Somewhere Booz Allen Hamilton Vice Chairman (and former NSA Director) Mike McConnell just said, “Ka-Ching.”
As I noted, the initial manager’s amendment of HR 3361 (AKA USA Freedumb Act) added compensation language to Section 215 that didn’t originally exist.
(j) COMPENSATION.—The Government shall compensate, at the prevailing rate, a person for producing tangible things or providing information, facilities, or assistance in accordance with an order issued or an emergency production required under this section.
In this latest iteration, the compensation has been expanded beyond just the telecoms to anyone else who assists.
(j) COMPENSATION.—The Government shall compensate a person for reasonable expenses incurred for—
(1) producing tangible things or providing information, facilities, or assistance in accordance with an order issued with respect to an application described in subsection (b)(2)(C) or an emergency production under subsection (i) that, to comply with subsection (i)(1)(D), requires an application described in subsection (b)(2)(C); or
(2) otherwise providing technical assistance to the Government under this section or to implement the amendments made to this section by the USA FREEDOM Act.
There’s reason to believe that contractors (AKA Booz!) does some of the triage work on the data currently. So one solution to that problem might be to move those Booz contractors — with their access directly to the raw data of Americans — over to Verizon and AT&T.
Because why shouldn’t NSA contractors be in bed together, wallowing in all your raw data.
Glad to see this bill is improving Intelligence Contractors bottom line, even if it doesn’t improve the dragnet.
As part of my ongoing focus on Executive Order 12333, I’ve been reviewing how the Bush Administration changed the EO when, shortly after the passage of the FISA Amendments Act, on July 30, 2008, they rolled out a new version of the order, with little consultation with Congress. Here’s the original version Ronald Reagan issued in 1981, here’s the EO making the changes, here’s how the new and improved version from 2008 reads with the changes.
While the most significant changes in the EO were — and were billed to be — the elaboration of the increased role for the Director of National Intelligence (who was then revolving door Booz executive Mike McConnell), there are actually several changes that affected NSA.
Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.
The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,
In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.
The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.
In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.
Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.
In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.
And a more subtle change goes even further. Section 2.5 of the EO delegates authority to the AG to “approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes.” In both the original and the revised EO, that delegation must be done within the scope of FISA (or FISA as amended, in the revision). But in 1981, FISA surveillance had to be “conducted in accordance with that Act [FISA], as well as this Order,” meaning that the limits on US person collection and dissemination from the EO applied, on top of any limits imposed by FISA. The 2008 EO dropped the last clause, meaning that such surveillance only has to comply with FISA, and not with other limits in the EO.
That’s significant because there are at least three things built into known FISA minimization procedures — the retention of US person data to protect property as well as life and body, the indefinite retention of encrypted communications, and the broader retention of “technical data base information” — that does not appear to be permitted under the EO’s more general guidelines but, with this provision, would be permitted (and, absent Edward Snowden, would also be hidden from public view in minimization procedures no one would ever get to see).
Update, March 11: Docket 07-449 is not an Internet dragnet one (those all have a PR/TT preface). This is one of the bulk collection programs approved in early 2007.
The Court has effectively concluded that certain communications containing a reference to a targeted selector are reasonably likely to contain foreign intelligence information, including communications between non-target accounts that contain the name of the targeted facility in the body of the message. See Docket No. 07-449, May 31, 2007 Primary Order at 12 (finding probable cause to believe that certain “about” communications were “themselves being sent and/or received by one of the targeted foreign powers”). Insofar as the discrete, wholly domestic “about” communications at issue here are communications between non-target accounts that contain the name of the targeted facility, the same conclusion applies to them.
And suggested the May 31, 2007 order in question was probably the Primary Order for the Internet Dragnet program.
Given the description, it likely was a primary order for the purportedly defunct Internet dragnet program; if so, it would represent the application of an opinion about metadata to collection including content.
Timewise, that might make sense. Colleen Kollar-Kotelly signed the first Pen Register/Trap & Trace order for Internet metadata on July 14, 2004. Accounting for some margin of error in reapplications and the 5 days earlier 90-day authorizations would be each year, a May 31 order 3 years after that first order is not far off what you’d expect.
