Data Mining Adoptive Parents along with Suspected Terrorists

I’m a sucker for groups of adoptive kids. Like the time when a group of Michigan families with adopted Ethiopian kids had a rambunctious reunion at my favorite Ethiopian restaurant, with the owner catering to the kids like a grandparent. Or the time I shared a restaurant in Guangzhou with a bunch of French families who had just picked up their baby daughters; they somehow expected these girls who had lived in Chinese orphanages to immediately understand how to act like proper French kids.

There’s a lot that can be abusive in international adoptions, but when I see joyful gatherings like these, I’m awestruck by the faith such parents have in our common humanity.

Which is why I’ve been obsessing over one of the implications of this post. As I noted, DHS’s Inspector General helpfully explained that among all the other people in DHS’ IDENT database are the American citizens who had adopted internationally.

Individuals with fingerprints in IDENT include persons with an immigration history, such as aliens who have been removed but have reentered the country, immigration visa applicants, legal permanent residents, naturalized citizens, and some U.S. citizens.
IDENT includes two categories of U.S. citizens:

  • Citizens who have adopted a child from abroad (which involves U.S. Citizenship and Immigration Services), participated in a trusted traveler program, or may have been fingerprinted by immigration officials for smuggling aliens or drugs across U.S. borders;
  • Individuals who were not citizens at the time that their fingerprints were collected, but subsequently became citizens through naturalization, legal permanent residency, or immigration. [my emphasis]

Now, we can be pretty sure that when NCTC decided it needed to acquire US agency databases and data mine them with their existing terrorism databases, complete with the US person data they included, the IDENT database–the primary purpose of which is to track people who’ve come through the immigration system–was one of the first databases they went after.

Which is another way of saying the US persons in the IDENT database should assume they’ll also be in NCTC’s databases for five years. Including those parents who adopted children from China or Ethiopia or Guatemala or Romania.

“Well, if they’ve done nothing wrong they don’t have anything to be worried about.”

Perhaps. Except that the kind of people who adopt kids internationally may also tend to have reason for a significant number of international connections, whether because of religious faith, an effort to establish some tie to their child’s native country, or a comfort with international travel.

There are a lot of people whose biometric data shouldn’t be mined along with a bunch of terrorist suspects. At the top of that list, though, are families whose primary interaction with Bureau of Customs and Immigration Services entailed adopting a baby from another country.

SCOTUS Limits Privacy Act Just as NCTC Expands Access to US Person Data

Well, this is rather inauspicious timing.

The conservatives on SCOTUS have sharply limited the teeth of the Privacy Act–limiting damages to out-of-pocket damages.

The Supreme Court has dealt privacy advocates a huge setback. By a 5-3 majority, the court ruled that people who sue the government for invading their privacy can only recover out-of-pocket damages. And whistle-blower lawyers say that leaves victims who suffer emotional trouble and smeared reputations with few if any options.

Justice Samuel Alito and all four of his conservative colleagues turned back a challenge from a pilot named Stan Cooper. (Justice Elena Kagan did not participate in the case.)

Cooper said the Social Security Administration, which was sending him disability benefits, had improperly shared his HIV status with transportation officials.

In 1974, while the abuses of Watergate were fresh in people’s minds, Congress made that kind of unauthorized information-sharing illegal under the Privacy Act. The law said the U.S. had to pay actual damages to victims.

But in Wednesday’s ruling, Alito said actual damages represent monetary harm, not mental or emotional distress.

That’s absurd, according to the dissent by Justice Sonia Sotomayor. Sotomayor said that means people who suffer severe emotional distress can’t get any money — but people with minor out-of-pocket expenses can.

The whole point of the Privacy Act was to impose some kind of real penalty on the government for using the data it collects on you in a way that ends up hurting you. Without pain and suffering damages, it will be very difficult for aggrieved people to find legal representation to sue the government for violations. And without pain and suffering damages, the penalties would generally be so small, in any case, as to make violating your privacy the cost of doing business.

And of course, this happens just as the government decided to make its agency databases accessible to the National Counterterrorism Center for data mining to find terrorists. The Privacy Act would have been one of the few limits on what the government can do with this data. For example, the Guidelines on this new access warn that “All disseminations under these Guidelines must be … permissible under the Privacy Act,” which would normally limit dissemination (in this context) to law enforcement purposes. But now that Alito has gutted the protections of the Privacy Act, there is less to prevent some gung ho counterterrorism professional from leaking information about who looks like a terrorist when you data mine their personal data. Or from using the now-collated information (the Privacy Act protections allowing you to see your own data reside with the originator here, which I suspect will mean you don’t get to see what your data gets collated with) for more personal, nefarious purposes.

