Posts

Will Keith Alexander FINALLY Tell the Full Truth about the Section 215 Dragnet in Today’s Secret Emergency Hearing?

Since Edward Snowden made it clear the government has been collecting every American’s phone records in the name of terrorism (and Iran), the National Security establishment has made a great show of transparency.

Don’t worry it’s “just” metadata, they said. Only 300 queries, well, we really mean only 300 identifiers to query on, which works out to be more than 300 queries. Only those who talk to terrorists. Or talk to those who talk to terrorists. Or talk to those who talk to those who talk to those who talk to terrorists, they ultimately revealed.

But last Thursday, the government admitted, sort of, that they’re not being as transparent as they claim. In a letter submitted in an effort to stall for time in ACLU’s suit to stop the 215 collection, the government offered a 400+ word description of the program. But the description started by claiming the program is, “in may respects, still classified.”

This case concerns a highly sensitive and, in many respects, still classified intelligence-collection program that is designed to assist the U.S. Government in discovering whether known or suspected terrorists have been in contact with other persons who may be engaged in terrorist activities, including persons and activities inside the United States. Under this program, the Federal Bureau of Investigation (FBI) obtains authorization from the Foreign Intelligence Surveillance Court (“FISA Court”) to collect telephony metadata from certain telecommunications service providers. The National Security Agency (NSA), in turn, archives this information; queries the data, when strict standards are met, to detect communications between foreign terrorist organizations and their potential operatives located in the United States; and provides leads to the FBI or others in the Intelligence Community for counterterrorism purposes. [my emphasis]

So what do the “many respects” of this program that remain classified do? And do those “many respects” describe why the government needs to create an associational database including every American to help in just 13 plots over 7 years?

Which is why I find it interesting that, as soon as it became clear the Amash-Conyers amendment to the Defense Appropriations — which would defund the dragnet collection — would get a vote, NSA Director Keith Alexander decided he needed to talk to Congress in secret.

NSA head General Keith Alexander scheduled a last-minute, members-only briefing in response to the amendment, according to an invitation distributed to members of Congress this morning and forwarded to HuffPost. “In advance of anticipated action on amendments to the DoD Appropriations bill, Ranking Member C.A. Dutch Ruppersberger of the House Intelligence Committee invites your Member to attend a question and answer session with General Keith B. Alexander of the National Security Agency,” reads the invitation.

“The briefing will be held at the Top Secret/SCI level and will be strictly Members-Only,” the invitation read.

So it seems that Alexander has more to say about this program he has feigned transparency on for the last month and a half.

That said, Alexander has a serial history of misleading statements when he doesn’t have a public fact-checker. So while he may tell Congressmen and -women more details about how they’re really using this dragnet database and why making 13 investigations easier merits such overkill, it’s unlikely he’ll tell the compete truth. I’m not optimistic.

But he may finally reveal why the government chose this overkill method of surveillance.

While Alexander is conducting this top secret briefing, you can do your own lobbying[: call you member of Congress and tell them to support Amash-Conyers.

Study Shows Cybertheft Really Isn’t the Greatest Transfer of Wealth in History

I’ve long mocked the claim — often wielded by people like Sheldon Whitehouse and Keith Alexander — that cybertheft is the greatest transfer of wealth in history. Sure, cybertheft might be big. But bigger than colonization? Bigger than slavery?

But a new study shows that it is just a fraction of what cyber-boosters have been claiming: $25 to $100 billion rather than a $1 trillion.

The study does still show it is costly — leading to the lost of 508,000 jobs a year. And the study didn’t account for something else I often harp on: the unknown role of Chinese hacking into weapons programs in degrading the effectiveness of those programs.

Still unknown, for example, are the unseen costs of military cybertheft, said Mr. Lewis. “A lot of the cost overruns in some of our big programs are because they had to rewrite the code after the Chinese got in—and the real damage won’t appear until we see how weapons actually perform,” he said.

The study also did not calculate the effect of cybertheft on American competitiveness, which seems like a significant issue.

Ultimately, though, this is a problem that should be fought without the bluster. It is real. It is a threat, in large part, to private companies that don’t pay their fair share in taxes. How we combat that problem should account for those factors.

Wherein Alexander the Great Conquers the World

“Collect it all,” an anonymous source describes General Keith Alexander’s approach to data, in a bizarre WaPo profile this morning.

The article includes several anonymous condemnations of Alexander the Great’s approach.

  • “But even his defenders say Alexander’s aggressiveness has sometimes taken him to the outer edge of his legal authority.”
  • “Some in Congress complain that Alexander’s NSA is sometimes slow to inform the oversight committees of problems, particularly when the agency’s eavesdroppers inadvertently pick up communications that fall outside the NSA’s legal mandates.”
  • “Even close allies have fretted about the concentration of so much responsibility — not to mention influence — in a single individual.”

