As part of my ongoing focus on Executive Order 12333, I’ve been reviewing how the Bush Administration changed the EO when, shortly after the passage of the FISA Amendments Act, on July 30, 2008, they rolled out a new version of the order, with little consultation with Congress. Here’s the original version Ronald Reagan issued in 1981, here’s the EO making the changes, here’s how the new and improved version from 2008 reads with the changes.
While the most significant changes in the EO were — and were billed to be — the elaboration of the increased role for the Director of National Intelligence (who was then revolving door Booz executive Mike McConnell), there are actually several changes that affected NSA.
Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.
The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,
In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.
The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.
In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.
Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.
In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.
And a more subtle change goes even further. Section 2.5 of the EO delegates authority to the AG to “approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes.” In both the original and the revised EO, that delegation must be done within the scope of FISA (or FISA as amended, in the revision). But in 1981, FISA surveillance had to be “conducted in accordance with that Act [FISA], as well as this Order,” meaning that the limits on US person collection and dissemination from the EO applied, on top of any limits imposed by FISA. The 2008 EO dropped the last clause, meaning that such surveillance only has to comply with FISA, and not with other limits in the EO.
That’s significant because there are at least three things built into known FISA minimization procedures — the retention of US person data to protect property as well as life and body, the indefinite retention of encrypted communications, and the broader retention of “technical data base information” — that does not appear to be permitted under the EO’s more general guidelines but, with this provision, would be permitted (and, absent Edward Snowden, would also be hidden from public view in minimization procedures no one would ever get to see).
In today’s HJC hearing on the NSA, there was extensive discussion about the risks of outsourcing the dragnet to the telecoms or — especially, to a third party holding all the data. It’s a concern I share.
That said, not a single person at the hearing seemed to be aware of this footnote, which has been in the phone dragnet primary orders since at least last April.
5 For purposes of this Order, “National Security Agency” and “NSA personnel” are defined as any employees of the National Security Agency/Central Security Service (“NSA/CSS” or “NSA”) and any other personnel engaged in Signals Intelligence (SIGINT) operations authorized pursuant to FISA if such operations are executed under the direction, authority, or control of the Director, NSA/Chief, CSS (DIRNSA).
If this language left any doubt that it permits contractors to directly query the database of every single phone-based relationship in the US, this language from Dianne Feinstein’s Fake FISA Fix bill report (which aims to codify the status quo) should eliminate them.
The Committee believes that, to the greatest extent practicable, all queries conducted to the authorities established under this section should be performed by Federal employees. Nonetheless, the Committee acknowledges that it may be necessary in some cases to use contractors to perform such queries. By using the term “government personnel” the Committee does not intend to prohibit such contractor use.
Contractors already have access to the dragnet.
If it presents a security threat to have contractors from Booz Allen Hamilton or some other intelligence contractor to have direct access to the dragnet, then we need to shut the dragnet down.
Because they’ve already got it.
In Volokh Conspiracy’s new digs at the WaPo, former DHS Assistant Secretary Stewart Baker pushes back on Georgetown Professor Randy Barnett’s call to end the Third Party doctrine in truly remarkable terms.
Randy’s solution to that problem is to overrule a line of Supreme Court cases (Smith v. Maryland) holding that no one has a reasonable expectation of privacy in information they’ve disclosed to a third party. With Smith v. Maryland set aside, the government would need a search warrant to see the metadata.
Overruling Supreme Court precedent is a law professor’s prerogative, but the rest of us don’t have to go along. And in fact the Smith v. Maryland doctrine makes sense, especially compared to Randy’s solution. We all learned no later than the third grade that secrets shared with another are not really secrets. They can be revealed at times and in ways we never expected. It hurts, but it’s a fact of life.
Randy’s solution is a fiction; he wants the courts to deny the facts of life and pretend that we still control information we willingly gave away. [my emphasis]
“We all learned no later than the third grade,” this Snowden critic says, “that secrets shared with another are not really secrets.”
Such secrets “can be revealed at times and in ways we never expected,” Baker warns.
“The facts of life,” prove that we do not “still control information we willingly gave away.”
Baker argues that the Third Party doctrine arises not as a matter of law, but as a matter of fact, the facts of life, that no entity that shares information with another entity can claim that information is secret.
