As I pointed out the other day, the CIA IG Report on spying on the Senate Intelligence Committee appears to say the egregious spying happened after John Brennan told Dianne Feinstein and Saxby Chambliss on January 15 CIA had been spying on SSCI.
Agency Access to Files on the SSCI RDINet:
Five Agency employees, two attorneys and three information technology (IT) staff members, improperly accessed or caused access to the SSCI Majority staff shared drives on the RDINet.
Agency Crimes Report on Alleged Misconduct by SSCI Staff:
The Agency filed a crimes report with the DOJ, as required by Executive Order 12333 and the 1995 Crimes Reporting Memorandum between the DOJ and the Intelligence Community, reporting that SSCI staff members may have improperly accessed Agency information on the RDINet. However, the factual basis for the referral was not supported, as the author of the referral had been provided inaccurate information on which the letter was based. After review, the DOJ declined to open a criminal investigation of the matter alleged in the crimes report.
Office of Security Review of SSCI Staff Activity:
Subsequent to directive by the D/CIA to halt the Agency review of SSCI staff access to the RDINet, and unaware of the D/CIA’s direction, the Office of Security conducted a limited investigation of SSCI activities on the RDINet. That effort included a keyword search of all and a review of some of the emails of SSCI Majority staff members on the RDINet system.
With respect to your second question about monitoring of Members of Congress and Legislative Branch employees, in general those individuals will not be subject to [User Activity Monitoring] because their classified networks are not included in the definition of national security systems (NSS) for which monitoring is required.
Because no internally owned or operated Legislative branch network qualifies as a national security system, UAM by the Executive Branch is accordingly neither required nor conducted. To be clear, however, when Legislative Branch personnel access a national security system used or operated by the Executive Branch, they are of course subject to UAM on that particular system.
CIA’s spying on SSCI took place on CIA’s RDI network, not on the SSCI one. SSCI had originally demanded they be given the documents pertaining to the torture program, but ultimately Leon Panetta required them to work on a CIA network, as Dianne Feinstein explained earlier this year.
The committee’s preference was for the CIA to turn over all responsive documents to the committee’s office, as had been done in previous committee investigations.
Director Panetta proposed an alternative arrangement: to provide literally millions of pages of operational cables, internal emails, memos, and other documents pursuant to the committee’s document requests at a secure location in Northern Virginia. We agreed, but insisted on several conditions and protections to ensure the integrity of this congressional investigation.
Per an exchange of letters in 2009, then-Vice Chairman Bond, then-Director Panetta, and I agreed in an exchange of letters that the CIA was to provide a “stand-alone computer system” with a “network drive” “segregated from CIA networks” for the committee that would only be accessed by information technology personnel at the CIA—who would “not be permitted to” “share information from the system with other [CIA] personnel, except as otherwise authorized by the committee.”
It was this computer network that, notwithstanding our agreement with Director Panetta, was searched by the CIA this past January,
Presumably, those limits on access should have prevented CIA’s IT guys from sharing information about what SSCI was doing on the network. But it’s not clear they would override Clapper’s UAM.
Remember, too, when Brennan first explained how this spying didn’t qualify as a violation of the Computer Fraud and Abuse Act, he said CIA could conduct “lawfully authorized … protective … activity” in the US. Presumably like UAM.
I have no idea whether this explains why CIA’s IG retracted what Feinstein said had been his own criminal referral or not. But I do wonder whether the CIA has self-excused some of its spying on SSCI in the interest of continuous user monitoring?
If so, it would be the height of irony, as UAM did not discover either Chelsea Manning’s or Edward Snowden’s leaks. Imagine if the only leakers the Intelligence Community ever found were their own overseers?
In an interview with the Guardian published yesterday, Edward Snowden claimed that compromising pictures get shared around NSA.
Made a startling claim that a culture exists within the NSA in which, during surveillance, nude photographs picked up of people in “sexually compromising” situations are routinely passed around.
The usual whiners are suggesting Snowden is making this up and demanding proof.