It also provides details of why he is so dangerous.

  • “Alexander has argued for covert action authority, which is traditionally the domain of the CIA, individuals familiar with the matter say.”
  • “He has been credited as a key supporter of the development of Stuxnet, the computer worm that infected Iran’s main uranium enrichment facility in 2009 and 2010 and is the most aggressive known use to date of offensive cyberweaponry.”
  • “‘He is the only man in the land that can promote a problem by virtue of his intelligence hat and then promote a solution by virtue of his military hat,’ said one former Pentagon official,”
  • Private companies should give the government access to their networks so it could screen out the harmful software. The NSA chief was offering to serve as an all-knowing virus-protection service, but at the cost, industry officials felt, of an unprecedented intrusion into the financial institutions’ databases.”

But the entire article — which focuses far more closely on Alexander the Great’s cybersecurity and cyberwar activities than terrorism — pretends to be about terrorism.

For NSA chief, terrorist threat drives passion to ‘collect it all,’ observers say

In late 2005, as Iraqi roadside bombings were nearing an all-time peak, the National Security Agency’s newly appointed chief began pitching a radical plan for halting the attacks that then were killing or wounding a dozen Americans a day.

At the time, more than 100 teams of U.S. analysts were scouring Iraq for snippets of electronic data that might lead to the bomb-makers and their hidden factories. But the NSA director, Gen. Keith B. Alexander, wanted more than mere snippets. He wanted everything: Every Iraqi text message, phone call and e-mail that could be vacuumed up by the agency’s powerful computers.

“Rather than look for a single needle in the haystack, his approach was, ‘Let’s collect the whole haystack,’ ” said one former senior U.S. intelligence official who tracked the plan’s implementation. “Collect it all, tag it, store it. . . . And whatever it is you want, you go searching for it.”

The unprecedented data collection plan, dubbed Real Time Regional Gateway, would play a role in breaking up Iraqi insurgent networks and significantly reducing the monthly death toll from improvised explosive devices by late 2008. It also encapsulated Alexander’s controversial approach to safeguarding Americans from what he sees as a host of imminent threats, from terrorism to devastating cyberattacks.

This approach (which appears to be sheer regurgitation on the part of one of WaPo’s writers, perhaps not surprising given Joby Warrick’s contributions) replicates both David Petraeus’ false claims about the surge winning the war in Iraq (rather than bribes to delay the violence that is exploding again) and the very legal ploy I’ve described is built into FISA programs.

That is, every time NSA proposes some vast new expansion of its collection, it does so by pointing to the Terror Terror Terror threat (whether or not that’s the chief threat at hand). People within National Counterterrorism Center troll their files to build up the threat as urgently as possible, including using tortured evidence. And then they pull that together into a justification that probably looks just like the first paragraphs of this article as self-justification.

And remember, Alexander the Great was resuming comprehensive collection on Iraq after Jack Goldsmith had limited it to terrorists in 2004 (presumably after he and others discovered comprehensive collection includes eavesdropping on calls from servicemen calling home).

And by using the Terror Terror Terror threat, Alexander the Great can invoke the certainty of death to describe proposals that include camping on the most private bank websites to hunt for malware (to say nothing of offensively attacking other states).

“Everyone also understands,” he said, “that if we give up a capability that is critical to the defense of this nation, people will die.”

Once you get beyond the initial several paragraphs of propaganda, the story makes clear that a number of people — and not just Jeff Merkley, who is one of the named critics — are beginning to realize this is too much.

But by the time you get there, Alexander the Great has conquered the world.

“Collect it all.”

Citing a Culture of “Verified Trust,” DefCon Asks Feds Not to Come

Even after I wrote this post, few people following the NSA story seem to get that James Clapper’s lie to Ron Wyden was just the culmination of a seven month effort on Wyden’s part to get Keith Alexander to correct two misleading statements he made in an unclassified forum at DefCon last year.

That is, when Wyden asked Clapper “Does the NSA collect any type of data at all on ‘millions or hundreds of millions of Americans’?,” he was trying to correct Alexander’s dodge — by way of introducing the notion of “dossiers” — that the NSA doesn’t collect information on all Americans.

Which we now know, thanks to Edward Snowden’s leaks, it does.

So I’m not surprised that — a year after Alexander made lies that have now been exposed as such — DefCon has asked the Feds not to come. (h/t Brian Krebs)

FEDS, WE NEED SOME TIME APART.

POSTED 7.10.13

For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.

When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a “time-out” and not attend DEF CON this year.

