He said he thinks he would have won the health care vote but for the cloud. He then went on at great length, explaining that he has nothing to do with Russia (has a letter from the largest law firm in DC saying he has gotten no income from Russia). was not involved with hookers in Russia (can you imagine me, hookers? I have a beautiful wife, and it has been very painful). is bringing a personal lawsuit against Christopher Steele, always advised people to assume they were being recorded in Russia. has accounts now from those who travelled with him to Miss Universe pageant that he didn’t do anything, etc.

He asked what he could do to lift the cloud. I explained that we were running it down as quickly as possible and that there would be great benefit, if we didn’t find anything, to our Good Housekeeping seal of approval, but we had to do our work. He agreed, but then returned to the problems this was causing him, went on at great length about how bad he was for Russia because of his commitment to more oil and more nukes (ours are 40 years old).

He said something about the hearing last week. I responded by telling him I wasn’t there as a volunteer and he asked who was driving that, was it Nunes who wanted it? I said all the leadership wanted to know what was going on and mentioned that Grassley had even held up the DAG nominee to demand information. I said we had briefed the leadership on exactly what we were doing and who we were investigating.

I reminded him that I had told him we weren’t investigating him and that I had told the Congressional leadership the same thing. He said it would be great if that could get out and several times asked me to find a way to get that out.

He talked about the guy he read about in the Washington Post today (NOTE: I think he meant Sergei Millian) and said he didn’t know him at all. He said that if there was “some satellite” (NOTE: I took this to mean some associate of his or his campaign) that did something, it would be good to find that out, but that he hadn’t done anything and hoped I would find a way to get out that we weren’t investigating him.

Trump also raised “McCabe thing,” yet another apparent attempt to tie the retention of McCabe to public exoneration from Comey.

Given the news that Sergei Millian had been pitching George Papadopoulos on a Trump Tower deal in the post-election period, I wonder whether Trump’s invocation of him in conjunction with “some satellite” is a reference to Papadopoulos, who had already been interviewed twice by this time. Nunes would have learned of his inclusion in the investigation in the March 2 CI briefing.

On top of the clear evidence that this call represented a (well-documented, including a contemporaneous call to Dana Boente) effort to quash the investigation and get public exoneration, the conversation as presented by Comey also includes several bogus statements designed to exonerate him. For example, Millian had actually worked with Trump in past years selling condos to rich Russians. Trump never did sue Steele (Michael Cohen sued BuzzFeed and Fusion early this year, but he dropped it in the wake of the FBI raid on him). And the March 8 letter from Morgan Lewis certifying he didn’t get income from Russia is unrelated to whether he has been utterly reliant on investment from Russia (to say nothing of the huge sums raised from Russian oligarchs for his inauguration). In other words, like the earlier false claim that Trump hadn’t stayed overnight in Moscow during the Miss Universe pageant and therefore couldn’t have been compromised, even at this point, Trump’s attempts to persuade the FBI he was innocent were based off false claims.

March 30, 2017: Flynn asks for immunity

Mike Flynn first asked Congress for immunity on March 30, 2017, with Trump backing the effort in a tweet.

A later question deals with this topic — and suggests Trump may have contacted Flynn directly about immunity at this time, but that contact is not public, if it occurred.

April 11, 2017: What was the purpose of your call to Mr. Comey on April 11, 2017?

At 8:26AM on April 11, Comey returned a call to Trump. Trump asked again for Comey to lift the cloud on him.

He said he was following up to see if I did what he had asked last time–getting out that he personally is not under investigation. I relied that I had passed the request to the Acting AG and had not heard back from him. He spoke for a bit about why it was so important. He is trying to do work for the country, visit with foreign leaders, and any cloud, even a little cloud gets in the way of that. They keep bringing up the Russia thing as an excuse for losing the election.

[snip]

He then added, “Because I have been very loyal to you, very loyal, we had that thing, you know.”

[snip]

He then said that I was doing a great job and wished me well.

April 11, 2017: What was the purpose of your April 11, 2017, statement to Maria Bartiromo?

On April 12, Fox Business News broadcast an interview with Maria Bartiromo (Mueller must know it was recorded on April 11, so presumably after the call with Comey). There are three key aspects of the interview. First, in the context of Trump’s failures to staff his agencies, Bartiromo asks why Comey is still around [note, I bet in Hope Hicks’ several days of interviews, they asked her if these questions were planted]. Given public reports, Trump may have already been thinking about firing Comey, though Steve Bannon, Reince Priebus, and Don McGahn staved off the firing for weeks.

TRUMP:  I wish it would be explained better, the obstructionist nature, though, because a lot of times I’ll say why doesn’t so and so have people under him or her?

The reason is because we can’t get them approved.

BARTIROMO:  Well, people are still wondering, though, they’re scratching their heads, right, so many Obama-era staffers are still here.

For example, was it a mistake not to ask Jim Comey to step down from the FBI at the outset of your presidency?

Is it too late now to ask him to step down?

TRUMP:  No, it’s not too late, but, you know, I have confidence in him.  We’ll see what happens.  You know, it’s going to be interesting.

On the same day he had asked Comey to publicly state he wasn’t being interviewed, Trump said he still had confidence in Comey, even while suggesting a lot of other people were angling for the job (something he had also said in an earlier exchange with Comey).  Trump immediately pivoted to claiming Comey had kept Hillary from being charged.

TRUMP: But, you know, we have to just — look, I have so many people that want to come into this administration.  They’re so excited about this administration and what’s happening — bankers, law enforcement — everybody wants to come into this administration.  Don’t forget, when Jim Comey came out, he saved Hillary Clinton.  People don’t realize that.  He saved her life, because — I call it Comey [one].  And I joke about it a little bit.

When he was reading those charges, she was guilty on every charge.  And then he said, she was essentially OK.  But he — she wasn’t OK, because she was guilty on every charge.

And then you had two and then you had three.

But Hillary Clinton won — or Comey won.  She was guilty on every charge.

BARTIROMO:  Yes.

TRUMP:  So Director Comey…

BARTIROMO:  Well, that’s (INAUDIBLE)…

TRUMP:  No, I’m just saying…

BARTIROMO:  (INAUDIBLE)?

TRUMP:  Well, because I want to give everybody a good, fair chance.  Director Comey was very, very good to Hillary Clinton, that I can tell you.  If he weren’t, she would be, right now, going to trial.

From there, Bartiromo asks Trump why President Obama had changed the rules on sharing EO 12333 data. Trump suggests it is so his administration could be spied on, using the Susan Rice unmasking pseudo scandal as shorthand for spying on his team.

BARTIROMO:  Mr. President, just a final question for you.

In the last weeks of the Obama presidency, he changed all the rules in terms of the intelligence agencies, allowing them to share raw data.

TRUMP:  Terrible.

BARTIROMO:  Why do you think he did this?

TRUMP:  Well, I’m going to let you figure that one out.  But it’s so obvious.  When you look at Susan Rice and what’s going on, and so many people are coming up to me and apologizing now.  They’re saying you know, you were right when you said that.

Perhaps I didn’t know how right I was, because nobody knew the extent of it.

Undoubtedly, Mueller wants to know whether these comments relate to his comments to Comey (and, as I suggested, Hope Hicks may have helped elucidate that). The invocation of Hillary sets up one rationale for firing Comey, but one that contradicts with the official reason.

But the conversation also reflects Trump’s consistent panic that his actions (and those of his aides) will be captured by wiretaps.

May 3, 2017: What did you think and do about Mr. Comey’s May 3, 2017, testimony?

On May 3, Comey testified to the Senate Judiciary Committee. It covered leaks (including whether he had ever authorized any, a question implicated in the Andrew McCabe firing), and the hacked email raising questions about whether Lynch could investigate Hillary. Comey described his actions in the Hillary investigation at length. This testimony would be cited by Rod Rosenstein in his letter supporting the firing of Comey. In addition, there were a number of questions about the Russia investigation, including questions focused on Trump, that would have driven Trump nuts.

Along with getting a reaction to the differences between what Comey said in testimony and Trump’s own version (which by this point he had shared several times), Mueller likely wants to know what Trump thinks of Comey’s claim that FBI treated the Russian investigation just like the Hillary one.

With respect to the Russian investigation, we treated it like we did with the Clinton investigation. We didn’t say a word about it until months into it and then the only thing we’ve confirmed so far about this is the same thing with the Clinton investigation. That we are investigating. And I would expect, we’re not going to say another peep about it until we’re done. And I don’t know what will be said when we’re done, but that’s the way we handled the Clinton investigation as well.

In a series of questions that were likely developed in conjunction with Trump, Lindsey Graham asked whether Comey stood by his earlier claim that there was an active investigation.

GRAHAM: Did you ever talk to Sally Yates about her concerns about General Flynn being compromised?

COMEY: I did, I don’t whether I can talk about it in this forum. But the answer is yes.

GRAHAM: That she had concerns about General Flynn and she expressed those concerns to you?

COMEY: Correct.

