A group of privacy and security organizations have just sent President Obama a letter asking him to issue a veto threat over the Cybersecurity Information Sharing Act passed out of the Senate Intelligence Committee last week. It’s a great explanation of why this bill sucks and doesn’t do what it needs to to make us safer from cyberattacks. It argues that CISA’s exclusive focus on information sharing — and not on communications security more generally — isn’t going to keep us safe.
Which is why it really pays to look at the role of SIFMA — the Securities Industry and Financial Markets Association — in all this.
As I’ve noted, they’re the banksters whom Keith Alexander is charging big bucks to keep safe. As Bloomberg recently reported, Alexander has convinced SIFMA to demand a public-private cyber war council, involving all the stars of revolving door fearmongering for profit.
Wall Street’s biggest trade group has proposed a government-industry cyber war council to stave off terrorist attacks that could trigger financial panic by temporarily wiping out account balances, according to an internal document.
The proposal by the Securities Industry and Financial Markets Association, known as Sifma, calls for a committee of executives and deputy-level representatives from at least eight U.S. agencies including the Treasury Department, the National Security Agency and the Department of Homeland Security, all led by a senior White House official.
The trade association also reveals in the document that Sifma has retained former NSA director Keith Alexander to “facilitate” the joint effort with the government. Alexander, in turn, has brought in Michael Chertoff, the former U.S. Secretary of Homeland Security, and his firm, Chertoff Group.
Public reporting positions SIFMA as the opposition to the larger community of people who know better, embracing this public-private war council approach.
Kenneth Bentsen, chief executive at the Securities Industry and Financial Markets Association, said in a statement that leaders of the Senate Intelligence panel who wrote the bill have “taken a balanced and considered approach which will help the financial services industry to better protect our customers from cyber terrorists and criminals, as well as their privacy.”
According to the same banksters who crashed our economy 6 years ago, this bill is about protecting them at the expense of our privacy and rule of law.
Cyber attacks are increasingly a major threat to our financial system. As such, enhancing cyber security is a top priority for the financial services industry. SIFMA believes we have an obligation to do everything possible to protect the integrity of our markets and the millions of Americans who use financial services every day.
However, the threat increases every day. SIFMA and its members have undertaken additional efforts to develop cyber defense standards for the securities industry sector as a follow on to the recently published NIST standards. And we are developing enhanced recovery protocols for market participants and regulators in the event of an attack that results in closure of the equity and fixed income markets. We are undertaking this work in close collaboration with our regulators and recently held a meeting to brief them on our progress. And, we plan to increase our efforts even further as the risks are too great for current efforts alone.
We know that a strong partnership between the private sector and the government is the most efficient way to address this growing threat. Industry and investors benefit when the private sector and government agencies can work together to share relevant threat information. We would like to see more done in Congress to eliminate the barriers to legitimate information sharing, which will enable this partnership to grow stronger, while protecting the privacy of our customers.
This is not — contrary to what people like Dianne Feinstein are pretending — protecting the millions who had their credit card data stolen because Target was not using the cyberdefenses it put into place.
Rather, this is about doing the banksters’ bidding, setting up a public-private war council, without first requiring them to do basic things — like limiting High Frequency Trading — to make their industry more resilient to all kinds of attacks, from even themselves.
Meanwhile, if that’s not enough indication this is about the banksters, check out what Treasury Secretary Jack Lew is doing this afternoon.
In the afternoon, the Secretary will visit Verizon’s facilities in Ashburn, Virginia to discuss cybersecurity and highlight the important role of telecommunications companies in supporting the financial system.
Just what we need: our phone provider serving the interests of the financial system first.
DiFi wants to make it easier to spy on Americans domestically to help private companies that have already done untold damage to Main Street America. We ought to be protecting ourselves from them, not degrading privacy to subsidize their insecure practices.