These two events are unrelated. SCOTUS didn’t do this because of the government’s new power grab at NCTC. But SCOTUS’ decision does make that power grab still more dangerous.

Note: For those of you interested in these issues, I urge you to stop by FDL’s Book Salon on Saturday at 5. Tim Weiner will speak about his generally very good book, Enemies. The salon will be particularly interesting, though, because the ACLU’s Mike German will host. Not only does German’s FBI background make him an ideal reviewer of this history of the FBI’s abuses, but he’s probably the best person to address the book’s most glaring fault: inaccurate and wildly over-optimistic treatment of the FBI’s Domestic Investigations and Operations Guide.

Michael Leiter Went Skiing … And All We Got Were Vast Expansions of Data-Sharing and No T-Shirt

In its short summary of the new NCTC data sharing guidelines, Lawfare said this:

The White House has passed new “Guidelines for Access, Retention, Use, and Dissemination. . . of Information in Datasets Containing Non-Terrorism Information.” Read the new guidelines here. The Times tells us that the National Counterterrorism Center can now “retain private information about Americans when there is no suspicion that they are tied to terrorism” for 5 years, instead of the previous 6 months. You can thank Umar Farouk Abdulmutallab for that. The Wall Street Journal and the Post also have the story. [my emphasis]

Actually, no.

I guess you can’t blame Michael Leiter for going skiing right after the UndieBomber attack. But when the report on the 14 failures that led us to miss the attack was released, it was pretty clear the National Counterterrorism Center–Leiter’s unit–deserved most of the blame.

Leiter wasn’t fired. He served over a year longer.

We didn’t do the most basic thing we could have done in response to the UndieBomber attack–hold those who failed accountable.

Instead, we’re now rolling back Americans’ privacy yet again, because those in charge would prefer to trade citizens’ civil liberties for actual accountability for failure.

It’s easy for folks like Lawfare to blame all this on the terrorist and none of it on the people who failed to defend against terrorism. And ultimately, that means the rest of us pay because Michael Leiter chose to ski instead of ensuring we found terrorists.

The “Oversight” over NCTC’s Not-Terrorist-Terrorist Database

Back when John Negroponte appointed him to be the Director of National Intelligence’s Civil Liberties Protection Officer, Alexander Joel admitted he had no problem with Cheney’s illegal domestic wiretap program.

When the NSA wiretapping program began, Mr. Joel wasn’t working for the intelligence office, but he says he has reviewed it and finds no problems. The classified nature of the agency’s surveillance work makes it difficult to discuss, but he suggests that fears about what the government might be doing are overblown.

“Although you might have concerns about what might potentially be going on, those potentials are not actually being realized and if you could see what was going on, you would be reassured just like everyone else,” he says.

That should trouble you, because he’s the cornerstone of oversight over the National Counterterrorism Center’s expanded ability to obtain and do pattern analysis on US person data.

The Guidelines describe such oversight to include the following:

  • Periodic spot checks overseen by CLPO to make sure database use complies with Terms and Conditions
  • Periodic reviews to determine whether ongoing use of US person data “remains appropriate”
  • Reporting (the Guidelines don’t say by whom) of any “significant failure” to comply with guidelines; such reports go to the Director of NCTC, the ODNI General Counsel, the CLPO, DOJ (it doesn’t say whom at DOJ), and the IC Inspector General; note, the Guidelines don’t require reporting to the Intelligence Oversight Board, which should get notice of significant failures
  • Annual reports from the Director of NCTC on an (admittedly worthwhile) range of metrics on performance to the Guidelines; this report goes to the CLPO, ODNI General Counsel, the IC IG, and–if she requests it–the Assistant Attorney General for National Security

There are a few reasons to be skeptical of this. First, rather than replicate the audits recently mandated under the PATRIOT Act–in which the DOJ Inspector General develops the metrics–these Guidelines have NCTC develop the metrics themselves. And they’re designed to go to the CLPO, who officially reports to the NCTC head, rather than an IG with some independence.

That is, to a large extent, this oversight consists of NCTC reporting to itself.

Does NCTC Have the Minimal Data Security to Guard Its New Not-Terrorist-Terrorist Database?

As I noted here and here, yesterday the Director of National Intelligence and DOJ rolled out new Guidelines allowing the National Counterterrorism Center to acquire non-terrorist datasets from federal agencies–including US person data–so they can do pattern analysis on those datasets and pass off the resulting data to other agencies.