This will give everybody time to think about how we got here, and what comes next. [my emphasis]

The other content of Snowden’s leaks aside, the Verizon order and the minimization procedures show that what Alexander did last year was dress up in a hacker costume and lie — not just about the degree to which NSA collects the contacts of all Americans (the lie Ron Wyden worked so hard to correct), but also about the protections offered to people who encrypt their communications (that is, hackers).

As such, any chill between the Feds and hackers should not be laid at Snowden’s feet. They should be laid at General Alexander’s.

In These Times We Can’t Blindly Trust Government to Respect Freedom of Association

One of my friends, who works in a strategic role at American Federation of Teachers, is Iranian-American. I asked him a few weeks ago whom he called in Iran; if I remember correctly (I’ve been asking a lot of Iranian-Americans whom they call in Iran) he said it was mostly his grandmother, who’s not a member of the Republican Guard or even close. Still, according to the statement that Dianne Feinstein had confirmed by NSA Director Keith Alexander, calls “related to Iran” are fair game for queries of the dragnet database of all Americans’ phone metadata.

Chances are slim that my friend’s calls to his grandmother are among the 300 identifiers the NSA queried last year, unless (as is possible) they monitored all calls to Iran. But nothing in the program seems to prohibit it, particularly given the government’s absurdly broad definitions of “related to” for issues of surveillance and its bizarre adoption of a terrorist program to surveil another nation-state. And if someone chose to query on my friend’s calls to his grandmother, using the two-degrees-of-separation query they have used in the past would give the government — not always the best friend of teachers unions — a pretty interesting picture of whom the AFT was partnering with and what it had planned.

In other words, nothing in the law or the known minimization rules of the Business Records provision would seem to protect some of the AFT’s organizational secrets just because they happen to employ someone whose grandmother is in Iran. That’s not the only obvious way labor discussions might come under scrutiny; Colombian human rights organizers with tangential ties to FARC is just one other one.

When I read labor organizer Louis Nayman’s “defense of PRISM,” it became clear he’s not aware of many details of the programs he defended. Just as an example, Nayman misstated this claim:

According to NSA officials, the surveillance in question has prevented at least 50 planned terror attacks against Americans, including bombings of the New York City subway system and the New York Stock Exchange. While such assertions from government officials are difficult to verify independently, the lack of attacks during the long stretch between 9/11 and the Boston Marathon bombings speaks for itself.

Keith Alexander didn’t say NSA’s use of Section 702 and Section 215 have thwarted 50 planned attacks against Americans; those 50 were in the US and overseas. He said only around 10 of those plots were in the United States. That works out to be less than 20% of the attacks thwarted in the US just between January 2009 and October 2012 (though these programs have existed for a much longer period of time, so the percentage must be even lower). And there are problems with three of the four cases publicly claimed by the government — from false positives and more important tips in the Najibullah Zazi case, missing details of the belated arrest of David Headley, to bogus claims that Khalid Ouazzan ever planned to attack NYSE. The sole story that has stood up to scrutiny is some guys who tried to send less than $10,000 to al-Shabaab.

While that doesn’t mean the NSA surveillance programs played no role, it does mean that the government’s assertions of efficacy (at least as it pertains to terrorism) have proven to be overblown.

Yet from that, Nayman concludes these programs have “been effective in keeping us safe” (given Nayman’s conflation of US and overseas, I wonder how families of the 166 Indians Headley had a hand in killing feel about that) and defends giving the government legal access (whether they’ve used it or not) to — among other things — metadata identifying the strategic partners of labor unions with little question.

And details about the success of the program are not the only statements made by top National Security officials that have proven inaccurate or overblown. That’s why Nayman would be far better off relying on Mark Udall and Ron Wyden as sources for whether or not the government can read US person emails without probable cause than misstating what HBO Director David Simon has said (Simon said that entirely domestic communications require probable cause, which is generally but not always true). And not just because the Senators are actually read into these programs. After the Senators noted that Keith Alexander had “portray[ed] protections for Americans’ privacy as being significantly stronger than they actually are” — specifically as it relates to what the government can do with US person communications collected “incidentally” to a target — Alexander withdrew his claims.

Nayman says, “As people who believe in government, we cannot simply assume that officials are abusing their lawfully granted responsibility and authority to defend our people from violence and harm.” I would respond that neither should we simply assume they’re not abusing their authority, particularly given evidence those officials have repeatedly misled us in the past.