GRAHAM: We’ll talk about that later. Do you stand by your house testimony of March 20 that there was no surveillance of the Trump campaign that you’re aware of?

COMEY: Correct.

GRAHAM: You would know about it if they were, is that correct?

COMEY: I think so, yes.

GRAHAM: OK, Carter Page; was there a FISA warrant issued regarding Carter Page’s activity with the Russians.

COMEY: I can’t answer that here.

GRAHAM: Did you consider Carter page a agent of the campaign?

COMEY: Same answer, I can’t answer that here.

GRAHAM: OK. Do you stand by your testimony that there is an active investigation counterintelligence investigation regarding Trump campaign individuals in the Russian government as to whether not to collaborate? You said that in March…

COMEY: To see if there was any coordination between the Russian effort and peoples…

GRAHAM: Is that still going on?

COMEY: Yes.

GRAHAM: OK. So nothing’s changed. You stand by those two statements?

Curiously (not least because of certain investigative dates), Sheldon Whitehouse asked some pointed questions about whether Comey could reveal if an investigation was being starved by inaction.

WHITEHOUSE: Let’s say you’ve got a hypothetically, a RICO investigation and it has to go through procedures within the department necessary to allow a RICO investigation proceed if none of those have ever been invoked or implicated that would send a signal that maybe not much effort has been dedicated to it.

Would that be a legitimate question to ask? Have these — again, you’d have to know that it was a RICO investigation. But assuming that we knew that that was the case with those staging elements as an investigation moves forward and the internal department approvals be appropriate for us to ask about and you to answer about?

COMEY: Yes, that’s a harder question. I’m not sure it would be appropriate to answer it because it would give away what we were looking at potentially.

WHITEHOUSE: Would it be appropriate to ask if — whether any — any witnesses have been interviewed or whether any documents have been obtained pursuant to the investigation?

Richard Blumenthal asked Comey whether he could rule Trump in or out as a target of the investigation and specifically within that context, suggested appointing a special counsel (Patrick Leahy had already made the suggestion for a special counsel).

BLUMENTHAL: Have you — have you ruled out the president of the United States?

COMEY: I don’t — I don’t want people to over interpret this answer, I’m not going to comment on anyone in particular, because that puts me down a slope of — because if I say no to that then I have to answer succeeding questions. So what we’ve done is brief the chair and ranking on who the U.S. persons are that we’ve opened investigations on. And that’s — that’s as far as we’re going to go, at this point.

BLUMENTHAL: But as a former prosecutor, you know that when there’s an investigation into several potentially culpable individuals, the evidence from those individuals and the investigation can lead to others, correct?

COMEY: Correct. We’re always open-minded about — and we follow the evidence wherever it takes us.

BLUMENTHAL: So potentially, the president of the United States could be a target of your ongoing investigation into the Trump campaign’s involvement with Russian interference in our election, correct?

COMEY: I just worry — I don’t want to answer that — that — that seems to be unfair speculation. We will follow the evidence, we’ll try and find as much as we can and we’ll follow the evidence wherever it leads.

BLUMENTHAL: Wouldn’t this situation be ideal for the appointment of a special prosecutor, an independent counsel, in light of the fact that the attorney general has recused himself and, so far as your answers indicate today, no one has been ruled out publicly in your ongoing investigation. I understand the reasons that you want to avoid ruling out anyone publicly. But for exactly that reason, because of the appearance of a potential conflict of interest, isn’t this situation absolutely crying out for a special prosecutor?

Chuck Grassley asked Comey the first questions about what would become the year-long focus on Christopher Steele’s involvement in the FISA application on Carter Page.

GRASSLEY: On — on March 6, I wrote to you asking about the FBI’s relationship with the author of the trip — Trump-Russia dossier Christopher Steele. Most of these questions have not been answered, so I’m going to ask them now. Prior to the bureau launching the investigation of alleged ties between the Trump campaign and Russia, did anyone from the FBI have interactions with Mr. Steele regarding the issue?

COMEY: That’s not a question that I can answer in this forum. As you know, I — I briefed you privately on this and if there’s more that’s necessary then I’d be happy to do it privately.

GRASSLEY: Have you ever represented to a judge that the FBI had interaction with Mr. Steele whether by name or not regarding alleged ties between the Trump campaign and Russia prior to the Bureau launching its investigation of the matter?

COMEY: I have to give you the same answer Mr. Chairman.

In a second round, Whitehouse asked about a Trump tweet suggesting Comey had given Hillary a free pass.

WHITEHOUSE: Thank you.

A couple of quick matters, for starters. Did you give Hillary Clinton quote, “a free pass for many bad deeds?” There was a tweet to that effect from the president.

COMEY: Oh, no, not — that was not my intention, certainly.

WHITEHOUSE: Well, did you give her a free pass for many bad deeds, whatever your intention may have been?

COMEY: We conducted a competent, honest and independent investigation, closed it while offering transparency to the American people. I believed what I said, there was not a prosecutable case, there.

Al Franken asked Comey whether the investigation might access Trump’s tax returns.

FRANKEN: I just want to clarify something — some of the answers that you gave me for example in response to director — I asked you would President Trump’s tax returns be material to the — such an investigation — the Russian investigation and does the investigation have access to President Trump’s tax returns and some other questions you answered I can’t say. And I’d like to get a clarification on that. Is it that you cant say or that you can’t say in this setting?

COMEY: That I won’t answer questions about the contours of the investigation. As I sit here I don’t know whether I would do it in a closed setting either. But for sure — I don’t want to begin answering questions about what we’re looking at and how.

Update: Contemporaneous reporting makes it clear that Trump was particularly irked by Comey’s admission that “It makes me mildly nauseous to think that we might have had some impact on the election,” as that diminished Trump’s win. (h/t TC)

May 9, 2017: Regarding the decision to fire Mr. Comey: When was it made? Why? Who played a role?

The May 3 hearing is reportedly the precipitating event for Trump heading to Bedminster with Ivanka, Jared, and Stephen Miller on May 4 and deciding to fire Comey. Trump had Miller draft a letter explaining the firing, which Don McGahn would significantly edit when he saw it on May 8. McGahn also got Sessions and Rosenstein, who were peeved about different aspects of the hearing (those focused on Comey’s actions with regards to Hillary), to write letters supporting Comey’s firing.

Given that Mueller has the original draft of the firing letter and testimony from McGahn, Rosenstein, and Sessions, this question will largely allow Trump to refute evidence Mueller has already confirmed.

RESOURCES

These are some of the most useful resources in mapping these events.

Mueller questions as imagined by Jay Sekulow

CNN’s timeline of investigative events

Majority HPSCI Report

Minority HPSCI Report

Trump Twitter Archive

Jim Comey March 20, 2017 HPSCI testimony

Comey May 3, 2017 SJC testimony

Jim Comey June 8, 2017 SSCI testimony

Jim Comey written statement, June 8, 2017

Jim Comey memos

Sally Yates and James Clapper Senate Judiciary Committee testimony, May 8, 2017

NPR Timeline on Trump’s ties to Aras Agalarov

George Papadopoulos complaint

George Papadopoulos statement of the offense

Mike Flynn statement of the offense

Internet Research Agency indictment

Text of the Don Jr Trump Tower Meeting emails

Jared Kushner’s statement to Congress

Erik Prince HPSCI transcript

THE SERIES

Part One: The Mueller Questions Map Out Cultivation, a Quid Pro Quo, and a Cover-Up

Part Two: The Quid Pro Quo: a Putin Meeting and Election Assistance, in Exchange for Sanctions Relief

Part Three: The Quo: Policy and Real Estate Payoffs to Russia

Part Four: The Quest: Trump Learns of the Investigation

Part Five: Attempting a Cover-Up by Firing Comey

Part Six: Trump Exacerbates His Woes

[Photo: National Security Agency via Wikimedia]

If a Tech Amicus Falls in the Woods but Rosemary Collyer Ignores It, Would It Matter?

/10 Comments/in , /by

Six senators (Ron Wyden, Pat Leahy, Al Franken, Martin Heinrich, Richard Blumenthal, and Mike Lee) have just written presiding FISA Court judge Rosemary Collyer, urging her to add a tech amicus — or even better, a full time technical staffer — to the FISA Court.

The letter makes no mention of Collyer’s recent consideration of the 702 reauthorization certificates, nor even of any specific questions the tech amicus might consider.

That’s unfortunate. In my opinion, the letter entirely dodges the real underlying issue, at least as it pertains to Collyer, which is her unwillingness to adequately challenge or review Executive branch assertions.

In her opinion reauthorizing Section 702, Collyer apparently never once considered appointing an amicus, even a legal one (who, under the USA Freedom structure, could have suggested bringing in a technical expert). She refused to do so in a reconsideration process that — because of persistent problems arising from technical issues — stretched over seven months.

I argued then that that means Collyer broke the law, violating USA Freedom Act’s requirement that the FISC at least consider appointing an amicus on matters raising novel or significant issues and, if choosing not to do so, explain that decision.