They seem to have forgotten the proof we’ve already seen of NSA officially retaining sexually compromising material. Here’s what Bart Gellman described in a follow-up to WaPo’s recent report on the data collected under Section 702.
Among the large majority of people who are not NSA targets, many of the conversations in our sample are exceedingly private. Often they are very far from publishable, without editing.
Him: “How about you [verb, possessive adjective, noun]
Her: “I [verb] if you [another verb].”
Him: “That can be arranged.”
Her: “I really need punishment.”
Another young woman, also not a target, responds to a suitor who proposes to pay a visit.
Her: “don’t think that would b fair on the guy im seeing”
Him: “you can be a bit naughty at times lol”
Her: “Yeah lol”
The conversation proceeds from there.
This is stuff officially retained by NSA. This is stuff they claim has foreign intelligence value. This is sexually compromising. And Gellman says many of the retained communications are like that.
Sure, I get that NSA wants to contact chain on who’s fucking whom, just as they want to chain on who’s calling whom. But to do that, they’re retaining smut.
In addition to its exposure of the sheer senselessness of much of the spying NSA engages in, yesterday’s WaPo story also shows that the government’s assurances that Edward Snowden could not access raw data have been misplaced.
For close to a year, NSA and other government officials have appeared to deny, in congressional testimony and public statements, that Snowden had any access to the material.
As recently as May, shortly after he retired as NSA director, Gen. Keith Alexander denied that Snowden could have passed FISA content to journalists.
“He didn’t get this data,” Alexander told a New Yorker reporter. “They didn’t touch —”
“The operational data?” the reporter asked.
“They didn’t touch the FISA data,” Alexander replied. He added, “That database, he didn’t have access to.”
Robert S. Litt, the general counsel for the Office of the Director of National Intelligence, said in a prepared statement that Alexander and other officials were speaking only about “raw” intelligence, the term for intercepted content that has not yet been evaluated, stamped with classification markings or minimized to mask U.S. identities.
“We have talked about the very strict controls on raw traffic, the training that people have to have, the technological lockdowns on access,” Litt said. “Nothing that you have given us indicates that Snowden was able to circumvent that in any way.”
In the interview, Snowden said he did not need to circumvent those controls, because his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center gave him “unusually broad, unescorted access to raw SIGINT [signals intelligence] under a special ‘Dual Authorities’ role,” a reference to Section 702 for domestic collection and Executive Order 12333 for collection overseas. Those credentials, he said, allowed him to search stored content — and “task” new collection — without prior approval of his search terms.
No one should ever have believed those assurances.
That’s because the documentation on the Section 215 program makes it clear how little oversight there is over tech people just like Snowden. The current phone dragnet order, for example, makes it clear that:
The audit language in the dragnet order applies only to “foreign intelligence analysis purposes or using foreign intelligence analysis tools,” suggesting that access to the dragnet data in the tech analysis role is not audited.
Language in the order defining “NSA” suggests contractors may access the data (though it’s unclear whether they do so in a technical or intelligence analysis function); something made explicit in Dianne Feinstein’s bill.
That is, it is at least possible that Booz analysts are currently conducting audit-free tech massaging of the raw phone dragnet data.
And NSA knew this access was a vulnerability. As recently as 2012, tech analysts were found to have 3,000 files worth of phone dragnet data (it’s unclear how much data each file included) on an improper server past its required destruction date. NSA destroyed that data before definitively researching what it was doing there.
Thus, the risk of tech analyst breach is very real, and no one — not NSA, and not Congress, which has only codified this arrangement — seems to be addressing it.
Indeed, it is likely that some kind of Booz-type contractors will continue to have direct access to this data after it gets outsourced to the telecoms, otherwise USA Freedumber would not extend immunity to such second-level contractors.
For months, intelligence officials claimed not only that Snowden had not accessed raw data, but could not. That was always a dubious claim; even if Snowden couldn’t have accessed that data, other contractors just like him could and still can, with less oversight than NSA’s intelligence analysts get.
But it turns out Snowden could and did. And thanks to that, we now know many of the other claims made by government witnesses are also false.
