
Devin Nunes Thinks Congress Needs More Classified Briefings to Understand Phone Dragnet

In an article describing the current state of play on the Section 215 sunset, WaPo quotes Devin Nunes claiming that the poor maligned phone dragnet is just misunderstood. So he plans on having more briefings (curiously, just for the Republican caucus).

“NSA programs, including the bulk telephone metadata program, are crucial anti-terror and foreign intelligence tools that should be reauthorized,” said Rep. Devin Nunes (R-Calif.), chairman of the House Intelligence Committee.

He told reporters on Tuesday that he felt the program has been misunderstood and that he would hold classified briefings for the GOP caucus.

I don’t mean to mock Nunes. After all, I’ve been saying for well over a year that the public assessments of the phone dragnet don’t actually measure how the government really uses it (below the rule I’ve copied the part of this post that describes other ways we know they use it). And that was before the phone dragnet orders replaced “contact chaining” with “connection chaining” over a year ago, which presumably adds a correlating function to the mix (that is, the government also uses the phone dragnet to identify a person’s multiple phone-based identities, potentially including smart phone identities).

But I do think it worth noting two things.

First, Nunes’ decision to tell Republicans more, coming relatively soon after he took over the House Intelligence Chair from Mike Rogers, suggests that Mike Rogers was never fully forthcoming — not even in the secret briefings he gave in lieu of passing on Executive Branch explanations of the phone dragnet — about what it did.

But Nunes’ response is not to require the government itself to explain publicly what it’s really doing with the phone dragnet, but instead to hold classified briefings that often serve as a means to buy silence from those who attend.

In any case, that story you’ve been told for almost two years about how the phone dragnet identifies who is two degrees away from Osama bin Laden? Unsurprisingly, it’s nowhere near the full story.


[A]ssessments of the phone dragnet […] don’t even take the IC at its word in its other, quieter admissions of how it uses the dragnet (notably, in none of Stone’s five posts on the dragnet does he mention any of these — one, two, three, four, five — raising questions whether he ever learned or considered them). These uses include:

  • Corporate store
  • “Data integrity” analysis
  • Informants
  • Index

Corporate store: As the minimization procedures and a few FISC documents make clear, once the NSA has run a query, the results of that query are placed in a “corporate store,” a database of all previous query results.

ACLU’s Patrick Toomey has described this in depth, but the key takeaways are once data gets into the corporate store, NSA can use “the full range of SIGINT analytic tradecraft” on it, and none of that activity is audited.

NSA would have you believe very few Americans’ data gets into that corporate store, but even if the NSA treats queries as it says it does, it could well be in the millions. Worse, if NSA doesn’t do what they say they do in removing high volume numbers like telemarketers, pizza joints, and cell voice mail numbers, literally everyone could be in the corporate store. As far as I’ve seen, the metrics measuring the phone dragnet only involve tips going out to FBI and not the gross number of Americans’ data going into the corporate store and therefore subject to “the full range of analytic tradecraft,” so we (and probably even the FISC) don’t know how many Americans get sucked into it. Worse, we don’t know what’s included in “the full range of SIGINT analytic tradecraft” (see this post for some of what they do with Internet metadata), but we should assume it includes the data mining the government says it’s not doing on the database itself.

The government doesn’t datamine phone records in the main dragnet database, but they’re legally permitted to datamine anyone’s phone records who has come within 3 degrees of separation from someone suspected of having ties to terrorism.

“Data integrity” analysis: As noted, the NSA claims that before analysts start doing more formal queries of the phone dragnet data, “data integrity” analysts standardize it and do something with (it’s unclear whether they delete or just suppress) “high volume numbers.” They also — and the details on this are even sketchier — use this live data to develop algorithms. This has the possibility of significantly changing the dragnet and what it does; at the very least, it risks eliminating precisely the numbers that might be most valuable (as in the Boston Marathon case, where a pizza joint plays a central role in the Tsarnaev brothers’ activities). The auditing on this activity has varied over time, but Dianne Feinstein’s bill would eliminate it by statute. Without such oversight, data integrity analysts have, in the past, moved chunks of data, disaggregated them from any identifying (collection date and source) information, and done … we don’t know what with it. So one question about the data integrity analyst position is how narrowly scoped the high volume numbers are (if it’s not narrow, then everyone’s in the corporate store); an even bigger one is what they do with the data in often unaudited behavior before it’s placed into the main database.