When intelligence officials wanted to explain to Charlie Savage how this would work, they pointed to a State Department dataset–visa applications–as one dataset NCTC might now access directly.

A person from Yemen applies for a visa and lists an American as a point of contact. There is no sign that either person is a terrorist. Two years later, another person from Yemen applies for a visa and lists the same American, and this second person is a suspected terrorist.

Under the existing system, they said, to discover that the first visa applicant now had a known tie to a suspected terrorist, an analyst would have to ask the State Department to check its database to see if the American’s name had come up on anyone else’s visa application — a step that could be overlooked or cause a delay. Under the new rules, a computer could instantly alert analysts of the connection.

The State Department is, of course, still reportedly recovering from the fact that because of DOD’s lax network security, 250,000 diplomatic cables got liberated for the world to see.

Not surprisingly, then, the new Guidelines appear determined to reassure original dataset owners that their data won’t be compromised by sharing it with NCTC (which can then share it with other elements of the Intelligence Community and even foreign allies). You can tell they’re serious about this, because it’s one of the places they occasionally use “shall” (in other sensitive areas, they use the squishier “will”).

For access to or acquisition of specific datasets, the DNI, or the DNI’s designee, shall collaborate with the data provider to identify any legal constraints, operational considerations, privacy or civil rights or civil liberties concerns and protections, or other issues, and to develop appropriate Terms and Conditions that will govern NCTC’s access to or acquisition of datasets under these guidelines.

[snip]

In addition to the [general requirements laid out for sharing this data], at the time when NCTC acquires a new dataset or a new portion of a dataset, the Director of NCTC shall determine, in writing, whether enhanced safeguards, procedures, and oversight mechanisms are needed.

Though this bold approach almost immediately breaks down, as the Guidelines not only revert to “will,” but–worse–dig out the passive voice when describing the data transfer.

Measures will be put into place to ensure that the dataset is received and stored in a manner to prevent unauthorized access and use prior to the completion of replication.

And when the Guidelines get into specifics, they use that passive “will” again.

Access to these datasets will be monitored, recorded, and audited. This includes tracking of logons and logoffs, file and object manipulation, and changes, and queries executed, in accordance with audit and monitoring standards applicable to the Intelligence Community.

Who will (“shall”) implement these data security measures? What if he or she fails to do so adequately?

It’s a really, really important question because–as this year’s intelligence authorizations make clear–the Intelligence Community does not yet have insider threat detection–the kind of security that would permit these audits–and they’re not going to get it until 18 months from now. Hell, they’re not even going to start getting it until 6 months from now!

(a) Initial Operating Capability.–Not later than October 1, 2012, the Director of National Intelligence shall establish an initial operating capability for an effective automated insider threat detection program for the information resources in each element of the intelligence community in order to detect unauthorized access to, or use or transmission of, classified intelligence.

The National Counterterrorism Center Just Declared All of Us Domestic Terrorists

I’m going to have a series of posts on the new National Counterterrorism Center data sharing guidelines. As a reminder, the whole point of these guidelines is to allow the NCTC to obtain information on US persons, dump it into their datamining, and then ultimately pass it on. In this, I’ll show how, by magic of cynical bureaucracy, the government is about to turn non-terrorist data into terrorist data.

Here’s how that trick is accomplished rhetorically. In the Background section (and in one or two other places), the document includes this language to legally justify throwing US person data into big databases to be data mined. It starts by laying out NCTC’s data mandate:

[NCTC] shall “serve as the primary organization in the United States for analyzing and integrating all intelligence possessed or acquired by the United States Government pertaining to terrorism and counterterrorism, excepting intelligence pertaining exclusively to domestic terrorists and domestic counterterrorism.”

It blathers on about how NCTC also has the responsibility to request information and pass it on. This is the legal language they’re going to translate to mean the opposite of what it says.

Jumping ahead a bit, the guidelines acknowledge that NCTC is only supposed to have access, if needed, to domestic terrorism information.

In the National Security Act of 1947, as amended, Congress recognized that NCTC must have access to a broader range of information than it has primary authority to analyze and integrate if it is to achieve its missions. The Act thus provides that NCTC “may, … receive intelligence pertaining exclusively to domestic terrorism from any Federal, State, or local government or other source necessary to fulfill its responsibility and retain and disseminate intelligence.” [my emphasis]

See that? It can have all the foreign terrorism information, and then if it needs to, it can have the domestic terrorism information.

Now, going back a few lines, it takes this authority–“pertaining exclusively to domestic terrorism”–and uses it to get … everything.