In addition to its exposure of the sheer senselessness of much of the spying NSA engages in, yesterday’s WaPo story also shows that the government’s assurances that Edward Snowden could not access raw data have been misplaced.
For close to a year, NSA and other government officials have appeared to deny, in congressional testimony and public statements, that Snowden had any access to the material.
As recently as May, shortly after he retired as NSA director, Gen. Keith Alexander denied that Snowden could have passed FISA content to journalists.
“He didn’t get this data,” Alexander told a New Yorker reporter. “They didn’t touch —”
“The operational data?” the reporter asked.
“They didn’t touch the FISA data,” Alexander replied. He added, “That database, he didn’t have access to.”
Robert S. Litt, the general counsel for the Office of the Director of National Intelligence, said in a prepared statement that Alexander and other officials were speaking only about “raw” intelligence, the term for intercepted content that has not yet been evaluated, stamped with classification markings or minimized to mask U.S. identities.
“We have talked about the very strict controls on raw traffic, the training that people have to have, the technological lockdowns on access,” Litt said. “Nothing that you have given us indicates that Snowden was able to circumvent that in any way.”
In the interview, Snowden said he did not need to circumvent those controls, because his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center gave him “unusually broad, unescorted access to raw SIGINT [signals intelligence] under a special ‘Dual Authorities’ role,” a reference to Section 702 for domestic collection and Executive Order 12333 for collection overseas. Those credentials, he said, allowed him to search stored content — and “task” new collection — without prior approval of his search terms.
No one should ever have believed those assurances.
That’s because the documentation on the Section 215 program makes it clear how little oversight there is over tech people just like Snowden. The current phone dragnet order, for example, makes it clear that:
The audit language in the dragnet order applies only to “foreign intelligence analysis purposes or using foreign intelligence analysis tools,” suggesting the tech analysis role access to the dragnet data is not audited.
Language in the order defining “NSA” suggests contractors may access the data (though it’s unclear whether they do so in a technical or intelligence analysis function); something made explicit in Dianne Feinstein’s bill.
That is, it is at least possible that Booz analysts are currently conducting audit-free tech massaging of the raw phone dragnet data.
And NSA knew this access was a vulnerability. As recently as 2012, tech analysts were found to have 3,000 files worth of phone dragnet data (it’s unclear how much data each file included) on an improper server past its required destruction date. NSA destroyed that data before definitively researching what it was doing there.
Thus, the risk of tech analyst breach is very real, and no one — not NSA, and not Congress, which has only codified this arrangement — seems to be addressing it.
Indeed, it is likely that some kind of Booz-type contractors will continue to have direct access to this data after it gets outsourced to the telecoms, otherwise USA Freedumber would not extend immunity to such second-level contractors.
For months, intelligence officials claimed not only that Snowden had not accessed raw data, but could not. That was always a dubious claim; even if Snowden couldn’t have accessed that data, other contractors just like him could and still can, with less oversight than NSA’s intelligence analysts get.
But it turns out Snowden could and did. And thanks to that, we now know many of the other claims made by government witnesses are also false.
In a piece for Salon, I note some of the weird silences in yesterday’s PCLOB report, from things like the failure to give defendants notice (which I discussed yesterday) to the false claim that Targeting Procedures haven’t been released (they have been — by Edward Snowden). One of the most troubling silences, however, pertains to cybersecurity.
That’s especially true in one area where PCLOB inexplicably remained entirely silent. PCLOB noted in its report that, because Congress limited its mandate to counterterrorism programs, it focused primarily on those uses of Section 702. That meant a number of PCLOB’s discussions — particularly regarding “incidental collections” of Americans sucked up under Section 702 — minimized the degree to which Americans who corresponded with completely innocent foreigners could be in a government database. That said, PCLOB did admit there were other uses, and it discussed the government’s use of Section 702 to pursue weapons proliferators.