In any case, this opinion makes clear that what should have happened, years ago, is a careful discussion of how packet sniffing works, and where a packet collected by a backbone provider stops being metadata and starts being content, and all the kinds of data NSA might want to and does collect via domestic packet sniffing. (They collect far more under EO 12333.) As mentioned, some of that discussion may have taken place in advance of the 2004 and 2010 opinions approving upstream collection of Internet metadata (though, again, I’m now convinced NSA was always lying about what it would take to process that data). But there’s no evidence the discussion has ever happened when discussing the collection of upstream content. As a result, judges are still using made up terms like MCTs, rather than adopting terms that have real technical meaning.

For that reason, it’s particularly troubling Collyer didn’t use — didn’t even consider using, according to the available documentation — an amicus. As Collyer herself notes, upstream surveillance “has represented more than its share of the challenges in implementing Section 702” (and, I’d add, Internet metadata collection).

At a minimum, when NSA was pitching fixes to this, she should have stopped and said, “this sounds like a significant decision” and brought in amicus Amy Jeffress or Marc Zwillinger to help her think through whether this solution really fixes the problem. Even better, she should have brought in a technical expert who, at a minimum, could have explained to her that SCTs pose as big a problem as MCTs; Steve Bellovin — one of the authors of this paper that explores the content versus metadata issue in depth — was already cleared to serve as the Privacy and Civil Liberties Oversight Board’s technical expert, so presumably could easily have been brought into consult here.

That didn’t happen. And while the decision whether or not to appoint an amicus is at the court’s discretion, Collyer is obligated to explain why she didn’t choose to appoint one for anything that presents a significant interpretation of the law.

A court established under subsection (a) or (b), consistent with the requirement of subsection (c) and any other statutory requirement that the court act expeditiously or within a stated time–

(A) shall appoint an individual who has been designated under paragraph (1) to serve as amicus curiae to assist such court in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law, unless the court issues a finding that such appointment is not appropriate;

For what it’s worth, my guess is that Collyer didn’t want to extend the 2015 certificates (as it was, she didn’t extend them as long as NSA had asked in January), so figured there wasn’t time. There are other aspects of this opinion that make it seem like she just gave up at the end. But that still doesn’t excuse her from explaining why she didn’t appoint one.

Instead, she wrote a shitty opinion that doesn’t appear to fully understand the issue and that defers, once again, the issue of what counts as content in a packet.

Without even considering an amicus, Collyer for the first time affirmatively approved the back door searches of content she knows will include entirely domestic communications, effectively affirmatively permitting the NSA to conduct warrantless searches of entirely domestic communications, and with those searches to use FISA for domestic surveillance. In approving those back door searches, Collyer did not conduct her own Fourth Amendment review of the practice.

Moreover, she adopted a claimed fix to a persistent problem — the collection of domestic communications via packet sniffing — without showing any inkling of testing whether the fix accomplished what it needed to. Significantly, in spite of 13 years of problems with packet sniffing collection under FISA, the court still has no public definition about where in a packet metadata ends and content begins, making her “abouts” fix — a fix that prohibits content sniffing without defining content — problematic at best.

I absolutely agree with these senators that the FISC should have its own technical experts.

But in Collyer’s case, the problem is larger than that. Collyer simply blew off USA Freedom Act’s obligation to consider an amicus entirely. Had she appointed Marc Zwillinger, I’m confident he would have raised concerns about the definition of content (as he did when he served as amicus on a PRTT application), whether or not he persuaded her to bring in a technical expert to further lay out the problems.

Collyer never availed herself of the expertise of Zwillinger or any other independent entity, though. And she did so in defiance of the intent of Congress, that she at least explain why she felt she didn’t need such outside expertise.

And she did so in an opinion that made it all too clear she really, really needed that help.

In my opinion, Collyer badly screwed up this year’s reauthorization certificates, kicking the problems created by upstream collection down the road, to remain a persistent FISA problem for years to come. But she did so by blowing off the clear requirement of law, not because she didn’t have technical expertise to rely on (though the technical expertise is probably necessary to finally resolve the issues raised by packet sniffing).

Yet no one but me — not even privacy advocates testifying before Congress — want to call her out for that.

Congress already told the FISA court they “shall” ask for help if they need it. Collyer demonstrably needed that help but refused to consider using it. That’s the real problem here.

I agree with these senators that FISC badly needs its own technical experts. But a technical amicus will do no good if, as Collyer did, a FISC judge fails to consult her amici.

Chris Wray’s DodgeBall and Trump’s Latest Threats

/22 Comments/in , , , , /by

Though I lived-tweeted it, I never wrote up Christopher Wray’s confirmation hearing to become FBI Director. Given the implicit and explicit threats against prosecutorial independence Trump made in this interview, the Senate should hold off on Wray’s confirmation until it gets far more explicit answers to some key questions.

Trump assails judicial independence

The NYT interview is full of Trump’s attacks on prosecutorial independence.

It started when Trump suggested (perhaps at the prompting of Michael Schmidt) that Comey only briefed Trump on the Christopher Steele dossier so he could gain leverage over the President.

Later, Trump called Sessions’ recusal “unfair” to the President.

He then attacked Rod Rosenstein by suggesting the Deputy Attorney General (who, Ryan Reilly pointed out, is from Bethesda) must be a Democrat because he’s from Baltimore.

Note NYT goes off the record (note the dashed line) with Trump in his discussions about Rosenstein at least twice (including for his response to whether it was Sessions’ fault or Rosenstein’s that Mueller got appointed), and NYT’s reporters seemingly don’t think to point out to the President that he appeared to suggest he had no involvement in picking DOJ’s #2, which would seem to be crazy news if true.

Finally, Trump suggested (as he has elsewhere) Acting FBI Director Andrew McCabe is pro-Clinton.

Having attacked all the people who are currently or who have led the investigation into him (elsewhere in the interview, though, Trump claims he’s not under investigation), Trump then suggested that FBI Directors report directly to the President. In that context, he mentioned there’ll soon be a new FBI Director.

In other words, this mostly softball interview (though Peter Baker made repeated efforts to get Trump to explain the emails setting up the June 9, 2016 meeting) served as a largely unfettered opportunity for Trump to take aim at every major DOJ official and at the concept of all prosecutorial independence. And in that same interview, he intimated that the reporting requirements with Christopher Wray — who got nominated, ostensibly, because Comey usurped the chain of command requiring him to report to Loretta Lynch — would amount to Wray reporting directly to Trump.

Rosenstein does what he says Comey should be fired for

Close to the same time this interview was being released, Fox News released an “exclusive” interview with Rod Rosenstein, one of two guys who acceded to the firing of Jim Comey ostensibly because the FBI Director made inappropriate comments about an investigation. In it, the guy overseeing Mueller’s investigation into (in part) whether Trump’s firing of Comey amounted to obstruction of justice, Rosenstein suggested Comey acted improperly in releasing the memos that led to Mueller’s appointment.

And he had tough words when asked about Comey’s recent admission that he used a friend at Columbia University to get a memo he penned on a discussion with Trump leaked to The New York Times.

“As a general proposition, you have to understand the Department of Justice. We take confidentiality seriously, so when we have memoranda about our ongoing matters, we have an obligation to keep that confidential,” Rosenstein said.

Asked if he would prohibit releasing memos on a discussion with the president, he said, “As a general position, I think it is quite clear. It’s what we were taught, all of us as prosecutors and agents.”

While Rosenstein went on to defend his appointment of Mueller (and DOJ’s reinstatement of asset forfeitures), he appears to have no clue that he undermined his act even as he defended it.

Christopher Wray’s dodge ball

Which brings me to Wray’s confirmation hearing.

In fact, there were some bright spots in Christopher Wray’s confirmation hearing, mostly in its last dregs. For example, Dick Durbin noted that DOJ used to investigate white collar crime, but then stopped. Wray suggested DOJ had lost its stomach for such things, hinting that he might “rectify” that.

Similarly, with the last questions of the hearing Mazie Hirono got the most important question about the process of Wray’s hiring answered, getting Wray to explain that only appropriate people (Trump, Don McGahn, Reince Priebus, Mike Pence) were in his two White House interviews.

But much of the rest of the hearing alternated between Wray’s obviously well-rehearsed promises he would never be pressured to shut down an investigation, alternating with a series of dodged questions. Those dodges included:

  • What he did with the 2003 torture memo (dodge 1)
  • Whether 702 should have more protections (dodge 2)
  • Why did Trump fire Comey (dodge 3)
  • To what extent the Fourth Amendment applies to undocumented people in the US (dodge 4)
  • What we should do about junk science (dodge 5)
  • Whether Don Jr should have taken a meeting with someone promising Russian government help to get Trump elected (dodge 6)
  • Whether Lindsey Graham had fairly summarized the lies Don Jr told about his June 9, 2016 meeting (dodge 7)
  • Can the President fire Robert Mueller (dodge 8)
  • Whether it was a good idea to form a joint cyber group with Russia (dodge 9)
  • The role of tech in terrorist recruitment (dodge 9 the second)
  • Whether FBI Agents had lost faith in Comey (dodge 10)
  • Who was in his White House interview — though this was nailed down in a Hirono follow up (dodge 11)

Now, don’t get me wrong, this kind of dodge ball is par for the course for executive branch nominees in this era of partisan bickering — it’s the safest way for someone who wants a job to avoid pissing anyone off.

