Charles McCullough

The Black Holes in USA Freedumber’s Inspector General Reports

I’m still working on understanding all the crud that is included in the USA Freedumber Act. And for the first time, I have looked really closely at the language on Inspector General Reports, which effectively modifies Section 106 of the 2005 PATRIOT Act Reauthorization. Not only does the language add a DOJ IG Report roughly parallel to the ones mandated for the years through 2006 for 2012 through 2014, but it adds an Intelligence Community IG Report for those 3 years.

I’ve long noted that that seems to leave 2010 and 2011 unexamined. That might be covered in the IG report Pat Leahy requested of the Intelligence Committee IG, Charles McCullough, though the dates are different and McCullough said he didn’t really have the time. So 2010 and 2011 may or may not currently being reviewed; they’re not required to be by the bill, however.

But upon closer review I’m just as interested in some holes the two reports will likely have, in combination.

What I realized when I reviewed the actual language, below, is that USA Freedumber is exploiting the fact that Section 215 was originally written exclusively for the FBI, even if the NSA and CIA and probably a bunch of other agencies are using it too (they’re doing this with minimization procedures elsewhere in the bill, too). Thus, they can leave language that applies specifically to FBI, and pretend that it applies to other agencies.

In practice, that leaves the DOJ IG to investigate general things about Section 215 use, including:

  • any noteworthy facts or circumstances relating to orders under such section, including any improper or illegal use of the authority provided under such section; and

  • the categories of records obtained and the importance of the information acquired to the intelligence activities of the Federal Bureau of Investigation or any other Department or agency of the Federal Government;

So long as FBI retains a role in the application process, it will have access to and can review the categories of records obtained, which is critical because this is one of the ways Congress will learn what those categories are.

But only the DOJ IG assesses whether Section 215 is adhering to law (as opposed to protecting Americanas’ constitutional rights). At one level, I’d much rather have DOJ IG perform this review, because we’ve never seen anything out of the IC IG resembling real oversight. Plus, under Glenn Fine, DOJ’s IG did point to real legal problems with the dragnet (which DOJ largely refused to fix, but which may have led to addition FISC opinions on those subjects). But I have questions whether DOJ’s IG would get enough visibility into what NSA and CIA and other agencies are doing with this data to perform a real review of the legality of it.

Then there are some somewhat parallel things both DOJ’s and IC’s IG would review, including:

  • the importance (IC IG) or effectiveness (DOJ IG) of Section 215

  • the manner in which that information was collected, retained, analyzed, and disseminated by the intelligence community;

  • the minimization procedures used by elements of the intelligence community under such title and whether the minimization procedures adequately protect the constitutional rights of United States persons; and

  • any minimization procedures proposed by an element of the intelligence community under such title that were modified or denied by the FISC

These are all well and good, and there’s the possibility that an IC IG review of how NSA analyzes and disseminates Section 215 data would find any of the most concerning potential practices.

I find the last two things DOJ’s IG would review at FBI but not even at DEA (if DEA uses Section 215), and which the IC IG would not review at all, the most telling.

  • whether, and how often, the Federal Bureau of Investigation used information acquired pursuant to an order under section 501 of such Act to produce an analytical intelligence product for distribution within the Federal Bureau of Investigation, to the intelligence community or to other Federal, State, local, or tribal government Departments, agencies, or instrumentalities; and
  • whether, and how often, the Federal Bureau of Investigation provided such information to law enforcement authorities for use in criminal proceedings

That is, the DOJ IG reports on how often the FBI uses Section 215 for finished intelligence products and how often it serves supports criminal proceedings. But it doesn’t track how often NSA uses Section 215 for finished intelligence products, nor does it track how often NSA uses Section 215 to investigate an American further.

The latter fact — that NSA isn’t counting how many Americans its targets because of Section 215 derived information — is not all that surprising. NSA has worked hard to obscure how many Americans have been sucked up in its analytical maw. Still, if we were serious about providing some transparency to the corporate store — where anyone 2 or 3 degrees from a RAS approved selector can get dumped and subjected to all of NSA’s analytical tradecraft forever — we’d require the IC IG to count this number, too.

And the fact that no one asks NSA and CIA how many finished intelligence reports they’re generating out of Section 215 is problematic both because it doesn’t identify how often NSA and CIA are sharing intelligence with FBI or National Counterterrorism Center or other agencies like DEA (which was one of the big problems with both the phone and Internet dragnet in 2009-10). But it also makes it harder for Congress to get a real understanding of how effective these tools are.

You can’t judge the efficacy of something you don’t measure.

To understand how important this is, consider the discussions about the phone dragnet we’ve had since last year. Everything has been measured in terms of reporting to FBI, which not only doesn’t disclose how many people are stuck in NSA’s maw, but to outsiders made the program look totally useless. We still don’t know precisely how the government is using the phone dragnet, because the data they’ve shared to describe its efficacy is probably not the most significant way it is used.

It seems the intelligence community would like to keep it that way. Continue reading

The NSA’s Retroactive Discovery of Tamerlan Tsarnaev

In the days after the Boston Marathon attack last year, NSA made some noise about expanding its domestic surveillance so as to prevent a similar attack.

But in recent days, we’ve gotten a lot of hints that NSA may have just missed Tamerlan Tsarnaev.

Consider the following data points.

First, in a hearing on Wednesday, Intelligence Community Inspector General Charles McCullough suggested that the forensic evidence found after the bombing might have alerted authorities to Tamerlan Tsarnaev’s radicalization.