The NSA, of course, willingly gives away information all the time. Huge chunks of that data go to Booz Allen Hamilton, the contractor Snowden worked for. Equally large chunks go to GCHQ. Chunks of that data go to Lockheed and SAIC and a slew of other contractors.
According to Stewart Baker’s facts of life, the NSA has no business expecting this data to remain secret. None. Believing such data is secret defies common third grade logic and the facts of life.
Now that a big defender of the NSA has made the case that the NSA, too, is subject to the Third Party doctrine, perhaps we can move forward on giving the Third Grade treatment to all of their secret programs so we can debate them like adults?
It is “really important that the government respond well to this particular abuse,” he said of the Snowden and Manning cases.
Mr. Hayden said he does not endorse some forms of exemplary punishment, “what the French call ‘for the encouragement of others.’”
But if hackers “have this attachment to transparency, perhaps the intelligence community is not where they should be,” he said, adding that the government needs to use the Snowden case to show that it is “serious.”
The former director of both the NSA and CIA said it is “very appropriate” for the U.S. government to pursue Mr. Snowden relentlessly and make his fate an issue in its bilateral relations with any nation that harbors him.
“We need to recruit from this culture,” he said. “Members of this culture, when they embrace government service with its necessary requirements of secrecy, need to be shown the government is quite serious about those necessary requirements.”
To WT’s credit, they do acknowledge that Hayden currently works for the Chertoff Group, one of the most corrupt profiteers off the war on terror.
But it doesn’t mention that Hayden’s the guy who decided it’d be a good idea to outsource NSA’s IT to companies like Booz Allen Hamilton so as to get more people “from this culture” working on NSA’s programs in the first place.
More importantly, it doesn’t mention that the 2009 Draft NSA IG Report that Snowden leaked provided new details about how Hayden made the final decision to continue the illegal wiretapping program even after DOJ’s top lawyers judged it illegal in 2004.
Edward Snowden leaked new details of Michael Hayden’s crime. He leaked new details of how Hayden betrayed the public trust in probably more serious fashion than Edward Snowden has.
And yet somehow Michael Hayden continues to be the primary go-to guy to talk about how serious this leak is? Michael Hayden gets to opine about how Edward Snowden should be made an example of?
Now, perhaps applying Hayden’s own logic would have been valuable years ago. Perhaps if Hayden had been made an example of himself, after he betrayed the public trust and broke the law, we not only would have more trust in the NSA, but we have a better understanding of what NSA did then and is doing now.
But since we didn’t, Michael Hayden remains one primary exhibit about why Snowden’s leaks, however illegal, have a certain legitimacy.
Because so long as Michael Hayden runs free, we know the government refuses to police itself on these issues.
It’s all very rich for one criminal to call for another criminal to be made an example of. But the responsible press should at least point out how ironic it is that the criminal who escaped justice insists those who have exposed new details of his own crime get the full brunt of it.
As reporting on Edward Snowden reveal the scope of our spying on European friends, I’ve been thinking a lot about SWIFT.
SWIFT, you recall, is the database tracking international online money transfers. After 9/11, the US Government started helping itself to the data to track terrorist financing. But then in 2010 the servers moved entirely to the EU, and the EU forced the US to accede to certain protections: protections for EU citizens, a prohibition on bulk collection (and with it data mining), and two-pronged audit system.
Today, the CEO of SWIFT until 2007, Leonard Schrank, and the former Homeland Security Advisor, Juan Zarate, boast about the controls on SWIFT, suggesting it provides a model for data collection with oversight.
Both the Treasury and Swift ensured that the constraints on the information retrieved and used by analysts were strictly enforced. Outside auditors hired by Swift confirmed the limited scope of use, and Swift’s own representatives (called “scrutineers”) had authority to stop access to the data at any time if there was a concern that the restrictions were being breached. These independent monitors worked on site at government agencies and had real-time access to the system. Every time an analyst queried the system, the scrutineer could immediately review the query. Each query had to have a reason attached to it that justified it as a counterterrorism matter. Over time, the scope of data requested and retained was reduced.
This confirmed that the information was being used in the way we said it was — to save lives.
The use of the data was legal, limited, targeted, overseen and audited. The program set a gold standard for how to protect the confidential data provided to the government. Treasury legally gained access to large amounts of Swift’s financial-messaging data (which is the banking equivalent of telephone metadata) and eventually explained it to the public at home and abroad.