Nayman then admits, “We should do all we can to assure proper oversight any time a surveillance program of any size and scope is launched.” But a big part of the problem with these programs is that the government has either not implemented or refused such oversight. Some holes in the oversight of the program are:

  • NSA has not said whether queries of the metadata dragnet database are electronically  recorded; both SWIFT and a similar phone metadata program queries have been either sometimes or always oral, making them impossible to audit
  • Read more

On the Meanings of “Dishonor” and “Hack”

The former NSA IG (and current affiliate of the Chertoff Group profiteers, though he didn’t disclose that financial interest) Joel Brenner has taken to the pages of Lawfare to suggest anyone trying to force some truth out of top Intelligence Community officials is dishonorable.

On March 12 of this year, Senator Ron Wyden asked James Clapper, the director of national intelligence, whether the National Security Agency gathers “any type of data at all on millions or hundreds of millions of Americans.”

“No, sir,” replied the director, visibly annoyed. “Not wittingly.”

Wyden is a member of the Senate Select Committee on Intelligence and had long known about the court-approved metadata program that has since become public knowledge. He knew Clapper’s answer was incorrect. But Wyden, like Clapper, was also under an oath not to divulge the story. In posing this question, he knew Clapper would have to breach his oath of secrecy, lie, prevaricate, or decline to reply except in executive session—a tactic that would implicitly have divulged the secret. The committee chairman, Senator Diane Feinstein, may have known what Wyden had in mind. In opening the hearing she reminded senators it would be followed by a closed session and said,  “I’ll ask that members refrain from asking questions here that have classified answers.” Not dissuaded, Wyden sandbagged he [sic] director.

This was a vicious tactic, regardless of what you think of the later Snowden disclosures. Wyden learned nothing, the public learned nothing, and an honest and unusually forthright public servant has had his credibility trashed.

Brenner of course doesn’t mention that Clapper had had warning of this question, so should have provided a better non-answer. Later in his post, he understates how revealing telephone metadata can be (and of course doesn’t mention it can also include location). He even misstates how often the phone metadata collection has been queried (it was queried on 300 selectors, not “accessed only 300 times”).

But the really hackish part of his argument is in pretending this whole exchange started on March 12.

It didn’t. It started over a year ago and continued through last week when Keith Alexander had to withdraw a “fact sheet” purporting to lay out the “Section 702 protections” Americans enjoy (see below for links to these exchanges).

The exchange didn’t start out very well, with two Inspectors General working to ensure that Wyden and Mark Udall would not get their unclassified non-answer about how many Americans are surveilled under Section 702’s back door until after the Intelligence Committee marked up the bill.

But perhaps the signature exchange was this October 10, 2012 Wyden letter (with 3 other Senators) to Keith Alexander and Alexander’s November 5, 2012 response.

On July 27, 2012, Alexander put on a jeans-and-t-shirt costume and went to DefCon to suck up to hackers. After giving a schmaltzy speech including lines like, “we can protect the networks and have civil liberties and privacy,” DefCon founder Jeff Moss asked Alexander about recent Bill Binney allegations that the NSA was collecting communications of all Americans. Wired reported the exchange here.

It was this exchange — Keith Alexander’s choice to make unclassified statements to a bunch of hackers he was trying to suck up to — that underlies Wyden’s question. And Wyden explicitly invoked Alexander’s comments in his March 12 question to Clapper.

In Wyden’s letter, he quoted this, from Alexander.

We may, incidentally, in targeting a bad guy hit on somebody from a good guy, because there’s a discussion there. We have requirements from the FISA Court and the Attorney General to minimize that, which means nobody else can see it unless there’s a crime that’s been committed.

Wyden then noted,

We believe that this statement incorrectly characterized the minimization requirements that apply to the NSA’s FISA Amendments Act collection, and portrays privacy protections for Americans’ communications as being stronger than they actually are.

This is almost precisely the exchange that occurred last week, when Wyden and Udall had to correct Alexander’s public lies about Section 702 protections again. 8 months later and Alexander is reverting to the same lies about protections for US Persons.

In the letter, Wyden quoted from Alexander again,

You also stated, in response to the same question, that “…the story that we have millions or hundreds of millions of dossiers on people is absolutely false. We are not entirely clear what the term “dossier” means in this context, so we would appreciate it if you would clarify this remark.

And asked,

Are you certain that the number of American communications collected is not “millions or hundreds of millions”? If so, then clearly you must have some ability to estimate the scale of this number, at least some range in which you believe it falls. If this is the case, how large could this number possibly be? How small could it possibly be?

Does the NSA collect any type of data at all on “millions or hundreds of millions of Americans”?

This last question was precisely the question Wyden asked Clapper 5 months later on March 12 (Alexander’s response in November didn’t even acknowledge this question — he just blew it off entirely).

As Wyden emphasized, Alexander is the one who chose to make misleading assertions in unclassified form, opening up the door for demands for an unclassified response.