I’ve decided the best way to digest the collection of documents released by Spiegel this week is to do a working thread. You can find links to the individual files here, or a very big PDF of all files here.
Note they describe using XKeyscore for “behavior detection techniques.” Even in physical space, it’s not clear current science supports the validity of such behavior detection. But this involves using someone’s online behavior to translate “behavior” into suspicion.
In the list of topics they share on, Der Spiegel has redacted the place in “Europeans traveling to [redacted] to fight.” That’s presumably Syria (though could be Somalia). It’d be interesting to see the lead time on this international sharing and the time it shows up in news articles.
Note the reference to using XKeyscore for (German) domestic warranted content.
In October 2011, SSG partnered with SUSLAG and BND to conduct a demonstration of XKEYSCORE to the BfV using BfV domestic warranted collection. The BND XKEYSCORE system successfully processed DSL wiretap collection belonging to a German domestic CT target.
I’ve long wondered whether they can use XKS for US domestic content. This would seem to suggest they can. It sort of makes you wonder whether they’d give XKS to telecoms under USA Freedumber?
Note the other documents describe the partnership primarily in terms of CT, but this document makes it clear it also includes transnational crime and counternarcotics, Afghan support, and one redacted topic.
Note that cyber is later described as something NSA is pushing (in January 2013) to get BND to partner on. This document describes IAD as leading discussions at this point (January 2013), but describes a follow-up meeting with NTOC and FAD that same month.
Note Germany’s role in translating Igbo, left unredacted. This, and a number of other redacted references, seems to suggest the Germans play a key role in our collection and analysis of intelligence from Nigeria. Note, that might support the notion that one of the redacted sharing purposes is energy-related.
Germany appears to play a key role in our GSM collection. Note they also play a key role in VoIP, which may be why they were so interested in accessing Skype. Germany has already changed its privacy law to help us, but NSA isn’t satisfied. I’m reminded of US Ambassador to Germany Philip Murphy’s bitching about Germans not understanding the need to share information in the Internet era.
In 2012, Boundless Informant was going to soon roll out an “if you like this you’ll like this” query suggestion mode.
I’ve been tracking Keith Alexander’s utterly predictable new gig, getting rich off of having drummed up cybersecurity concerns for the last several years, while at the same time shacking up with the most dubious of shadow bank regulators, Promontory Financial Group.
Apparently, I’m not the only one. Alan Grayson just sent some of the entities that Alexander has been drumming up business with — the Security Industries and Financial Markets Association, Consumer Bankers Association, and Financial Services Roundtable — a letter asking how the former NSA Director can be making a reported $600,000 a month. He cites Bruce Schneier wondering whether part of the deal is that Alexander will share classified information he learned while at NSA.
Security expert Bruce Schneier noted that this fee for Alexander’s services is on its face unreasonable. “Think of how much actual security they could buy with that $600K a month. Unless he’s giving them classified information.” Schneier also quoted Recode.net, which headlined this news as: “For another million, I’ll show you the back door we put in your router.”
Disclosing or misusing classified information for profit is, as Mr. Alexander well knows, a felony. I question how Mr. Alexander can provide any of the services he is offering unless he discloses or misuses classified information, including extremely sensitive sources and methods. Without the classified information that he acquired in his former position, he literally would have nothing to offer to you.
Please send me all information related to your negotiations with Mr. Alexander, so that Congress can verify whether or not he is selling military and cybersecurity secrets to the financial services industry for personal gain.
Alexander is just the latest of a long line of people who profit directly off driving up the cybersecurity threat. But — as Recode.net notes — he’s also got the kind of inside information that could be particularly valuable.
As the Intelligence Industrial Complex and the Banking industry hop into bed together, there ought to be some transparency about just what kind of deals are being made. There’s simply too much immunity handed out to this community to let boondoggles like Alexander’s slide.
The intelligence community is subjecting every low level clearance holder to intense scrutiny right now. But thus far, there has not been a peep from those quarters that the former DIRNSA could command these fees for the expertise gained while overseeing the nation’s secrets.