Senator Tom Carper: If the Russians had not shared their initial tip, would we have had any way to detect Tamerlan’s radicalization?

[McCullough looks lost.]

Carper: If they had not shared their original tip to us, would we have had any way to have detected Tamerlan’s radicalization? What I’m getting at here is just homegrown terrorists and our ability to ferret them out, to understand what’s going on if someone’s being radicalized and what its implications might be for us.

McCullough: Well, the Bureau’s actions stemmed from the memo from the FSB, so that led to everything else in this chain of events here. You’re saying if that memo didn’t exist, would he have turned up some other way? I don’t know. I think, in the classified session, we can talk about some of the post-bombing forensics. What was found, and that sort of thing. And you can see when that radicalization was happening. So I would think that this would have come up, yes, at some point, it would have presented itself to law enforcement and the intelligence community. Possibly not as early as the FSB memo. It didn’t. But I think it would have come up at some point noting what we found post-bombing.

Earlier in the hearing (around 11:50), McCullough described reviewing evidence “that was within the US government’s reach before the bombing, but had not been obtained, accessed, or reviewed until after the bombing” as part of the IG Report on the attack. So some of this evidence was already in government hands (or accessible to it as, for example, GCHQ data might be).

We know some of this evidence not accessed until after the bombing was at NSA, because the IG Report says so. (See page 20)

Screen Shot 2014-04-12 at 12.37.13 PM

That may or may not be the same as the jihadist material Tamerlan posted to YouTube in 2012, which some agency claims could have been identified as Tamerlan even though he used a pseudonym for some of the time he had the account.

The FBI’s analysis was based in part on other government agency information showing that Tsarnaev created a YouTube account on August 17, 2012, and began posting the first of several jihadi-themed videos in approximately October 2012. The FBI’s analysis was based in part on open source research and analysis conducted by other U.S. government agencies shortly after the bombings showing that Tsarnaev’s YouTube account was created with the profile name “Tamerlan Tsarnaev.” After reviewing a draft of this report, the FBI commented that Tsarnaev’s YouTube display name changed from “muazseyfullah” to “Tamerlan Tsarnaev” on or about February 12, 2013, and suggested that therefore Tsarnaev’s YouTube account could not be located using the search term “Tamerlan Tsarnaaev” before that date.20 The DOJ OIG concluded that because another government agency was able to locate Tsarnaev’s YouTube account through open source research shortly after the bombings, the FBI likely would have been able to locate this information through open source research between February 12 and April 15, 2013. The DOJ OIG could not determine whether open source queries prior to that date would have revealed Tsarnaev to be the individual who posted this material.

20 In response to a DOJ OIG request for information supporting this statement, the FBI produced a heavily redacted 3-page excerpt from an unclassified March 19, 2014, EC analyzing information that included information about Tsarnaev’s YouTube account. The unredacted portion of the EC stated that YouTube e-mail messages sent to Tsarnaev’s Google e-mail account were addressed to “muazseyfullah” prior to February 12, 2013, and to “Tamerlan Tsarnaev” beginning on February 14, 2013. The FBI redacted other information in the EC about Tsarnaev’s YouTube and Google e-mail accounts.

The FBI may not have been able to connect “muazseyfullah” with Tamerlan, but that’s precisely what the NSA does with its correlations process; it has a database that does just that (though it’s unclear whether it would have collected this information, especially given that it postdated the domestic Internet dragnet being shut down).

Finally, there’s the matter of the Anwar al-Awlaki propaganda.

An FBI analysis of electronic media showed that the computers used by Tsarnaev contained a substantial amount of jihadist articles and videos, including material written by or associated with U.S.-born radical Islamic cleric Anwar al-Aulaqi. On one such computer, the FBI found at least seven issues of Inspire, an on-line English language magazine created by al-Aulaqi. One issue of this magazine contained an article entitled, “Make a Bomb in the Kitchen of your Mom,” which included instructions for building the explosive devices used in the Boston Marathon bombings.

Information learned through the exploitation of the Tsarnaev’s computers was obtained through a method that may only be used in the course of a full investigation, which the FBI did not open until after the bombings.

The FBI claims they could only find the stuff on Tamerlan’s computer using methods available in full investigations (this makes me wonder whether the FBI uses FISA physical search warrants to remotely search computer hard drives).

But that says nothing about what NSA (or even FBI, back in the day when they had the full time tap on Awlaki, though it’s unclear what kind of monitoring of his content they’ve done since the government killed him) might have gotten via a range of means, including, potentially, upstream searches on the encryption code for Inspire.

In other words, there’s good reason to believe — and the IC IG seems to claim – that the government had the evidence to know that Tamerlan was engaging in a bunch of reprehensible speech before he attacked the Boston Marathon, but they may not have reviewed it.

Let me be clear: it’s one thing to know a young man is engaging in reprehensible but purportedly protected speech, and another to know he’s going to attack a sporting event.

Except that this purportedly protected speech is precisely — almost exactly — the kind of behavior that has led FBI to sic multiple informants and/or undercover officers on other young men, including Adel Daoud and Mohamed Osman Mohamud, even in the absence of a warning from a foreign government.

And they didn’t here.

Part of the issue likely stems from communication failures between FBI and NSA. The IG report notes that “the relationship between the FBI and the NSA” was one of the most relevant relationships for this investigation. Did FBI (and CIA) never tell the NSA of the Russian warning? And clearly they never told NSA of his travel to Russia.