Informants: Then there’s the very specific, admitted use of the dragnet that no one besides me (as far as I know) has spoken about: to find potential informants. From the very start of the FISC-approved program, the government maintained the dragnet “may help to discover individuals willing to become FBI assets,” and given that the government repeated that claim 3 years later, it does seem to have been used to find informants.

This is an example of a use that would support “connecting the dots” (as the program’s defenders all claim it does) but that could ruin the lives of people who have no tie to actual terrorists (aside from speaking on the phone to someone one or two degrees away from a suspected terror affiliate). The government has in the past told FISCR it might use FISA data to find evidence of other crimes — even rape — to coerce people to become informants, and in some cases, metadata (especially that in the corporate store, enhanced by “the full range of analytic tradecraft”) could pinpoint not just potential criminals, but people whose visa violations and extramarital affairs might make them amenable to narcing on the people in their mosque (with the additional side effect of building distrust within a worship community). There’s not all that much oversight over FBI’s use of informants in any case (aside from permitting us to learn that they’re letting their informants commit more and more crimes), so it’s pretty safe to assume no one is tracking the efficacy of the informants recruited using the powerful tools of the phone dragnet.

Index: Finally, there’s the NSA’s use of this metadata as a Dewey Decimal System (to use James Clapper’s description) to pull already-collected content off the shelf to listen to — a use even alluded to in the NSA’s declarations in suits trying to shut down the dragnet.

Section 215 bulk telephony metadata complements other counterterrorist-related collection sources by serving as a significant enabler for NSA intelligence analysis. It assists the NSA in applying limited linguistic resources available to the counterterrorism mission against links that have the highest probability of connection to terrorist targets. Put another way, while Section 215 does not contain content, analysis of the Section 215 metadata can help the NSA prioritize for content analysis communications of non-U.S. persons which it acquires under other authorities. Such persons are of heightened interest if they are in a communication network with persons located in the U.S. Thus, Section 215 metadata can provide the means for steering and applying content analysis so that the U.S. Government gains the best possible understanding of terrorist target actions and intentions. [my emphasis]

Don’t get me wrong. Given how poorly the NSA has addressed its longterm failure to hire enough translators in target languages, I can understand how much easier it must be to pick what to read based on metadata analysis (though see my concerns, above, about whether the NSA’s assessment techniques are valid). But when the NSA says, “non-US persons” here, what they mean is “content collected by targeting non-US persons,” which includes a great deal of content of US persons.

Which is another way of saying the dragnet serves as an excuse to read US person content.

Choking the Security State with Its Own Bottleneck

One former and one current high-ranking intelligence official (is that you Keith?) have gone to CNBC to complain that tech firms are showing reluctance to get more of their people security clearances.

U.S. government officials say privately they are frustrated that Silicon Valley technology firms are not obtaining U.S. security clearances for enough of their top executives, according to interviews with officials and executives in Washington and California. Those clearances would allow the government to talk freely with executives in a timely manner about intelligence they receive, hopefully helping to thwart the spread of a hack, or other security issues.

The lack of cooperation from Silicon Valley, Washington officials complain, injects friction into a process that everyone agrees is central to the fight to protect critical U.S. cyberinfrastructure: Real-time threat information sharing between government and the private sector.

[snip]

The former intelligence official said dealing with Silicon Valley firms is much different than his experience in other industries—or with all American companies a generation ago. “It used to be, during World War II or the Cold War, that getting cooperation from boards of directors was pretty straightforward. That’s not true today, particularly at these huge start-ups that went from nothing to billions.”

It’s interesting that this complainer went to CNBC’s Eamon Javers, who covers the overlap between corporations and intelligence, rather than someone like Kim Zetter or Shane Harris, who just finished interesting books on cybersecurity. Because the only challenge to those DC insiders’ claims about the importance of information sharing comes from this anonymous executive’s suggestion that the intelligence they’d get from the government isn’t all that useful.

In Silicon Valley, however, cybersecurity executives have a different perspective on the tension. “I believe that this is more about the overclassification of information and the relatively low value that government cyberintel has for tech firms,” said one Silicon Valley executive. “Clearances are a pain to get, despite what government people think. Filling out the paper work … is a nightmare, and the investigation takes a ridiculous amount of time.”

More generally (including in each of their books), I think people are raising more questions about the value of information sharing. At a recent panel on cybersecurity (starting at 12:20) for example, a bunch of security experts seemed to agree that information sharing shouldn’t be the priority it is. Yahoo CISO Alex Stamos (who at the same conference had this awesome exchange with NSA Director Mike Rogers) argued that the government emphasizes information sharing because it’s easy — he’d rather see the government cancel just one F-35 and put the money into bug bounties for open source software.