Yet PCLOB remained silent about a use of Section 702 that both Director of National Intelligence James Clapper’s office, in its very first information sheet on Section 702 released in June 2013, and multiple government witnesses at PCLOB’s own hearing on this topic in March, discussed: cybersecurity. Not only should that have been discussed because Congress is preparing to debate cybersecurity legislation that would be modeled on Section 702. But the use of Section 702 for cybersecurity presents a number of unique, and potentially more significant, privacy concerns.
And PCLOB just dodged that issue entirely, even though Section 702’s use for cybersecurity is unclassified.
In the transcript of the March PCLOB hearing on Section 702 uses, the word “cyber” shows up 12 times. Four of those references come from DOJ’s Deputy Assistant Attorney General Brad Wiegmann’s description of the kinds of foreign intelligence uses targeted under Section 702. (The other references came from Information Technology Industry Council President Dean Garfield.)
MR. WIEGMANN: You task a selector. So you’re identifying, that’s when you take that selector to the company and say this one’s been approved. You’ve concluded that it is, does belong to a non-U.S. person overseas, a terrorist, or a proliferator, or a cyber person, right, whoever it is, and then we go to the company and get the information.
It’s aimed at only those people who are foreign intelligence targets and you have reason to believe that going up on that account that I mentioned, bad guy at Google.com is going to give you back information, information that is foreign intelligence, like on cyber threats, on terrorists, on proliferation, whatever it might be.
So in other words, if I need to, if it’s Joe Smith and his name is necessary if I’m passing it to that foreign government and it’s key that they understand that it’s Joe Smith because that’s relevant to understanding what the threat is, or what the information is, let’s say he’s a cyber, malicious cyber hacker or whatever, and it was key to know the information, then you might pass Joe Smith’s name.
Yesterday’s report, however, doesn’t mention “cyber” a single time. Indeed, it seems to go out of its way to avoid mentioning it.
As discussed elsewhere in this Report, the Board believes that the Section 702 program significantly aids the government’s efforts to prevent terrorism, as well as to combat weapons proliferation and gather foreign intelligence for other purposes.
The Section 702 program, for instance, is also used for surveillance aimed at countering the efforts of proliferators of weapons of mass destruction. Given that these other foreign intelligence purposes of the program are not strictly within the Board’s mandate, we have not scrutinized the effectiveness of Section 702 in contributing to those other purposes with the same rigor that we have applied in assessing the program’s contribution to counterterrorism. Nevertheless, we have come to learn how the program is used for these other purposes, including, for example, specific ways in which it has been used to combat weapons proliferation and the degree to which the program supports the government’s efforts to gather foreign intelligence for the benefit of policymakers.
I find PCLOB’s silence about the use of Section 702 to pursue cyber targets particularly interesting for several reasons.
First, because cyber targets pose unique privacy threats — in part because cyberattackers are more likely to hide their location and exploit the communications of entirely innocent people, meaning Section 702’s claimed targeting limits offer no protection to Americans. Additionally, targeting (as Wiegmann describes it) a “malicious cyber hacker” goes beyond any traditional definition of foreign agent; it is telling he didn’t use a Chinese military hacker as his example instead! Indeed, while proliferation (along with foreign governments, the other presumed certification) is solidly within the FISA Amendments Act’s definition of foreign intelligence, cybersecurity is not. In its discussion of back door searches, PCLOB admits there are concerns raised by back door searches that are heightened (or perhaps more sensitive, because they involve affluent white people) outside the counterterrorism context; that’s especially true for cybersecurity targeting.
Consider, too, the likelihood that cyber collection is among the categories of about collection that PCLOB obliquely mentions but doesn’t describe due to classification.
Although we cannot discuss the details in an unclassified public report, the moniker “about” collection describes a number of distinct scenarios, which the government has in the past characterized as different “categories” of “about” collection. These categories are not predetermined limits that confine what the government acquires; rather, they are merely ways of describing the different forms of communications that are neither to nor from a tasked selector but nevertheless are collected because they contain the selector somewhere within them.