It could remain a model for how to limit the government’s use of mass amounts of data in a world where access to information is necessary to ensure our security while also protecting privacy and civil liberties.
This description should already raise concerns about the so-called gold standard for spying. When “scrutineers” cohabit with those they’re supposed to be scrutinizing, it tends to encourage cooperation, not scrutiny.
And somehow, Schrank and Zarate neglect to mention that the vaunted audit process they describe was conducted by none other than Booz Allen Hamilton, the contractor that hired and let Edward Snowden abscond with the spying world’s crown jewels. And, as ACLU noted in a report for the EU in 2006, even during Schrank’s tenure, Booz was neck deep in aggressive surveillance.
But the real problem with highlighting SWIFT as a poster child of massive surveillance done right post-dates Schrank’s tenure (though he must know about this), when the EU’s independent audits for the first time revealed what went on in SWIFT queries. Among other things: the actual requests were oral, and therefore couldn’t be audited.
The report revealed that the Americans have been submitting largely identical requests–but then supplementing them with oral requests.
The oral requests, of course, make it impossible to audit the requests.
At the time of the inspection, Europol had received our requests for SWIFT data. Those four requests are almost identical in nature and request–in abstract terms–broad types of data, also involving EU Member States’ data. Due to their abstract nature, proper verification of whether the requests are in line with the conditions of the Article 4(2) of the TFTP Agreement–on the basis of the available documentation–is impossible. The JSB considers it likely that the information in the requests could be more specific.
Information provided orally–to certain Europol staff by the US Treasury Department, with the stipulation that no written notes are made–has had an impact upon each of Europol’s decisions; however, the JSB does not know the content of that information. Therefore, where the requests lack the necessary written information to allow proper verification of compliance with Article 4(2) of the TFTP Agreement, it is impossible to check whether this deficiency is rectified by the orally provided information. [my emphasis]
In addition, in spite of demands that the program include no bulk downloads, that’s precisely what the US was doing.
“We have given our trust to the other EU institutions, but our trust has been betrayed”, said Sophia in’t Veld (ALDE, NL), rapporteur on the EU-US Passenger Name Record (PNR) agreements. “This should be kept in mind when they want our approval for other agreements”, she declared.
“Somehow I am not surprised”, said Simon Busuttil (EPP, MT), recalling that “at the time of the negotiations last year we were not satisfied with having Europol controlling it - we wanted additional safeguards”. He added that ”the agreement is not satisfactory”, since it involves the transfer of bulk data, and insisted that ”we need an EU TFTP”.
For Claude Moraes (S&D, UK), the US demands are “too general and too abstract”. He also recalled that MEPs had insisted at the time that it must be specified how the US request would be made and that they needed to be “narrowly tailored”. A written explanation should accompany each request, he added.
This agreement is not in line with Member States’ constitutional principles and with fundamental rights, argued Jan Philipp Albrecht (Greens/EFA, DE). He highlighted the problem of bulk data transfer, “which is exactly what we have criticised before“. [my emphasis]
In other words, once an actual independent reviewer — not an embedded contractor like Booz — reviewed the program, it became clear it was designed to be impossible to audit, even while engaging in precisely the bulk downloads the Europeans feared.
Not only is the experience of SWIFT one reason why the Europeans are so quick to object to the scale of US spying on them. But it is actually a poster child for surveillance done wrong.
Contrary to what its boosters want you to believe.
For what it’s worth, I consider reports that the government doesn’t know what Edward Snowden took to be disinformation. And indeed, claims to that effect in this WaPo article are sourced to: “one former government official,”a “former senior U.S. official,” and “a former senior U.S. intelligence official who served in Russia.” There’s also “a senior intelligence official” who says only it’ll take months to complete the damage assessment on Snowden’s materials, which is different from claiming (as the other sources do) that Russia and China have what he took. And a “second senior intelligence official” who fearmongers improbably about how much easier this will make things on the terrorists.
But ultimately, most of the people claiming NSA doesn’t know what Snowden took are former officials, presumably out of the loop on such issues (unless, of course, they’re Booz Allen Hamilton revolving doormen).
Funny thing is, if all that were true — if the government is still struggling to figure out what Snowden took a month after he left NSA — it indicates that the government would not know if a Sysadmin at the NSA had spied on Americans, if ever, until months after someone did so.
But, promise, this giant dragnet is secure.