Nevertheless, these sources have been granted anonymity to suggest tech companies are un-American because they’re not rushing to share more data with the federal government.

Not to mention, not rushing to sign up to have their lives regulated by the McCarthyite system of security clearances.

Because it’s not just that the security clearance application is unwieldy. It’s that clearance comes with a gag order about certain issues, backed by the threat of prison (I forget whether it was Harris’ or Zetter’s book, but one describes a tech expert talking about that aspect of clearance).

Why would anyone sign up for that if the tech companies have more that the government wants than the government has that the tech companies need?

So it will be interesting to see how the security establishment responds to this. It would be a wonderful way to force the government to fix some of the problems with overclassification to be able to obtain the cooperation of what are supposed to be private corporations.

Maybe Petraeus’ Plea Deal Is More Interesting to the Benghazi Report than Hillary’s Emails?

There is an exception to every rule, standard operating procedure, and policy; it is up to leaders to determine when exceptions should be made and to explain why they made them.

David Petraeus’ Rules for Living, as presented by Paula Broadwell as they were being caught in an FBI investigation

Predictably, Trey Gowdy has subpoenaed more information about Hillary Clinton’s personal email revealed this week.

But it seems he also ought to call David Petraeus in for another chat about Benghazi in light of details in the former CIA Director’s plea deal.

That’s because the Plea Documents show that the investigation into Petraeus and Paula Broadwell intersects with the Benghazi investigation in ways that are even more interesting than was already clear. Consider what those two timelines look like when you add in the fact that Petraeus lied to the FBI about leaking information to his mistress on October 26, 2012, which has been updated from this post (note that contemporaneous reporting dated Petraeus’ FBI interview to October 29).

From the sex and leaking standpoint, the revised timeline is interesting because it shows Petraeus and Broadwell together at — of all places! — the annual celebration for old-style subterfuge, the OSS dinner, between the time Petraeus lied to the FBI and the time Broadwell was interviewed a second time.

But from a Benghazi perspective, it shows that on the same day Petraeus lied to the FBI, Paula Broadwell made the accusation that the attack was really about freeing militia members held at the CIA annex. The next day Petraeus and Broadwell hobnobbed together among the old style spooks. And then days later — even as an FBI whistleblower was forcing the investigation into the public, without which it might have been dropped — Petraeus went on a “fact-finding” mission to Cairo, in part to consult with some of the people involved in the Benghazi response.

Petraeus did a report on that trip, but Dianne Feinstein was complaining that her committee had not received a copy of it on November 12 (Petraeus was resisting, in part, because he no longer worked at CIA).

There’s no evidence that the House Intelligence Committee consulted Petraeus’ trip report when they did their report on the attack. (Indeed, the report shows remarkable lack of interest in Petraeus’ role altogether, in spite of the fact that he watched the later parts of the attack develop via the drone surveillance camera feed piped to the SCIF at his home.)

Did either of the Intelligence Committees ever get the report on the trip Petraeus did after he knew he was in trouble with the FBI, at a time when his ex-girlfriend was claiming the reason behind the attack was entirely different from what we’ve been told?

As I’ve noted, more than anyone else, current HPSCI Chair Devin Nunes showed significant interest in that claim about detainees, as reflected in the backup to a report that Mike Rogers made sure to get done before he left Nunes in charge. In response to his question (as well as some questions about arms-running) Nunes got non-denial denials.

In a related detail, in the earlier session Nunes also elicited a non-denial denial about detainees (an accusation first leveled by David Petraeus’ mistress Paula Broadwell), the other alleged reason for the attack on US entities in Benghazi.

Mr. Nunes: Okay. To the detainees, were there ever any detainees at either of these locations in the last year of any kind?

Mr. Morell: Not with regard to the CIA facility, sir.

Mr. Kennedy: And the State Department does not engage in detentions overseas.

Rather than just answering no, between them Morell and Kennedy carved out a space where it might be possible the CIA (or someone else, possibly JSOC) were holding detainees at the TMF or elsewhere in Benghazi.

Maybe Petraeus’ last minute trip to do a personal investigation of the aftermath of Benghazi — the results of which Petraeus resisted sharing with the Committees investigating the attack — is just a coinkydink.