But the description of the opinion — which pertains to messages identified because they contain information “about” a target — seems to refer to content, not metadata (though packets would blur this issue).
The Court has effectively concluded that certain communications containing a reference to a targeted selector are reasonably likely to contain foreign intelligence information, including communications between non-target accounts that contain the name of the targeted facility in the body of the message. See Docket No. 07-449, May 31, 2007 Primary Order at 12 (finding probable cause to believe that certain “about” communications were “themselves being sent and/or received by one of the targeted foreign powers”).
Moreover, this order would have been issued during the period when two FISC orders allowed the collection of content. And those orders — as the 2009 Draft NSA IG Report explains — formalized the claim that a targeted “facility” could consist of a switch carrying general traffic rather than a specific phone number or IP address.
Ultimately, DoJ decided to pursue a FISC order for content collection wherein the traditional FISA definition of a “facility” as a specific telephone number or email address was changed to encompass the gateway or cable head that foreign targets use for communications. Continue reading
I’m reading a very old SSCI hearing on FISA today — from May 1, 2007, when then Director of National Intelligence Mike McConnell initiated the push for the Protect America Act.
Given recent revelations that NSA continues to conduct some collection under EO 12333 — including the address books of people all over the world, including Americans — I thought this part of the hearing might amuse some of you.
SEN. FEINGOLD: I thank the witnesses for testifying today. Can each of you assure the American people that there is not — and this relates to what — the subject Senator Wyden was just discussing — that there is not and will not be any more surveillance in which the FISA process is side-stepped based on arguments that the president has independent authority under Article II or the authorization of the use of military force?
MR. McCONNELL: Sir, the president’s authority under Article II is – - are in the Constitution. So if the president chose to exercise Article II authority, that would be the president’s call. What we’re attempting to do here with this legislation is to put the process under appropriate law so that it’s conducted appropriately to do two things — protect privacy of Americans on one hand, and conduct foreign surveillance on the other.
SEN. FEINGOLD: My understanding of your answer to Senator Wyden’s last question was that there is no such activity going on at this point. In other words, whatever is happening is being done within the context of the FISA statute.
MR. McCONNELL: That’s correct.
SEN. FEINGOLD: Are there any plans to do any surveillance independent of the FISA statute relating to this subject?
MR. McCONNELL: None that — none that we are formulating or thinking about currently. But I’d just highlight, Article II is Article II, so in a different circumstance, I can’t speak for the president what he might decide.
SEN. FEINGOLD: Well, Mr. Director, Article II is Article II, and that’s all it is. Continue reading
I’m in the process of going really deep in the weeds on this Section 215 stuff, just adjusting my earlier timelines.
Several of us have noted the curious timing of the discovery of the problems with Section 215 dragnet. November 2, 2008 was the stated high number of identifiers which the NSA could contact chain, at 27,090 (though when NSA started cleaning this stuff up they only audited back through November 1, 2008).
On December 10, 2008, two analysts (whom I wildarseguess suspect were actually FBI Agents) start doing searches on unapproved identifiers, doing 280 over the next month and a half.
On December 11 and 12, 2008, Reggie Walton wrote the first systematic opinion on this program and approved a new Primary Order.
On December 15, 2008, the NSA stopped one of its abusive alert system processes.
On January 9, 2009, NSA told folks at DOJ’s National Security Division about them.
By January 15, 2009, NSA had seemingly purged thousands of identifiers from its alert list, because on that day (five days before the inauguration) it had only 17,835, down from 27,090 two days before Obama was elected.
January 20, 2009: Obama took the oath as President, replacing George Bush.
That, of course, led to change at key positions. One which I find remarkably interesting, however was that of Mike McConnell, who had spent two years as Director of National Intelligence (just long enough to get immunity for those who did all this illegally under Cheney’s program). McConnell left on January 27, 2009, leading to a delay on (reported) DNI involvement in this until his replacement Dennis Blair came in on January 29. Blair was briefed on this on his second day in office, January 30, 2009.
I don’t know — because the documents don’t say (see, especially, Keith Alexander’s chart on page 25 of his declaration that is totally non-responsive about anyone in DNI who would have known about these problems)– how much the revolving Intelligence Contractor Exec McConnell knew about NSA’s extension of the illegal Cheney program, illegally, under the FISC sanctioned Section 215 order.