But part of the problem likely stems from the way NSA identifies leads — precisely the triaging process I examined here. That is, NSA is going to do more analysis on someone who communicates with people who are already targeted. Obviously, the ghost of Anwar al-Awlaki is one of the people targeted (though the numbers of young men who have Awlaki’s propaganda is likely huge, making that a rather weak identifier). The more interesting potential target would be William Plotnikov, the Canadian-Russian boxer turned extremist whom Tamerlan allegedly contacted in 2012 (and it may be this communication attempt is what NSA had in its possession but did not access until after the attacks). But I do wonder whether the NSA didn’t prioritize similar targets in countries of greater focus, like Yemen and Somalia.

It’d be nice to know the answer to these questions. It ought to be a central part of the debate over the NSA and its efficacy or lack thereof. But remember, in this case, the NSA was specifically scoped out of the heightened review (as happened after 9/11, which ended up hiding the good deal of warning the NSA had before the attack).

We’ve got a system that triggers on precisely the same kind of speech that Tamerlan Tsarnaev engaged in before he attacked the Marathon. But it didn’t trigger here.

Why not?

Surprise! DOJ IG’s 1,403 Day Old Section 215 Investigation Had a Baby!

As longtime readers know, I have long tracked a DOJ Inspector General investigation into FBI’s use of Section 215 and other PATRIOT Act authorities.

  • June 2010: Then DOJ IG Glenn Fine lays out investigation
  • June 2013: Transition to Michael Horowitz stalls PATRIOT investigation
  • August 2013: The investigation has been ongoing
  • September 2013: Pat Leahy calls for an IC IG investigation into 215 and 702; IC IG Charles McCullough declines
  • December 2013: Horowitz states current investigation limited by AG/DNI declassification of earlier reports

A good healthy obsession!

Since it’s been a while — the investigation is now 1,403 days old — yesterday I decided to nag the IG office.

They were mum on when we might finally see the report. Instead of offering details, they directed me to their new (apparently brand spanking new) “in the interest of transparency” page on their ongoing work.

It shows the long-promised report, still focusing on Section 215 use through 2009, as well as NSLs and pen register.

Use of National Security Letters, Section 215 Orders, and Pen Register and Trap-and-Trace Authorities under FISA from 2007 through 2009

The OIG is again examining the FBI’s use of NSLs and Section 215 orders for business records. This review is assessing the FBI’s progress in responding to the OIG’s recommendations in its first and second reports on the FBI’s use of NSLs and its report on the FBI’s improper use of exigent letters and other informal means to obtain telephone records. A focus of this review is the NSL subsystem, an automated workflow system for NSLs that all FBI field offices and headquarters divisions have been required to use since January 1, 2008, and the effectiveness of the subsystem in reducing or eliminating noncompliance with applicable authorities. The current review is also examining the number of NSLs issued and Section 215 applications filed by the FBI between 2007 and 2009, and any improper or illegal uses of these authorities. In addition, the review is examining the FBI’s use of its pen register and trap-and-trace authority under FISA.

But it also shows a report not mentioned in Michael Horowitz’ last report.

A report on the dragnet.

Bulk Telephony Review

The OIG is reviewing the FBI’s use of information derived from the National Security Agency’s (NSA) collection of telephony metadata obtained from certain telecommunications service providers under Section 215 of the Patriot Act. The review will examine the FBI’s procedures for receiving, processing, and disseminating leads the NSA develops from the metadata, and any changes that have been made to these procedures over time. The review will also examine how FBI field offices respond to leads, and the scope and type of information field offices collect as a result of any investigative activity that is initiated. In addition, the review will examine the role the leads have had in FBI counterterrorism efforts.

In truth, this investigation may not be all that distinct from the known PATRIOT authorities investigation. The minimization procedures for both – and therefore the way the information gets used, an issue central to both investigations — appear to be the same. And to the extent that the number of 215 orders with minimization procedures has been growing since 2010 indicates the FBI is collecting other information in bulk, the programs may well interrelate.

At first, I thought that this investigation, with the very significant exception of the way the dragnet serves to identify informants, might not reveal anything that problematic. Upon review, I’m not so sure. I’ll explain why in a follow-up report.

The one big difference between the two investigations, however (and I’ll discuss this at more length in the follow-up), is that dragnet investigation, unlike the PATRIOT Authority one, appears not to be time delimited. Whereas the older investigation only looks at practices through 2009, the dragnet investigation appears to be examining on-going practices. It seems to be investigating all the 215-related issues identified by Pat Leahy that the IC IG should investigate that come under DOJ’s jurisdiction.

So bad news good news! DOJ is still, 1,403 days later, investigating how the FBI used PATRIOT Act authorities 5 years ago, meaning more recent developments are not getting much attention.

But there is a potentially related investigation looking at what the FBI ingests from the phone dragnet (at least the small part relating to Section 215) right now.

The Day After Government Catalogs Data NSA Collected on Tsarnaevs, DOJ Refuses to Give Dzhokhar Notice

On Thursday, the Inspectors General of the Intelligence Community, DOJ, CIA, and DHS (but not NSA) released their report on the Marathon Bombing. While the public release was just a very condensed summary, included the redaction of both classified and “sensitive” information, and made no attempt to reconstruct data government agencies had or could have had on Dzhokhar Tsarnaev, the report did show that the NSA had data on Tamerlan Tsarnaev and that the FBI found information on his computers that NSA might have gotten via other means.

On Friday, prosecutors in the case against Dzhokhar refused to tell him what they collected under FISA.