But given the timing — and Petraeus’ sweetheart plea deal — it’d be nice if the Benghazi Committee asked a few more questions about that coinkydink.

Benghazi: A Poster Child for Covert Ops Blowback

You’ve no doubt heard that, last Friday (a pre-holiday Friday, as some people are already on their way to Thanksgiving), the Benghazi scandal ended with a fizzle.

The House Intelligence Committee released its report on the Benghazi attack, which basically says all the scandal mongering has been wrong, that Susan Rice’s talking points came from the CIA, that no one held up any rescue attempts, and so on and so on. This post will attempt to lay out why that might have happened. The short version, however, is that the report reveals (but does not dwell on) a number of failures on the part of the CIA that should raise real concerns about Syria.

Note that not all Republicans were as polite as the ultimate report. Mike Rogers, Jeff Miller, Jack Conaway, and Peter King released an additional views report, making precisely the points you’d expect them to — though it takes them until the 4th summary bullet to claim that Administration officials “perpetuated an inaccurate story that matched the Administration’s misguided view that the United States was nearing victory over al-Qa’ida.” Democrats released their own report noting that “there was no AQ mastermind” and that “extremists who were already well-armed and well-trained took advantage of regional violence” to launch the attack. Among the Republicans who presumably supported the middle ground were firebrands like Michele Bachmann and Mike Pompeo, as well as rising Chair Devin Nunes (as you’ll see, Nunes was a lot more interested in what the hell CIA was doing in Benghazi than Rogers). The day after the initial release Rogers released a second statement defending — and pointing to the limits of and Additional Views on — his report.

Now consider what this report is and is not.

The report boasts about the 1000s of hours of work and 1000s of pages of intelligence review, as well as 20 committee events, interviews with “senior intelligence officials” and 8 security personnel (whom elsewhere the report calls “the eight surviving U.S. personnel”) who were among the eyewitnesses in Benghazi. But the bulk of the report is sourced to 10 interviews (the 8 security guys, plus the Benghazi and Tripoli CIA Chiefs), and a November 15, 2012 presentation by James Clapper, Mike Morell, Matt Olsen, and Patrick Kennedy. (Here are the slides from that briefing: part one, part two.) As I’ll show, this means some of the claims in this report are not sourced to the people who directly witnessed the events. And the report sources almost nothing to David Petraeus, who was CIA Director at the time.

The FBI analyzed the intelligence better than CIA did

One of the best explanations for why this is such a tempered report may be that FBI performed better analysis of the cause of the attack than CIA did. This is somewhat clear from the summary (though buried as the 4th bullet):

There was no protest. The CIA only changed its initial assessment about a protest on September 24, 2012, when closed caption television footage became available on September 18, 2012 (two days after Ambassador Susan Rice spoke), and after the FBI began publishing its interviews with U.S. officials on the ground on September 22, 2012.

That is, one reason Susan Rice’s talking points said what they did is because CIA’s analytical reports still backed the claim there had been a protest outside State’s Temporary Mission Facility.

Moreover, in sustaining its judgment there had been a protest as long as it did, CIA was actually ignoring both a report from Tripoli dated September 14, and the assessment of the Chief of Station in Tripoli, who wrote the following to Mike Morell on September 15.

We lack any ground-truth information that protest actually occurred, specifically in the vicinity of the consulate and leading up to the attack. We therefore judge events unfolded in a much different manner than in Tunis, Cairo, Khartoum, and Sanaa, which appear to be the result of escalating mob violence.

In a statement for the record issued in April 2014, Mike Morell explained that Chiefs of Station “do not/not make analytic calls for the Agency.” But it’s not clear whether Morell explained why CIA appears to have ignored their own officer.

While the report doesn’t dwell on this fact, the implication is that the FBI was more successful at interviewing people on the ground — including CIA officers!! — to rebut a common assumption arising from public reporting. That’s a condemnation of CIA’s analytical process, not to mention a suggestion FBI is better at collecting information from humans than CIA is. But HPSCI doesn’t seem all that worried about these CIA failures in its core missions.

Or maybe CIA failed for some other reason.

Lying Keith the Kapitalist

On Sunday I asked who was crying wolf — JP Morgan itself, or Mike Rogers — about the claimed JP Morgan attack that might not be a serious attack at all and had been attributed to Russia without proof of that yet.

So who should crawl out of his sinecure but Keith Alexander?