NCTC’s analytic and integration efforts … at times require it to access and review datasets that are identified as including non-terrorism information in order to identify and obtain “terrorism information,” as defined in section 1016 of the Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004, as amended. “Non-terrorism information” for purposes of these Guidelines includes information pertaining exclusively to domestic terrorism, as well as information maintained by other executive departments and agencies that has not been identified as “terrorism information” as defined by IRTPA. [my emphasis]

Note that bolded section is not a citation from existing law. It is, instead, NCTC turning NCTC’s authority to sometimes get domestic terrorism information into authority to get any dataset maintained by any executive agency that NCTC believes might include some information that might be terrorism information.

Those of us in the US Government’s tax, social security, HHS, immigration, military, and other federal databases? We’ve all, by bureaucratic magic, been turned into domestic terrorists.

Now, NCTC seems to understand what a grasp this is, so it deploys one more rhetorical effort, this time noting that the Director of National Intelligence–to whom NCTC reports–also gets access to all national security intelligence.

[The National Security Act] provides that “[u]nless otherwise directed by the President, the Director of National Intelligence shall have access to all national intelligence and intelligence related to the national security which is collected by any federal department, agency, or other entity…”

So in addition to all of us in government databases–that is, all of us–being deemed domestic terrorists, the data the government keeps to track our travel, our taxes, our benefits, our identity? It just got transformed from bureaucratic data into national security intelligence.

We are all, now, first and foremost potential terrorists. Only after NCTC destroys our data in five years (if they don’t find some excuse to keep it before then) will we become citizens again.

5 Years of Data Not Collected by NSA

Just days after General Keith Alexander successfully dodged questions about the NSA’s massive new data storage facility by disclaiming any responsibility for collecting US person data, the National Counterterrorism Center is preparing to extend how long they can retain US person data to 5 years.

The Justice Department is close to approving guidelines that would allow the intelligence community to lengthen the period of time it retains information about U.S. residents, even if they have no known connection to terrorism.

Senior U.S. officials familiar with the guidelines said the changes would allow the National Counterterrorism Center, the intelligence community’s clearinghouse for counterterrorism data, to keep such information for up to five years.

Currently, the center must promptly destroy any information about U.S. citizens or residents unless a connection to terrorism is evident.

I guess if you’ve got all that data storage space in UT, you’re going to need something to fill it with.

To justify this power grab, the WaPo’s sources point to two attacks that had nothing to do with the length of data retention: the Nidal Hasan attack, in which information on his conversations with Anwar al-Awlaki hadn’t been shared throughout the government, and Umar Farouk Abdulmutallab, in which his suspect status hadn’t been loaded into the no-fly list.

They don’t, however, point to a concrete example where 5 year old data of US persons might have helped solve an actual terror attack.

But thanks to this measure pushed through in almost complete secrecy, when they declare–say–your Church a terrorist organization in three years’ time, they’ll have records of your association with it in a database in UT.

Update: Here’s Charlie Savage on this. Here’s the new guidelines. And here’s the guidelines they replaced. I’ll come back to these later.

In First Act as DNI, James Clapper Adds to Redundancy Competitive Analysis

When James Clapper testified before the Senate Intelligence Committee, he rejected one of the central criticisms in the WaPo’s Top Secret America series–that the redundancy in the Intelligence Community contributed to waste and intelligence failures.

Clapper disputed criticism of redundancy in intelligence programs, saying that duplication is sometimes a conscious decision. “One man’s duplication is another man’s competitive analysis,” he said.

Perhaps it should come as no surprise, then, that his first act as DNI is to add to the redundancy.

After my second week on the job, I wanted to let you know what an honor it is to be leading this Community of such skilled and dedicated professionals.

When President Obama asked me to lead the Intelligence Community he said he wanted someone who would continue to build our enterprise into an integrated team.  I have begun to embark on that process and wanted to share with you a few of my initial thoughts and plans.

I have asked DIA Deputy Director Robert Cardillo to join ODNI in the newly-created role of Deputy Director for Intelligence Integration.  While the specifics of this position are still being developed, it unites the roles of Analysis and Collection to elevate information sharing and collaboration between these two essential functions.

Admittedly, Clapper doesn’t explain what he just hired a top DOD intell guy to do, but it sure seems like it overlaps with the mandate of the National Counterterrorism Center.

NCTC serves as the primary organization in the United States Government for integrating and analyzing all intelligence pertaining to terrorism possessed or acquired by the United States Government (except purely domestic terrorism); serves as the central and shared knowledge bank on terrorism information; provides all-source intelligence support to government-wide counterterrorism activities; establishes the information technology (IT) systems and architectures within the NCTC and between the NCTC and other agencies that enable access to, as well as integration, dissemination, and use of, terrorism information.