I was asked to participate in a CATO debate about where we are a year post Snowden. My contribution to that debate — in which I argue any big drama going forward will come from the newly adversarial relationship between Google and the NSA — is here.
As part of that, I argued that the government made a choice after Snowden: to double down on hard power over soft power.
The conflict between Google and its home country embodies another trend that has accelerated since the start of the Snowden leaks. As the President of the Computer & Communications Industry Association, Edward Black, testified before the Senate last year, the disclosure of NSA overreach did not just damage some of America’s most successful companies, it also undermined the key role the Internet plays in America’s soft power projection around the world: as the leader in Internet governance, and as the forum for open speech and exchange once associated so positively with the United States.
The U.S. response to Snowden’s leaks has, to a significant degree, been to double down on hard power, on the imperative to “collect it all” and the insistence that the best cyberdefense is an aggressive cyberoffense. While President Obama paid lip service to stopping short of spying “because we can,” the Executive Branch has refused to do anything – especially legislatively – that would impose real controls on the surveillance system that undergirds raw power.
And that will likely bring additional costs, not just to America’s economic position in the world, but in the need to invest in programs to maintain that raw power advantage. Particularly given the paltry results the NSA has to show for its domestic phone dragnet – the single Somali taxi driver donating to al-Shabaab that Sanchez described. It’s not clear that the additional costs from doubling down on hard power bring the United States any greater security.
Because I was writing this essay, that’s largely where my mind has been as we debate getting re-involved in Iraq.
In the 3 or 4 wars we’ve waged in the Middle East/South Asia since 9/11 (counting Afghanistan, Iraq, Libya, and Syria), we’ve only managed to further destabilize the region. That was largely driven by a belligerence that goes well beyond our imperative to collect it all.
But I do think both the Snowden anniversary and the Iraq clusterfuck should focus far more energy on how we try to serve American interests through persuasion rather than bombs and dragnets.
Yesterday, The Register published what it claims is the story that led GCHQ to destroy the Guardian’s hard drives: the location of a key GCHQ base in the Middle East and its relationships with British Telecom and Vodafone.
The secret British spy base is part of a programme codenamed “CIRCUIT” and also referred to as Overseas Processing Centre 1 (OPC-1). It is located at Seeb, on the northern coast of Oman, where it taps in to various undersea cables passing through the Strait of Hormuz into the Persian/Arabian Gulf. Seeb is one of a three site GCHQ network in Oman, at locations codenamed “TIMPANI”, “GUITAR” and “CLARINET”. TIMPANI, near the Strait of Hormuz, can monitor Iraqi communications. CLARINET, in the south of Oman, is strategically close to Yemen.
British national telco BT, referred to within GCHQ and the American NSA under the ultra-classified codename “REMEDY”, and Vodafone Cable (which owns the former Cable & Wireless company, aka “GERONTIC”) are the two top earners of secret GCHQ payments running into tens of millions of pounds annually.
The Brits would have you believe — and I have no reason to doubt them — that this cable landing in Oman is one of the key points in their surveillance infrastructure.
I raise this because of a cable listing the globe’s critical infrastructure — and fearmongering surrounding it — that Chelsea Manning leaked to Wikileaks. As I noted at the time, while the cable lists a slew of cable landings as critical infrastructure sites — including the Hibernia Atlantic undersea cable landing in Dublin, which gets mentioned in the Register story — it does not list a single cable landing site in the Middle East.
Bab al-Mendeb: Shipping lane is a critical supply chain node
‘Ayn Sukhnah-SuMEd Receiving Import Terminal
‘Sidi Kurayr-SuMed Offloading Export Terminal
Strait of Hormuz
Khark (Kharg) Island Sea Island Export Terminal
Khark Island T-Jetty
Al-Basrah Oil Terminal
Rafael Ordnance Systems Division, Haifa, Israel: Critical to Sensor Fused Weapons (SFW), Wind Corrected Munitions Dispensers (WCMD), Tail Kits, and batteries
Mina’ al Ahmadi Export Terminal
Strait of Gibraltar
Maghreb-Europe (GME) gas pipeline, Morocco
Strait of Hormuz
Ras Laffan Industrial Center: By 2012 Qatar will be the largest source of imported LNG to U.S.