Keith Alexander, the NSA director from 2005 until last March, said he had no direct knowledge of the attack though it could have been backed by the Russian government in response to sanctions imposed by the U.S. and EU over the crisis in Ukraine.

“How would you shake the United States back? Attack a bank in cyberspace,” said Alexander, a retired U.S. Army general who has started his own cybersecurity company to sell services to U.S. banks. “If it was them, they just sent a real message: ‘You’re vulnerable.’”

[snip]

The hackers who attacked JPMorgan, the biggest U.S. bank, were “a group with exceptional skills or a nation-state backed group,” Alexander said in an interview yesterday at Bloomberg’s Washington bureau.

[snip]

“If you wanted to send a message, do you think that was significant enough for the U.S. government to say one of the best banks that we have from a cybersecurity perspective was infiltrated by somebody?” Alexander asked. “And if they could get in to do that, even if they never use it, they could get in and collapse it. Does that cause you concern?”

Note how Alexander admits he has no personal knowledge of the attack but then opines about the skills of the hackers and goes from there to hypothesize how this was a response from Russia?

So maybe it wasn’t JP Morgan or Mike Rogers crying wolf. It sure looks like Alexander is willingly feeding the poorly evidenced claims about this hack.

But don’t worry, Keith Alexander doesn’t have a conflict of interest at all.

PCLOB Member Rachel Brand Asked NSA General Counsel to Help Her Dissent from PCLOB

Let me say straight out: Privacy and Civil Liberties Oversight Board member Rachel Brand is no slouch. She’s very smart and very accomplished.

All that said, I am rather intrigued by the way she consulted NSA General Counsel Raj De several times — as illustrated by these emails Jason Leopold liberated from PCLOB — as she worked on her dissent to the Democratic PCLOB members’ conclusion that the Section 215 dragnet is illegal.

On January 6, Brand emailed De. “Do you have a couple minutes to talk about a PCLOB matter today or tomorrow?” They scheduled some time to talk at midday the next day — though a request from Keith Alexander appears to have forced De to delay. Nevertheless, by 1:30 on January 7, it appears De and Brand spoke, because De forwarded two things: I Con the Record’s press release announcing the FISA Court had reauthorized the dragnet even after Judge Richard Leon ruled it unconstitutional (De makes no mention in his email, but the order had considered Leon’s ruling before reauthorizing the program), and the GPO transcript of Robert Mueller’s claim in a June 2013 House Judiciary Committee hearing that the dragnet would have prevented 9/11.

Ten days later, on January 17, Brand was emailing De again, after having seen each other that morning (that was the morning President Obama announced his own reforms to the dragnet, so it may have been in that context). She sent NSA’s General Counsel a paragraph, with one sentence highlighted, asking if it was accurate. He responded with “some suggestions for accuracy for your consideration … Feel free to give a call if you want to discuss, or would like more detail.”

Then, over that weekend, Brand and De exchanged the following emails:

Saturday, January 18, 12:31: Brand sends “the current draft of my separate statement” stating she wants “to be sure there is nothing factually or legally inaccurate in it;” she says it is currently 5 pages and tells De she needs to give PCLOB Chair David Medine the final by Sunday night

Saturday, January 18, 2:11: De responds, “happy to”

Sunday, January 19, 10:51: De responds, saying, “not that you need or want my validation, but for what’s [sic] it is worth it really reads quite well.” De then provides 3 “additional factual details” which “might fit in if you wanted to use them;” those bullets are redacted

Sunday, January 19, 3:47: Brand replies, stating that Beth (Elisebeth Collins Cook, the other Republican on PCLOB) “explicitly makes the first two in her separate statement” and that she’s “trying to keep this short, so have to forego making every available point”


The Pearl-Clutchers Normalizing Inflammatory Dog Whistles


As expected, last night Justin Amash held off a challenge from a corporatist Republican, Brian Ellis (though the margin was closer than polls predicted). What has the local punditry surprised, however, is Amash’s victory speech, where he attacked Ellis and former Congressman Crazy Pete Hoekstra, who endorsed Ellis.

AMASH VICTORY SPEECH: U.S. Rep. Justin Amash’s win over 3rd District GOP primary challenger Brian Ellis wasn’t too surprising, but his victory speech was. Rather than simply celebrate, Amash reportedly refused to answer a concession phone call from Ellis and then unloaded on the businessman, who had run a TV ad calling him “Al Qaeda’s best friend” in Congress. “I ran for office to stop people like you,” Amash said to Ellis, who was not present. He also ripped former U.S. Rep. Pete Hoekstra, who backed Ellis in a separate commercial. “I’m glad we can hand you one more loss before you fade into total obscurity and irrelevance,” he said of Hoekstra.