But at this time of crisis, we can’t afford the same old dodge ball confirmation hearing.

Moreover, two of the these dodges are inexcusable, in my opinion. First, his non-responses on 702. That’s true, first of all, because if and when he is confirmed, he will have to jump into the reauthorization process right away, and those who want basic reforms let Wray off the hook on an issue they could have gotten commitments on. I also find it inexcusable because Wray plead ignorance about 702 even though he played a key role in (not) giving defendants discovery on Stellar Wind, and otherwise was read into Stellar Wind after 2004, meaning he knows generally how PRISM works. He’s not ignorant of PRISM, and given how much I know about 702, he shouldn’t be ignorant of that, either.

But the big one — the absolutely inexcusable non answer that would lead me to vote against him — is his claim not to know the law about whether the President can fire Robert Mueller himself.

Oh, sure, as FBI Director, Wray won’t be in the loop in any firing. But by not answering a question the answer to which most people watching the hearing had at least looked up, Wray avoided going on the record on an issue that could immediately put him at odds with Trump, the guy who thinks Wray should report directly to him.

Add to that the Committee’s failure to ask Wray two other questions I find pertinent (and his answers on David Passaro’s prosecution either revealed cynical deceit about his opposition to torture or lack of awareness of what really happened with that prosecution).

The first question Wray should have been asked (and I thought would have been by Al Franken, who instead asked no questions) is the circumstances surrounding Wray’s briefing of John Ashcroft about the CIA Leak investigation in 2003, including details on Ashcroft’s close associate Karl Rove’s role in exposing Valerie Plame’s identity.

Sure, at some level, Wray was just briefing his boss back in 2003 when he gave Ashcroft details he probably shouldn’t have. The fault was Ashcroft’s, not Wray’s. But being willing to give an inappropriate briefing in 2003 is a near parallel to where Comey found himself, being questioned directly by Trump on a matter which Trump shouldn’t have had access to. And asking Wray to explain his past actions is a far, far better indication of how he would act in the (near) future than his rehearsed assurances he can’t be pressured.

The other question I’d have loved Wray to get asked (though this is more obscure) is how, as Assistant Attorney General for the Criminal Division under Bush, he implemented the July 22, 2002 Jay Bybee memo permitting the sharing of grand jury information directly with the President and his top advisors without notifying the district court of that sharing. I’d have asked Wray this question because it was something he would have several years of direct involvement with (potentially even with the Plame investigation!), and it would serve as a very good stand-in for his willingness to give the White House an inappropriate glimpse into investigations implicating the White House.

There are plenty more questions (about torture and the Chiquita settlement, especially) I’d have liked Wray to answer.

But in spite of Wray’s many rehearsed assurances he won’t spike any investigation at the command of Donald Trump, he dodged (and was not asked) key questions that would have made him prove that with both explanations of his past actions and commitments about future actions.

Given Trump’s direct assault on prosecutorial independence, an assault he launched while clearly looking forward to having Wray in place instead of McCabe, the Senate should go back and get answers. Trump has suggested he thinks Wray will be different than Sessions, Rosenstein, Comey, and McCabe. And before confirming Wray, the Senate should find out whether Trump has a reason to believe that.

Update: I did not realize that between the time I started this while you were all asleep and the time I woke up in middle of the night Oz time SJC voted Wray out unanimously, which is a testament to the absolute dearth of oversight in the Senate.

Jeff Sessions’ Narrow Recusal

/23 Comments/in , /by

Update: I was on Democracy Now on these issues today. Here’s the link.

As you know, after having two meetings with Russian Ambassador Sergey Kislyak that he did not reveal in response to specific questions posed as part of his confirmation process exposed, Attorney General Jeff Sessions recused from any investigation into the elections.

Contrary to much reporting on the recusal, it was nowhere near a complete recusal from matters pertaining to Trump’s administration and its’ ties to Russia. Here’s what Sessions said in his statement:

During the course of the confirmation proceedings on my nomination to be Attorney General, I advised the Senate Judiciary Committee that ‘[i]f a specific matter arose where I believed my impartiality might reasonably be questioned, I would consult with Department ethics officials regarding the most appropriate way to proceed.

During the course of the last several weeks, I have met with the relevant senior career Department officials to discuss whether I should recuse myself from any matters arising from the campaigns for President of the United States.

Having concluded those meetings today, I have decided to recuse myself from any existing or future investigations of any matters related in any way to the campaigns for President of the United States.

I have taken no actions regarding any such matters, to the extent they exist.

This announcement should not be interpreted as confirmation of the existence of any investigation or suggestive of the scope of any such investigation.

Consistent with the succession order for the Department of Justice, Acting Deputy Attorney General and U.S. Attorney for the Eastern District of Virginia Dana Boente shall act as and perform the functions of the Attorney General with respect to any matters from which I have recused myself to the extent they exist.

As I emphasized, the only thing he is recusing from is “existing or future investigations of any matters related in any way to the campaigns for President of the United States.”

There are two areas of concern regarding Trump’s ties that would not definitively be included in this recusal: Trump’s long-term ties to mobbed up businessmen with ties to Russia (a matter not known to be under investigation but which could raise concerns about compromise of Trump going forward), and discussions about policy that may involve quid pro quos (such as the unproven allegation, made in the Trump dossier, that Carter Page might take 19% in Rosneft in exchange for ending sanctions against Russia), that didn’t involve a pay-off in terms of the hacking. There are further allegations of Trump involvement in the hacking (a weak one against Paul Manafort and a much stronger one against Michael Cohen, both in the dossier), but that’s in no way the only concern raised about Trump’s ties with Russians.

The concern about the scope of Sessions’ recusal is underscored by the way in which he narrowly addressed his lies to the Senate. Here is his answer to Al Franken, which was a question about campaign surrogates, but did not ask about communications about the campaign.

FRANKEN: CNN has just published a story and I’m telling you this about a news story that’s just been published. I’m not expecting you to know whether or not it’s true or not. But CNN just published a story alleging that the intelligence community provided documents to the president-elect last week that included information that quote, “Russian operatives claimed to have compromising personal and financial information about Mr. Trump.” These documents also allegedly say quote, “There was a continuing exchange of information during the campaign between Trump’s surrogates and intermediaries for the Russian government.”

Now, again, I’m telling you this as it’s coming out, so you know. But if it’s true, it’s obviously extremely serious and if there is any evidence that anyone affiliated with the Trump campaign communicated with the Russian government in the course of this campaign, what will you do?

SESSIONS: Senator Franken, I’m not aware of any of those activities. I have been called a surrogate at a time or two in that campaign and I didn’t have — did not have communications with the Russians, and I’m unable to comment on it.

His press conference and a (surprisingly good) interview with Tucker Carlson underscores that he is just addressing questions about the election, not conversations with Russians generally (conversations that might address those other two concerns, especially that of influencing policy on things like Ukraine). In the interview, Sessions denied having conversations with Russians “on a continuing basis to advance any kind of campaign agenda” and said “I never had any conversations with the Russians about the campaign.”

By Sessions’ own admission, the conversation with Kislyak concerned Ukraine; he said Kislyak was pushing back on what the Ukrainian Ambassador had said just the day before, though Sessions claims he himself pushed back as well.

That’s important because they key policy issue on which there have been concerns about undue influence is Ukraine.

It is not illegal to have meetings with an Ambassador, where the Ambassador makes a case for policies his country supports — precisely what appears to have gone on in the meeting Sessions did not disclose. But the (thus far unproven) allegations involving other Trump officials go beyond that, without necessarily pertaining to the election. That’s why Sessions’ recusal is far too narrow to be meaningful.

After We Help the Saudis Commit More War Crimes We’re Going to Mars!

/4 Comments/in /by

mars-globe-valles-marineris-enhanced-br2This afternoon, the Senate had a debate on Chris Murphy and Rand Paul’s resolution to halt the sale of $1.5 billion in arms to the Saudis to use on their invasion of Yemen.

The debate was repulsive.

The opponents of the measure — led by Mitch McConnell, John McCain, and Lindsey Graham — had little to say about the well-being of Yemenis.

Lindsey even shrugged off both Saudi support for terrorism.

[shrugs] They have double dealing in the past of helping terrorist organizations.

And Saudi bombing of civilians.

They have dropped bombs on civilians. There’s no way to wage war without [shrugs again] mistakes being made.

But we had to help the Saudis kill Yemeni civilians, Lindsey argued, because Iran humiliated American sailors who entered Iranian waters, purportedly because of navigation errors.

That argument — one which expressed no interest in the well-being of Yemenis but instead pitched this as a battle for hegemony in the Middle East — held the day. By a vote of 71-27, the Senate voted to table the resolution.