Update: Mark Hosenball’s version of this apparently organized leak (his is sourced to “several U.S. officials,” “one non-government source familiar with Snowden’s materials,” and “2 U.S. national security sources,” makes it fairly clear the government intends to release this disinformation — along with incorrect claims about the history of WikiLeaks — as a way to fearmonger about that connection.
Although WikiLeaks initially made the diplomatic cables available to media outlets, including the Guardian and New York Times, who redacted potentially sensitive information before publishing them, the website eventually released an entirely unredacted archive of the material, to the dismay of the Obama Administration. U.S. officials said the information put sources at risk and damaged relations with foreign governments.
The disinformation people spreading this story apparently are less worried about confirming genuine concerns about the security of these programs than they are about trying to catch up to WikiLeaks involvement with a new line of fearmongering.
Update: I changed the title of this after it was published.
The FT reports (and CNET repeats almost in its entirety) that former Director of National Intelligence Mike McConnell says we have had our 9/11 warning and we risk the cyber equivalent of a World Trade Center attack unless “urgent action” is taken.
A former US intelligence chief says the west has had its “9/11 warning” on cybersecurity and warns that unless urgent action is taken, the US faces “the cyber equivalent of the World Trade Center attack”.
According to John “Mike” McConnell, such an attack would bring the country’s banking system, power grid and other essential infrastructure to their knees.
Mind you, McConnell doesn’t appear to be talking about a real warning–the kind of intelligence that set George Tenet’s hair on fire in 2001. Rather, he says the recent attacks on Saudi Aramco and some banks’ internet interfaces constitutes that warning.
Sustained cyber attacks targeting the websites of a dozen major US banks including Wells Fargo, JPMorgan Chase and Bank of America, coupled with an earlier attack on Saudi Aramco, which erased data on two-thirds of the Saudi oil company’s corporate PCs, were examples of the growing threat.
McConnell apparently would have us believe that some crude DNS attacks on banks and an infiltrator’s attack on Saudi oil business (not production) computers is a hair on fire warning.
Leon Panetta made similarly unconvincing claims back in October.
Nevertheless, the FT presented McConnell’s warning without providing readers a few important details. First, here’s how they describe the background that qualifies McConnell to issue such warnings.
Mr McConnell, who served as director of the National Security Agency under President Bill Clinton and then as director of national intelligence under President George W. Bush and President Barack Obama, believes those corporate attacks should be treated as a further “wake-up call” to politicians and business leaders in the west.
Here’s the very important detail they left out.
Mike McConnell is Vice Chairman of Booz Allen Hamilton, where his primary roles include serving on the firm’s Leadership Team and leading Booz Allen’s rapidly expanding cyber business.
It is McConnell’s job to make the cyber threat seem as dangerous as possible so his employer can get rich by charging the government an arm and a leg to take “urgent action.” While I’m not sure where the emails are available anymore, one of the amusing features of the HB Gary emails liberated by Anonymous is Mike McConnelll licking his chops as he identified new purported threats to build business around.
More amusing still is this:
Mr McConnell said such an attack could see a country like Iran work with Russian criminals or Chinese hackers to target banks, the power grid and the computers that control routing and ticketing for planes and trains.
Mr McConnell said he doubted whether Iran or a terrorist group could undertake such a devastating assault at the moment but added that it is only a matter of time before the sophisticated tools needed fall into the wrong hands.
The government (and, apparently McConnell himself) believes Iran launched the attacks on Aramco and the banks. But as McConnell suggests, Iran couldn’t carry out a real 9/11 cyber-attack by itself: it’d have to have the help of Russian criminals or Chinese hackers to pull off a really serious attack.
Because, you see, cyberattacks aren’t as easy as McConnell’s fear-mongering suggests.
But note the scenario he envisions: “the sophisticated tools” needed for a cyber attack would “fall into the wrong hands” and enable such an attack.
Mike McConnell was Director of National Intelligence from 2007 to 2009. During his tenure, the StuxNet project moved from intelligence-gathering to testing to implementation. It is inconceivable the DNI, the former head of NSA, and former executive of BAH would be out of the loop on that operation.
In other words, McConnell is almost certainly one of the people involved in the decision to unleash these sophisticated tools in the first place. And now he’s screaming about the dangers he unleashed for profit.
It’s a very neat system our Military Intelligence Industrial Complex has created.