But remember: as Vice Chair of Booz, Mike McConnell was (sort of) Edward Snowden’s boss until the latter absconded with proof of these gross violations under McConnell’s tenure at DNI.
Among other things, this rough outline suggests this wasn’t so much a “discovery” of violations, it was an attempt to hide what at least some people knew were systematic and gross violations of the Section 215 program, just before Obama came in and replaced some of the top players.
But I do find it ironic that McConnell’s company, Booz, played its small part in making all this clear.
Back in 2009 when the government released what we now know is a FISA Court of Review decision ordering Yahoo to cooperate in PRISM, I questioned a passage of the decision that relied on the government’s claim that it doesn’t keep a database of incidentally collected conversations involving US persons.
In this post, I just want to point to a passage that deserves more scrutiny:
The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26)
To translate, if the government collects information from a US citizen (here or abroad), a legal permanent US resident, a predominantly US organization, or a US corporation in the course of collecting information on someone it is specifically targeting, it it claims it does not keep that in a database (I’ll come back and parse this in a second). In other words, if the government has a tap on your local falafel joint because suspected terrorists live off their falafels, and you happen to call in a take out order, it does not that have in a database.
There are reasons to doubt this claim.
In the rest of the post, I showed how a response from Michaels Mukasey and McConnell to Russ Feingold’s efforts to protect US person incidental collection during the FISA Amendments Act had made it clear having access to this incidentally collected data was part of the point, meaning the government’s reassurances to the FISCR must have been delicate dodges in one way or another. (Feingold’s Amendments would have prevented 3 years of Fourth Amendment violative collection, by the way.)
Did the court ask only about a database consisting entirely of incidentally collected information? Did they ask whether the government keeps incidentally collected information in its existing databases (that is, it doesn’t have a database devoted solely to incidental data, but neither does it pull the incidental data out of its existing database)? Or, as bmaz reminds me below but that I originally omitted, is the government having one or more contractors maintain such a database? Or is the government, rather, using an expansive definition of targeting, suggesting that anyone who buys falafels from the same place that suspected terrorist does then, in turn, becomes targeted?
McConnell and Mukasey’s objections to Feingold’s amendments make sense only in a situation in which all this information gets dumped into a database that is exposed to data mining. So it’s hard to resolve their objections with this claim–as described by the FISA Appeals Court.
Which is part of the reason I’m so intrigued by this passage of John Bates’ October 3, 2011 decision ruling some of NSA’s collection and retention practices violated the Fourth Amendment. In a footnote amending a passage explaining why the retention of entirely US person communications with the permissive minimization procedures the government had proposed is a problem, Bates points back to that earlier comment.
The Court of Review plaining limited its holding regarding incidental collection to the facts before it. See In re Directives at 30 (“On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.” (emphasis added). The dispute in In re Directives involved the acquisition by NSA of discrete to/from communications from an Internet Service Provider, not NSA’s upstream collection of Internet transactions. Accordingly, the Court of Review had occasion to consider NSA’s acquisition of MCTs (or even “about” communications, for that matter). Furthermore, the Court of Review noted that “[t]he government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary.” Id. Here, however, the government proposes measures that will allow NSA to retain non-target United States person information in its databases for at least five years.
Ultimately, Bates’ approval for the government to query on US person identifiers on existing incidentally collected Section 702 material (see pages 22-23) show that he hasn’t really thought through what happens to US person incidental collection; he actually has a shocking (arguably mis-) understanding of how permissive the existing minimization rules are, and therefore how invasive his authorization for searching on incidentally collected information will actually be.
But his complaint with the proposed minimization procedures shows what he believes they should be.
The measures proposed by the government for MCTs, however, largely dispense with the requirement of prompt disposition upon initial review by an analyst. Rather than attempting to identify and segregate information “not relevant to the authorized purpose of the acquisition” or to destroy such information promptly following acquisition, NSA’s proposed handling of MCTs tends to maximize the retention of such information, including information of or concerning United States persons with no direct connection to any target.