Before I get into the government’s refusal on FISA notice — some of which has repercussions for other cases — let’s go over what electronic communications the government did have or could have had.

First, the IG Report (which did not specifically involve NSA’s IG and did not include Dzhokhar in its scope) nevertheless points to information NSA collected in 2012 that was not turned over to FBI until after the attack.

Screen Shot 2014-04-12 at 12.37.13 PM

The report also points to communications dating to January 2011, which is entirely redacted. This probably refers to communications the Russians intercepted, not the NSA (indeed, the report discusses NSA data, above, later in the same section, which indicates the earlier redaction doesn’t pertain to NSA). Though there’s no indication whether the NSA received notice of these communications, including the non-US person interlocutor located overseas involved in them, who would have been a legal NSA target.

Continue reading

Working Thread on the Combined Marathon IG Report

I started reading the Combined IG Report on the Marathon attack (including the DOJ, CIA, DHS, and Intelligence Community IGs, but not NSA). And the whole thing looked so bogus from the start, I figured a working thread was in order.

One thing to remember here: we’ve only got a 32-page summary that includes 5 pages of agency (but not CIA) response and a title page. We’re getting a mere fraction of the 168-page report.

To make things worse, some things are redacted that aren’t even classified, they’re just sensitive.

Redactions in this document are the result of classification and sensitivity designations we received from agencies and departments that provided information to the OIGs for this review. As to several of these classification and sensitivity designations, the OIGs disagreed with the bases asserted. We are requesting that the relevant entities reconsider those designations so that we can unredact those portions and make this information available to the public.

(PDF 2) Several things in this passage:

Law enforcement officials identified brothers Tamerlan and Dzhokhar Tsarnaev as primary suspects in the bombings. After an extensive search for the then unidentified suspects, law enforcement officials encountered Tamerlan and Dzhokhar Tsarnaev in Watertown, Massachusetts. Tamerlan Tsarnaev was shot during the encounter and was pronounced dead shortly thereafter.

First, they don’t say what law enforcement officials IDed the brothers. That sentence precedes one which claims there were “unidentified suspects,” which suggests they had suspicions before they were “IDed.” The word “encountered” is awfully suspicious, given that explanations of how the shootout in Watertown happened have been contradictory. And note they don’t say whether Tamerlan died immediately or not–again, an issue about which there’s some contention.

(PDF 2) Note they tell us Anzor’s ethnicity, but not his wife’s (who is more central to this narrative)?

(PDF 2) The report dodges legitimate questions about why the family got refugee status by referring only to “an immigration benefit.” Given reports the uncle had ties to the CIA, that benefit may be more than a simple asylum request.

(PDF 3) Note that, after having previously said the brothers were ID’ed by LE, they now specify FBI [Actually, I think that's wrong: this is still ambiguous about who IDed them]. But the timing is crazy: it says FBI reviewed its records by April 19, but never says when they were IDed, and doesn’t say whether they were reviewed during a period of suspicion.

By April 19, 2013, after the Tsarnaev brothers were identified as suspects in the bombings, the FBI reviewed its records and determined that in early 2011 it had received lead information from the FSB about Tamerlan Tsarnaev, had conducted an assessment of him, and had closed the assessment after finding no link or “nexus” to terrorism.

(PDF 4) This seems very broad. I wonder what they’re including? Online communications?

As a result, the scope of this review included not only information that was in the possession of the U.S. government prior to the bombings, but also information that existed during that time and that the federal government reasonably could have been expected to have known before the bombings.

(PDF 4) This passage and footnote are huge dodges, making the entire report meaningless.

We carefully tailored our requests for information and interviews to focus on information available before the bombings and, where appropriate, coordinated with the U.S. Attorney’s Office conducting the prosecution of alleged bomber Dzhokhar Tsarnaev.1

1 The initial lead information from the FSB in March 2011 focused on Tamerlan Tsarnaev, and to a lesser extent his mother Zubeidat Tsarnaeva. Accordingly, the FBI and other agencies did not investigate Dzhokhar Tsarnaev’s possible nexus to terrorism before the bombings, and the OIGs did not review what if any investigative steps could have been taken with respect to Dzhokhar Tsarnaev.

I’ll come back to this. But the indictment lists a number of things that the FBI, in their stings, have found and used to identify easy marks. They did not do so here, with Dzhokhar. Which raises real questions about why they chose not to pursue him when they’ve pursued so many other young men like Dzhokhar?

(PDF 4) Here’s who was included in this review:

We also requested other federal agencies to identify relevant information they may have had prior to the bombings. These agencies included the Department of Defense (including the National Security Agency (NSA)), Department of State, Department of the Treasury, Department of Energy, and the Drug Enforcement Administration.

There has been little discussion of DEA’s likely awareness of the brothers, but it is likely, given that they were dealing drugs with potential ties to organized crime. And NSA, but I harp on that too much. I’m curious what role DOE might have.

(PDF 4) Again, they specify they’re only looking at pre-attack data. Which dodges what they could have collected but didn’t.

Additionally, each OIG conducted or directed its component agencies to conduct database searches to identify relevant pre-bombing information.

(PDF 4-5) As with HHSC’s report, the FBI stalled here.

As described in more detail in the classified report, the DOJ OIG’s access to certain information was significantly delayed at the outset of the review by disagreements with FBI officials over whether certain requests fell outside the scope of the review or could cause harm to the criminal investigation. Only after many months of discussions were these issues resolved, and time that otherwise could have been devoted to completing this review was instead spent on resolving these matters.