NCTC serves as the principal advisor to the DNI on intelligence operations and analysis relating to counterterrorism, advising the DNI on how well US intelligence activities, programs, and budget proposals for counterterrorism conform to priorities established by the President.

And the move is all the more bizarre given that Clapper only has this job because the Administration chose to fire Dennis Blair rather than hold Michael Leiter, the Director of the NCTC, responsible for failing to connect the dots on the UndieBomber attack, even though it appears that Leiter deserves more of the blame. So if I’m right that this new position is duplicative of the NCTC position, then the Administration has chosen not to fire the guy most responsible for missing the UndieBomber clues, and instead fire the DNI and replace him with a guy that–rather than firing the guy most responsible for missing the UndieBomber clues–will instead just create a second version of that guy’s position.

Now in an ideal world, the next time someone misses an attack, we’ll be justified in firing Clapper, since he’s the guy who opted for redundancy rather than holding one person responsible. But I’m guessing by then Clapper will be capitalizing on his inevitably short tenure as DNI, getting rich heading six or eight intelligence contractors.

Keep Your Declaration of Independence Right Next to Your Assassination Cards

Call me crazy, but this is probably not exactly the kind of treatment Thomas Jefferson was thinking the Declaration of Independence would receive 234 years after he wrote it.

Many nights an item prompts a call to wake the NCTC director, Michael Leiter, 41, the junior member of the nighthawks. He displays a copy of the Declaration of Independence, next to a deck of baseball-style cards of high-value terrorist targets: “I keep the ones who are dead on top. It’s a little macabre, but that’s the world we live in.” When the NCTC calls in the middle of the night, he is often half-awake.

Among those cards, after all, is probably the one that signifies that the President has approved, with no due process, an order to assassinate US citizen Anwar al-Awlaki. That’s the kind of thing that Jefferson objected to when he called the following “Despotism”:

He has affected to render the Military independent of and superior to the Civil power.

[snip]

For Quartering large bodies of armed troops among us:

For protecting them, by a mock Trial, from punishment for any Murders which they should commit on the Inhabitants of these States:

[snip]

For depriving us in many cases, of the benefits of Trial by Jury:

[snip]

For taking away our Charters, abolishing our most valuable Laws, and altering fundamentally the Forms of our Governments:

While I’m making wildarsed Fourth of July guesses, let me also suggest that this kind of security porn–a 24-style terror play in 9 acts–is probably not exactly what Thomas Jefferson imagined as the role of the free press when he so furiously defended it.

Obama Appoints Fox To Evaluate Terror Watchlist Henhouse

Barack Obama, doing his best to make Dick Cheney’s questions about leadership look rational, has assigned John Brennan to conduct the Administration’s ballyhooed investigation into the claimed failure of the terrorist watchlist program in the Christmas Fruit Of The Loom Bomber incident.

What’s wrong with this picture? Throw a dart in any direction and you will find something. Politico gives the unsettling details:

President Barack Obama promised a “thorough review” of the government’s terrorist watch-list system after a Nigerian man reported to US government officials by his father to have radicalized and gone missing last month was allowed to board a Northwest Airlines flight to Detroit that he later tried to blow up without any additional security screening.

Yet the individual Obama has chosen to lead the review, White House counter-terrorism adviser John Brennan, served for 25 years in the CIA, helped design the current watch-list system and served as interim director of the National Counterterrorism Center, whose role is under review.

In the three years before joining the Obama administration, Brennan was president and CEO of The Analysis Corporation, an intelligence contracting firm that worked closely with the National Counterterrorism Center and other US government intelligence, law enforcement and homeland security agencies on developing terrorism watch-lists.

“Each and every day, TAC makes important contributions in the counterterrorism (CT) and national security realm by supporting national watchlisting activities as well as other CT requirements,” the company’s Web site states.

According to financial disclosures forms released by the White House, Brennan served as president and CEO of TAC from November 2005 until January 2009, when Obama named him to the White House terrorism and homeland security job. The disclosures show that Brennan reported earning a $783,000 annual salary from the Analysis Corporation in 2008. ….

One former senior intelligence official told POLITICO it is “unsavory to see Obama put Brennan in charge of a review of this matter since it is possible that NCTC or TAC could have failed in their responsibilities.”

Oy. “Unsavory”? Ya think? This is akin to a law school final exam where you try to identify all the conflicts of interest in the given situation. But there is not enough time to hit them all. Do not fret, the crack White House ethics team has looked at Brennan and determined