At the beginning of the report, PCLOB repeated the government’s claim this is primarily about emails; here in the guts of it, it obliquely references other categories of collection, without really considering whether these categories present different privacy concerns.
Remember, too, that the original, good version of USA Freedom Act remains before the Senate Judiciary Committee. That bill would disallow the use of upstream 702 for any use but counterterrorism and counterproliferation. Did PCLOB ignore this use of Section 702 just to avoid alerting Senators who haven’t been briefed on it that it exists?
Finally, I also find PCLOB’s silence about NSA’s admitted use of Section 702 to pursue cyberattackers curious given that, after Congress largely ditched ideas to involve PCLOB in various NSA oversight — such as providing it a role in the FISA Advocate position — Dianne Feinstein’s Cyber Information Sharing Act all of a sudden has found a use for PCLOB again (serving a function, I should add, that arguably replaces FISC review).
(1) BIENNIAL REPORT FROM PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD.—Not later than 1 year after the date of the enactment of this Act and not less frequently than once every 2 years thereafter, the Privacy and Civil Liberties Oversight Board shall submit to Congress and the President a report providing—
(A) an assessment of the privacy and civil liberties impact of the type of activities carried out under this Act; and
(B) an assessment of the sufficiency of the policies, procedures, and guidelines established pursuant to section 5 in addressing privacy and civil liberties concerns.
Feinstein introduced this bill on June 17, several weeks after PCLOB briefed her staffers on their report (they briefed Congressional committee aides on June 2, and the White House on June 17 — see just after 9:00).
A renewed openness to expanding PCLOB’s role may be entirely unmotivated, or it may stem from PCLOB’s chastened analysis of the legal issues surrounding Section 702.
But I do find it interesting that PCLOB uttered, literally, not one word about the topic that, if DiFi’s bill passes, would expand their mandate.
Yesterday, we learned:
Back in November, when Dianne Feinstein was trying to codify these unwarranted back door searches explicitly into law, here’s what anonymous sources described as Senate Intelligence Committee aides told the WaPo:
They say that there have been only a “small number” of such queries each year. Such searches are useful, for instance, if a tip arises that a terrorist group is plotting to kill or kidnap an American, officials have said.
“Only a small number.”
Over 2,000 counted searches between the CIA and NSA. Uncounted, but substantial, number of searches by FBI. “Only a small number.”
Were these anonymous sources ignorant — relying on false information from the Agencies? The actual number of unwarranted back door searches doesn’t appear in the unredacted portions of the one Semiannual Section 702 Compliance report we’ve seen (see page 13); there doesn’t appear to be a redacted section where they would end up.
So have the Agencies (CIA and NSA in this case; FBI’s back door searches get audited in a different way) simply hidden from their Congressional overseers how frequently they were doing these searches?
Or were these aides trying, once again, to pass legislation permitting the nation’s spy agencies to conduct intrusive searches on Americans by lying?
One way or another, it’s a damn good thing Ron Wyden asked for and insisted on getting an answer to his question of how common these back door searches are (even if the FBI still refuses to count them). Because the key people who are supposed to oversee them are either ignorant or lying about them.
There are two significant changes (which may well be related).
First, perhaps in anticipation of shifting to production from the providers, perhaps because the Court has rethought its authorization granted in November 2012, the government appears to have given up its effort to introduce an automated query.
Queries of the BR metadata using RAS-approved selection terms for purposes of obtaining foreign intelligence information may occur by manual analyst query only.
PCLOB provided the only unclassified description of what the government had been trying to do with its automated query.
In 2012, the FISA court approved a new and automated method of performing queries, one that is associated with a new infrastructure implemented by the NSA to process its calling records. The essence of this new process is that, instead of waiting for individual analysts to perform manual queries of particular selection terms that have been RAS approved, the NSA’s database periodically performs queries on all RAS-approved seed terms, up to three hops away from the approved seeds.