(PDF 5) The 12333 passage makes it clear NSA had a big role here. But, again, its IG did not conduct an investigation.

(PDF 6-7) The CIA section is very thin. I assume some stuff is missing.

(PDF 8) Note the importance of NSA’s sharing with FBI here?

Of particular relevance to this review are the relationships between the FBI, CIA, and DHS, as well as the relationship between the FBI and the NSA, and the NCTC’s relationships throughout the Intelligence Community.

(PDF 8) This makes clear that the transcription and birthdate errors were in both FSB warnings; it’s just that CIA didn’t fix the second one.

Importantly, the memorandum included two incorrect dates of birth (October 21, 1987 or 1988) for Tamerlan Tsarnaev, and the English translation used by the FBI transliterated their last names as Tsarnayev and Tsarnayeva, respectively.

(PDF 10) This passage seems to admit that FBI could have, but did not, search FISA related databases. It also suggests there was a “certain telephone database,” which might include the Hemisphere database, which performs the same function as the NSA claims (falsely) the phone dragnet does. Note, too, that they’ve only checked for the Tsarnaevs in FBI databases. I’ll come back to these databases in a later post.

Additionally, the DOJ OIG determined that the CT Agent did not use every relevant search term known or available at the time to query the FBI systems, including certain telephone databases and databases that include information collected under authority of the Foreign Intelligence Surveillance Act (FISA). However, searches of FBI databases conducted at the direction of the DOJ OIG during this review produced little information beyond that identified by the CT Agent during the assessment, with the exception of additional travel-related data for Zubeidat Tsarnaeva.

(PDF 11) Note that the second FBI letter to FSB, dated October 7, 2011, postdated the FSB notice to CIA. But it also comes at a time when Boston area law enforcement were conducting an investigation into the murder of Tamerlan’s best friend. The Waltham murders are not mentioned at all in the unclassified report.

(PDF 12) The IG Report does not tell us the date in September when FSB provided notice to CIA. Given that Tamerlan may have just been or was about to be involved in a grisly murder, I find that omission very notable.

(PDF 12) Note you can be watchlisted without derogatory information. This seems to be because of the exception mentioned in FN 10. But fat lot of good it did in this case. Per the footnote, that exception subsequently got disqualified, though I bet it has been qualified again.

(PDF 12) The IG Report doesn’t even acknowledge there was some other kind of difference between the first and the later watchlist entries as indicated on pp 33-4 of the HHSAC Committee report, which suggests that discussion may be redacted entirely.

(PDF 16) Note that, as happens with all Legal Permanent Residents, Tamerlan was photographed (and fingerprinted) during immigration. I’m surprised there isn’t more discussion of this (though it may be classified). But one big point of this relatively new border protocol is to have recent pictures on hand in case, say, you need to do facial recognition on pictures from a terrorist attack. Were they used?

(PDF 19) Note the big redaction describing intercepted communications. This may simply describe what the Russians had collected, which led to their tip. But I do wonder whether NSA collected its own version, not least because details of the Russian intercept has been widely reported.

(PDF 20) Note that the discussion of Tamerlan’s (remember, Dzhokhar is not included here) computer materials is described solely in terms of what FBI could do. That’s different from what both DHS does (they track public online speech) and NSA. It’s unclear whether they could have found some of this using methods available to them, but the report’s silence on that point is notable.

The FBI’s analysis was based in part on other government agency information showing that Tsarnaev created a YouTube account on August 17, 2012, and began posting the first of several jihadi-themed videos in approximately October 2012. The FBI’s analysis was based in part on open source research and analysis conducted by other U.S. government agencies shortly after the bombings showing that Tsarnaev’s YouTube account was created with the profile name “Tamerlan Tsarnaev.”

[snip]

The DOJ OIG concluded that because another government agency was able to locate Tsarnaev’s YouTube account through open source research shortly after the bombings, the FBI likely would have been able to locate this information through open source research between February 12 and April 15, 2013. The DOJ OIG could not determine whether open source queries prior to that date would have revealed Tsarnaev to be the individual who posted this material.

The passage goes on to report the 7 copies of Inspire on one of the computers used by Tamerlan (again, there’s no mention of Dzhokhar here).

Something they’re not saying, but we know to be true.  Had they picked up Inspire either through a 702 upstream search or XKeyscore, they would have had identifiers that could have pegged Tsarnaev’s identity and tied it to all his other identities, regardless of the fact Tamerlan used an alias until February 2013.

And note the big redaction: NSA had information that dated to 2012, which may well have been the intercepts with Plotnikov.

Finally, note that FBI never turned over most of the information about Tamerlan’s Google accounts. The excuse (as noted above) was the ongoing investigation. But I wonder whether that’s ongoing investigation into the Waltham murder or the Marathon attack.

(PDF 25) Note the discussion of enhancement in the 2nd-to-last bullet. I believe this suggests that transliteration questions are only addressed with this enhancement.

(PDF 25) Note that they at least used to delete US person travel info after 6 months unless it represents terrorism information. This would arise from NCTC’s minimization procedures.

(PDF 32) As noted above, we don’t get John Brennan’s response to this, though he presumably sent one. I suspect that means there are classified recommendations for the Agency and that his response reflects that. While it’s not clear what the foreign target would be in this context (perhaps an investigation of the person to whom Zubeidat was speaking about Tamerlan wanting to join jihad?) but there seems to have been some.