As Bates tells it, so long as he’s paying close attention to an issue, the government should ideally destroy any US person data it collects that is not relevant to the authorized purpose of the acquisition. (His suggestion to segregate it actually endorses Russ Feingold’s fix from 2008.)
But the minimization rules clearly allow the government to keep such data (after this opinion, they made an exception only for the multiple communication transactions in question, but not even for the other search identifiers involving entirely domestic communication so long as that’s the only communication in the packet).
All the government has to do, for the vast majority of the data it collects, is say it might have a foreign intelligence or crime or encryption or technical data or threat to property purpose, and it keeps it for 5 years.
In a database.
Back when the FISCR used this language, it allowed the government the dodge that, so long as it didn’t have a database dedicated to solely US person communications incidentally, it was all good. But the language Bates used should make all the US person information sitting in databases for 5 year periods (which Bates seems not to understand) problematic.
Not least, the phone dragnet database, which — after all — includes the records of 310 million people even while only 12 people’s data has proved useful in thwarting terrorist plots.
Update: Fixed the last sentence to describe what the Section 215 dragnet has yielded so far.
A new wave of cyberattacks is striking American corporations, prompting warnings from federal officials, including a vague one issued last week by the Department of Homeland Security. This time, officials say, the attackers’ aim is not espionage but sabotage, and the source seems to be somewhere in the Middle East.
It ties these attacks to earlier attacks, claimed to have been launched by Iran, against ARAMCO and Qatar’s RasGas.
Two senior officials who have been briefed on the new intrusions say they were aimed largely at the administrative systems of about 10 major American energy firms, which they would not name. That is similar to what happened to Saudi Aramco, where a computer virus wiped data from office computers, but never succeeded in making the leap to the industrial control systems that run oil production.
At Saudi Aramco, the virus replaced company data on thousands of computers with an image of a burning American flag. The attack prompted the defense secretary at the time, Leon E. Panetta, to warn of an impending “cyber 9/11” if the United States did not respond more efficiently to attacks. American officials have since concluded the attack and a subsequent one at RasGas, the Qatari energy company, were the work of Iranian hackers. Israeli officials, who follow Iran closely, said in interviews this month that they thought the attacks were the work of Iran’s new “cybercorps,” organized after the cyberattacks that affected their nuclear facilities.
Saudi Aramco said that while the attackers had attempted to penetrate its oil production systems, they had failed because the company maintained a separation between employees’ administrative computers and the computers used to control and monitor production. RasGas said the attack on its computers had failed for the same reason.
And while the adoption of earlier sabotage approach used with ARAMCO and RasGas infrastructure to US energy producers does not mean all members of the coalition to topple Bashar al-Assad have been attacked by an entity insinuated to be Iran (unless the European parters’ energy companies have been attacked and we just don’t know about it). But this attack does seem to be an assault on the coalition trying to undercut Iran by taking down its client regime in Syria.
Which has me wondering whether this is an Iranian attack — revenge, if you will, for StuxNet, serves the US right. Or if it’s an attack launched by a coalition, possibly including Russia.
I also wonder whether the point of the sabotage isn’t on the information side of the equation, rather than the operational one.
In other news, remember how former NSA head and all-around cyberwar profiteer Mike McConnell declared digital 9/11 warning based on the ARAMCO attack and some crude DNS attacks on banks here in the US? Guess who has become a player in Saudi (and Gulf generally) cybersecurity?
During this event, Booz Allen Hamilton leadership shared their insights on global cyber security practices and the importance of a cross-border cooperative approach to protecting critical infrastructure in the Gulf.
Commenting at the event, McConnell said, “The GCC states have become global hubs in finance. However, this growth introduces increased cyber security risks by threat actors who target this region for monetary or political gain. GCC states have already experienced significant cybercrime in the recent past, it is now more important than ever to ensure that these are not repeated.”
He also added, “Financial institutions are a prime target for cyber criminals, and as a result, they need to focus on staying ahead of cyber threats by developing the right human capital, developing appropriate training programmes and retaining the right skills and technology to properly access and protect corporate data.”