I get that you’re supposed to give a happy unity speech after you win (though I personally don’t much care if MI Republicans rip themselves apart, and MI’s Republican Congressmen already broke protocol by offering no support to Amash and in Mike Rogers’ case giving big support for Ellis). But not only is Crazy Pete a disgrace, Ellis did try to gain traction by smearing Amash.

From the coverage, I think Amash was most pissed that Ellis and Hoekstra treated a vote Amash refused to cast to defund Planned Parenthood on constitutional grounds as a pro-choice vote.

But in an interview with Fox, Amash also called Ellis’ ad, which rather famously repeated a claim that he’s al Qaeda’s best friend in Congress, disgusting.

“I’m an Arab-American, and he has the audacity to say I’m Al-Qaeda’s best friend in Congress. That’s pretty disgusting.”

This ad, which played (among other prominent ad buys) during the World Cup, really pissed me off.

Not only for the treatment of Gitmo as anything but a terrible moneypit, all in the hopes of maintaining some extra-legal space to sustain the notion of war rather than law. But especially for the notion that anything but lock-step support for counterproductive counterterrorism policies makes you a friend of al Qaeda.

And yes, especially the suggestion that one of Congress’ only Arab-American members (Amash’s parents are Palestinian and Syrian Christians) might therefore be an Islamic terrorist.

For 12 years — ever since Saxby Chambliss used a similar technique to take out Max Cleland — our political culture has tolerated ads that invoke terror to short-circuit any real political debate about how we fight it. Those ads get treated as business as usual. Win or lose the race and then make nice with your opponent.

That such ads are still (were ever!) considered acceptable political discourse — that Amash, and not Ellis, is getting the scolds — damns our political system. By treating any debate over the efficacy of counterterrorism policy as terrorism itself, we foreclose potentially far more effective ways of keeping the country safe and potentially far smarter ways to spend limited resources. (Crazy Pete, for example, fear-mongered about moving Gitmo detainees to a prison threatened with closure in Michigan, thereby losing Michigan jobs, but also committing the US to continue to spend exorbitant amounts to keep our gulag open.)

At some point, it needs to be okay to call out such bullshit. Because until then, we’ll never be able to actually debate the best way to keep the country safe.

Did ACLU and EFF Just Help the NSA Get Inside Your Smart Phone?

The ACLU and EFF normally do great work defending the Fourth Amendment. Both have fought the government’s expansive spying for years. Both have fought hard to require the government obtain a warrant before accessing your computer, cell phone, and location data.

But earlier this week, they may have taken action that directly undermines that good work.

On Wednesday, both civil liberties organizations joined in a letter supporting Patrick Leahy’s version of USA Freedom Act, calling it a necessary first step.

We support S. 2685 as an important first step toward necessary comprehensive surveillance reform. We urge the Senate and the House to pass it quickly, and without making any amendments that would weaken the important changes described above.

ACLU’s Laura Murphy explained why ACLU signed onto the bill in a column at Politico, analogizing it to when, in 2010, ACLU signed onto a bill that lowered, but did not eliminate, disparities in crack sentencing.

Reform advocates were at a crossroads. Maximalists urged opposition despite the fact the bill would, in a very real way, make life better for thousands of people and begin to reduce the severe racial and ethnic inequality in our prison system. Pragmatists, fearing that opposition to the bill would preclude any reform at all, urged support.

It was a painful compromise, but the ACLU ultimately supported the bill. It passed, astoundingly, with overwhelming support in both chambers.

And then something amazing happened. Conservative lawmakers, concerned about government waste, increasingly came to the table to support criminal justice reform. Liberals realized they could vote their conscience on criminal justice without accusations of being “soft on crime.” It has not been easy and there have been many steps backward, but in recent years, we’ve seen greater public opposition to mandatory minimum sentences and real movement on things like reducing penalties for low-level drug offenses.

The analogy is inapt. You don’t end crack disparities by increasing the number of coke dealers in jail. But Leahy’s USA Freedom Act almost certainly will increase the number of totally innocent Americans who will be subjected to the full brunt of NSA’s analytical authorities indefinitely.