Charles McCullough Too Busy Investigating Leakers to Investigate the Dragnet

As I noted back in September, Patrick Leahy and a bunch of other Senators asked the Intelligence Community Inspector General Charles McCullough to investigate the dragnet.

In particular, we urge you to review for calendar years 2010 through 2013:

  • the use and implementation of Section 215 and Section 702 authorities, including the manner in which information – and in particular, information about U.S. persons – is collected, retained, analyzed and disseminated;
  • applicable minimization procedures and other relevant procedures and guidelines, including whether they are consistent across agencies and the extent to which they protect the privacy rights of U.S. persons;
  • any improper or illegal use of the authorities or information collected pursuant to them; and
  • an examination of the effectiveness of the authorities as investigative and intelligence tools.

McCullough just answered.

No.

“At present, we are not resourced to conduct the requested review within the requested timeframe,” wrote McCullough, before adding he and other agency inspectors general are weighing now whether they can combine forces on a larger probe.

Leahy had asked McCullough to finish in what was then 15 months, December 2014, which would make it available for the PATRIOT Reauthorization due the next year.

Note, McCullough gave the same answer he and NSA’s IG gave when Ron Wyden asked how many Americans get caught up in the dragnet.

Not enough resources.

Mind you, he apparently has enough resources to do this:

Finally, we began to implement a program to lead IC-wide administrative investigations into unauthorized disclosures of classified information (i.e., “leak”) matters.

[snip]

The Investigations Division reviewed hundreds of closed cases from across the IC. Going forward, the division will engage in gap mitigation for those cases where an agency does not have the authority to investigate (multiple agencies or programs) or where DOJ declined criminal prosecution. The division will conduct administrative investigations with IG Investigators from affected IC elements to maximize efficiencies, expedite investigations, and enhance partnerships.

[snip]

The Investigations Division is reviewing 375 unauthorized disclosure case files.

But not enough resources to review a massive dragnet affecting every American in time to have results before the dragnet gets reauthorized.

Update: And apparently the Senate Intelligence Committee just told ODNI to investigate more leaks and pre-leaks.

  • Empowering the Director of National Intelligence to improve the government’s process to investigate (and reinvestigate) individuals with security clearances to access classified information;

The Dog Ate Charles McCullough’s Homework

Let’s take the narrative the Federal Government wants to tell us about the Boston Marathon attack.

Both FBI and CIA got tips from Russia in early- and mid-2011 implicating Tamerlan Tsarnaev in extremism which FBI, which appropriately has jurisdiction, investigated and entered into the relevant databases accessible to Joint Terrorism Task Force partners.

Later that year, the government alleges (based on the word of a guy they killed immediately thereafter), Tamerlan and Ibragim Todashev — and possibly Tamerlan’s brother Dzhokhar — knifed three friends and associates to death on 9/11 while they waited for pizza from a place the brothers may have once worked; while several of the people on both sides of that killing were involved in selling drugs, the presumed motive for that killing (especially given the date) pertains to Islamic extremism, not a drug and money dispute, in spite of or perhaps because of the pot and money left at the scene. After the killing, Tamerlan disappeared from the scene in Cambridge and was never interviewed by the cops. Senate Intelligence Committee members allege Russia passed on another warning about Tamerlan after October 2011, though the FBI insists it kept asking for more information to no avail.

The next year, Tamerlan left for Russia and Chechnya and Dagestan, but the Homeland Security dragnet missed him because Aeroflot misspelled his name (an issue that contributed to their missing the UndieBomb, too; Russia’s original tip to the FBI had gotten his birthdate wrong). While in Russia, Tamerlan met a bunch of Chechen extremists, several of whom were killed shortly after he met them. Then, Tamerlan returned to Boston, and he and his brother made some bombs out of pressure cookers and fireworks in his Cambridge flat (testimony of their cab driver notwithstanding), and then set them off near the finish line of the Boston Marathon, killing 3 and maiming hundreds.

In spite of the thousands of videos of the event, FBI’s prior investigation, and immigration records on the brothers including pictures, the government’s facial recognition software proved unable to find them (in spite of claims “FBI” officials were asking around Cambridge already), so the government released their pictures and set off a manhunt that resulted in Tamerlan’s death and the arrest of Dzhokhar.

That’s the story, right?

Two weeks after the attack, James Clapper tasked the Intelligence Community Inspector General, Charles McCullough, with investigating the attack to see if it could have been prevented (note, after the 2009 UndieBomb attack, the Senate Intelligence Committee conducted such an investigation but I’ve heard no peep of them doing so here). Also involved in that investigation are DOJ, DHS, and CIA’s IG, but not NSA’s IG, in spite of the fact that the Russians, at least, reportedly intercepted international texts implicating Tamerlan in planning jihad (though there’s no reason to believe the non-US side of those texts — a family member of the brothers’ mother — would have been a known CT target). (Note that, even as McCullough has been conducting this investigation, which ultimately involves information that has been leaked to the press, James Clapper has him conducting investigations into unauthorized leaks — does anyone else see the huge conflict here???)

Back on September 19 (perhaps not coincidentally the day after Ibragim Todashev’s friend Ashurmamad Miraliev was arrested in FL and questioned for 6 hours without a lawyer), McCullough wrote Congress to tell them that because “information relevant to the review is still being provided to the review team,” the review would be indefinitely delayed.

According to the BoGlo, McCullough is offering a new excuse for further delay: the shutdown.