If your Senators voted against tabling this amendment, please call to thank them:

Baldwin (D-WI)
Blumenthal (D-CT)
Booker (D-NJ)
Boxer (D-CA)
Cantwell (D-WA)
Durbin (D-IL)
Franken (D-MN)
Gillibrand (D-NY)
Heinrich (D-NM)
Heller (R-NV)
Hirono (D-HI)
Kirk (R-IL)
Klobuchar (D-MN)
Leahy (D-VT)
Lee (R-UT)
Markey (D-MA)
Murphy (D-CT)
Murray (D-WA)
Paul (R-KY)
Reid (D-NV)
Sanders (I-VT)
Schatz (D-HI)
Stabenow (D-MI)
Tester (D-MT)
Udall (D-NM)
Warren (D-MA)
Wyden (D-OR)

The creepiest thing, however, came just after the vote. Bill Nelson (D-Mission to Space) got up, not just to do a victory lap that the US would continue to support Saudi war crimes. But he also announced a resolution passed earlier, which funds NASA to send humans to Mars by 2030, with an eye to colonizing the red planet.

It was as if he was saying that proliferating arms and war crimes on this globe won’t matter so much because we can just go colonize another.

Surrogating the 2016 American Presidency

/74 Comments/in , , , , , /by

Tonight was the opening of the Democratic National Convention. It was a rather stunning difference from the scenes on the street yesterday and today, where there were minimal and well behaved cops in Philly as contrasted with the warrior cop oppressive stormtrooper presence in Cleveland. From my reporter friends from the Arizona Republic, the food is totally better in Philly too. Hey, armies move on food, and cheesesteaks rule.

Is everything coming up roses? Nope. There was the whole Debbie Wasserman Schultz thing. She was well advised by our friend David Dayen to stay away and excommunicate herself from the convention podium. But, crikey, the rest simply looks beautiful. Sanders supporters marching in the streets for change, mostly unfettered and unoppressed, other voices being heard, and all relative delegates meeting and co-existing in the halls. This ain’t the dysfunctional RNC bigoted shit show. That, in and of itself, would be worth this post. There is more.

Don’t let cable coverage and the relentless yammer of their panels of self interested toadies fool you, the few true camera pans at the RNC showed more than a few empty seats and a far smaller crowd (especially in the upper decks) than displayed tonight at the DNC.

The real tell, in difference, was in the quality of the speakers and presentation. The only lasting memory from the RNC’s opening night was the embarrassing plagiarism in Melania Trump’s speech. Honestly, my bet is that is not on her, but the understaffed and idiot handlers her narcissistic, yet bumbling, husband provided. That said, it was a res ipsa loquitur deal and, in the end, spoke for itself. What else do you remember from that night other than Tim Tebow did not appear? I got nuthin.

The first night of the DNC in Philly, however, came with a litany of decent and well presented folks presented to a full and energetic hall. Emphasis on full. The dynamics in staging and presentation were stark. As were the quality and mental coherence of the speakers. The first electric moment came when Sarah Silverman, who along with Al Franken, was doing a bit and intro to Paul Simon singing (a geriatric, albeit mesmerizing) Bridge Over Troubled Water. Silverman and Franken had to kill an extra 120 seconds or so and she blurted out some hard, and real, truth that her fellow Bernie Sanders supporters who refuse to help Clinton defeat Trump are flat out “being ridiculous”. Truer words have never been spoken.

But soon came Michelle Obama to the podium. I am not sure I have the words to describe how good Michelle was. As a convention speaker, a surrogate, a leader, a mother and as a First Lady embodying all of the above. Michelle Obama killed it. She blew the joint up. I don’t know how else to describe it, but if you did not witness it live, watch the video up at top. Just do it.

Frankly, at the conclusion of Michelle Obama’s speech, it was hard to see how the last two key speakers, Elizabeth Warren and Bernie Sanders, could possibly top the moment. Sadly, they could not. Liz Warren gave a great, and often in depth, speech. One that absolutely slayed Donald Trump in nearly every way. On its own, it would have been noteworthy. But sandwiched between the brilliance of Michelle Obama and Sanders, with his acolytes cheering and hers still reeling, it seemed good, but not great.

Bernie Sanders caught a little more fire, but mostly because of his yuuge contingent of supporters. And that is not just a good thing, it is a great thing. Sanders did everything, and more, he should have done in this speech by ginning up the classic points and issues his campaign, and its followers, were built on…and then transferring them to Clinton.

It did not work perfectly, but this will be a process up until the election date on November 8. Bernie went a long way, gracefully and patiently, tonight. And, while the cheering crowd appeared to be much more than just the “Sandernistas”, all of the hall seemed to get on board. That, along with Sarah Siverman telling holdout Bernie Busters to wake up and not be ridiculous, were giant steps in unifying support for Clinton over Trump.

Listen, I have been around the block a few times, and know I am supposed to lead with the headline. Sorry, this one worked up to it, and here it is. The RNC and Trump got their lousy bounce because the media, once again, cravenly portrayed what happened in Cleveland as normal, and tit for tat, with what is happening, and will happen, in Philadelphia. That is simply a ratings and craven click germinated lie. The difference is stark.

Nowhere is it more stark than in the picture painted as to the surrogates who will come out of the respective conventions to campaign for their respective candidate between now and November 8.

Um, let’s see, for the GOP we have Newt, Carson, Melania, Thiel, Flynn, Joe Arpaio and Chachi Baio. I excluded Ivanka because she might actually be competent. Seriously, that is basically it for Trump surrogates. From the whole convention. Even Clint Eastwood’s chair took a pass in this, the year of the Orange Faced Short Fingered Vulgarian Bigot.

Let’s compare that with what came out of the Democratic Convention’s first night. Sarah Silverman, Al Franken, Paul Simon, Eva Longoria, Corey Booker and, then, the big three…Michelle Obama, Liz Warren and Bernie Sanders. That is just the first night folks.

See a bit of a dichotomy in personality and credibility there?

Then picture that Clinton’s road warrior surrogates will include not just the above, but also Joe Biden, President Barack Obama and the Big Dog himself, Bill Clinton.

Elections are won in the trenches. Say what you will about Hillary Clinton, and I will probably join you on many negatives, but the Clintons do have a ground operation. And their surrogates are like the 1927 Yankees compared to the Bad News Bears for Trump and the RNC. How will Trump bolster his bench, by bringing in Roger Ailes to molest the women of America? Is there another ground plan for the Trump Juggalos?

Sure, Clinton can still muck it up and lose. She, and the DNC, have been beyond pathetic in how they have treated nearly half their party, and much of their activist base, during the primaries and aftermath. Not just ugly, but stupid. They deserve any hell they get for that, whether it comes from appropriately enraged Sanders supporters or from press reporting on hacks (THE RUSSIANS ARE COMING, THE RUSSIANS ARE COMING!!!)

Bottom line is this: Which set of surrogates would you think would do a better job spreading out over the country: Crazy Newt, Racist Flynn, Bigot Arpaio and Chachi, …. or Michelle Obama, Liz Warren, Bernie Sanders, Barack Obama and Joe Biden?

Think I will go with the latter, and I think they will reach a heck of a lot more voters who will actually engage than will the trite and petty bigots Trump will have on the public offer.

And the Dems have a laundry list of other quality surrogates who will stand up. Trump has apparent Klan worthy members like Jeff Sessions, felons like Don King and Mike Tyson, and people who seek to be them.

Who you gonna call when it comes time to vote?

Seems like an easy decision, especially when you consider that the next 30 to 35 years of ideological control of the Supreme Court hang in the balance.

How the Purpose of the Data Sharing Portal Changed Over the OmniCISA Debate

/2 Comments/in /by

Last year, House Homeland Security Chair Michael McCaul offered up his rear-end to be handed back to him in negotiations leading to the passage of OmniCISA on last year’s omnibus. McCaul was probably the only person who could have objected to such a legislative approach because it deprived him of weighing in as a conferee. While he made noise about doing so, ultimately he capitulated and let the bill go through — and be made less privacy protective — as part of the must-pass budget bill.

Which is why I was so amused by McCaul’s op-ed last week, including passage of OmniCISA among the things he has done to make the country more safe from hacks. Here was a guy, holding his rear-end in his hands, plaintively denying that, by claiming that OmniCISA reinforced his turf.

I was adamant that the recently-enacted Cybersecurity Act include key provisions of my legislation H.R. 1731, the National Cybersecurity Protection Advancement Act. With this law, we now have the ability to be more efficient while protecting both our nation’s public and private networks.

With these new cybersecurity authorities signed into law, the Department of Homeland Security (DHS) will become the sole portal for companies to voluntarily share information with the federal government, while preventing the military and NSA from taking on this role in the future.

With this strengthened information-sharing portal, it is critical that we provide incentives to private companies who voluntarily share known cyber threat indicators with DHS. This is why we included liability protections in the new law to ensure all participants are shielded from the reality of unfounded litigation.

While security is vital, privacy must always be a guiding principle. Before companies can share information with the government, the law requires them to review the information and remove any personally identifiable information (PII) unrelated to cyber threats. Furthermore, the law tasks DHS and the Department of Justice (DOJ) to jointly develop the privacy procedures, which will be informed by the robust existing DHS privacy protocols for information sharing.