Booz Allen Hamilton was recently registered by the Kingdom of Saudi Arabia Ministry of Commerce and Industry to pursue business opportunities in the Kingdom in support of domestic economic diversification. The firm will provide services to government and commercial clients on critical issues related to the Kingdom’s development, most notably in the areas of cyber security, information technology, financial services and other selected infrastructure. [my emphasis]
I’m guessing BAH’s work in KSA has a lot to do with the expanded Technical Cooperation Agreement signed with the US in January, which added a cyber component onto the previous effort to create a 35,000 person security force Mohammed bin Nayef could use to protect the kingdom’s oil infrastructure.
So if you’re bummed that BAH gets to troll American networks with abandon, rest assured that it will now be doing so in Saudi Arabia, too.
The FT reports (and CNET repeats almost in its entirety) that former Director of National Intelligence Mike McConnell says we have had our 9/11 warning and we risk the cyber equivalent of a World Trade Center attack unless “urgent action” is taken.
A former US intelligence chief says the west has had its “9/11 warning” on cybersecurity and warns that unless urgent action is taken, the US faces “the cyber equivalent of the World Trade Center attack”.
According to John “Mike” McConnell, such an attack would bring the country’s banking system, power grid and other essential infrastructure to their knees.
Mind you, McConnell doesn’t appear to be talking about a real warning–the kind of intelligence that set George Tenet’s hair on fire in 2001. Rather, he says the recent attacks on Saudi Aramco and some banks’ internet interfaces constitutes that warning.
Sustained cyber attacks targeting the websites of a dozen major US banks including Wells Fargo, JPMorgan Chase and Bank of America, coupled with an earlier attack on Saudi Aramco, which erased data on two-thirds of the Saudi oil company’s corporate PCs, were examples of the growing threat.
McConnell apparently would have us believe that some crude DNS attacks on banks and an infiltrator’s attack on Saudi oil business (not production) computers is a hair on fire warning.
Leon Panetta made similarly unconvincing claims back in October.
Nevertheless, the FT presented McConnell’s warning without providing readers a few important details. First, here’s how they describe the background that qualifies McConnell to issue such warnings.
Mr McConnell, who served as director of the National Security Agency under President Bill Clinton and then as director of national intelligence under President George W. Bush and President Barack Obama, believes those corporate attacks should be treated as a further “wake-up call” to politicians and business leaders in the west.
Here’s the very important detail they left out.
Mike McConnell is Vice Chairman of Booz Allen Hamilton, where his primary roles include serving on the firm’s Leadership Team and leading Booz Allen’s rapidly expanding cyber business.
It is McConnell’s job to make the cyber threat seem as dangerous as possible so his employer can get rich by charging the government an arm and a leg to take “urgent action.” While I’m not sure where the emails are available anymore, one of the amusing features of the HB Gary emails liberated by Anonymous is Mike McConnelll licking his chops as he identified new purported threats to build business around.
More amusing still is this:
Mr McConnell said such an attack could see a country like Iran work with Russian criminals or Chinese hackers to target banks, the power grid and the computers that control routing and ticketing for planes and trains.
Mr McConnell said he doubted whether Iran or a terrorist group could undertake such a devastating assault at the moment but added that it is only a matter of time before the sophisticated tools needed fall into the wrong hands.
The government (and, apparently McConnell himself) believes Iran launched the attacks on Aramco and the banks. But as McConnell suggests, Iran couldn’t carry out a real 9/11 cyber-attack by itself: it’d have to have the help of Russian criminals or Chinese hackers to pull off a really serious attack.
Because, you see, cyberattacks aren’t as easy as McConnell’s fear-mongering suggests.
But note the scenario he envisions: “the sophisticated tools” needed for a cyber attack would “fall into the wrong hands” and enable such an attack.
Mike McConnell was Director of National Intelligence from 2007 to 2009. During his tenure, the StuxNet project moved from intelligence-gathering to testing to implementation. It is inconceivable the DNI, the former head of NSA, and former executive of BAH would be out of the loop on that operation.
In other words, McConnell is almost certainly one of the people involved in the decision to unleash these sophisticated tools in the first place. And now he’s screaming about the dangers he unleashed for profit.
It’s a very neat system our Military Intelligence Industrial Complex has created.