Officials said the shutdown has hampered various agencies’ ability to conduct interviews, undertake research, or pay support personnel who are responsible for reviewing the operations of the government’s terrorism databases before the Marathon attack and determining whether information on the bombing suspects was properly handled.

[snip]

Last month congressional oversight communities were informed that while officials were “working diligently” to complete the review, the process of interviewing counter-terrorism officials and reviewing computer files had turned out to be more challenging than expected. McCullough, the intelligence community’s inspector general, said at the time that “information relevant to the review is still being provided to the review teams.”

A senior Senate staffer, who was not authorized to speak publicly, said briefings recently scheduled for intelligence officials to brief key congressional committees on the progress of the review were canceled.

So here we are over 6 months after the attack, and an inquiry purportedly reviewing whether our CT information sharing (led by the National Counterterrorism Center, which reports to Clapper, to whom McCullough also reports as a non-independent IG) did what it was supposed to, is still having trouble reviewing the actual databases (!?!?), ostensibly because they had to furlough the support people doing that rather than allow them to figure out how to fix problems to prevent the next terrorist attack. (Remember, James Clapper testified he had furloughed 70% of civilian IC staff, to the shock of Chuck Grassley and others.)

Perhaps that’s the problem. Perhaps it is the case that in 6 months time, IC support personnel had not yet been able to access and assess the database counterterrorism professionals are expected to monitor and respond to almost instantaneously. If that is the case, it, by itself, ought to be huge news.

Or perhaps there’s something about the Waltham investigation that has made it newly embarrassing that warnings before and — if blathery Senators are to be believed — after the murders didn’t focus more attention on Tamerlan Tsarnaev.

The Kiddie Porn and the UndieBomb

Screen shot 2013-09-26 at 1.22.11 PMI was at a funeral Monday and Tuesday. So when I heard the FBI had busted the guy who leaked the UndieBomb 2.0 story, I assumed they had finally arrested John Brennan.

But, as bmaz emphasized in his post on Donald Sachtleben’s plea agreement, there’s no hint of prosecuting Brennan, who leaked Top Secret details about the British/Saudi double agent into AQAP, even while they’re imprisoning Donald Sachtleben, who is only accused of leaking details he knew to be Secret.

A law enforcement official indicated that the case has not been officially closed but the charges against Sachtleben are the only ones expected.

(Sure, the evidence that Sachtleben was involved with kiddie porn seems solid, but then Brennan drone-killed children, so he’s not above reproach for his treatment of children either.)

But that is by no means the weirdest thing about the government’s treatment of the UndieBomb 2.0 leak investigation.

The entire premise of the FBI narrative is that they exercised greater care with a kiddie porn accusee they had dead to rights than they did the 100 or so AP reporters who got sucked up in their overbroad dragnet. They would have you believe that, even after seizing a CD holding a November 2, 2006 SECRET CIA intelligence report at Sachtleben’s house in May 2012 pursuant to a kiddie porn warrant (which they have not produced in the docket), they just sat on his devices for almost a year until they obtained the phone records for 20 AP phone lines, in a seizure far more intrusive into journalism than any recent known subpoena.

Sachtleben was identified as a suspect in the case of this unauthorized disclosure only after toll records for phone numbers related to the reporter were obtained through a subpoena and compared to other evidence collected during the leak investigation. This allowed investigators to obtain a search warrant authorizing a more exhaustive search of Sachtleben’s cell phone, computer, and other electronic media, which were in the possession of federal investigators due to the child pornography investigation.

(I may be mistaken, but I don’t think the FBI made this claim in any court document, so I assume it is bullshit, especially since they had had to do extensive forensic searches of Sachtleben’s computer and he had already signed a plea deal forfeiting it.)

They would also have you believe the AP had no inkling of the UndieBomb plot until ABC reported inflammatory claims about cavity bombs on April 30, 2012, even in spite of ABC’s reference to TSA head John Pistole’s earlier fear-mongering about it and in spite of additional reporting about broad Air Marshall mobilization. DOJ goes to great lengths to make you believe AP first texted Sachtleben on April 30 and not, say, on April 28 (which would mean the kiddie porn investigation accelerated after such contact), though there’s no reason to believe that’s true and the AP call records DOJ obtained apparently go back to well before April 30. They also suggest AP was asking Sachtleben about an Asiri bomb, though the first text they include is an assertion — not a question — that Asiri has been busy.

They would have you believe that two Pulitzer Prize winners would defy White House and CIA wishes with a story sourced to a single source who, just a day earlier, had provided a mistaken guess about the excitement. Continue reading

1,186 Days into IG Report Covering Dragnet, Leahy Calls for Another

As I’ve been tracking, DOJ’s Inspector General Office — now led by Michael Horowitz — has been working on a report on the use of Section 215 and Pen Register/Trap and Trace authorities up through 2009 for 1,186 days, well over 3 years. We have yet to see that outsider review of all the problems the NSA admitted in 2009, 4 years ago, and so NSA’s incredible claim it was too stupid to know what it was doing has been accepted unquestioningly.

On Monday, Patrick Leahy and several other Senate Judiciary Committee Senators called on the Intelligence Committee Inspector General, Charles McCullough, to conduct a similar inquiry for the period since 2009.

Recently declassified documents appear to reveal numerous violations of law and policy in the implementation of these authorities, including what the FISA Court characterized as three “substantial misrepresentation[s]” to the Court.  These declassified documents also demonstrate that the implementation of these authorities involves several components of the Intelligence Community (IC), including the National Security Agency, Department of Justice, Federal Bureau of Investigation, Central Intelligence Agency, and the Office of the Director of National Intelligence, among others.