[snip]

Given DHS’ clearly defined lead role for cyber information sharing in the Cybersecurity Act of 2015, my Committee and others will hold regular oversight hearings to make certain there is effective implementation of these authorities and to ensure American’s privacy and civil liberties are properly protected.

It is true that under OmniCISA, DHS is currently (that is, on February 1) the sole portal for cyber-sharing. It’s also true that OmniCISA added DHS, along with DOJ, to those in charge of developing privacy protocols. There are also other network defense measures OmniCISA tasked DHS with — though the move of the clearances function, along with the budget OPM had been asking for to do it right but not getting, to DOD earlier in January, the government has apparently adopted a preference for moving its sensitive functions to networks DOD (that is, NSA) will guard rather than DHS. But McCaul’s bold claims really make me wonder about the bureaucratic battles that may well be going on as we speak.

Here’s how I view what actually happened with the passage of OmniCISA. It is heavily influenced by these three Susan Hennessey posts, in which she tried to convince that DHS’ previously existing portal ensured privacy would be protected, but by the end seemed to concede that’s not how it might work out.

  1. CISA in Context: Privacy Protections and the Portal

  2. CISA in Context: The Voluntary Sharing Model and that “Other” Portal

  3. CISA in Context: Government Use and What Really Matters for Civil Liberties

Underlying the entire OmniCISA passage is a question: Why was it necessary? Boosters explained that corporations wouldn’t share willingly without all kinds of immunities, which is surely true, but the same boosters never explained why an info-sharing system was so important when experts were saying it was way down the list of things that could make us safer and similar info-sharing has proven not to be a silver bullet. Similarly, boosters did not explain the value of a system that not only did nothing to require cyber information shared with corporations would be used to protect their networks, but by giving them immunity (in final passage) if they did nothing with information and then got pawned, made it less likely they will use the data. Finally, boosters ignored the ways in which OmniCISA not only creates privacy risks, but also expands new potential vectors of attack or counterintelligence collection for our adversaries.

So why was it necessary, especially given the many obvious ways in which it was not optimally designed to encourage monitoring, sharing, and implementation from network owners? Why was it necessary, aside from the fact that our Congress has become completely unable to demand corporations do anything in the national interest and there was urgency to pass something, anything, no matter how stinky?

Indeed, why was legislation doing anything except creating some but not all these immunities necessary if, as former NSA lawyer Hennessey claimed, the portal laid out in OmniCISA in fact got up and running on October 31, between the time CISA passed the Senate and the time it got weakened significantly and rammed through Congress on December 18?

At long last DHS has publically unveiled its new CISA-sanctioned, civil-liberties-intruding, all-your-personal-data-grabbing, information-sharing uber vacuum. Well, actually, it did so three months ago, right around the time these commentators were speculating about what the system would look like. Yet even as the cleverly-labeled OmniCISA passed into law last month, virtually none of the subsequent commentary took account of the small but important fact that the DHS information sharing portal has been up and running for months.

Hennessey appeared to think this argument was very clever, to suggest that “virtually no” privacy advocates (throughout her series she ignored that opposition came from privacy and security advocates) had talked about DHS’ existing portal. She must not have Googled that claim, because if she had, it would have become clear that privacy (and security) people had discussed DHS’ portal back in August, before the Senate finalized CISA.

Back in July, Al Franken took the comedic step of sending a letter to DHS basically asking, “Say, you’re already running the portal that is being legislated in CISA. What do you think of the legislation in its current form?” And DHS wrote back and noted that the portal being laid out in CISA (and the other sharing permitted under the bill) was different in several key ways from what it was already implementing.

Its concerns included:

  • Because companies could share with other agencies, the bill permitted sharing content with law enforcement. “The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.”
  • The bill permitted companies to share more information than that permitted under the existing portal. “Unlike the President’s proposal, the Senate bill includes ‘any other attribute of a cybersecurity threat’ within its definition of cyber threat indicator.”
  • Because the bill required sharing in real time rather than in near-real time, it would mean DHS could not do all the privacy scrubs it was currently doing. “If DHS distributes information that is not scrubbed for privacy concerns, DHS would fail to mitigate and in fact would contribute to the compromise of personally identifiable information by spreading it further.”
  • Sharing in real rather than near-real time also means participants might get overloaded with extraneous information (something that has made existing info-sharing regimes ineffective). “If there is no layer of screening for accuracy, DHS’ customers may receive large amounts of information with dubious value, and may not have the capability to meaningfully digest that information.”
  • The bill put the Attorney General, not DHS, in charge of setting the rules for the portal. “Since sharing cyber threat information with the private sector is primarily within DHS’s mission space, DHS should author the section 3 procedures, in coordination with other entities.”
  • The 90-day implementation timeline was too ambitious; according to DHS, the bill should provide for an 180-day implementation. “The 90-day timeline for DHS’s deployment of a process and capability to receive cyber threat indicators is too ambitious, in light of the need to fully evaluate the requirements pertaining to that capability once legislation passes and build and deploy the technology.”

As noted, that exchange took place in July (most responses to it appeared in August). While a number of amendments addressing DHS’ concerns were proposed in the Senate, I’m aware of only two that got integrated into the bill that passed: an Einstein (that is, federal network monitoring) related request, and DHS got added — along with the Attorney General — in the rules-making function. McCaul mentioned both of those things, along with hailing the “more efficient” sharing that may refer to the real-time versus almost real-time sharing, in his op-ed.

Not only didn’t the Senate respond to most of the concerns DHS raised, as I noted in another post on the portal, the Senate also gave other agencies veto power over DHS’ scrub (this was sort of the quid pro quo of including DHS in the rule-making process, and it was how Ranking Member on the Senate Homeland Security Committee, Tom Carper, got co-opted on the bill), which exacerbated the real versus almost real-time sharing problem.

All that happened by October 27, days before the portal based on Obama’s executive order got fully rolled out. The Senate literally passed changes to the portal as DHS was running it days before it went into full operation.

Meanwhile, one more thing happened: as mandated by the Executive Order underlying the DHS portal, the Privacy and Civil Liberties Oversight Board helped DHS set up its privacy measures. This is, as I understand it, the report Hennessey points to in pointing to all the privacy protections that will make OmniCISA’s elimination of warrant requirements safe.

Helpfully, DHS has released its Privacy Impact Assessment of the AIS portal which provides important technical and structural context. To summarize, the AIS portal ingests and disseminates indicators using—acronym alert!—the Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII). Generally speaking, STIX is a standardized language for reporting threat information and TAXII is a standardized method of communicating that information. The technology has many interesting elements worth exploring, but the critical point for legal and privacy analysis is that by setting the STIX TAXII fields in the portal, DHS controls exactly which information can be submitted to the government. If an entity attempts to share information not within the designated portal fields, the data is automatically deleted before reaching DHS.

In other words, the scenario is precisely the reverse of what Hennessey describes: DHS set up a portal, and then the Senate tried to change it in many ways that DHS said, before passage, would weaken the privacy protections in place.

Now, Hennessey does acknowledge some of the ways OmniCISA weakened privacy provisions that were in DHS’ portal. She notes, for example, that the Senate added a veto on DHS’ privacy scrubs, but suggests that, because DHS controls the technical parameters, it will be able to overcome this veto.

At first read, this language would appear to give other federal agencies, including DOD and ODNI, veto power over any privacy protections DHS is unable to automate in real-time. That may be true, but under the statute and in practice DHS controls AIS; specifically, it sets the STIX TAXXI fields. Therefore, DHS holds the ultimate trump card because if that agency believes additional privacy protections that delay real-time receipt are required and is unable to convince fellow federal entities, then DHS is empowered to simply refuse to take in the information in the first place. This operates as a rather elegant check and balance system. DHS cannot arbitrarily impose delays, because it must obtain the consent of other agencies, if other agencies are not reasonable DHS can cut off the information, but DHS must be judicious in exercising that option because it also loses the value of the data in question.

This seems to flip Youngstown on its head, suggesting the characteristics of the portal laid out in an executive order and changed in legislation take precedence over the legislation.

Moreover, while Hennessey does discuss the threat of the other portal — one of the features added in the OmniCISA round with no debate — she puts it in a different post from her discussion of DHS’ purported control over technical intake data (and somehow portrays it as having “emerged from conference with the new possibility of an alternative portal” even though no actual conference took place, which is why McCaul is stuck writing plaintive op-eds while holding his rear-end). This means that, after writing a post talking about how DHS would have the final say on protecting privacy by controlling intake, Hennessey wrote another post that suggested DHS would have to “get it right” or the President would order up a second portal without all the privacy protections that DHS’ portal had in the first place (and which it had already said would be weakened by CISA).

Such a portal would, of course, be subject to all statutory limitations and obligations, including codified privacy protections. But the devil is in the details here; specifically, the details coded into the sharing portal itself. CISA does not obligate that the technical specifications for a future portal be as protective as AIS. This means that it is not just the federal government and private companies who have a stake in DHS getting it right, but privacy advocates as well. The balance of CISA is indeed delicate.