Since you made your remarks in an unclassified forum, we would appreciate an unclassified response to these questions, so that your remarks can be properly understood by Congress and the public, and not interpreted in a misleading way.

In other words, Brenner presents the context of Wyden’s question to Clapper completely wrong. He pretends this exchange was about one cleared person setting up another cleared person to answer a question. But Brenner ignores (Wyden’s clear invocation of it notwithstanding) that this exchange started when a cleared person, General Alexander, chose to lie to the public.

And now that we’ve seen the minimization standards, we know just how egregious a lie Alexander told to the hackers at DefCon. It’s bad enough that Alexander didn’t admit that anything that might possibly have a foreign intelligence purpose could be kept and, potentially, disseminated, a fact that would affect all Americans’ communications.

But Alexander was talking to high level hackers, probably the group of civilians who encrypt their online communications more than any other.

And Alexander knows that the NSA keeps encrypted communications indefinitely, and with his say-so, can keep them even if they’re known to be entirely domestic communications.

In other words, in speaking to the group of American civilians whose communications probably get the least protections from NSA (aside from the encryption they themselves give it), Alexander suggested their communications would only be captured if they were talking to bad guys. But the NSA defines “those who encrypt their communications” as bad guys by default.

He was trying to suck up to the hackers, even as he lied about the degree to which NSA defines most of them as bad guys.

Brenner gets all upset about his colleagues being “forced” to lie in public. But that’s not what’s going on here: James Clapper and, especially, Keith Alexander are choosing to lie to the public.

And if it is vicious for an intelligence overseer to call IC officials on willful lies to the public, then we’ve got a very basic problem with democracy. Read more

James Clapper’s Double Super Secret Correction

Screen shot 2013-07-01 at 9.21.55 AMIf the Director of National Intelligence corrects a lie but nobody hears it, does it make a sound?

Greg Miller returns focus to James Clapper and Keith Alexander and President Obama’s lies that underscore why, at least for some of his leaks, Edward Snowden must count as a whistleblower. He reveals two new details about why Clapper is not headed for prison.

First, Clapper claims his staffers acknowledged to Wyden (presumably not in writing) his error after the Senator demanded a correction.

Sen. Ron Wyden (D-Ore.), who had asked Clapper the question about information collection on Americans, said in a recent statement that the director had failed to clarify the remark promptly despite being asked to do so. Clapper disputed that in his note to the committee, saying his “staff acknowledged the error to Senator Wyden’s staff soon after the hearing.”

And then, more than two weeks after Snowden proved Clapper to be a liar (and 10 days after Wyden called for hearings for the Intelligence Committee to correct their disinformation), Clapper sent the Senate Intelligence Committee a letter apologizing for his “clearly erroneous” comment.

Acknowledging the “heated controversy” over his remark, Clapper sent a letter to the Senate Intelligence Committee on June 21 saying that he had misunderstood the question he had been asked.

“I have thought long and hard to re-create what went through my mind at the time,” Clapper said in the previously undisclosed letter. “My response was clearly erroneous — for which I apologize.” [my emphasis]

Miller also reveals that Clapper presented yet another explanation for why his lie wasn’t really a lie.

He made a new attempt to explain the exchange in his June 21 correspondence, which included a hand-written note to Wyden saying that an attached letter was addressed to the committee chairman but that he “wanted [Wyden] to see this first.”

Clapper said he thought Wyden was referring to NSA surveillance of e-mail traffic involving overseas targets, not the separate program in which the agency is authorized to collect records of Americans’ phone calls that include the numbers and duration of calls but not individuals’ names or the contents of their calls.

Referring to his appearances before Congress over several decades, Clapper concluded by saying that “mistakes will happen, and when I make one, I correct it.”

Note, this particular lie retreats to Administration claims that they no longer collect Internet metadata, at least no via Section 702 collection, at least as far as they’lll tell us.

Of course, that’s only been true (if it is in fact true) since 2011, for what that’s worth.

One thing Miller is missing in this otherwise laudable article is one more detail from Wyden: that he gave Clapper notice he was going to ask the question.

Clapper got the question for the test before taking it, and he still — he says — misunderstood it.

But of course that’s not what happened. The way Clapper has made false statements in public and then “acknowledged errors” in secret is all part of the game by which Clapper mostly sort of tells the truth to Congress, but continues to lie to the American people.

In other news, it has now been almost a week since, caught in another lie, the NSA took down their “Section 702 Protections” document, without replacing them with an accurate description of what  protections, if any, Americans have under Section 702.

Perhaps NSA has finally decided to start telling the truth?