We urge you to conduct comprehensive reviews of these authorities and provide a full accounting of how these authorities are being implemented across the Intelligence Community.  The IC Inspector General was created in 2010 for this very purpose.  Comprehensive and independent reviews by your office of the implementation of Sections 215 and 702 will fulfill a critical oversight role.  Providing a publicly available summary of the findings and conclusions of these reviews will help promote greater oversight, transparency, and public accountability.

In conducting such reviews, we encourage you to draw on the excellent work already done by the Inspectors General of several agencies, including the Department of Justice, in reviewing these authorities.  But only your office can bring to bear an IC-wide perspective that is critical to effective oversight of these programs.  The reviews previously conducted have been more narrowly focused – as might be expected – on a specific agency.

In particular, we urge you to review for calendar years 2010 through 2013:

  • the use and implementation of Section 215 and Section 702 authorities, including the manner in which information – and in particular, information about U.S. persons – is collected, retained, analyzed and disseminated;
  • applicable minimization procedures and other relevant procedures and guidelines, including whether they are consistent across agencies and the extent to which they protect the privacy rights of U.S. persons;
  • any improper or illegal use of the authorities or information collected pursuant to them; and
  • an examination of the effectiveness of the authorities as investigative and intelligence tools.

We’ll see how McCullough responds to this. My impression thus far has been that he is too close to the IC Agencies. Plus, he’s very busy conducting insider leak investigations.

But even though we’ve been waiting forever for the IG Report covering the earlier period, apparently Leahy has learned one thing from it. He gave McCullough a deadline this time.

Please proceed to administratively perform reviews of the implementation of Section 215 of the USA PATRIOT Act and Section 702 of FISA, and submit the reports no later than December 31, 2014.

If all goes well, this should provide a quasi-independent review of the programs before they get extended again in 2015.

If NSA Commits Database Query Violations, But Nobody Audits Them, Do They Really Happen?

Barton Gellman, at the beginning of the worthwhile video above, addresses something I addressed here: the only way the government can claim they haven’t “abused” the rules governing NSA activities is by treating all abuse done in the name of the mission as a mistake.

The President, like a lot of people who work for him, has a very narrow definition of two key words in that passage. One is “abuse” and the other is “inappropriately.” As the government depicts it — and this is language it’s using that it does not, frankly, explain.

Abuse — the only kind of abuse that exists would be if, say, an NSA employee were to stalk his ex-wife or spy on movie stars or something of that nature. If they are performing the mission that the NSA wants them to perform, and nevertheless overstep their legal authority, make unauthorized interceptions or searches or retentions or sharing of secret information, that is not abuse, that’s a mistake.

That’s how they get to pretend the 9% to 20% of violations in which a person does not follow the rules seemingly intentionally (these are distinct from human error and training violations) does not constitute an abuse.

With that in mind, I wanted to look more closely at what the audit report says about how errors are found, as shown primarily in this figure:

Screen shot 2013-08-20 at 10.21.25 AM

That looks pretty good on the face, with 64% of all violations found via automated alert, plus a few more — data flow analysis and traffic scanning — that involve technological review.

But this detail on the roamer problem (in which valid foreign targets continue to be targeted when they travel to the US) explains what that’s not all that impressive.  Continue reading

Emptywheel Twitterverse
bmaz RT @LegallyErin: There's something very sexy about Anthony Hopkins as Hannibal. I always date the worst guys.
1hreplyretweetfavorite
bmaz @imraansiddiqi You seemed like such a respectable chap, and now here you are talking about Kardashians. #Shame
2hreplyretweetfavorite
bmaz @cody_k I went as a Pando journalist blowing shit out of my ass about Greenwald.
2hreplyretweetfavorite
bmaz @dcbigjohn @erinscafe In or out of the furry costume?
2hreplyretweetfavorite
bmaz RT @AntheaButler: Hands up, don't shoot. RT @deray: Superhero protest. #Ferguson http://t.co/ejnhDLq7jv
2hreplyretweetfavorite
bmaz @JoshuaADouglas @rickhasen @chrislhayes And I ask because that was why I blew off the injunction+contemplated whether were provable damages.
2hreplyretweetfavorite
bmaz @JoshuaADouglas @rickhasen @chrislhayes Question since you are in state there, is hearing even possible before the injunction would be moot?
2hreplyretweetfavorite
bmaz @JoshuaADouglas @rickhasen @chrislhayes Exactly. But with the defenses, hard to see an injunction burden being met.
2hreplyretweetfavorite
bmaz @JoshuaADouglas @rickhasen @chrislhayes Not to mention the actual public figure blah blah blah that will lead the defense. Meh.
2hreplyretweetfavorite
bmaz @JoshuaADouglas @rickhasen @chrislhayes I think that's debatable, but assuming so, what are provable damages in an election context?
2hreplyretweetfavorite
bmaz The Guantánamo Tapes http://t.co/r6JfRJl7r4 Yes, of course force feeding tapes depict torture, why you think govt fights to keep classified?
3hreplyretweetfavorite
bmaz @gideonstrumpet @ScottGreenfield @LilianaSegura @roomfordebate My entry up:More Catcalling Debate Room Needed at NYT https://t.co/8k1CNdwGhx
3hreplyretweetfavorite
November 2014
S M T W T F S
« Oct    
 1
2345678
9101112131415
16171819202122
23242526272829
30