Elsewhere, Hennessey admits that many in government think DHS is a basket-case agency (an opinion I’m not necessarily in disagreement with). So it’s unclear how DHS would retain any leverage over the veto given that exercising such leverage would result in DHS losing this portfolio altogether. There was a portal designed with privacy protections, CISA undermined those protections, and then OmniCISA created yet more bureaucratic leverage that would force DHS to eliminate its privacy protections to keep the overall portfolio.

Plus, OmniCISA did two more things. First, as noted, back in July DHS said it would need 180 days to fully tweak its existing portal to match the one ordered up in CISA. CISA and OmniCISA didn’t care: the bill and the law retained the 90 day turnaround. But in addition, OmniCISA required DHS and the Attorney General develop their interim set of guidelines within 60 days (which as it happened included the Christmas holiday). That 60 deadline is around February 16. The President can’t declare the need for a second portal until after the DHS one gets certified, which has a 90 day deadline (so March 18). But he can give a 30 day notice that’s going to happen beforehand. In other words, the President can determine, after seeing what DHS and AG Lynch come up with in a few weeks, that that’s going to be too privacy restrictive and tell Congress FBI needs to have its own portal, something that did not and would not have passed under regular legislative order.

Finally, as I noted, PCLOB had been involved in setting up the privacy parameters for DHS’ portal, including the report that Hennessey points to as the basis for comfort about OmniCISA’s privacy risk. In final passage of OmniCISA, a PCLOB review of the privacy impact of OmniCISA, which had been included in every single version of the bill, got eliminated.

Hennssey’s seeming admission that’s the eventual likelihood appears over the course of her posts as well. In her first post, she claims,

From a practical standpoint, the government does not want any information—PII or otherwise—that is not necessary to describe or identify a threat. Such information is operationally useless and costly to store and properly handle.

But in explaining the reason for a second portal, she notes that there is (at least) one agency included in OmniCISA sharing that does want more information: FBI.

[T]here are those who fear that awarding liability protection exclusively to sharing through DHS might result in the FBI not getting information critical to the investigation of computer crimes. The merits of the argument are contested but the overall intention of CISA is certainly not to result in the FBI getting less cyber threat information. Hence, the fix.

[snip]

AIS is not configured to receive the full scope of cyber threat information that might be necessary to the investigation of a crime. And while CISA expressly permits sharing with law enforcement – consistent with all applicable laws – for the purposes of opening an investigation, the worry here is that companies that are the victims of hacks will share those threat indicators accepted by AIS, but not undertake additional efforts to lawfully share threat information with an FBI field office in order to actually investigate the crime.

That is, having decided that the existing portal wasn’t good enough because it didn’t offer enough immunities (and because it was too privacy protective), the handful of mostly Republican leaders negotiating OmniCISA outside of normal debate then created the possibility of extending those protections to a completely different kind of information sharing, that of content shared for law enforcement.

In her final post, Hennessey suggests some commentators (hi!!) who might be concerned about FBI’s ability to offer immunity for those who share domestically collected content willingly are “conspiracy-minded” even while she reverts to offering solace in the DHS portal protections that, her series demonstrates, are at great risk of bureaucratic bypass.

But these laws encompass a broad range of computer crimes, fraud, and economic espionage – most controversially the Computer Fraud and Abuse Act (CFAA). Here the technical constraints of the AIS system cut both ways. On one hand, the scope of cyber threat indicators shared through the portal significantly undercuts claims CISA is a mass surveillance bill. Bluntly stated, the information at issue is not of all that much use for the purposes certain privacy-minded – and conspiracy-minded, for that matter – critics allege. Still, the government presumably anticipates using this information in at least some investigations and prosecutions. And not only does CISA seek to move more information to the government – a specific and limited type of information, but more nonetheless – but it also authorizes at least some amount of new sharing.

[snip]

That question ultimately resolves to which STIX TAXII fields DHS decides to open or shut in the portal. So as CISA moves towards implementation, the portal fields – and the privacy interests at stake in the actual information being shared – are where civil liberties talk should start.

To some degree, Hennessey’s ultimate conclusion is one area where privacy (and security) advocates might weigh in. When the government provides Congress the interim guidelines sometime this month, privacy (and security) advocates might have an opportunity to weigh in, if they get a copy of the guidelines. But only the final guidelines are required to be made public.

And by then, it would be too late. Through a series of legislative tactics, some involving actual debate but some of the most important simply slapped onto a must-pass legislation, Congress has authorized the President to let the FBI, effectively, obtain US person content pertaining to Internet-based crimes without a warrant. Even if President Obama chooses not to use that authorization (or obtains enough concessions from DHS not to have to directly), President Trump may not exercise that discretion.

Maybe I am being conspiratorial in watching the legislative changes made to a bill (and to an existing portal) and, absent any other logical explanation for them, concluding those changes are designed to do what they look like they’re designed to do. But it turns out privacy (and security) advocates weren’t conspiratorial enough to prevent this from happening before it was too late.

Thursday Morning: Fast and Furious Edition

/21 Comments/in , , /by

[image (modified): Adam Wilson via Flickr]

[image (modified): Adam Wilson via Flickr]

Insane amount of overseas news overnight. Clearly did not include me winning $1.5B Powerball lottery. Attacks in Jakarta and Turkey are no joke.

Let’s move on.

Some U.S. utilities’ still wide open to hacking
Dudes, how many times do you need to be told your cheese is still hanging out in the wind? Some heads should roll at this point. US government’s Industrial Control Systems Cyber Emergency Response Team’s Marty Edwards sounded pretty torqued about this situation at the S4 ICS Security Conference this week. I don’t blame him; if a utility gets hacked, it’s not like your grandmother’s PC getting held ransom. It means the public’s health and safety are at risk. Get on it.

Your cellphone is listening to your TV — and you
Bruce Schneier wrote about the Internet of Things’ expansive monitoring of consumers, citing the example of SilverPush — an application which listens to your television to determine your consumption habits. Bet some folks thought this was an app still in the offing. Nope. In use now, to determine current TV program listings and ratings. Listening-to-your-consumption apps have now been around for years.

Wonder if our pets can hear all this racket inaudible to humans? Will pet food companies embed ads shouting out to our pets?

But you may be able to hide from devices
…depending on whether you are using location-based services, and if you can use the app developed by Binghamton University. A paper on this technology was presented last month at the Institute of Electrical and Electronics Engineers (IEEE) GLOBECOM Conference, Symposium on Communication & Information System Security. The lead researcher explained the purpose of the app:

“With Facebook, Twitter, LinkedIn and others we provide a huge amount of data to the service providers everyday. In particular, we upload personal photos, location information, daily updates, to the Internet without any protection,” Guo said. “There is such a chance for tragedy if that information is used to in a bad way.”

The app isn’t yet available, but when it is, it should prevent personally identifying location-based data from being used by the wrong folks.

VW emissions scandal: Well, this is blunt
I think you can kiss the idea of nuance goodbye, gang.

“Volkswagen made a decision to cheat on emissions tests and then tried to cover it up,” said CARB chair Mary Nichols in a statement.
“They continued and compounded the lie, and when they were caught they tried to deny it. The result is thousands of tons of nitrogen oxide that have harmed the health of Californians.”

Yeah. That.

The last bits
Nest thermostats froze out consumers after a botched update. (Do you really need internet-mediated temperature controls?)
Phone numbers may become a thing of the past if Facebook has its way. (Um, hell no to the Facebook. Just no.)
Senator Al Franken quizzes Google about data collection and usage on K-12 students. (Hope he checks toy manufacturers like Mattel and VTech, too.)

That’s a wrap, hope your day passes at a comfortable speed.

Why Is Congress Undercutting PCLOB?

/28 Comments/in /by

As I noted last month, the Omnibus budget bill undercut the Privacy and Civil Liberties Oversight Board in two ways.

First, it affirmatively limited PCLOB’s ability to review covert actions. That effort dates to June, when Republicans responded to PCLOB Chair David Medine’s public op-ed about drone oversight by ensuring PCLOB couldn’t review the drone or any other covert program.

More immediately troublesome, last minute changes to OmniCISA eliminated a PCLOB review of the implementation of that new domestic cyber surveillance program, even though some form of that review had been included in all three bills that passed Congress. That measure may have always been planned, but given that it wasn’t in any underlying version of the bill, more likely dates to something that happened after CISA passed the Senate in October.

PCLOB just released its semi-annual report to Congress, which I wanted to consider in light of Congress’ efforts to rein in what already was a pretty tightly constrained mandate.

The report reveals several interesting details.

First, while the plan laid out in April had been to review one CIA and one NSA EO 12333 program, what happened instead is that PCLOB completed a review on two CIA EO 12333 programs, and in October turned towards one NSA EO 12333 program (the reporting period for this report extended from April 1 to September 30).

In July, the Board voted to approve two in-depth examinations of CIA activities conducted under E.O. 12333. Board staff has subsequently attended briefings and demonstrations, as well as obtained relevant documents, related to the examinations.