Steven Aftergood suggests there’s disagreement among Senate Intelligence Committee members about whether or not the FISA Amendments Act allows the government to get US person content without a warrant.
The dispute was presented but not resolved in a new Senate Intelligence Committee report on the Foreign Intelligence Surveillance Act Amendments Act (FAA) Sunsets Extension Act, which would renew the provisions of the FISA Amendments Act through June 2017.
“We have concluded… that section 702 [of the Act] currently contains a loophole that could be used to circumvent traditional warrant protections and search for the communications of a potentially large number of American citizens,” wrote Senators Ron Wyden and Mark Udall.
But Senator Dianne Feinstein, the Committee chair, denied the existence of a loophole. Based on the assurances of the Department of Justice and the Intelligence Community, she said that the Section 702 provisions “do not provide a means to circumvent the general requirement to obtain a court order before targeting a U.S. person under FISA.”
I don’t think there is a conflict. Rather, I think DiFi simply responded to Wyden and Udall’s assertions with the same spin the government has used for some time. That’s because DiFi is talking about “targeting” and Wyden and Udall are talking about “searching” US person communications.
DiFi quotes much of the language from Section 702 earlier in her statement on FAA, repeating, repeating the word “target” three times.
In enacting this amendment to FISA, Congress ensured there would be important protections and oversight measures to safeguard the privacy and civil liberties of U.S. persons, including specific prohibitions against using Section 702 authority to: “intentionally target any person known at the time of acquisition to be located in the United States;” “intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;” “intentionally target a United States person reasonably believed to be located outside the United States;” or “intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States.” As an additional measure the law also requires that an acquisition under Section 702 “shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.” [my emphasis]
Her specific retort to the problem Wyden and Udall differentiates clearly between “querying information collected under Section 702 to find communications of a particular United States person” and “conduct[ing] queries to analyze data already in its possession” and “targeting.”
Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. Continue reading
I’ve been reviewing the docket on Thomas Drake’s case to see whether it touches on the privacy concerns Drake had about NSA’s post-9/11 activities.
It appears it doesn’t, even while there was an ongoing dispute about whether or not Drake will have access to the materials he submitted to the DOD Inspector General in support of claims that the ThinThread program operated more effectively than the Trailblazer program that Michael Hayden chose to enrich SAIC with instead (the Judge ruled that material would be admissible, but not a formal whistleblower defense, which Drake wasn’t trying to do anyway).
There are a couple of reasons why the silence, in the legal filings, about privacy concerns is interesting (aside from the fact that it’s a focus of Jane Mayer’s article.
First, because the two-sentence summary of the conclusion of the DOD IG Report on Trailblazer and ThinThread that the defense provides in a filing doesn’t address privacy.
In 2004, after more than a year of fact-finding, the Inspector General issued its initial audit findings. In a report entitled, “Requirements for the Trailblazer and Thinthread Systems,” the auditors concluded that “the National Security Agency is inefficiently using resources to develop a digital network exploitation system that is not capable of fully exploiting the digital network intelligence available to analysts from the Global Information Network . . . (T)he NSA transformation effort may be developing a less capable long-term digital network exploitation solution that will take longer and cost significantly more to develop.” The NSA continued to support the “less capable” program and its successor.
Which suggests the IG Report may not have addressed the claim that, in addition to being less efficient at “connecting the dots” than ThinThread, Trailblazer also offered none of the privacy protections ThinThread had.
That’s important because the government argued that Drake couldn’t claim to be a whistleblower because, by 2007, the issues at hand were resolved. They’re arguing both that any whistleblower claims would be mooted because Turbulence, Trailblazer’s successor, integrated “significant portions” of ThinThread, and that the debate was “over” by 2007, when Drake was (according to the indictment) serving as a source for Baltimore Sun reporter Siobhan Gorman.
In or about December 2004, the DOD IG completed its audit of [Trailblazer], including the allegations raised in the complaint letter. The NSA responded in August 2004 and February 2005, stating that based on the judgments of NSA’s experienced technical experts, the allegations were unfounded. Nonetheless, NSA agreed to incorporate significant portions of [ThinThread] into [Trailblazer] as a result of the DOD IG recommendations, thus largely mooting the issues raised in the complaint. In addition, starting in late 2005 and early 2006, the NSA transitioned away from [Trailblazer] to [Turbulence], another corporate architecture solution for Signals Intelligence collection.