Abqaiq Processing Center: Largest crude oil processing and stabilization plant in the world
Al Ju’aymah Export Terminal: Part of the Ras Tanura complex
As Saffaniyah Processing Center
Qatif Pipeline Junction
Ras at Tanaqib Processing Center
Ras Tanura Export Terminal
Shaybah Central Gas-oil Separation Plant
Trans-Med Gas Pipeline
United Arab Emirates (UAE):
Das Island Export Terminal
Jabal Zannah Export Terminal
Strait of Hormuz
Bab al-Mendeb: Shipping lane is a critical supply chain node
Note, Bahamas’ telecom, which recent reporting has also noted is critical to NSA’s spying, also gets no mention.
That’s not surprising in the least. The cable (and the list) is classified Secret. NSA and GCHQ’s prime collection points are (as the Register notes) classified several levels above Top Secret.
And while the list provided some indication of what sites were significant by their absence, it’s likely that the sites that were listed were the relatively unimportant sites.
At trial, Manning’s lawyers repeatedly pointed out that she had chosen not to leak stuff from JWICS, which would be classified at a higher level. The stuff she leaked, which she got on SIPRNET, was by definition less sensitive stuff.
I don’t mean to suggest this reflects on the relative value of what either Edward Snowden or Chelsea Manning leaked. I think it is a good indication, though, of how unfounded a lot of the fear mongering surrounding this particular leaked cable was.
I’ve written several times about how HR 3361 — what others call USA Freedom Act and I dubbed the USA Freedumber Act when it was gutted in the House — is worse than the status quo in a number of ways.
But I’m also aware that the Senate could make it worse. I’m still waiting to see what kind of surprises Dianne Feinstein has in store for Thursday’s Senate Intelligence Committee hearing.
So I am thoroughly unsurprised that Ranking Republican Saxby Chambliss wants to make Freedumber worse.
Sen. Saxby Chambliss (R-Ga.) said the surveillance reform bill that passed the House last month goes too far in ending some of the National Security Agency’s (NSA) sweeping surveillance programs.
“I actually think they went a little bit too far on the bulk collection side of it,” Chambliss — the top Republican on the Senate Intelligence Committee — said Tuesday while speaking at a Bloomberg event on cybersecurity.
I actually think this is a calculated move to add various transparency measures that Pat Leahy will respond to, but open up the floodgates to a full Internet-and-smart-phone dragnet. It will allow those who’ve gotten badly played in this negotiation an opportunity to declare victory even as the dragnet gets even worse.
Add this to the evidence this is all a big play:
Chambliss said that he and Senate Intelligence Committee Chairwoman Dianne Feinstein (D-Calif.) and House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) will be able to reconcile any differences between the House bill and a reform bill that comes out of the Senate.
“I’m confident that Rogers, Ruppersberger, Dianne and I can bridge that gap quickly if we can get a bill out of the Senate,” he said.
The Gang of Four is just working to get to Conference, where they already seem to have in mind what they’ll produce.
Before we’re done, we’re sure to see USA Freedumbest.
As June 5 approaches — and with it the one year anniversary of the first reporting on Edward Snowden’s leaks — the privacy community is calling supporters to redouble efforts to improve the NSA “reform bill,” which I call the USA Freedumber Act, in the Senate.
I explained here why the Senate is unlikely to improve USA Freedumber in any meaningful way. The votes just aren’t there — not even in the Senate Judiciary Committee.
Ominously, Dianne Feinstein just scheduled an NSA hearing for Thursday afternoon, when most of the privacy community will be out rallying the troops.
Unless the surveillance community finds some way to defeat USA Freedumber, the intelligence community will soon be toasting themselves that they used the cover of Edward Snowden’s disclosures to expand surveillance. The “Edward Snowden Put the NSA in Your Smartphone Act,” they might call it.