The Board also received a series of briefings from the NSA on its E.O. 12333 activities. Board staff held follow-up sessions with NSA personnel on the topics covered and on the agency’s E.O. 12333 implementing procedures. Just after the conclusion of the Reporting Period, the Board voted to approve one in-depth examination of an NSA activity conducted under E.O. 12333. Board staff are currently engaging with NSA staff to gather additional information and documents in support of this examination.

That’s interesting for two reasons. First, it means there are two EO 12333 programs that have a significant impact on US persons, which is pretty alarming since CIA is not supposed to focus on Americans. It also means that the PCLOB could have conducted this study on covert operations between the time Congress first moved to prohibit it and the time that bill was signed into law. There’s no evidence that’s what happened, but the status report, while noting it had been prohibited from accessing information on covert actions, didn’t seem all that concerned about it.

Section 305 is a narrow exception to the Board’s statutory right of access to information limited to a specific category of matters, covert actions.

Certainly, it seems like PCLOB got cooperation from CIA, which would have been unlikely if CIA knew it could stall any review until the Intelligence Authorization passed.

But unless PCLOB was excessively critical of CIA’s EO 12333 programs, that’s probably not why Congress eliminated its oversight role in OmniCISA.

Mind you, it’s possible it was. Around the time the CIA review should have been wrapping up though also in response to the San Bernardino attack, PCLOB commissioner Rachel Brand (who was the lone opponent to review of EO 12333 programs in any case) wrote an op-ed suggesting public criticism and increased restrictions on intelligence agencies risked making the intelligence bureaucracy less effective (than it already is, I would add but she didn’t).

In response to the public outcry following the leaks, Congress enacted several provisions restricting intelligence programs. The president unilaterally imposed several more restrictions. Many of these may protect privacy. Some of them, if considered in isolation, might not seem a major imposition on intelligence gathering. But in fact none of them operate in isolation. Layering all of these restrictions on top of the myriad existing rules will at some point create an encrusted intelligence bureaucracy that is too slow, too cautious, and less effective. Some would say we have already reached that point. There is a fine line between enacting beneficial reforms and subjecting our intelligence agencies to death by a thousand cuts.

Still, that should have been separate from efforts focusing on cybersecurity.

There was, however, one thing PCLOB did this year that might more directly have led to Congress’ elimination of what would have been a legislatively mandated role in cybersecurity related privacy: its actions under EO 13636, which one of the EOs that set up a framework that OmniCISA partly fulfills. Under the EO, DHS and other departments working on information sharing to protect critical infrastructure were required to produce a yearly report on how such shared affected privacy and civil liberties.

The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

As PCLOB described in its report, “toward the end of the reporting period” (that is, around September), it was involved in interagency meetings discussing privacy.

The Board’s principal work on cybersecurity has centered on its role under E.O. 13636. The Order directs DHS to consult with the Board in developing a report assessing the privacy and civil liberties implications of cybersecurity information sharing and recommending ways to mitigate threats to privacy and civil liberties. At the beginning of the Reporting Period, DHS issued its second E.O. 13636 report. In response to the report, the Board wrote a letter to DHS commending DHS and the other reporting agencies for their early engagement, standardized report format, and improved reporting. Toward the end of the Reporting Period, the Board commenced its participation in its third annual consultation with DHS and other agencies reporting under the Order regarding privacy and civil liberties policies and practices through interagency meetings.

That would have come in the wake of the problems DHS identified, in a letter to Al Franken, with the current (and now codified into law) plan for information sharing under OmniCISA.

Since that time, Congress has moved first to let other agencies veto DHS’ privacy scrubs under OmniCISA and, in final execution, provided a way to create an entire bypass of DHS in the final bill before even allowing DHS as much time as it said it needed to set up the new sharing portal.

That is, it seems that the move to take PCLOB out of cybersecurity oversight accompanied increasingly urgent moves to take DHS out of privacy protection.

All this is just tea leaf reading, of course. But it sure seems that, in addition to the effort to ensure that PCLOB didn’t look too closely at CIA’s efforts to spy on — or drone kill — Americans, Congress has also decided to thwart PCLOB and DHS’ efforts to put some limits on how much cybersecurity efforts impinge on US person privacy.

The Pro-Scrub Language Added to CISA Is Designed to Eliminate DHS’ Scrub

/3 Comments/in /by

I’ve been comparing the Manager’s Amendment (MA) Richard Burr and Dianne Feinstein introduced Wednesday with the old bill.

A key change — one Burr and Feinstein have highlighted in their comments on the floor — is the integration of DHS even more centrally in the process of the data intake process. Just as one example, the MA adds the Secretary of Homeland Security to the process of setting up the procedures about information sharing.

Not later than 60 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall, in coordination with the heads of the appropriate Federal entities, develop and submit to Congress interim policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government. [my emphasis]

That change is applied throughout.

But there’s one area where adding more DHS involvement appears to be just a show: where it permits DHS conduct a scrub of the data on intake (as Feinstein described, this was an attempt to integrate Tom Carper’s and Chris Coons’ amendments doing just that).

This is also an issue DHS raised in response to Al Franken’s concerns about how CISA would affect their current intake procedure.

To require sharing in “real time” and “not subject to any delay [or] modification” raises concerns relating to operational analysis and privacy.

First, it is important for the NCCIC to be able to apply a privacy scrub to incoming data, to ensure that personally identifiable information unrelated to a cyber threat has not been included. If DHS distributes information that is not scrubbed for privacy concerns, DHS would fail to mitigate and in fact would contribute to the compromise of personally identifiable information by spreading it further. While DHS aims to conduct a privacy scrub quickly so that data can be shared in close to real time, the language as currently written would complicate efforts to do so. DHS needs to apply business rules, workflows and data labeling (potentially masking data depending on the receiver) to avoid this problem.

Second, customers may receive more information than they are capable of handling, and are likely to receive large amounts of unnecessary information. If there is no layer of screening for accuracy, DHS’ customers may receive large amounts of information with dubious value, and may not have the capability to meaningfully digest that information.

While the current Cybersecurity Information Sharing Act recognizes the need for policies and procedures governing automatic information sharing, those policies and procedures would not effectively mitigate these issues if the requirement to share “not subject to any delay [or] modification” remains.

To ensure automated information sharing works in practice, DHS recommends requiring cyber threat information received by DHS to be provided to other federal agencies in “as close to real time as practicable” and “in accordance with applicable policies and procedures.”

Effectively, DHS explained that if it was required to share data in real time, it would be unable to scrub out unnecessary and potentially burdensome data, and suggested that the “real time” requirement be changed to “as close to real time as practicable.”

But compare DHS’s concerns with the actual language added to the description of the information-sharing portal (the new language is in italics).

(3) REQUIREMENTS CONCERNING POLICIES AND PROCEDURES.—Consistent with the guidelines required by subsection (b), the policies and procedures developed and promulgated under this subsection shall—

(A) ensure that cyber threat indicators shared with the Federal Government by any entity pursuant to section 104(c) through the real-time process described in subsection (c) of this section—

(i) are shared in an automated manner with all of the appropriate Federal entities;

(ii) are only subject to a delay, modification, or other action due to controls established for such real-time process that could impede real-time receipt by all of the appropriate Federal entities when the delay, modification, or other action is due to controls—

(I) agreed upon unanimously by all of the heads of the appropriate Federal entities;

(II) carried out before any of the appropriate Federal entities retains or uses the cyber threat indicators or defensive measures; and

(III) uniformly applied such that each of the appropriate Federal entities is subject to the same delay, modification, or other action; and

This section permits one of the “appropriate Federal agencies” to veto such a scrub. Presumably, the language only exists in the bill because one of the “appropriate Federal agencies” has already vetoed the scrub. NSA (in the guise of “appropriate Federal agency” DOD) would be the one that would scare people, but such a veto would equally as likely to come from FBI (in the guise of “appropriate Federal agency” DOJ), and given Tom Cotton’s efforts to send this data even more quickly to FBI, that’s probably who vetoed it.

If you had any doubts the Intelligence Community is ordering up what it wants in this bill, the language permitting them a veto on privacy protections should alleviate you of those doubts.

On top of NSA and FBI’s veto authority, there’s an intentional logical problem here. DHS is one of the “appropriate Federal agencies,” but DHS is the entity that would presumably do the scrub. Yet if it can’t retain data before any other agency, it’s not clear how it could do a scrub.

In short, this seems designed to lead people to believe there might be a scrub (or rather, that under CISA, DHS would continue to do the privacy scrub they are currently doing, though they are just beginning to do it automatically) when, for several reasons, that also seems to be ruled out by the bill. And ruled out because one “appropriate Federal agency” (like I said, I suspect FBI) plans to veto such a plan.

So it has taken this Manager’s Amendment to explain why we need CISA: to make sure that DHS doesn’t do the privacy scrubs it is currently doing.

I’ll explain in a follow-up post why it would be so important to eliminate DHS’ current scrub on incoming data.