Keith Alexander: “We Must Win, There Is No Substitute for Victory”

I frankly have no problem with Keith Alexander giving the employees of the National Security Agency a pep talk as the truth of what they’re doing to us becomes public. They are not, after all, responsible for the serial disinformation Alexander and James Clapper have spread about their work. And the overwhelming majority of them are just trying to support the country.

I don’t find this part of Alexander’s speech even remotely accurate, mind you, but I’ve gotten used to dissembling from Alexander.

The issue is one that is partly fueled by the sensational nature of the leaks and the way their timing has been carefully orchestrated to inflame and embarrass. The challenge of these leaks is exacerbated by a lack of public understanding of the safeguards in place and little awareness of the outcomes that our authorities yield. Leadership, from the President and others in the Executive Branch to the Congress, is now engaged in a public dialogue to make sure the American public gets the rest of the story while not disclosing details that would further endanger our national security.

It’s hard to understand how leaks can be inflammatory and embarrassing but all the claims about safeguards and dialogue to also be true.

But it’s this passage I’m far more struck by:

Let me say again how proud I am to lead this exceptional workforce, uniformed and civilian, civil service and contract personnel. Your dedication is unsurpassed, your patriotism unquestioned, and your skills are the envy of the world. Together with your colleagues in US Cyber Command, you embody the true meaning of noble intent through your national service. In a 1962 speech to the Corps of Cadets on “duty, honor and country,” one of this nation’s military heroes, General Douglas MacArthur, said these words teach us “not to substitute words for action; not to seek the path of comfort, but to face the stress and spur of difficulty and challenge; to learn to stand up in the storm.” You have done all that and more. “Duty, Honor, Country” could easily be your motto, for you live these words every day. [my emphasis]

It’s not just that he calls out Cyber Command in the midst of a scandal that’s not supposed to be (but really is) about offensive war.

It’s not just that he chooses to cite one of the most powerful Generals ever, one who defied civilian command to try to extend a war that — it turns out — wasn’t existential.

But it’s also that he chose to cite a speech that invokes that moment of insubordination, a speech that encourages political inaction among the troops, a speech whose audience MacArthur defined as singularly military.

And through all this welter of change and development your mission remains fixed, determined, inviolable. It is to win our wars. Everything else in your professional career is but corollary to this vital dedication. All other public purpose, all other public projects, all other public needs, great or small, will find others for their accomplishments; but you are the ones who are trained to fight.

Yours is the profession of arms, the will to win, the sure knowledge that in war there is no substitute for victory, that if you lose, the Nation will be destroyed, that the very obsession of your public service must be Duty, Honor, Country.

Others will debate the controversial issues, national and international, which divide men’s minds. But serene, calm, aloof, you stand as the Nation’s war guardians, as its lifeguards from the raging tides of international conflict, as its gladiators in the arena of battle. For a century and a half you have defended, guarded and protected its hallowed traditions of liberty and freedom, of right and justice.

Let civilian voices argue the merits or demerits of our processes of government. Whether our strength is being sapped by deficit financing indulged in too long, by federal paternalism grown too mighty, by power groups grown too arrogant, by politics grown too corrupt, by crime grown too rampant, by morals grown too low, by taxes grown too high, by extremists grown too violent; whether our personal liberties are as firm and complete as they should be.

These great national problems are not for your professional participation or military solution. Your guidepost stands out like a tenfold beacon in the night: Duty, Honor, Country.

At a moment of crisis, at a moment when his own credibility is under strain, Keith Alexander has chosen to address the military, civilian, and contractor employees of the NSA as unthinking warriors, isolated from the critical issues swirling around them at the moment. He has chosen to frame NSA as a war machine, not as a defense machine.

The employees of NSA’s first duty is to the Constitution, not the secret battles Alexander wants to escalate and win at all costs. I do hope they don’t despair of that duty.

Keith Alexander’s Secret Lie: Retention and Distribution of Domestic Encrypted and Hacking Communications?

As I noted in my last two posts, Keith Alexander has admitted that the classified lie Mark Udall and Ron Wyden accused him of telling “could have more precisely described the requirements of collection under FISA Amendments Act.”

He then goes onto repeat the many claims about Section 702, which are different forms of saying that it may not collect information on someone knowingly in the US.

Which leads me to suspect that the lie Udall and Wyden described is that the program can retain and distribute domestic communications, which are defined as “communications in which the sender and all intended recipients are reasonably believed to be located in the United States at the time of acquisition.”