But, as I reported in February, NSA has never been able to pull off its automated alert, purportedly for technical reasons (which usually means it could not technically meet the requirements imposed by the court).
The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes. Accordingly, this amendment to the Primary Order authorizes the use of this automated query process for development and testing purposes only. No query results from such testing shall be made available for analytic purposes. Use of this automated query process for analytical purposes requires further order of this Court.
The government revealed NSA’s failure to implement its automatic alert in its motion to amend this year’s first dragnet order.
In that same motion it implemented the change in standard dragnet language that has been retained in these more recent dragnet orders: the NSA is chaining on “connections” as well as actual calls.
14 The first “hop” from a seed returns results including all identifiers (and their associated metadata) with a contact and/or connection with the seed. The second “hop” returns results that include all identifiers (and their associated metadata) with a contact and/or connection with an identifier revealed by the first “hop.”
Now, it may be that the entire time one after another government witness has testified to Congress that this phone dragnet only returns on calls, they’ve been doing this connection-based chaining as well. As I noted in this post, connection-based chaining has been in a redacted section of phone dragnet orders describing their automated query. (They seem to have ditched the automation but retained the connection-based chaining.) And Dianne Feinstein’s Fake FISA Fix also would have permitted connection chaining.
Whether Administration witnesses were being deliberately deceitful when testifying about call-based chaining (“not wittingly!”) or the NSA only recently resumed doing connection-based chaining manually, having given up on doing it automatically, one thing is clear. The NSA has been doing connection-based chaining since at least February, and very few people in Congress know what that means. Nevertheless, they’re about to authorize that formally.
As you know, I’ve been trying to track the language in existing phone dragnet orders and new legislation approving the collection of records that are “connected” to a selector by means other than actual calls made. (See here, here, and here for background.) Basically, the automated query approved by the FISA Court in 2012 and the USA Freedumber Act both authorize the government to collect call detail records from phones “connected” to a selector without any call having been made.
Clearly this provision serves to allow the government to track “burner” phones. But given that under the Hemisphere program, AT&T uses cell location to conduct chaining, I expect “connections” will include that too. And it may include things like address books, photos, and calendars, which would be accessible to smart phone providers, and which we know the NSA collects and uses to establish such connections overseas.
I just realized in the last few days that the Fake FISA Fix Dianne Feinstein passed through the Senate Intelligence Committee last year also provides for “connections” based chaining. Here’s how it appears in the bill:
Scope of permissible query return information:
For any query performed pursuant to paragraph (1)(D)(i), the query only may return information concerning communications—
(A) to or from the selector used to perform the query;
(B) to or from a selector in communication with the selector used to perform the query; or
(C) to or from any selector reasonably linked to the selector used to perform the query, in accordance with the court approved minimization procedures required under subsection (g). [my emphasis]
This appears to confirm that the existing connection chaining uses the minimization procedures stage to assess the validity of the connection.
Nowhere, however, have I ever seen any language limiting what kind of “reasonable links” NSA can make in secret.
Particularly given that the government is intent on giving telecoms to make these links, we really ought to be limiting the kinds of links they’re permitted to make.
In the Senate Intelligence Committee hearing on HR 3361 — which I call the USA Freedumber Act because it makes the dragnet worse in several ways — Dianne Feinstein used her opening statement to talk about the role of “specific selection term” in the bill.
She says, in part,
The problem comes with the definition of a “specific selection term,” which is not clear on its face and I believe it’s confusing.
I’m glad that Feinstein is concerned about the same thing I’ve been focusing on for a month.
The problem with trying to prevent “bulk collection” using the definition of selection term — even aside from the fact that the Intelligence Community understands “bulk collection” to mean something entirely different from what normal people understand it to mean — is that it will be abused.