Just as importantly, by 2007, the timeframe of the charges in this case, there was no imminent harm faced by the defendant, because [Trailblazer] had incorporated elements of [ThinThread], and also because NSA had transitioned away from [Trailblazer] to [Turbulence].
The defendant’s actions had no impact in the debate regarding the efficacy of [Trailblazer and ThinThread], because NSA had begun transitioning to [Turbulence] by 2006. Put simply, the debate was over.
There’s a lot going on in this passage. Obviously, the government is trying to claim that since Drake was allegedly collecting information for Gorman in 2007, he couldn’t claim he was whistleblowing.
Mind you he was not claiming he was whistleblowing, in the legal sense. He was only trying to get the IG materials to prove that’s why he collected three of the documents he’s accused of willingly keeping; basically, he’s arguing that if he overlooked three documents out of 5 boxes worth originally collected for the IG–and did not retain the really classified materials–that he basically just overlooked the three documents, rather than willfully retained them.
And the government is playing funny with dates. After all, they say Drake served as a source for Gorman from February 27, 2006, to November 28, 2007. The key story about ThinThread Drake served as a source for was dated May 18, 2006. And one of the charges accuses Drake of obstruction for shredding other documents. So not only is the 2007 date bogus because it igonores debates ongoing in 2006, but the government suggests that either Drake would be guilty for illegally retaining information, or obstructing an investigation. Moreover, Drake maintains he inadvertently included the three IG-related documents in the several boxes of unclassified materials, so the fact the debate was over is pointless.
Moreover, the successor to Trailblazer, Turbulence, was suffering from the same management problems Trailblazer had, as the defense notes just after citing the IG Report. The government wants to pretend the shift from Trailblazer to Turbulence ended the complaints about management problems, but it didn’t.
The program the NSA rejected, called ThinThread, was developed to handle greater volumes of information, partly in expectation of threats surrounding the millennium celebrations. Sources say it bundled together four cutting-edge surveillance tools. ThinThread would have:
* Used more sophisticated methods of sorting through massive phone and e-mail data to identify suspect communications.
* Identified U.S. phone numbers and other communications data and encrypted them to ensure caller privacy.
* Employed an automated auditing system to monitor how analysts handled the information, in order to prevent misuse and improve efficiency.
* Analyzed the data to identify relationships between callers and chronicle their contacts. Only when evidence of a potential threat had been developed would analysts be able to request decryption of the records.
In other words, privacy was just one of three ways ThinThread was better than Trailblazer, according to Gorman’s sources.
But that’s not the aspect the government seems to address. That is, the government seems to be saying that, because Turbulence adopted some of the approaches of ThinThread that made it more efficient at analysis, Drake can’t complain. The suggestion is (though we can’t know because of the secrecy) privacy is not, like efficacy, an adequate reason to blow the whistle. Neither privacy, nor the Constitution.
And that’s interesting for two more reasons. First, because the government references a notebook of documents Drake provided that had nothing to do with the IG Report.
There was, for example, a notebook of documents provided by the defendant, many of which had nothing to do with the IG’s audit, but this notebook was destroyed before the case began, and after the IG completed its audit.
Is it playing games with the scope of the audit? That is, did Drake provide materials on privacy, which the IG didn’t include within the scope of its report? If so, the IG’s destruction of the notebook, in violation of DOD’s document retention policy, is all the more interesting.
Then, finally, the debates about privacy continued into 2007 and 2008. In August 2007, specifically, Mike McConnell nixed a Democratic version of the Protect America Act because it required the government to tell FISA judges what the plan for minimizing US person data is and allowed the judges to review for compliance. Debates on how to fix PAA continued throughout the fall and into the following year, with Russ Feingold and Sheldon Whitehouse both trying to make real improvements on the minimization requirements.
The government seems to want to say that Drake’s privacy concerns aren’t a valid whistleblowing concern. Because, I guess, government officials aren’t allowed to whistleblow about citizens’ rights.