The minimization procedures actually describe four kinds of domestic communications that can be distributed with written NSA Director determination. Three of those — significant foreign intelligence information, evidence of a crime imminently being committed, and threat of serious harm to life or property — were generally known. But there is a fourth which I think is probably huge collection:

Section 5(3)

The communication is reasonably believed to contain technical data base information, as defined in Section 2(i), or information necessary to understand or assess a communications security vulnerability. Such communication may be provided to the FBI and/or disseminated to other elements of the United States Government. Such communications may be returned for a period sufficient to allow a thorough exploitation and to permit access to data that are, or are reasonably believed likely to become, relevant to a current or future foreign intelligence requirement. Sufficient duration may vary with the nature of the exploitation.

a. In the context of a cryptanalytic effort, maintenance of technical data bases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any time period during which encrypted material is subject to, or of us in, cryptanalysis.

b. In the case of communications that are not enciphered or otherwise thought to contain secret meaning, sufficient duration is five years unless the Signal Intelligence Director, NSA, determines in writing that retention for a longer period is required to respond to authorized foreign intelligence or counterintelligence requirements,

Technical data base information, according to the definitions, “means information retained for cryptanalytic, traffic analytic, or signal exploitation purposes.”

In other words, hacking.

Encrypted communications and evidence of hacking have secretly been included in a law purportedly about foreign intelligence collection. And they can keep that information as long as it takes, exempting it from normal minimization requirements.

To be clear, the government still has to get the communication believing (according to its 51% rule) that it has one foreign component. But if Keith Alexander says so, NSA can keep it, forever, even after it finds out it is a domestic communication.

Update: Here’s the July 2012 letter to Clapper. Here’s Clapper’s August 2012 response — the good bits of which are all classified.

NSA’s Querying of US Person Data, Take Two

Update: Alexander’s office has conceded Udall and Wyden’s point about the classified inaccuracy. It also notes:

With respect to the second point raised in your 24 June 2013 letter, the fact sheet did not imply nor was it intended to imply “that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”

He then cites two letters from James Clapper’s office which I don’t believe have been published.

Joshua Foust tries to refute this post and in doing so proves once again he doesn’t understand the meaning of “target” under Section 702.

Out of courtesy to him, I’m going to rewrite this post to help him understand it. The issue is not whether the US can “target” a US person without a warrant. They can’t. The issue is what the US does with US person data they collect incidentally off a legal target (which must be a foreigner overseas collected for a legitimate intelligence purpose).

At issue is this sentence in the Mark Udall/Ron Wyden letter to Keith Alexander.

Separately, this same fact sheet states that under Section 702, “Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.” We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.

The passage says that the claim, “any inadvertently acquired communication of or concerning a US person must be promptly destroyed” is “somewhat misleading,” for two reasons:

  1. It implies that the NSA has the ability to determine how many American communications it has collected under section 702
  2. It implies that the law does not allow the NSA to deliberately search for the records of particular Americans

Now, before I get into bullet point 2, which is the one in question, note that this entire passage is talking about “inadvertently acquired communication of or concerning a US person.” This is not information on someone who has been targeted. It discusses what happens to information collected along with the communications of those who’ve been targeted (say, by emailing the target). Therefore, this entire passage is irrelevant to the issue of what happens with the targeted person’s communication. The Udall/Wyden claim is not about targeting in the least; it is about incidental collection.

Okay, bullet point 2: Udall and Wyden claim that Alexander’s fact sheet is misleading because it implies the law does not allow the NSA to deliberately search for the records of particular Americans. They could be wrong, but their claim is that it is misleading for Alexander to suggest that the law does not allow the NSA to deliberately search for the records of particular Americans. That means they believe the law does allow the NSA to deliberately search for the records of particular Americans, otherwise they wouldn’t think his statement was misleading.

Now, if it were just Udall and Wyden making this claim, it’d be a he-said/he-said. But  pointed out that this claim is not new at all. It’s not even one limited to Udall and Wyden. In the FAA report released by Dianne Feinstein last year, it said,

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession.

First, the report describes a debate the committee had:

The Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained.

The committee debated two things:

  1. Whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited.
  2. Whether querying information collected under Section 702 to find communications of a particular United States person should be more robustly constrained.

Bullet point 1 makes it clear they were debating whether they should prohibit this activity. If they had to consider that, it means that it is not prohibited (which is precisely what Udall and Wyden say–that the law allows it). Bullet point 2 says they also considered whether they should “more robustly constrain” it, which suggests (though does not prove) that it is going on now, otherwise there’d be nothing to constrain.

The IC IGs won’t tell us how much of this goes on–they claim they have no way of counting it, which ought to alarm you, because it says they’re not actually tracking it via some kind of auditing function.

I defer to his conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission. He further stated that his office and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons.

Now, as I already laid out, what we’re talking about is not targeting a US person–focusing collection on that person. What we’re talking about is what you can do with the US person data collected “incidentally” with the communications collected of that targeted person. That information–as the minimization guidelines describe–is lawfully collected. The big question is what you can do with it once you have collected it, and in many but not all cases there are restrictions against circulating that information before you’ve hidden the identity of the US person in question.