We didn’t even get out of the hearing without such cynicism. At the hearing, Deputy Attorney General James Cole assured Martin Heinrich and Mark Udall that statements in the legislative record indicating a desire to limit such collection would prevent any abuse. This is the same DAG whose DOJ argued — just the day before!!! — that the legislative record of FISA, which clearly indicates the congressional intent that some defendants will get to review their FISA applications, should be ignored in favor of the 36 year history during which no defendants got such review.
Cole’s comments are all the proof we need that the Executive cannot be trusted to cede to Congress’ wishes (not to mention that the legislative record is far more ambivalent than Cole pretended).
So I’m grateful Feinstein is trying to tighten the definition (though I don’t think that is the workable way to improve the bill).
But I’m a bit confused by Feinstein’s confusion.
You see, as I noted some weeks ago, the term “selection term” is already used for Section 215, and has been for at least a year. And at least in phone dragnet Primary Order standard references to FISA content orders (that is, to traditional FISA warrants and the like), they’re using “selection term” as well.
The intelligence community and the FISA Court already have some common understanding of what “selection term” means — and Primary Orders appear to define the term in a classified-to-us-but-not-Feinstein footnote — and yet Feinstein is confused about what “specific selection term” might mean?
Granted, “selection term” is slightly different than “specific selection term.” Still, given that the “selection term” appears to be defined — and used — in the existing program, I would hope that Senator Feinstein would have some clarity about what it means.
Perhaps the way to start this discussion is to publicly explain how the IC is currently using “selection term”?
I’ve written several times about how HR 3361 — what others call USA Freedom Act and I dubbed the USA Freedumber Act when it was gutted in the House — is worse than the status quo in a number of ways.
But I’m also aware that the Senate could make it worse. I’m still waiting to see what kind of surprises Dianne Feinstein has in store for Thursday’s Senate Intelligence Committee hearing.
So I am thoroughly unsurprised that Ranking Republican Saxby Chambliss wants to make Freedumber worse.
Sen. Saxby Chambliss (R-Ga.) said the surveillance reform bill that passed the House last month goes too far in ending some of the National Security Agency’s (NSA) sweeping surveillance programs.
“I actually think they went a little bit too far on the bulk collection side of it,” Chambliss — the top Republican on the Senate Intelligence Committee — said Tuesday while speaking at a Bloomberg event on cybersecurity.
I actually think this is a calculated move to add various transparency measures that Pat Leahy will respond to, but open up the floodgates to a full Internet-and-smart-phone dragnet. It will allow those who’ve gotten badly played in this negotiation an opportunity to declare victory even as the dragnet gets even worse.
Add this to the evidence this is all a big play:
Chambliss said that he and Senate Intelligence Committee Chairwoman Dianne Feinstein (D-Calif.) and House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) will be able to reconcile any differences between the House bill and a reform bill that comes out of the Senate.
“I’m confident that Rogers, Ruppersberger, Dianne and I can bridge that gap quickly if we can get a bill out of the Senate,” he said.
The Gang of Four is just working to get to Conference, where they already seem to have in mind what they’ll produce.
Before we’re done, we’re sure to see USA Freedumbest.
As June 5 approaches — and with it the one year anniversary of the first reporting on Edward Snowden’s leaks — the privacy community is calling supporters to redouble efforts to improve the NSA “reform bill,” which I call the USA Freedumber Act, in the Senate.
I explained here why the Senate is unlikely to improve USA Freedumber in any meaningful way. The votes just aren’t there — not even in the Senate Judiciary Committee.
Ominously, Dianne Feinstein just scheduled an NSA hearing for Thursday afternoon, when most of the privacy community will be out rallying the troops.
Unless the surveillance community finds some way to defeat USA Freedumber, the intelligence community will soon be toasting themselves that they used the cover of Edward Snowden’s disclosures to expand surveillance. The “Edward Snowden Put the NSA in Your Smartphone Act,” they might call it.
To prevent that, the privacy community needs to find a way to defeat USA Freedumber. It’s not enough, in my opinion, to point to the judicial review codified by USA Freedumber to accede to letting this pass. Not only doesn’t USA Freedumber end what most normal people call, “bulk collection,” but it expands collection in a number of ways.