That’s because by outsourcing to telecoms, NSA will actually increase the total percentage of Americans’ telephone records that get chained on; sources say it will be more “comprehensive” than the current dragnet and Deputy NSA Director Richard Ledgett agrees “the actual universe of potential calls that could be queried against is [potentially] dramatically larger.” In addition, the telecoms are unlikely to be able to remove all the noisy numbers like pizza joints — as NSA currently claims to — meaning more people with completely accidental phone ties to suspects will get sucked in. And USA Freedom adopts a standard for data retention — foreign intelligence purpose — that has proven meaningless in the past, so once a person’s phone number gets turned over to the NSA, they’ll be fair game for further NSA spying, the really invasive stuff, indefinitely.

But that’s not the reason I find ACLU and EFF’s early support for USA Freedom so astounding.

I’m shocked ACLU and EFF are supporting this bill because they don’t know what the NSA will be permitted to do at the immunized telecoms. They have blindly signed onto a bill permitting “connection chaining” without first understanding what connection chaining entails.

As I have reported extensively, while every witness who has talked about the phone dragnet has talked about chaining on phone calls made — all the calls Anwar al-Awlaki made, all the calls those people made — the language describing this chaining process has actually been evolving. Dianne Feinstein’s Fake FISA Fix last fall allowed the NSA to chain on actual calls — as witnesses had described — but also on communications (not just calls) “to or from any selector reasonably linked to the selector.” A February modification and the last two dragnet orders permitted NSA to chain on identifiers “with a contact and/or connection” with the seed, making it clear that a “connection” is something different than a “contact.” The House bill USA Freedumber adopted the same language in a legislative report. Leahy’s bill adopts largely the same language for chaining.

(iii) provide that the Government may require the prompt production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

Now, it’s possible that this language does nothing more than what NSA illegally did until 2009: chain not only on the identifier itself, but also on identifiers it has determined to be the same person. Back in 2009, NSA referred to a separate database to determine these other identifiers. Though that’s unlikely, because the bill language suggests the telecoms will be identifying these direct connections.

It’s possible, too, that this language only permits the telecoms to find “burner” phones — a new phone someone adopts after having disposed of an earlier one — and chain on that too.

But it’s also possible that this language would permit precisely what AT&T does for DEA in its directly analogous Hemisphere program: conduct analysis using cell site data. The bill does not permit NSA to receive cell site data, but it does nothing to prohibit NSA from receiving phone numbers identified using cell site data. When Mark Warner asked about this, Ledgett did not answer, and James Cole admitted they could use these orders (with FISC approval) to get access to cell location.

It’s possible, too, that the telecoms will identify direct connections using other data we know NSA uses to identify connections in EO 12333 data, including phone book and calendar data.

The point is, nobody in the public knows what “connections” NSA will be asking its immunized telecom partners to make. And nothing in the bill or even the public record prohibits NSA from asking telecoms to use a range of smart phone information to conduct their analysis, so long as they only give NSA phone identifiers as a result.

In response to questions from Senators about what this means, Leahy’s office promised a letter from James Clapper’s office clarifying what “connections” means (No, I don’t remember the part of Schoolhouse Rock where those regulated by laws get to provide “clarifications” that don’t make it into the laws themselves). That letter was reported to be due on Tuesday, by close of business — several days ago. It hasn’t appeared yet.

I asked people at both EFF and ACLU about this problem. EFF admitted they don’t know what this language means. ACLU calls the language “ambiguous,” but based on nothing they were able to convey to me, insists getting smart phone data under the guise of connection chaining would be an abuse. ACLU also pointed to transparency provisions in the bill, claiming that would alert us if the NSA started doing something funky with its connection language; that of course ignores that “connection chaining” is an already-approved process, meaning that existing processes won’t ever need to be released. It also ignores that the Administration has withheld what is probably a directly relevant phone dragnet opinion from both ACLU and EFF in their dragnet FOIA.

I get Laura Murphy’s point about using USA Freedom to start the process of reform. But what I don’t understand is why you’d do that having absolutely no idea whether that “reform” codifies the kind of warrantless probable cause-free access to device data that ACLU and EFF have fought so hard to prevent elsewhere.

ACLU and EFF are supposed to be leaders in protecting the privacy of our devices, including smart phones. I worry with their embrace of this bill, they’re leading NSA right into our smart phones.

Mike Rogers Says Google Must Lose Its Quarter to Save a Rickety Bank

Josh Gerstein already wrote about some of this Mike Rogers blather. But I wanted to transcribe the whole thing to display how utterly full of shit he is.