The last part of the passage from the SSCI says,

With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession.

Again, some amount of US person data is collected under Section 702 along with the data of the targeted person (if it weren’t, they wouldn’t need minimization procedures). It is lawfully collected. The question is what you’re allowed to do with it. And as part of the debate the committee had about whether they were going to “prohibit” or “more robustly constrain” the querying of US person data that was lawfully collected as incidental data, SSCI describes the Intelligence Community (which includes, in part, the NSA, the CIA, and the FBI) providing several reasons why it might need to conduct queries of this data. And the committee agreed that these reasons were “legitimate foreign intelligence needs.”

The minimization procedures from 2009, at least, require destruction of US person data if it is “clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information).” (3(b)(1)) What is not immediately destroyed may be kept for up to 5 years. But it only destroys the stuff that is “clearly not relevant,” not data that might be relevant to the purpose of the investigation.

Now, while the language is not exact, the SSCI report’s description of data that has a “legitimate foreign intelligence” surely includes “foreign intelligence information.” This is kind of backwards (which may be part of complaint from Udall and Wyden), but unless the information is clearly not relevant — and the intelligence community says some of this data has legitimate intelligence purposes — then it is retained. This is probably why Udall and Wyden think Alexander’s “must be promptly destroyed” is misleading, because if the IC thinks they might need to query it because it would serve a legitimate foreign intelligence purpose, then it is not.

So who makes this decision whether to keep the data? “NSA analyst(s) will determine whether it … is reasonably believed to contain foreign intelligence information.” (3(b)(4)) The NSA, not FBI or CIA.

And this data cannot just be retained. It can also be “forwarded to analytic personnel responsible for producing intelligence information from the collected data.” (3(b)(2))

Now, in most cases, that information must be anonymized (which is what Kurt Eichenwald discusses here, which Foust cites). But it has always been the case there are exceptions to that rule. Some exceptions are if:

  • The Director of NSA specifically determines, in writing, that the communication is reasonably believed to contain significant foreign intelligence information. (5(1)) In that case the information goes to the FBI. [Update: This distribution is permitted with domestic communication–that is, US to US person.]
  • A recipient requiring the identity of such person for the performance of official duties needs the identity of the United States person to understand foreign intelligence information or assess its importance. (6(b)(2) This sometimes, but not always, happens after an initial distribution.

There are actually a slew more exceptions but these two should suffice. Again, these rules on distribution (except as they affect technical data base information, which might be relevant here, but not necessary) are not new with FAA. They’ve long been in place.

Again, this is all about what happens to incidentally collected data, not the data of the person actually targeted. Which is why these two passages are irrelevant to the entire point (the second of which Foust thought I was leaving out because it hurt my point).

As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause.

[snip]

The Department of Justice and Intelligence Community reaffirmed that any queries made of Section 702 data will be conducted in strict compliance with applicable guidelines and procedures and do not provide a means to circumvent the general requirement to obtain a court order before targeting a U.S. person under FISA.

What they say is that the government is prohibited from targeting a US person without a warrant and that any other things done with incidentally collected data must be conducted in strict compliance with applicable guidelines, which are the minimization procedures I just reviewed (though again, those are from 2009 so they may have changed somewhat). The passage very clearly envisions making queries of the data and very clearly considers such queries to be distinct from the targeting of a US person.

And the minimization procedures make it clear that if data is not “clearly not foreign intelligence,” (that is, if it might be foreign intelligence, as this queried data is, according to the IC) then it is retained, at least through the initial (NSA-conducted) review. Where it can be queried, so long as the other minimization procedures are met.

One final thing. Foust is actually wrong when he suggests the IC asked for new authority (in any case, the only conclusion would be that they got it). Rather, in both the SSCI and the Senate Judiciary Committee, Senators tried to limit this authority. In SJC, Mike Lee,  Dick Durbin, and Chris Coons submitted an amendment to (among other things) prohibit,

the searching of the contents of communications acquired under this section [702] in an effort to find communications of a particular United States person…

…Except with an emergency authorization.

Dianne Feinstein fought the amendment by arguing such a prohibition would have made it harder to find Nidal Hasan (whom we didn’t find anyway, and whose communications with Anwar al-Awlaki may well have been traditional FISA collection). But at one level that makes sense.

Sheldon Whitehouse said that such a restriction would “kill this program.”

I may not like what Whitehouse stated. But I do trust his judgement about how central to this program is access to US person communications.

That doesn’t say how much of this stuff goes on (though it does seem to suggest it does). But it does say we ought to at least track it.