That’s true, in part, because of the way the bill defines “bulk collection.” USA Freedumber only considers something “bulk collection” if it collects all of some kind of data (so, all phone data in the US). If NSA limits collection at all — selecting to collect all the phone records from Area Code 202, for example — it no longer qualifies as bulk collection under the Intel Community definition used in the bill, no matter how broadly they’re collecting.
Here’s a post where I lay that out.
To make things worse, the last version of the House bill changed the term “selection term” to make it very broad: including “entities,” “addresses,” and “devices” among the things that count as a single target, all of which invite mass targeting. I was always skeptical about “specific selection term” serving as the limiting factor in the bill; key language about how the FISC currently understands “selection term” remains classified. But I do know that Zoe Lofgren and others in the House kept saying that under the current definition of the bill the government could collect all records in, say, my Area Code 202 example. And if that’s possible, it means the phone dragnet under this “reform” may be little more targeted than upstream Section 702 collection currently is, which has telecoms sniff through up to 75% of US Internet traffic.
But it’s not just that the bill doesn’t deliver what its boosters claim it does.
There are 4 other ways that the bill makes the status quo worse, as I show in this post:
In my opinion, these changes mean the NSA will be able to do much of what they were doing in 2009, before what were then called abuses – but under this bill would be legalized — were discovered. That, plus they’re likely to expand the dragnet beyond terrorism targets.
For a year, privacy advocates have believed we’d get reform in response to Snowden’s leaks. For too long, advocates treated HR 3361 as positive reform.
But unless we defeat USA Freedumber, the Intelligence Community will have used the event of Snowden’s leaks as an opportunity to expand the dragnet.
Yesterday, I noted that the subject of Edward Snowden’s emailed question to NSA’s Office of General Counsel pertained to one of the under-reported themes of his leaks, the way NSA uses EO 12333 to collect data on Americans that either clearly was or might have been covered by stricter laws passed by Congress. I also noted how unbelievably shitty the NSA training programs released to ACLU and EFF are, particularly the way seemingly outdated documents that remain in effect appear to allow spying on Americans prohibited by statute.
I’d like to return to the precise language Snowden used to refer to this email exchange (and a thus-far unreleased exchange he claims to have had with NSA’s Compliance folks).
Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published.
I suggested yesterday that this was likely a conflict over whether EO 12333 superseded laws passed by Congress, including but not limited to FISA.
But note: Snowden says he asked about a “classified” EO.
EO 12333 is unclassified.
So there are two possibilities. First, that there’s a classified EO — one that remains classified — that we don’t know about, one Congress may not even be fully cognizant of (on the premise that this EO supersedes the law).
That’s possible. But EO 12333 is the only EO referenced in USSID 18’s list of references.
The other possibility is far more interesting.
As I noted, the documents laying out the core regulations governing NSA conflict badly, largely because many of the documents are very dated, and have been (or should have been) superseded by recent laws (like the FISA Amendments Act) and court decisions (like John Bates’ 2011 ruling on upstream collection).
Of particular interest is NSA/CSS Policy 1-23 (starting at PDF 110). That policy is interesting, first of all, because it was first issued on March 11, 2004 by Michael Hayden. That is, this policy dates to the very day when Michael Hayden agreed to continue the illegal wiretap program even as half of DOJ threatened to quit.
The policy was updated twice, once to make what were considered minor adjustments in policy in 2007, and once in 2009 to incorporate FISA Amendments Act changes. Thus, the policy at least purports to fully incorporate FAA. The 2009 reissue — and its classified annex — is considered among the signature authorizing milestones according to a timeline leaked by Snowden, above, and the only one that mentions a classified annex.
But — as I noted yesterday — the policy still relies on (and incorporates) a classified annex to EO 12333 that was written in 1988 (though the document itself bears the March 11, 2004 date).