At a conference at Georgetown the other day (see video 3), Rogers laid into the tech companies for opposing USA Freedumber, which he badly misrepresented just before this. The context of European opportunism begins at 1:06; the quote begins after 1:08.

We should be very mad at Google, and Microsoft, and Facebook, because they’re doing a very interesting, and I think, very dangerous thing. They’ve come out and said, “well, we oppose this new FISA bill because it doesn’t go far enough.” When you peel that onion back a little bit, and why are you doing this, this is a good bill, it’s safe, bipartisan, it’s rational, it meets all the requirements for Fourth Amendment protection, privacy protection, and allowing the system to work,

Rogers claims they’re doing so solely because they’re afraid to lose European business. And Rogers — a Republican! — is furious that corporations prioritize their profits (note, Rogers has never complained that some of these same companies use European tax shelters to cheat the tax man).

And they say, “well, we have to do this because we have to make sure we don’t lose our European business.” I don’t know about the rest of you, that offends me from the word, “European business.” Think about what they’re doing. They’re willing, in their minds, to justify the importance of their next quarter’s earnings in Europe, versus the National Security of the United States. Everybody on those boards should be embarrassed, and their CEOs should be embarrassed, and their stockholders should be embarrassed. That one quarter cannot be worth the National Security of the United States for the next 10 generations. And if we don’t get this part turned around very quickly, it will likely get a little ugly, and that emotional piece that we got by is going to be right back in the center of the room to no good advantage to our ability to protect the United States.

Mostly, he seems pissed because he knows the collective weight of the tech companies may give those of us trying to defeat USA Freedumber a fighting chance, which is what Rogers considers an emotional place because Democracy.

But Rogers’ rant gets truly bizarre later in the same video (after 1:23) where he explains what the security interest is:

We have one particular financial institution that clears, somewhere about $7 trillion dollars in global financial transactions every single day. Imagine if tomorrow that place gets in there and through an attack of which we know does exist, the potential does exist where the information is destroyed and manipulated, now you don’t know who owes what money, some of that may have lost transactions completely forever, imagine what that does to the economy, $7 trillion. Gone — right? Gone. It’s that serious.

Mind you, Rogers appears unaware that a bank’s shuffling of money — while an incredibly ripe target for hackers — does not really contribute to the American economy. This kind of daily volume is churn that only the very very rich benefit from. And one big reason it’s a target is because it is an inherently fragile thing.

To make all this even more hysterical, Rogers talks about risk driving insurance driving proper defensive measures from the target companies … yet he seems not to apply those rules to banks.

Mike Rogers, it seems, would rather kill Google’s business than permit this rickety, vitality-killing bank to feel the full brunt of the risk of its own business model.

The Law and EO-Breaking Report

One of the things I was most surprised about in the House Intelligence Authorization was a requirement that the Director of National Intelligence report violations of law or EO 12333 to the Intelligence Committees.

SEC. 510. ANNUAL REPORT ON VIOLATIONS OF LAW OR EXECUTIVE ORDER.

(a) Annual Reports Required.–The Director of National Intelligence shall annually submit to the congressional intelligence committees a report on violations of law or executive order by personnel of an element of the intelligence community that were identified during the previous calendar year.
(b) Elements.–Each report required under subsection (a) shall include a description of, and any action taken in response to, any violation of law or executive order (including Executive Order 12333 (50 U.S.C. 3001 note)) by personnel of an element of the intelligence community in the course of such employment that, during the previous calendar year, was determined by the director, head, general counsel, or inspector general of any element of the intelligence community to have occurred.
(b) Initial Report.–The first report required under section 510 of the National Security Act of 1947, as added by subsection (a), shall be submitted not later than one year after the date of the enactment of this Act.

The language was inserted into the bill by Jim Himes (who also added very laudable language requiring Senate approval for the NSA’s Inspector General).

The language appeared in the RuppRoge NSA “reform” bill; I presumed then that it was meant as false transparency — an effort to show off that just one NSA cleared individual a year gets caught stalking an ex-girlfriend using its authorities.

And it may well be.

But I’m intrigued that Mike Rogers dedicated most of a Manager’s Amendment to the bill to tighten language from that section (in part limiting the reporting to actions “relating to intelligence activities”). And the hackish Ted Yoho submitted an amendment requiring a version of the report be shared with the House Oversight and Senate Homeland Security and Government Affairs Committees. I can’t imagine Yoho asking for it unless there were partisan hay to make out of it.

Now I want that report!