To prevent that, the privacy community needs to find a way to defeat USA Freedumber. It’s not enough, in my opinion, to point to the judicial review codified by USA Freedumber to accede to letting this pass. Not only doesn’t USA Freedumber end what most normal people call, “bulk collection,” but it expands collection in a number of ways.
That’s true, in part, because of the way the bill defines “bulk collection.” USA Freedumber only considers something “bulk collection” if it collects all of some kind of data (so, all phone data in the US). If NSA limits collection at all — selecting to collect all the phone records from Area Code 202, for example — it no longer qualifies as bulk collection under the Intel Community definition used in the bill, no matter how broadly they’re collecting.
Here’s a post where I lay that out.
To make things worse, the last version of the House bill changed the term “selection term” to make it very broad: including “entities,” “addresses,” and “devices” among the things that count as a single target, all of which invite mass targeting. I was always skeptical about “specific selection term” serving as the limiting factor in the bill; key language about how the FISC currently understands “selection term” remains classified. But I do know that Zoe Lofgren and others in the House kept saying that under the current definition of the bill the government could collect all records in, say, my Area Code 202 example. And if that’s possible, it means the phone dragnet under this “reform” may be little more targeted than upstream Section 702 collection currently is, which has telecoms sniff through up to 75% of US Internet traffic.
But it’s not just that the bill doesn’t deliver what its boosters claim it does.
There are 4 other ways that the bill makes the status quo worse, as I show in this post:
In my opinion, these changes mean the NSA will be able to do much of what they were doing in 2009, before what were then called abuses – but under this bill would be legalized — were discovered. That, plus they’re likely to expand the dragnet beyond terrorism targets.
For a year, privacy advocates have believed we’d get reform in response to Snowden’s leaks. For too long, advocates treated HR 3361 as positive reform.
But unless we defeat USA Freedumber, the Intelligence Community will have used the event of Snowden’s leaks as an opportunity to expand the dragnet.
Yesterday, I noted that the subject of Edward Snowden’s emailed question to NSA’s Office of General Counsel pertained to one of the under-reported themes of his leaks, the way NSA uses EO 12333 to collect data on Americans that either clearly was or might have been covered by stricter laws passed by Congress. I also noted how unbelievably shitty the NSA training programs released to ACLU and EFF are, particularly the way seemingly outdated documents that remain in effect appear to allow spying on Americans prohibited by statute.
I’d like to return to the precise language Snowden used to refer to this email exchange (and a thus-far unreleased exchange he claims to have had with NSA’s Compliance folks).
Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published.
I suggested yesterday that this was likely a conflict over whether EO 12333 superseded laws passed by Congress, including but not limited to FISA.
But note: Snowden says he asked about a “classified” EO.
EO 12333 is unclassified.
So there are two possibilities. First, that there’s a classified EO — one that remains classified – that we don’t know about, one Congress may not even be fully cognizant of (on the premise that this EO supersedes the law).
That’s possible. But EO 12333 is the only EO referenced in USSID 18’s list of references.
The other possibility is far more interesting.
As I noted, the documents laying out the core regulations governing NSA conflict badly, largely because many of the documents are very dated, and have been (or should have been) superseded by recent laws (like the FISA Amendments Act) and court decisions (like John Bates’ 2011 ruling on upstream collection).
Of particular interest is NSA/CSS Policy 1-23 (starting at PDF 110). That policy is interesting, first of all, because it was first issued on March 11, 2004 by Michael Hayden. That is, this policy dates to the very day when Michael Hayden agreed to continue the illegal wiretap program even as half of DOJ threatened to quit.
The policy was updated twice, once to make what were considered minor adjustments in policy in 2007, and once in 2009 to incorporate FISA Amendments Act changes. Thus, the policy at least purports to fully incorporate FAA. The 2009 reissue — and its classified annex — is considered among the signature authorizing milestones according to a timeline leaked by Snowden, above, and the only one that mentions a classified annex.
But — as I noted yesterday — the policy still relies on (and incorporates) a classified annex to EO 12333 that was written in 1988 (though the document itself bears the March 11, 2004 date).